EU Regulation 679/2016 ("GDPR")
v. May, 2020
In compliance with the Privacy Shield Principles, Entando, Inc. commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Entando, Inc. at: [email protected]
Entando, Inc. has further committed to refer unresolved Privacy Shield complaints to JAMS (Judicial Arbitration and Mediation Services, Inc), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
If personal information covered by this Privacy Shield policy is to be used for a new purpose that is materially different from that for which the personal information was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, Entando, Inc. will provide data subjects with an opportunity to choose whether to have their personal information so used or disclosed. To the extent required by the Privacy Shield Principles, Entando, Inc. obtains opt-in consent for certain uses and disclosures of sensitive data.
With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, Entando, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (“FTC”). In certain situations Entando, Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
ENTANDO INC. and ENTANDO S.R.L. (jointly defined as "Entando" or the "Controller") are engaged in the protection of the Personal Data entrusted to it. Management and Security of Personal Data are guaranteed with the utmost care, in accordance with the requirements of the privacy legislation pursuant to EU Regulation 679/2016 (“GDPR“).
This policy explains who we are, for what purposes we could use your data, how we manage them, to whom we can communicate your data, where they could be transferred and which are Your rights.
Premise - About Us
Entando is an international company principally involved in the development of enterprise software platforms for building web applications and solutions.
In particular Entando provides software subscriptions and support services for their open source platforms, components and solutions. Entando also oversees an international open source community and partner network who support in the development of the core platform and open source or proprietary solutions built using the platform.
1. Who will treat my data?
Your data will be treated, as Data Controller, by:
ENTANDO S.R.L. (the "Controller")
Piazza Salento 9
09127 - Cagliari (Italy)
Email [email protected]
Subject to direction and coordination of Entando Inc
ENTANDO INC. (the "Controller")
600 B Street, Suite 300
92101 - San Diego (CA) - USA
Email [email protected]
The list of processor and sub-processor for the processing of personal data is available at the headquarters of the owner or by request at [email protected]
2. Why do you need my data?
The Data Controller will use your data exclusively for the following purposes:
Entando will carry out the treatment:
Therefore your personal data are necessary or mandatory for the purposes listed in letter a).
The purpose referred to in letter b), on the other hand, does not derive from a legal obligation or contract and the consent to provide such data for such purpose is optional and does not affect provision of the services.
Any partial or total failure to provide the data will result in the partial or total impossibility of achieving the aforementioned purposes.
Entando will always use Personal Data effectively necessary for the specific purpose (minimization).
We will not use your Personal Data for any other purpose other than those described in this statement, if not by informing you in advance and, where necessary, obtaining your consent.
3. How will you use my data?
Your personal data will be processed, through the use of tools and procedures suitable to ensure maximum security and confidentiality, through archives and paper, and also through digital media, computer and telecommunications adequate and in compliance with the GDPR provisions.
The communications may take place in traditional ways (example: paper mail, phone calls with operator), automated (eg, phone calls without operator) and similar (example: fax, e-mail, sms, mms) .
4. How long will you keep my information?
Your personal data will be stored for a period consistent with the purposes of treatment indicated above.
Here below follow the duration of the different treatments:
Purpose: Candidates for job placement
Duration: Maximum 24 months after sending the candidate's Curriculum Vitae
Legal basis: art. 5 lett. e) of GDPR
Purpose: Work contract
Duration: 10 years after the termination of the employment relationship
Legal basis: art. 43 of Presidential Decree 600/73; art. 2946 of the Italian civil code on the ordinary prescription; Title I, Chapter III, of Legislative Decree 81/08 (as amended)
Purpose: Customers, service, suppliers, partners, etc.
Duration: 10 years from the end of the contractual relationship
Legal basis: art. 2948 of the Italian Civil Code, which provides a period of 5 years for payments; art. 2220 of the Italian Civil Code, which provides a period of 10 years, for the keeping of accounting records; art. 22 of the D.P.R. September 29, 1973, n.600.
Purpose: Customers, for marketing purposes (both first-party and third-party) and profiling
Duration: In compliance with the terms prescribed by law for the type of activity and in any case until the revocation of consent or until the exercise of the right of opposition
Legal basis: art. 23 of Legislative Decree 196/03; General Provision of 15/05/13 Italian Garante Privacy; art. 21 GDPR.
5. Will you share my information with other subjects?
Your Data may be communicated to Entando partners for the management of contracts in place with You, and to third parties, (including Credit Recovery Companies, Professionals, Public Bodies, Auditing Bodies or Supervisory Bodies), to fulfill obligations deriving from the law, regulations, community regulations or for aspects concerning the management and execution of the contractual relationship.
Your personal data will not be transferred to third parties for marketing purposes unless you have expressly permitted such transfer.
For all the purposes indicated in this statement your data may be transferred also abroad, inside and outside the European Union, in compliance with the rights and guarantees provided by the current legislation, subject to verification that the country in question ensure an "adequate" level of protection.
The Data will also be processed by internal resources of the Entando offices, properly trained, which operate as authorized personnel to process the Data in accordance with art. 29 GDPR.
We also inform you that in compliance with a company policy, all company emails will be kept through an archived outsourced archiving system with adequate security measures in order to protect them.
Access to the archived Data may be carried out only by public authorities, in the cases and methods provided for by the laws in force, in the event of legal disputes.
Your personal data are not subject to dissemination.
Hubspot have declared to be GDPR compliant and here you can find links to resources https://www.hubspot.com/data-privacy/gdpr. Hubspot is currently included in the Privacy Shield as per the following link: https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG.
6. What are my rights?
At any time, you will have the right to ask:
You will also have:
the right to oppose their treatment:
We will handle your request with the utmost care to ensure the effective exercise of your rights.
Finally, you will have the right to lodge a complaint with the National Supervisory Authority (Italian Garante Privacy).
7. Can I withdraw my consent after I gave it?
Yes, you can revoke your consent at any time, without this, however this will not:
8. I still have questions ...
Appendix – Definitions of certain terms referred to above:
(Article 4 of the GDPR): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(Article 4 of the GDPR): means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
Legal Basis for Processing:
(Article 6 of the GDPR): At least one of these must apply whenever personal data is processed:
Consent: the individual has given clear consent for the processing of their personal data for a specific purpose.
Contract: the processing is necessary for compliance with a contract.
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary to perform a task in the public interest, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the legitimate interests of the Data Controller unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
(Article 4 of the GDPR): this means the person or company that determines the purposes and the means of processing personal data.
(Article 4 of the GDPR): means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Data Subject Rights:
(Chapter 3 of the GDPR) each Data Subject has eight rights. These are:
The right to be informed; This means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
The right of access; this is your right to see what data is held about you by a Data Controller.
The right to rectification; the right to have your data corrected or amended if what is held is incorrect in some way.
The right to erasure; under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
The right to restrict processing; this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
The right to data portability; a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
The right to object; the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
Rights in relation to automated decision making and profiling; Data Subjects have the right not to be subject to a decision based solely on automated processing.