20 - 05 - 2021
The primary goal of Processing Personal Data is to identify authorized users (logged in users) of the FlavorWiki platform, so they can benefit from its functionalities as per their user profile’s credentials.
FlavorWiki (both as an organization and as each of its staff members) is perfectly aware of the fact that Personal Data may represent a risk towards you if accessed by unauthorized 3rd parties; and that is why a set of Policies, Operational Processes, and mechanisms (technological and human-based) has been developed, ensuring that the Personal Data entrusted by you to FlavorWiki will be maintained, handled and shared in a manner that warrants its Security, Accuracy, Confidentiality, and Privacy, hence assuring your Personal Data Protection.
Personal Data is exclusively Processed under the scope and purpose of agreed Services between FlavorWiki and the Data Subject who has enlisted as a “test subject”.
Each and every Data Subject maintains full control over the Personal Data that pertains to him/ her as well as the Personal Data Processing Activities undertaken by FlavorWiki (as defined under both the GDPR as Data Subject’s Rights and also the rights described under the CCPA).
* * * * *
The Data Controller
FlavorWiki DPO contacts
Mr. Rui Serrano
Country: Portugal, European Union
* * * * *
FLAVORWIKI Core Activity – Service Catalog and “Lawful Basis”
FlavorWiki renders a set of services towards other companies as well as natural persons, which successful completion requires “Personal Data Processing Activities”.
Under this scope, FlavorWiki’s Service Catalog comprises the following services and the applicable “Legal Basis” for processing Personal Data (respectively), meaning how FlavorWiki is permitted by law to process “Personal Data” under the scope of such services:
FlavorWiki, in general, does not directly reach out to natural persons with whom it has no established relationship (although it could do so under the GDPR Article 14); the way in which FlavorWiki reaches out to prospects (individuals who may be interested in its Services Portfolio), consists of publishing information on Social Media platforms about its services. Those prospects who are members of such platforms and become interested in the posted message may click on the links made available which will lead them to one of FlavorWiki’s website landing pages.
Nevertheless, the “Legal Basis” for reaching out to prospects, including directly while strictly observing GDPR Article 14, consists of Legitimate Interest.
This is the service towards Data Subjects, where people may join FlavorWiki to participate with their feedback on several “Experience Testimonial” projects that range from Flavor Tests towards food and beverage products, to usage experience of other types of products or even services (customer satisfaction).
The Legal Basis in the case of this service consists of “Explicit Consent”.
The Data Subjects (also referred to as “Test Subjects” under the scope of FlavorWiki’s services) adhere of their own free will, having understood the context, purpose, and scope of this service (and inherent “Personal Data Processing Activities”) while providing their Consent to it.
In this case, the applicable Legal Basis for the Processing of Personal Data by FlavorWiki consists of the fulfillment of contractual obligations, since it plays the role of a “Processor” (as defined under the GDPR), while its Corporate Client assumes the “Controller” role by operating the platform features and functionalities.
In the case of “Experience Testimonials” as a Service, the Controller (Corporate Client) is the sole responsible entity for ensuring that the Data Subject is fully aware and informed of the Personal Data Processing scope, context, and purpose, including the service components enabled by FlavorWiki’s platform, and that there is a documented Legal Basis in place from its side towards the Data Subject.
Besides allowing its Corporate Clients to conduct their own “Experience Testimonials” over FlavorWiki’s platform as a Service, the company also provides this service on its own towards Corporate Clients.
In this case, the Corporate Client is still the Controller, for it is the one entity that establishes the tests that shall run addressing what products or services and towards what type of Customers (Data Subjects).
Notwithstanding what has been mentioned above, in this specific case, FlavorWiki is the party under a Services Contract (with its Corporate Client) which directly addresses the Data Subjects and Processes their Personal Data. Under this Service scope, no Personal Data is shared by FlavorWiki with its Corporate Client, merely anonymized Data.
FlavorWiki’s Legal Basis for Processing Personal Data under this specific service consists of Explicit Consent from the Data Subjects, making FlavorWiki the sole Controller.
FlavorWiki sends out information towards its registered “Test Subjects” (meaning those Data Subjects who have participated or have enlisted to participate in “Experience Testimonials”) under the Legal Basis of Legitimate Interest that derives from the fact that those individuals have demonstrated interest to participate in such “Experience Testimonials”, hence are interested to know which “Experience Testimonials” are available as well as related information.
Nevertheless, those Data Subjects may opt-out from this information service at any time by requesting it towards FlavorWiki while exercising their Rights under either the GDPR or CCPA (as applicable).
* * * * *
WHAT “Personal Data” is subject to Processing by FlavorWiki
In the case of FlavorWiki “Direct Experience Testimonials” service the following categories of Personal Data will be directly processed:
The univocal identification and documentation of the “Data Subject”
FlavorWiki adherent “Test Subjects” will be registered on FlavorWiki digital platform, therefore having a Login which enables their univocal identification and authentication towards the Service.
