Six Seconds Privacy Policy

Version 4.3
Last Revised: February 16th, 2022

 

Introduction

Maintaining your Personal Data (the same as Personal Information) secure, while ensuring your Privacy is really a big deal to us at Six Seconds.

A Privacy Policy/ Notice goal is to inform everyone of:

  • what data we collect and why;
  • how your data is handled by us;
  • what entitles us to process it;
  • and your rights under applicable Personal Data Protection laws.

We (at Six Seconds) do not, nor will ever sell Personal Data.

We will modify this Privacy Policy, from time to time, on a need basis, always posting a time-stamped updated version.

 

Applicable Laws

This Privacy Policy is provided to you, in line with the following Applicable Personal Data Protection Legislation:

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from May 25th, 2018 having replaced the previous Directive 95/46/EC; In Ireland, the national law, which amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’).

  • The Personal Information Protection Law of the People’s Republic of China (Adopted at the 30th meeting of the Standing Committee of the 13th National People’s Congress on August 20, 2021)

 

  • The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;

 

  • The California Consumer Privacy Act 2018 (the CCPA), assembly Bill of the State of California United States of America No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by Governor June 28, 2018. Filed with Secretary of State June 28, 2018 and enforceable from January 1st, 2020 onwards.

 

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

 

The primary goal of Processing Personal Data (also defined under some of these laws as Personal Information) is to allow Six Seconds the identification those natural persons who have either joined programs that are supported by Six Seconds’ under the scope of Emotional Intelligence Assessments or act as Certified Practitioners towards such assessments (the “Certs”).

Six Seconds also retails 3rd party products which implies the need to Process Personal Data pertaining to those Customers who acquire them, both in terms of the sale as the delivery of those products.

Six Seconds (both as an organization as each of its staff members) is perfectly aware of the fact that Personal Data/ Health Information may represent a risk towards you if accessed by unauthorized 3rd parties; and that is why a set of Policies, Operational Processes, and mechanisms (technological and human-based) has been developed, ensuring that the Personal Data entrusted by you to Six Seconds will be maintained, handled and shared in a manner that warrants its Security, Accuracy, Confidentiality, and Privacy, hence assuring your Personal Data Protection.

Each and every Data Subject maintains full control over the Personal Data that pertains to him/ her) as well as the Personal Data Processing Activities undertaken by Six Seconds.

Anyone who is identified as being under 18 years of age is not allowed to use our service, therefore if any Personal Data has been gathered pertaining to such an individual, it shall be immediately erased from all repositories, and the user privileges will be revoked.

 

What we do with Personal Data

We do not process any data that is not required as an enabler for the delivery of our services to you.

The Personal Data under processing through our Services or otherwise consist of the following categories:

  • If you are undergoing an emotional assessment or coaching support supported by our platform and methodology:
    • Business and personal contact data, such as your first and last name, e-mail and mailing addresses, phone number, job title and organization name.
    • Assessment data, including the responses you provide to any behavioral assessments we make available to you and any Personal Data about you which is contained within reports issued by us, based on those responses.

 

The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:

    • create and, providing assessment reports based on provided replies when completing our assessments;
    • enable security features of the Services, such as sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
    • communicate with you about the Services, including sending you announcements, updates, security alerts, and support and administrative messages;

 

These data sets (above) are processed under either the Legal Basis of fulfilling a Contractual Obligation (where we have been hired by your employer or a “Cert” is using our services to deliver his/ her services to you or your organization), so the case of a registered user; or Legitimate Interest while the natural person inputting the data has not yet been identified, yet doing so on his/ her free will.

 

IMPORTANT NOTE:

SixSeconds will exclusive entice assessments regarding China resident natural persons via Chinese CERTs (meaning local certified accessors) and only SixSeconds staff will be processing such assessments.

  • If you are a certified assessor (“Cert”):
    • Profile data, such as your first and last name, e-mail address, and password when you create an account to log in to our Services (“Account”). You are also required to tell us where you are based.
    • Demographic data, such as your city, state, country of residence, postal code, and age.
    • Content you choose to upload to the Services, such as text and images, along with the metadata associated with the files you upload.

