European Data Privacy Addendum

Last Updated May 25, 2018

PURPOSE FOR ADDENDUM

This European Data Privacy Addendum, including any future modifications (the "Addendum"), forms a material part of O’Neil’s Privacy Policy and applies to any “personal data” (as defined under the GDPR) that we may “process” (as defined under the GDPR) through your use of the Services, whether as a guest or a registered user. The purpose of this Addendum is to briefly describe: 1) your rights under the GDPR; 2) the legal bases that support O’Neil’s processing activities; and 3) whether any automated processing methods are used for processing your personal data.

YOUR RIGHTS AS A EUROPEAN DATA SUBJECT

The GDPR provides “data subjects” (essentially natural persons that are the subject of personal data and are residents of the EU) with a wide array of rights related to data privacy. If you are a direct customer of 
O’Neil, O’Neil is considered to be a “data controller” under the GDPR with respect to its processing of your personal data. A data controller is essentially a person or organization that can determine how and why your personal data is processed and is responsible for ensuring that you are able to exercise certain privacy rights. Although O’Neil’s affiliates, service providers, and business partners will also collect and process your personal data, as described in the Privacy Policy, O’Neil will always be the data controller with respect to such processing.

O’Neil also acts as a “data processor” to process personal data on behalf of certain of its clients. If O’Neil is processing your personal data as a data processor, it is only allowed to process your information in accordance with the instructions it receives from the data controller that you have a relationship with (e.g., a company that you do business with).

If you wish to exercise any of the rights detailed below, please send an e-mail sufficiently detailing such request to: Privacy@daicompanies.com. Please note that if we receive a request from you to exercise your rights, O’Neil has the right to have you take reasonable steps to confirm your identity, including your residency within the EU.

RIGHT TO TRANSPARENT COMMUNICATION

You are entitled to a receive information from O’Neil regarding its collection and processing of your personal data. All such information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Such information has been provided by O’Neil in its Privacy Policy (available at: https://www.oneildata.com/privacy-policy/), as it is amended from time to time.

RIGHT TO ACCESS BASIC INFORMATION

You have the right to obtain confirmation from O’Neil as to how your personal data are being processed, including the following information:

You may also request to receive an electronic copy of your personal data that are processed by O’Neil. O’Neil is required to provide any requested information within one (1) month of receiving an access request. However, if O’Neil receives a large numbers of requests, or especially complex requests, this time limit may be extended by a maximum of two (2) further months as long as O’Neil provides you with an explanation for the delay within the original one (1) month timeframe. If O’Neil fails to meet these deadlines, you may complain to the relevant Data Protection Authority (explained below) and may be able to seek a judicial remedy in the relevant EU Member State’s court system.

RIGHT TO DATA PORTABILITY

You have the right to transfer your personal data between data controllers (e.g., to move account details from one online platform to another). Specifically, you have the right to:

Please note that any inferred or derived data (data derived through use of analytical processes) do not fall within the right to data portability, because such data are not provided by you. Additionally, O’Neil is not obliged to retain personal data for longer than is otherwise necessary simply to service a potential data portability request.

RIGHT TO RECTIFY INFORMATION

O’Neil is required to ensure that inaccurate or incomplete data are erased or corrected. You have the right to request O’Neil correct or erase personal data that you believe to be inaccurate or incomplete.

RIGHT TO WITHDRAW CONSENT

Your consent can provide a lawful basis for O’Neil to process your personal data and/or transfer your data internationally. However, you have the right to withdraw such consent. However, please note that other lawful bases may apply to the processing or transfer of your data.

RIGHT TO ERASURE/RIGHT TO BE FORGOTTEN

Under the GDPR, in certain circumstances, you may have the right to have O’Neil erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing your data upon your request. This right is commonly referred to as the “right of data erasure” or “the right to be forgotten.” You have the right to erasure of your personal data if:

RIGHT TO OBJECT TO PROCESSING PERSONAL DATA FOR PUBLIC OR LEGITIMATE INTERESTS

Where your personal data are processed on the bases of "public interests" or "legitimate interests", those bases are not absolute and you may have a right to object to such processing. If you object, such processing must cease unless it either: 1) demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms; or 2) requires the data in order to establish, exercise, or defend legal rights.

RIGHT TO OBJECT TO PROCESSING FOR THE PURPOSES OF DIRECT MARKETING

You have the right to object to the processing of your personal data for the purposes of receiving direct marketing (including “profiling” activities as detailed further below).

RIGHT TO OBJECT TO PROCESSING FOR SCIENTIFIC, HISTORICAL OR STATISTICAL PURPOSES

Where your personal data are processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

RIGHT TO NOT BE EVALUATED SOLELY ON THE BASIS OF AUTOMATED DECISION-MAKING PROCESSES

Subject to certain exceptions detailed below, you generally have the right to not have any decisions made about you that are based solely on “automated decision-making” processes. An automated decision-making process involves using automated processing activities (activities that do not use human intervention) to make a decision about you that will materially affect you (i.e., a decision that would produce “legal effects” or otherwise have a similar “significant effect”). A legal effect is something that will affect your legal rights, such as your freedom to associate with others, vote in an election, or take legal action. A legal effect could also be something that affects your legal status or rights under a contract, e.g., something that could lead to cancellation of a contract. For data processing to have a significant effect, the effects of the processing must be sufficiently great or important to be worthy of attention. In other words, the decision must have the potential to: significantly affect your circumstances, behavior, or choices; have a prolonged or permanent impact; or at its most extreme, lead to exclusion or discrimination. Please note that if a human being reviews and takes other factors into account in making a final decision, that decision is not considered to be “based solely” on automated processing.