In those cases where “Data Subjects” who may interact with FlavorWiki cannot be identified through their Login, FlavorWiki will resort to a two-factor authentication consisting of sending/ receiving messages that imply some action or permission/ objection to “Personal Data Processing Activities” by e-mail and having it confirmed with a unique individual code that was conveyed to those “Data Subjects” by SMS to their mobile phones.
* * * * *
WHAT Treatment occurs over “Personal Data”
As previously mentioned, although in general FlavorWiki exclusively gathers the Personal Data directly from the Data Subjects themselves, when they reach out to FlavorWiki via the Social Media published Links, it may happen that FlavorWiki gathers a minimum amount of “Personal Data” that enables to entice contact with a “Data Subject” from a 3rd party source.
In such case the type of “Personal Data” collected consists of basic minimum Contact and Location Data as well as Personal Information that is relevant to decide who will be contacted, namely (yet not exclusively):
Where “Personal Data” was collected from a 3rd party (including “public sources”), FlavorWiki will act as per “GDPR” Article 14 ruling, meaning the “Data Subject” will be contacted and informed about which type of “Personal Data” was gathered by FlavorWiki, for which purpose and from which source and the “Data Subject” will be requested to provide his/ her Explicit Consent towards “Personal Data” Processing under the conveyed service scope.
If the “Data Subject” either does not reply within 28 days or his/ her answer is of not consenting towards FlavorWiki Processing his/ her “Personal Data”, FlavorWiki shall erase the “Personal Data” which has been collected about that “Data Subject”.
To prevent further contact within the same scope, the “Data Subject’s” Name and e-mail address will be “blacklisted” (therefore maintained by FlavorWiki) on a dedicated repository that is accessible to relevant internal Departments only.
Detailed and extensive amounts of “Personal Data” that is vital for rendering FlavorWiki services will exclusively be collected either directly towards the “Data Subjects” themselves or through 3rd party entities having the “Data Subject” fully informed of such collection process and once he/ she has provided his/ her explicit consent to it.
FlavorWiki does not profile “Data Subjects” without their knowledge and consent, least of all from public platforms such as Social Media or “Affiliate” entities’ information repositories.
When a Data Subject visits FlavorWiki’s websites, session cookie files are either placed on his/ her browser device, or the website reads such already existing files.
FlavorWiki exclusively uses those cookies that record information about the “IT architecture and Landscape” of the device being used by the visitor (e.g. browser; browsing preferences; other…) however, without identifying that visitor personally (as a Data Subject).
This information, except for IP addresses, is never combined with the data pertaining to either “Prospect Customers” or “Customers”, thus not leading to the identification and habits “profiling” of any particular Data Subject.
IP addresses are exclusively cross-referenced with other data for the purpose of safekeeping the company from fraud attempts plus with regards to “Customers” documenting operations by (1) verifying the identity of a person signing in, and (2) making records of your consent and other legally binding actions (Legitimate Interest).
The IP address is also used (while segregated) for the purposes of web analytics (via Google Analytics).
For detailed information about cookies in use and similar employed technologies please refer to the Cookies Policy.
FlavorWiki is a Digital company, which means that the overwhelming amount of Data and information the company requires to operate is exclusively maintained under Digital format on its IT Systems.
Paper is used exclusively either for short periods of time and once no longer required properly disposed of (shredders) or if mandatory under any accessory local legal requirement which implies having “Personal Data” printed and stored.
FlavorWiki Service “IT Landscape” consists of a core dedicated Service Platform for “Experience Testimonials” registry, that is segregated between FlavorWiki’s direct Services and all the other Corporate Clients which use it as a Service. In the latter case, each Corporate Client “work area” is also fully segregated to ensure Data Security, Confidentiality and the Data Subject’s privacy.
Personal Data Processing by FlavorWiki requires the contribution of some Partners that deliver part of the Service and with which only the minimum amount of Personal Data that is mandatory for those service components to be delivered shall be shared, namely:
FlavorWiki acts as the Controller and these “Partners” as “Processors”, meaning they will not undergo any “Personal Data Processing Activities” towards information registered, submitted, or conveyed by FlavorWiki unless under the scope of contracted services and that is agreed and documented under an existing Data Processing Agreement (DPA) between the parties; a mutual commitment towards observing the ruling of applicable Personal Data Protection Legislation.
“Personal Data Processing Activities”, in specifics Processing Consists of:
Processing activities (as well as storing) on FlavorWiki’s side occur in the EU.
