Comtech Solutions Limited, trading as CookieScan™ and referred to as ‘we’ or ‘our’ for the purpose of this notice, is committed to protecting the privacy and security of your personal information.
This Privacy Notice describes how we collect and use personal information about you during and after your relationship with us pursuant to:
- General Data Protection Regulation (GDPR)
- UK GDPR
- Data Protection Act 2018
- Data Protection (Jersey) Law 2018
- Data Protection (Bailiwick of Guernsey) Law 2017
- California Consumer Privacy Act (CCPA)
- Any other Data Protection Law, Act or Regulation involved in the protection of data subjects’ rights and personal data.
For the purpose of this notice and to make it easier to read, all the above will be referred to as “The Laws”. CookieScan™ is a “Data Controller”, which means we are responsible for deciding how we hold and use personal information. CookieScan™ is also a Data Processor, which means we process data on behalf of a Data Controller (the CookieScan account holder).
A Data Processor Agreement (“DPA”) can be found at Appendix 1 of this Notice.
CookieScan is registered with the Jersey Office of the Information Commissioner – Registration No. 67708.
We will comply with the law, the principles of which say that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we collected it.
- Kept securely.
We have appointed a DPO to oversee compliance with this Privacy Notice.
If you have any questions about this Privacy Notice or how we handle your personal information, contact the DPO at DataProtection@CookieScan.com.
You have the right to make a complaint at any time to your Supervisory Authority. A list of all Supervisory Authorities can be found at this link – EUDPR • European Union Data Protection Representatives
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
To explain this to you, we will list our different services when we collect or use additional information about you.
CookieScan™ collects very little data about you. When you open an account with CookieScan™, you are directed to Stripe to complete your details and payment method. Stripe is the payment gateway CookieScan™ uses to collect payments for accounts and renewals of accounts.
CookieScan™ collects the IP address of every site user interacting with the CookieScan™ banner. This IP address is recorded in a log against the site user’s preference to provide consent or not for a cookie or category of cookie to be loaded onto their device.
The log is retained for each account holder to show cookie preference of site users if interaction with the CookieScan™ banner has taken place. This will depend on the type of banner the account holder selects for their site.
Modal – This central CookieScan™ banner will not allow any site activity until a cookie preference has been made by the site user. If this style of banner is selected by the account holder, all IP addresses and cookie preference of site visitors who progress past the banner will be recorded.
Bar – This is a Footer banner and will allow activity on the website without any interaction on the banner by the site user. The banner will remain visible until interaction or a preference has been made by the site user. Once interaction has been made, the IP address of the site user will be recorded.
Simple – This is a footer style banner and remains visible on the site until interaction is made by the user. It does not collect consent for the category of cookie, as it is only displayed in countries where there are no cookie consent requirements. All categories of cookie are set to upload to the user’s device by default. The IP address of the user will be recorded once the Accept button is selected.
What Special Category Data do we collect about you?
CookieScan™ does not collect any Special Category Data from account holders.
We will only use your personal information when the law allows us to.
Most commonly, we will use your personal information in the following circumstances:
- We need to comply with a legal obligation. It is a legal requirement of PECR and the ePrivacy Directive to keep an accurate record of website users’ cookie preferences. This forms part of the Data Controller’s (CookieScan™ account holder’s) obligations for compliance.
- Where you have given your consent for a specific purpose. The use of Consent as a legal basis requires the Data Controller (CookieScan™ account holder) to keep a record of such consent to produce if challenged.
We will only use your personal information for the purposes we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.
We may, on occasions, pass your Personal Information to an organisation outside of CookieScan exclusively to process on our behalf; these organisations are called Data Processors.
We require these parties to agree to process this information based on our instructions and requirements consistent with this Privacy Notice.
We do not pass on information gained from your engagement with us without a clear legal basis for doing so. However, we may disclose your Personal Information to meet legal obligations, regulations, or valid governmental requests such as a Police request for CCTV.
The personal data we collect from you may be transferred to and stored at a destination outside the European Economic Area (“EEA”). Some cookies transfer the data collected to destinations outside of the EEA. For example, Google Analytics cookies will transfer your data collected to the USA.
If you do not want this data transfer, do not consent to this type of cookie which is categorized as a Statistical Cookie.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, altered or disclosed, or accessed in an unauthorised way. In addition, we limit access to your personal information to those Colleagues, Agents, Contractors and other third parties on a need to know basis.