In general, the use of automated decision-making processes are permitted where:

If a data controller is making decisions based on any automated decision-making processes, you are entitled to a description of what portions of the decision-making will be automated, reasons why automation is logical, and the significance and consequences behind the decision to automate the processing. O’Neil does not currently utilize any automated decision-making processes that will materially affect you.

RIGHT TO RESTRICT PROCESSING

In some circumstances, you may be entitled to limit the purposes for which your personal data may be processed. Specifically, you have the right to restrict the processing of your personal data if:

FEES FOR REQUESTS

O’Neil is required to give effect to your rights of access, rectification, erasure, and the right to object free of charge. However, O’Neil may charge a reasonable fee for repetitive requests, unfounded or excessive requests, or further copies beyond the initial copy provided.

RIGHT TO MAKE A COMPLAINT TO THE RELEVANT DPA

Data Protection Authorities (“DPAs”) are the regulatory authorities responsible for monitoring and enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR, and bring legal proceedings where necessary. If you believe that your rights have been infringed by O’Neil, you have the right to ask O’Neil to remedy the situation. If you believe you have not received an adequate response from O’Neil, you may file a complaint with the relevant DPA (either the DPA for the EU Member State in which you live or work or the Member State in which the alleged infringement occurred). A list of DPAs may be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 (current as of April 2018).

O’NEIL’S LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA AS A DATA CONTROLLER

Under the GDPR, in order to process your personal data, data controllers are required to identify a legal basis (or bases) for their processing activities. O’Neil’s legal bases for processing your personal data when it is acting as a data controller are as described below.

CONSENT

O’Neil is permitted to process your personal data to the extent you have given consent for O’Neil to perform processing activities. Please note that your consent to processing can be revoked at any time (though there may be other applicable legal bases that may justify ongoing processing of your personal data). Your consent may be revoked by sending an email to: Privacy@daicompanies.com.

CONTRACTUAL NECESSITY

O’Neil is permitted to process your personal data to the extent the Processing is necessary:

In order for you to be able to access the Services, it is critical that O’Neil be able to process your personal data. Without being able to process your personal data, including your payment information, O’Neil would be unable to provide the Services to you.

LEGITIMATE INTERESTS

O’Neil is permitted to process your personal data to the extent the processing is necessary for the purposes of legitimate interests pursued by O’Neil or a third party (“legitimate interests”), except where those legitimate interests are overridden by your interests, fundamental rights, or freedoms. In order to establish that O’Neil has a legitimate interest in processing your information, it will complete a Legitimate Interest Assessment Form (“LIA Form”) to ensure that there is adequate consideration and accountability for the decision to conduct the processing. The LIA Form is intended to: 1) assess whether a legitimate interest exists; 2) establish the necessity of the processing; and 3) perform a balancing test to ensure that a particular processing operation does not cause undue interference with your interests, rights, or freedoms. You have the right to object to O’Neil’s processing of your personal data on the basis of legitimate interests; if you wish to raise such an objection, please send an email detailing your objection to Privacy@daicompanies.com. O’Neil’s identified legitimate interests for processing your personal data include:

BINDING LEGAL OR REGULATORY OBLIGATIONS

O’Neil is permitted to process your personal data where it has a binding legal or regulatory obligation to perform the processing to stay in compliance with applicable laws or regulations (e.g., tax reporting purposes). Other examples could include where O’Neil or one of its affiliates is required to respond to a court order, subpoena, or law enforcement agency request, to prevent fraud or abuse, or to protect the safety of individuals. Were O’Neil not able to process your personal data for such purposes, O'Neil could be subject to fines, penalties, and/or civil or criminal liability.

INTERNATIONAL DATA TRANSFERS

If you access the Services from the EU, you are voluntarily transmitting your personal data to the United States so that O’Neil can conduct certain processing activities as identified in the Privacy Policy. Your data will also be processed by certain third party data processors located in the United States (including O’Neil’s affiliated entities, business partners, and service providers). O’Neil shall ensure that any transfers made between itself and any data processors are made with appropriate safeguards in place to protect the information from unauthorized uses or disclosures to the extent reasonably possible. For processors that process your personal data on O’Neil’s behalf, and will then transfer data to the United States or another jurisdiction that is not deemed to have adequate safeguards, O’Neil shall ensure that appropriate safeguards (e.g., “Standard Contractual Clauses”), are in place between O’Neil and the processor. Standard Contractual Clauses are a set of standard data protection clauses approved by the European Commission (“EC”) as an appropriate safeguard for protecting personal data when personal data are transferred internationally. The applicable Standard Contractual Clauses may be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=EN.

PERSONAL DATA OF DATA SUBJECTS UNDER THE AGE OF SIXTEEN (16)

The Services are for a general audience and are not targeted to data subjects under the age of sixteen (16).  O’Neil and its affiliates do not knowingly process personal data from EU residents under the age of sixteen (16) without parental consent. If such a situation is discovered, we will delete that information immediately. If you believe O’Neil has any information from an EU resident under the age of sixteen, please contact us at askinvestorshelp.zendesk.com.