A portion of FlavorWiki’s “IT Landscape” is Cloud-based, therefore tools and services are either hosted or enabled by 3rd parties (“Partners”) and “Personal Data” is shared with those entities, not in the sense that they will change it or process it but that they will either store it or have their software processing it with FlavorWiki users logged.
The existing Data Processing Agreements with these types of “Partners” rule that these companies may not copy, use or process “Personal Data” “submitted” by FlavorWiki unless to enable FlavorWiki with storage or processing results that derive from the services rendered by FlavorWiki under defined “Legal Basis” towards the “Data Subjects”.
Yet (as previously mentioned) another set of “Partners” actively processes “Personal Data” submitted by FlavorWiki within the scope of complementary specific services that are part of FlavorWiki’s overall Service Catalog. These companies have agreed under a DPA to exclusively process “Personal Data” “enabled” by FlavorWiki as per FlavorWiki definitions and not to share or make it available to any third parties which do not play the role of “Sub-processors” within the scope of those shared services.
In both cases, the DPAs also gather mutual commitment (from FlavorWiki and its “Partners”) to ensure that their “Sub-processors” will act in strict observance of “GDPR”.
If some products from our Corporate Clients have to be delivered to “Test Subjects”, FlavorWiki may share with logistics operators or the post office the minimum amount of Personal Data that allows the delivery of such products to those Data Subjects.
Last, FlavorWiki (as any company) and under specific circumstances may be bound by local legislation to share or make available some “Personal Data” to legal/ government authorities (as an example we have the case of invoices).
The Principle of Data Minimization
FlavorWiki takes every reasonable step to ensure that Personal Data under its direct Processing activities (as the Controller) is absolutely limited to the amount and type that is necessary to deliver its Services towards its Customers and Corporate Clients as it has been agreed by those, either via Consent or a Contract, and is not maintained over redundant repositories nor for any longer than required under the scope of agreed services.
However, Customers and Corporate Clients alike will act also as Joint Controllers and the same is not “arguable” by FlavorWiki with regards to those for it solely depends on their Personal Data Processing “scope” and “purpose”.
* * * * *
International Data Transfers
Some of FlavorWiki’s partners (Processors or Controllers) are established in 3rd countries (meaning not the EU Member States nor within the European Economic Area), as well as FlavorWiki itself; therefore not enjoying an adequacy qualification by the European Commission pursuant to GDPR Article 45 ruling.
To make such transfers fully compliant with the GDPR, the Data Processing Agreements with those partners include the EU Standard Contractual Clauses in accordance with the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council and the European Court of Justice decision of July 16th, 2020 that renders the Privacy Shield not applicable and rules instead to solely use the Standard Contractual Clauses.
And, more relevant, FlavorWiki both ensures that internal Security Measures and Processes are in place and performs a detailed assessment regarding such partners.
* * * * *
HOW is “Personal Data” Security, Privacy and Confidentiality assured
FlavorWiki has its “IT Landscape” configured and monitored under the strictest Security market standards and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under “GDPR” towards “Personal Data” Protection. This means to assure its Confidentiality and Privacy while under “Personal Data Processing Activities” performed by itself and its “Partners” within the scope of FlavorWiki rendered services.
* * * * *
For HOW LONG is “Personal Data” maintained
Data retention is one major potential risk generator towards “Personal Data”, since having the Data available means it may be accessed if a “Personal Data Breach” occurs.
FlavorWiki has set the Data Retention periods according to its services’ lifecycle, so that on the one hand the company will not hold on to “Personal Data” for any day longer than is effectively necessary and on the other hand the risk of having needed information deleted prior to the end of its lifecycle within FlavorWiki Service Catalog scope and commitment is minimized.
This means, in the case of FlavorWiki’s platform as a Service component, where its Corporate Clients will use the platform on their own, that in case the contract ends or the service comes to an end, FlavorWiki will allow a 1 month period for the Corporate Client to withdraw all of the Data and Information stored under its segregated repository and then FlavorWiki will erase the Data contained on such repository.
In the case of FlavorWiki direct service, and besides the fact that each Data Subject is entitled to request the erasure of his/ her Personal Data as per defined under GDPR, where a Data Subject has not participated in the “Experience Testimonial” for over 6 months and after FlavorWiki has attempted contact with him/ her for the period of two calendar weeks by the contacts available to FlavorWiki, the Data Subject’s Personal Data shall be erased.
* * * * *
HOW to exercise “Data Subjects’” rights
Those Data subjects who are individual Customers may exercise their Rights directly towards FlavorWiki however, those who are staff members from FlavorWiki Corporate Clients must address those companies to exercise their rights towards FlavorWiki.
Under the GDPR, the Data Subject has the following set of established rights:
[GDPR] Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. FlavorWiki will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may exercise this right by reviewing information on FlavorWiki’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not FlavorWiki Customers.
[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:
[GDPR] Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Customers may directly amend existing information on FlavorWiki’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not FlavorWiki Customers.