 

The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:

    • provide, operate and improve the Services, including to facilitate the creation of, maintain and secure your Account;
    • enable security features of the Services, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
    • communicate with you about the Services, including by sending you announcements, updates, security alerts, and support and administrative messages;

 

This data set is processed under the Legal Basis of Explicit Consent (meaning you are fully aware and informed about the purpose and scope of SixSeconds Processing Activities and may exercise your legal rights at any time of your choosing by reaching out to SixSeconds)

  • If you are a user taking an assessment on our Services, a certified assessor, a Customer or any other type of website visitor:
    • Feedback or correspondence, Personal Data you provide when you contact us with questions, feedback, or otherwise correspond with us online.This data set is processed under the Legal Basis of Legitimate Interest since it is mandatory for the delivery and quality assurance of the services that we deliver to you.
    • Transaction data, consists of data about payments to and from you and other details of products or services you have purchased from us.This data set is processed under the Legal Basis of Explicit Consent that derives from the fact that you have taken action to purchase a product or service from us.

 

  • Profiling
    • Usage data, data on how you use the Services and interact with us, including where you use any interactive features of the Services
    • Marketing data, such as your preferences for receiving communications about our activities, events, and publications, and details about how you engage with our communications.

 

The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:

    • improve the quality of experience when you interact with our Services;
    • respond to your requests, questions and feedback;
    • understand your needs and interests, and personalize your experience with the Services and our communications.

Our Legal Basis for Proceeding with this Profiling activities is Legitimate Interest, however and because it is “Profiling”, you may exercise your Right to Opt-out or object to such Processing activities at any time.

  • Information and Marketing. We may send you Six Seconds-related marketing communications (including newsletters, surveys and other promotional materials related to the Services and other products and services we offer) as permitted by law. You will have the ability to opt-out of our marketing and promotional communications by exercising your Rights under the law.

We do not share Personal Data with any 3rd party that is not involved in the delivery of our services, unless under a legal obligation.

 

The Controller

The Controller (as defined under the GDPR) is Six Seconds Europe a company established in the European Union, 2a Drinan Street OSullivans Quay, Cork. T12 CY28 Ireland, being the for profit affiliate of sixseconds.org, a non-profit company out of the U.S.

Nevertheless the Processing Entity (as defined under PIPL) is Six Seconds China.

 

DPO contacts

We have someone in our team who is responsible for ensuring our on-going compliance towards applicable Personal Data Protection laws and here is his identification and contacts:

Mr. Rui Serrano

Country: Portugal, European Union

email – [email protected]

 

Data Retention

We will maintain your Personal Data for the duration of the service contract with our Corporate Client (where that is the case) or until you ask us to erase it by exercising your Rights under the law.

Note that if you have been enlisted towards us by our Corporate Clients (including “CERTs” that resort to our tools) and you ask for your Personal Data to be erased, we will inform our Corporate Client of that request and it shall be that Client decision either to erase the data or not, since our contractual obligation is to assure the service towards all of its registered users.

The erasure of your Personal Data takes place over both “live repositories” as well as backups as determined under the law upon 30 days of either your valid request for it to be erased or after termination of the service contract with our Corporate Client.

 

Ensuring the Security and Confidentiality of your Data

We resort to secure and encrypted hosting environments to host and process your Personal Data, observing by the highest market standards and operated under market best practices, and all transfer of Data from and to your browser is also encrypted.

Regardless of the potential need of transferring your Personal Data to other countries (so our partners may provide their component of our service) we have in place all required by law technical and legal measures/ commitments.

Our partners (in the delivery of our service) consist of:

  • Amazon Web Services – for the hosting of our service on the Cloud in the U.S.;
  • Slack and Zoom – as a communication channel;

 

IMPORTANT NOTE:

If you are a Certified, your certification process includes your Explicit Consent for the Transfer of Personal Data/ Personal Information pertaining to you from China to our Data Centers in the European Union.

If you are a natural person being assessed or coached by a CERT or otherwise having enlisted towards Six Seconds, in doing so you are providing your Explicit Consent to the transfer of Personal Data pertaining to you form China to the SixSeconds.

You may, nevertheless, exercise your Rights under the law at any time; yet that may render the delivery of the Services not longer possible, hence lead to service termination.

 

Your Rights under the Law

You may exercise the following Rights where these apply to you (detailed by applicable local legislation):

[HIPAA] The right to receive a notice of privacy practices. Please refer to this Privacy Policy plus the information provided to you upon requesting your Explicit Consent to become a “Participant”.

[GDPR] Right of access. The right to obtain from us confirmation as to whether your Personal Data is being processed by us, and where that is the case, access to such Personal Data. To prevent violating your Privacy there may be the need to identify you prior to sharing the Personal Data with you.

[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:

  • Know the categories of personal information we collect and the categories of sources from which we got the information;
  • Know the business or commercial purposes for which we collect and share personal information;
  • Know the categories of third parties and other entities with whom we share personal information; and
  • Access the specific pieces of personal information we have collected about you.