They will only process your personal information on our strict instructions, and they are subject to a duty of confidentiality.
Details of these measures may be obtained from our Data Protection Officer (DPO).
We have put in place procedures to deal with any suspected data security breach and notify you and any applicable regulator of a suspected breach where we are legally required to do so.
All data is retained securely and only used for the purposes set out in the Law. Data is retained to comply with our statutory obligations and in accordance with our retention schedule. If you would like a copy of our retention schedule, please contact our DPO at DataProtection@Cookiescan.com
Our banner consents are renewed every six months. This means that if a website user consented to marketing cookies on the 1st January they will be asked again for their consent on the 1st July. The website interaction logs showing this consent or denial of consent are retained for 12 months from the date the interaction took place with the banner.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Under certain circumstances, by law, you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This right enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This right enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal information. This right enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we rely on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground. You also have the right to object to processing of your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This right enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
For residents of California, one of your rights under the California Consumer Privacy Act (CCPA) is:
- Do not sell my Data. CookieScan™ does not sell the data it collects under any circumstances.
If you want to review, verify, correct or request the erasure of your personal information, object to the processing or request that we transfer a copy of your personal information to another party, contact our DPO at DataProtection@Cookiescan.com.
You will not have to pay a fee to access your personal information (or exercise any other rights). However, we may charge a reasonable fee if your access request is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Use the Data Subject Access Request form, available on our Cookie Banner. If you have any questions about this process or any of your rights, contact our DPO at DataProtection@Cookiescan.com
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or exercise any of your other rights).
We will respond to your request within Four Weeks upon satisfactory verification of your identity.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
To withdraw your consent, open the CookieScan banner by selecting the small grey box at the bottom left corner of the website you are using and change your preference (Consent). This can be done at any time.
Once you have changed your preference, we will register that you have denied consent to allow cookies to load onto your device. Please remember there will be cookies on your device from previous website visits if you consented to allow them to be loaded.
It is recommended that once you change your preference to withdraw consent to cookies, you clear your device history and cookies.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates.
We may also notify you in other ways from time to time about the processing of your personal information or requesting you to confirm the accuracy of the information we hold on you.
We want the chance to resolve any complaints you have about how we process your information. You have the right to complain to your country’s Supervisory Authority about how we have used your data.
The details for each of these contacts are:
Second Floor, 6 Vine Street, St Helier, Jersey JE2 4WB
Telephone +44 (0) 1534 735330 or email DataProtection@Cookiescan.com
Please look up your country’s Supervisory Authority for contact details. This list is for all EU SAs: EUDPR • European Union Data Protection Representatives
1.1 This agreement regarding processing of personal data (“DPA”) regulates Comtech Solutions Limited, CookieScan™ (the “Processor”) processing of personal data on behalf of the Client (“Controller”), the CookieScan™ account holder.
1.2 The DPA shall ensure that the Processor complies with the applicable data protection and privacy legislation (“The Law”), as outlined in the first section of the Privacy Notice above.
1.3 Purpose: The purpose of the processing under the Contract is the provision of CookieScan™ services by the Processor as specified in the account type the Data Controller has subscribed to.
1.4 In connection with the Processor’s delivery of CookieScan™ services to the Controller, the Processor will process certain categories and types of the Controller’s and his customer’s personal data on behalf of the Data Controller.
1.5 “Personal data” includes “any information relating to an identified or identifiable natural person” as defined in Article 4(1) GDPR (“Personal Data”). The categories and types of Personal Data processed by the Processor on behalf of the Controller are listed in sub-Appendix A. The Processor only performs processing activities that are necessary and relevant to perform CookieScan™ Services. The parties shall update sub-Appendix A whenever changes occur that necessitate an update.
1.6 The Processor may only act and process the Personal Data in accordance with its function and with the documented instructions from the Controller (“Instruction”), unless required by law to act without such instructions. The Instruction at the time of entering into this DPA is that the Processor may only process the Personal Data with the purpose of delivering CookieScan™ services as described by the account type subscribed to.
1.7 The Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Controller’s instructions for the processing of Personal Data shall comply with Applicable Law. The Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
1.8 The Processor will inform the Controller of any instruction that it deems to be in violation of applicable laws and will not execute the instructions until they have been confirmed or modified.
1.9.1 The Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Controller has agreed in writing.
1.9.2 The Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.
1.9.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of Propelfwd’s services and this DPA.
1.9.4 The Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
1.10.1 The Processor shall implement the appropriate technical and organizational measures in accordance with The Law. The security measures are subject to technical progress and development. The Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.