[GDPR] Right to erasure. The right to have Personal Data pertaining to him/ her that is under Processing by FlavorWiki erased and therefore Processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents FlavorWiki from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[CCPA] Right to deletion – again in a similar manner to what the GDPR rules, natural persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/ information.
We may refuse the exercise of such right if it prevents us from exercising legal defense, we cannot do it driven from a legal obligation or there is the risk of by doing so, not being able to fulfill any open contractual obligations.
[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to him/ her. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
[CCPA] Right to opt out of sales – We do not “sell” your data.
[GDPR] Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. FlavorWiki will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on FlavorWiki’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not FlavorWiki Customers.
[GDPR] Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of its occurrence.
[GDPR] Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding FlavorWiki’s Processing activities over his/ her Personal Data towards any of the EU Member States data protection Supervisory Authorities. FlavorWiki is however also available to provide any clarification towards those Data Subjects who may feel that its Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. Data Subjects may submit a complaint via the request process as per herein defined ahead.
[CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against. We are, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data.
For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent must provide information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfill your request.
We will use the information you provide to make your CCPA rights requests to verify your identity, identify the personal information we may hold about you, and act upon your request.
We strongly recommend that you submit the email and postal address that you used when you created accounts, ordered subscriptions, or signed up for a newsletter. After you submit a CCPA rights request you will be required to verify access to the email address you submitted. You will receive an email with a follow-up link to complete your email verification process. You are required to verify your email in order for us to proceed with your CCPA rights request. Please check your spam or junk folder in case you can’t see the verification email in your inbox.
Any “Data Subject” may exercise his/ her rights under “GDPR” by reaching out to FlavorWiki’s “DPO” through the e-mail address dataprivacy@FlavorWiki.com.
If you have any questions, complaints or wish to exercise your rights under “GDPR”, please do make clear on your message:
Why the need to provide alternative personal contact?
Under “GDPR” only the “Data Subject” may exercise his/ her rights, hence companies must ensure and document that the “Data Subject” or his/ her legal representatives are the ones interacting with the company while acting over his/ her “Personal Data”. The way to ensure such “authentication” with regards to “Data Subjects” who do not have digital credentials on any FlavorWiki web-based platforms is to forward a code to that “Data Subject” via an alternative communication channel to the standard e-mail address which served the purpose of the initial contact and to have a code generated by FlavorWiki included on all messages that pertain to the exercise of “Data Subjects’” rights or actions over such “Data Subject’s” “Personal Data”.
* * * * *
“Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with each Party. Whereas “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.
“Controller” means the “Party” which determines the “Personal Data” which is forwarded to the other “Party” under the “Services” scope, and the inherent “Personal Data Treatment” purposes, processes and/ or workflows which must be observed by the other “Party” within the mutual relationship.
“Data Protection Officer”/ “DPO” means the natural person within a company who bears the responsibility of ensuring corporate compliance towards “GDPR” (as per defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with “GDPR” rules, guidelines and requirements.
“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.
“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”. Please check the item below under the title “HOW to exercise Data Subjects’ rights”
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data Treatment” and on the free movement of such data, while repealing and replacing the Directive 95/46/EC from May 25th, 2018 onwards.
“IT Landscape” means the set of IT assets and services of and at the disposal of each “Party” that enables their “Personal Data Treatment” operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.
“Legal Basis” means the enlisted lawful grounds that a company has to entice “Personal Data Treatment” activities under “GDPR”, namely (but not limited to) having documented: the “Data Subject’s” Explicit Consent towards “Personal Data Treatment” activities; the company Legitimate Interest in proceeding with “Personal Data Treatment” activities; accessory legal obligations that the company must observe and which entitle it to proceed with “Personal Data Processing Activities” within the limits of such ruling and inherent obligations; other as per defined under “GDPR”.
“Partner” means any 3rd party entity towards which each “Party” may resort in order to ensure “Personal Data Processing Activities” under a “Legal Basis” (as established by “GDPR”) and within the scope of agreed “Services”.
“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify one given natural person, the “Data Subject”.
“Personal Data Processing Activities” means any operation or set of operations which is performed upon “Personal Data”, whether or not by automated means, such as collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.
“Processor” means the entity which proceeds with authorized “Personal Data Processing Activities” (under this DPA and the “Agreement”) on behalf of the “Controller”.
“Service Catalog” means the set of Services rendered by FlavorWiki that requires “Personal Data Processing Activities”.
“Sub-processor” means any “Processor” engaged by any of the “Parties” which performs complementary “Personal Data Processing Activities” within the scope of the “Services”.
* * * * *
If You have any questions or complaints about this Policy, please contact Us at:
P: +1 (910) 722 1560 (U.S.) or +41 79 137 2228 (outside U.S.)