 

[PIPL] Right of Access/ Consultation, Information and Transfer – Under the provisions of Article 45 of the PIPL, natural persons are entitled to consult or get a copy of Personal Data/ Personal Information pertaining to them which is under processing by a 3rd party entity, meaning Six Seconds (except as determined under the provisions of article 18 of the PIPL).

Where a natural person requests to consult or copy his/her personal information, Six Seconds provide such information in a timely manner, meaning as soon as possible and up to 30 days of the request date.

Where a natural person requests to transfer his/her personal information to another personal information processor designated by him/her, the personal information processor shall provide the means for such transfer in a secure manner, ensuring its confidentiality and security while in transfer plus observing applicable conditions prescribed by the Chinese  State Cyberspace Administration.

Additionally, and as determined under article 48 of the PIPL, natural persons whose Personal Data is under processing by SixSeconds are entitled to request clarification on the rules on the processing of personal information.

[GDPR] Right to rectification – you can ask for the update of inaccurate Personal Data pertaining to you. You may directly amend existing information while logged-in towards us or by submitting a request as herein defined ahead.

[PIPL] – Right to rectification – under the provisions of article 46 of the PIPL where natural persons to whom the Personal Data pertains to find that such data is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.

[GDPR] Right to erasure – you can ask us to erase your Personal Data, which will be done unless there is a legal obligation or Legitimate Interest from our side to maintain it.

[PIPL] Right to erasure – Under article 47 of the PIPL and the following circumstances, a SixSeconds shall delete personal information on its own initiative where the Processing is no longer required for the delivery of SixSeconds services or the retention period has elapsed. If SixSeconds has not deleted it, the natural person to whom the data pertains to shall have the right to request deletion:

(I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve;

(II) where the personal information processor stops providing products or services, or the agreed storage period has expired;

(III) where the individual withdraws his/her consent;

(IV) where the personal information processor processes personal information in violation of laws, administrative regulations, or the agreement; or (V) any other circumstance as prescribed by laws and administrative regulations.

Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, SixSeconds shall stop processing personal information other than storage and taking necessary security measures.

[CCPA] Right to deletion – again in a similar manner to what the GDPR rules, natural persons who reside in the state of California may ask us to delete their Personal Data.

[GDPR] The right to restrict processing – you may request of us to have in place specific processing restrictions. If you exercise this right make sure to explain which are those restrictions and the reason for the request and we will provide you a reply, either acknowledging your request or denying it and explaining why.

[GDPR] The right to object to processing – you may object to processing activities that occur under our Legitimate Interest, however we may refuse to comply if that means no longer being able to deliver our services.

[PIPL] Right to be informed and decided upon the Processing of Personal Data/ Personal Information – As defined under Article 44 of the PIPL, the natural person to whom the Personal Data pertains to, has the right to right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations.

[CCPA] Right to opt-out of sales – As previously informed we do not “sell “ Personal Data

[GDPR] Right to data portability – you may ask us to provide all the Personal Data that we have pertaining to you or just some that you specifically ask us for.

[GDPR] Right to be informed about a Personal Data Breach – in case of an incident that breaches your Privacy (in the sense that your Personal Data under Processing by us has been/ or even potentially has been exposed to unauthorized 3rd parties) you have the Right to be informed within 72 hours of such incident. 

[GDPR] Right to lodge a complaint with a supervisory authority – you have the right to lodge a complaint regarding our Processing activities over your Personal Data towards any of the EU Member States data protection Supervisory Authorities.

[CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against.

For any of the above-mentioned CCPA related rights, you may designate an authorized agent to submit a request on your behalf. In the request, you or your authorized agent must provide sufficient information for us to confirm the identity of such authorized agent as well as your own. We are also required to verify that your agent has been properly authorized to request information on your behalf and this may represent additional time to fulfill your request.

[PIPL] Rights of relatives – as determined under article 49 of the PIPL, In the event of the death of a natural person, his/her near relatives may, for their own lawful and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless the deceased had otherwise arranged before his/her death.

 

IMPORTANT NOTE:

Unless some of the herein above mentioned rights application is somehow constrained by local country legislation or requirements, SixSeconds always applies the highest standard in protection of the natural persons to whom the Data pertains to and are exercising the herein mentioned rights; this means that Chinese resident natural persons are not limited to exercising the rights defined under the PIPL, yet and additionally, all applicable rights defined under this Privacy Policy.

 

Exercising your Rights

You may exercise your Rights towards us by sending us an email to [email protected]

 

Final note

Our service includes links to other websites whose privacy practices may differ from our own. If you submit personal data to any of those sites, your information is governed by their privacy policies, hence we strongly encourage you to carefully read the privacy policy of any website you visit.