1.11 The Processor shall provide documentation for the Processor’s security measures if requested by the Controller in writing.
1.12 Data protection impact assessments and prior consultation
1.12.1 If the Processor’s assistance is necessary and relevant upon the Controller’s prior written consent, the Processor shall assist the Controller in preparing data protection impact assessments in accordance with The Law along with any prior consultation in accordance with The Law. The Processor would charge such assistance based on the hourly rate applicable at that time.
1.13 Rights of the data subjects
1.13.1 If the Controller receives a request from a data subject for the exercise of the data subject’s rights under the applicable law and the correct and legitimate reply to such a request necessitates the Processor’s assistance upon the Controller’s prior written consent, the Processor shall assist the Controller by providing the necessary information and documentation. The Processor shall be given reasonable time to assist the Controller with such requests in accordance with the applicable law.
1.13.2 If the Processor receives a request from a data subject for the exercise of the data subject’s rights under the applicable law and such request is related to the Personal Data of the Controller, the Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
1.14 Personal Data Breaches
1.14.1 The Processor shall give immediate notice to the Controller if a breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed regarding the Personal Data processed on behalf of the Controller (“Personal Data Breach”).
1.14.2 The Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.
1.15 Documentation of compliance and Audit Rights
1.15.1 Upon request by a Controller, the Processor shall make available to the Controller all relevant information necessary to demonstrate compliance with this DPA. If the Controller requests an audit, the Processor will conduct an audit by IT security specialists and make the report available to the Controller.
1.16 Data Transfers
1.16.1 The provision of CookieScan™ services will involve the transfer of Personal Data to countries outside the European Economic Area. As far as the Processor processes Personal Data in its sphere, only those storage solutions that provide secure services with adequate relevant safeguards will be employed. All data stored by CookieScan™ are located in a data centre based in the United Kingdom.
1.16.2 Cookie providers, such as Google will transfer data obtained by their cookies to other countries outside the EEA. CookieScan™ has no control over the data transfer of cookie providers.
1.17 The Data Processor is given general authorization to engage third parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Controller, provided that the Processor notifies the Controller in writing about the identity and role of a potential Sub-Processor (and its processors, if any). If the Controller wishes to object to the relevant Sub-Processor, the Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Processor. Absence of any objections from the Controller shall be deemed a consent to the relevant Sub-Processor.
1.18 In the event the Controller objects to a new Sub-Processor and the Processor cannot accommodate the Controller’s objection, the Controller may terminate the services by providing written notice to the Processor.
1.19 The Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Processor, including the obligations under this DPA. The Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Controller if so requested in writing.
1.20 The Processor is accountable to the Controller for any Sub-Processor in the same way as it is accountable for its own actions and omissions.
1.21 The Processor is at the time of entering into this DPA using the Sub-Processors listed in sub-Appendix B. If the Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-Appendix B under paragraph 2.
1.22 Subject to 5.8.1 of this Data Processing Agreement the Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6, 5.7 and 5.8 of this DPA based on the Processor’s hourly rates then applicable. The current hourly rates are set at £110 per hour.
1.23 The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of the Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Terms of Business.
1.24 Nothing in this DPA will relieve the Processor of its own direct responsibilities and liabilities under the Law.
9.1 Following expiration or termination of the CookieScan™ account, the Processor will delete or return to the Controller all Personal Data in its possession as provided in the Agreement except to the extent the Processor is required by Applicable law to retain some or all of the Data (in which case the Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.
- Personal Data
1.1 The Processor processes the following types of Personal Data in connection with its delivery of CookieScan™ services:
1.1.1 Cookie identification name and provider;
1.1.2 IP address of the device/data subject visiting the relevant website and interacting with the CookieScan™ banner;
1.1.3 Preference of cookie usage – consent to allow cookies to load onto device or not;
2. Categories of data subjects
2.1 The Processor processes personal data about the following categories of data subjects on behalf of the Controller:
2.2 data subjects who visit a website belonging to the Controller(s),
2.3 data subjects who interact with the CookieScan™ banner placed on the website belonging to the Controller(s),
- APPROVED SUB-PROCESSORS
1.1 The following Sub-Processors shall be considered approved by the Controller at the time of entering into this Agreement:
a) Propelfwd – Data Protection Consultants
b) Microsoft Office 365 – Word, Excel, Teams, Outlook etc.
f) YourDataSafe – Information Governance tool