General Data Protection Regulation (GDPR)

Overview

Bevy takes privacy seriously and is committed to complying with privacy and data protection laws. 

The EU GDPR is a comprehensive data protection law that governs the processing of personal data of individuals who are in the European Economic Area (EEA). Following Brexit, the majority of the EU GDPR has been saved into domestic law by virtue of the European Union (Withdrawal) Act 2018 (Section 3). It is now the "UK GDPR" (along with an amended version of the Data Protection Act 2018) which governs data protection in the UK. In addition, Switzerland has its own data protection law, the Swiss Federal Data Protection Act and its corresponding ordinance. 

This notice focuses on providing a general overview of Bevy's implemented measures to comply with the EU/UK GDPR (here referred to collectively as the GDPR). Personal data, as defined under the GDPR, includes any information relating to an identified or identifiable individual, which includes information like names, email addresses and phone numbers, location data or online identifiers, among others.

Bevy's Role under the GDPR

The GDPR distinguishes between "controllers" and "processors". The difference between these roles is important, because each has different responsibilities. In simple terms, a "controller" makes decisions about personal data –it decides "how" and "why" data is processed. By contrast, a "processor" only processes personal data on behalf of a controller –it is generally a service provider and only uses the data as instructed by its controller.

In some situations, Bevy may act as a controller under the GDPR. For example, if you sign up to attend an event via the CMX Website, we may be a controller with respect to the personal data you share with us.

In other situations, Bevy may act as a processor. For example, if a customer contracts with Bevy for access to the Bevy Service and shares personal data with Bevy, the company may be the controller with respect to such data and Bevy may be a processor. This means that Bevy, in addition to complying with its customers' processing instructions, needs to comply with the legal obligations that apply to processors under the GDPR.

Transparency

The GDPR mandates that personal data must be processed in a transparent manner and, accordingly, imposes some specific disclosure requirements. Where we act as a controller, our privacy policy explains how we collect and process personal data and includes the necessary GDPR disclosures. You can read our privacy policy here.

Individual's Rights

Individuals are entitled to certain rights under the GDPR. These include, for example, the rights to access, correct and delete their personal data, and to restrict or object to processing of their personal data.

As a matter of law, these rights can only be exercised against controllers rather than processors. Accordingly, we have an approach in place to handle data subject rights requests made to Bevy, whether in its capacity as a controller (where we handle the requests directly) or a processor (where we will refer the request back to our customer, the controller).

Security

The GDPR requires that controllers and processors implement appropriate technical and organisational measures to protect personal data. These measures must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals.

Bevy has put in place a number of robust security measures to protect personal data. These include:

  • Encrypting data in transit and at rest and implementing strong access controls.
  • Developing our platform using best practices from security industry frameworks and adhering to rigorous security standards (SOC 2 and ISO 27001:2013 certification)

You can read more about our security practices here.

Customer Data Processing Addendum

Where we process personal data on behalf of our customers and we act as a processor, we make a Data Processing Addendum (DPA) available as part of the contracting process. Our DPA contains the required provisions under the GDPR.

Sub-Processors

Where we act as a processor, we require appropriate security due diligence to ensure that our customers' information remains protected. As such, sub-processors are part of our overall risk management process and vendor risk assessments occur at a minimum prior to vendor selection, upon relevant changes (such as our own requirements or noteworthy changes in their security posture) or annually.

You can find a list of our sub-processors in our DPA.

International Data Transfers

The EU GDPR places restrictions on the transfer of personal data outside the European Economic Area (EEA) to non-EEA recipients unless an adequacy decision or appropriate transfer mechanisms are in place. This requirement may apply where, for example, we receive information from a customer based in the EEA and the customer's information is stored on our US servers.

Where we are party to a transfer of personal information originating in the EEA, the UK (and Gibraltar) and Switzerland to third countries and territories which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” and “adequacy regulations” from the European Commission, Swiss and UK authorities. This includes relying on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

Where the transfer is not or cannot be subject to an adequacy decision, we take appropriate safeguards to ensure that your personal information will remain protected in accordance with applicable laws. These safeguards include implementing the European Commission’s Standard Contractual Clauses as issued on 4 June 2021 under Article 46(2) GDPR for transfers originating in the EEA and Switzerland; and the UK Addendum under Article 46(2) of the UK GDPR for the transfer of data originating in the UK.

Our Standard Contractual Clauses entered into by our group companies and with our third-party service providers and partners can be provided upon request. Please note that some sensitive commercial information will be redacted.

EU-U.S. Data Privacy Framework, UK Extension and Swiss-U.S. Data Privacy Framework

Bevy Labs, Inc. has certified to the U.S. Department of Commerce that it adheres to : (i) the EU-U.S. Data Privacy Framework Principles with regards to the processing  of personal information received from the EEA in reliance on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), (ii) the UK Extension to the EU-U.S. DPF with regards to the processing of personal information received from the UK (and Gibraltar), and (iii) the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) with regards to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF.  The Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

You can learn more about the DPF program and view our certification here.

Other measures

We have also taken steps to ensure that our contracts with vendors incorporate the terms required by the GDPR and an appropriate data transfer mechanism, as well as implemented internal data protection policies to address GDPR requirements.

Further information

Please reach out to privacy@bevy.com with further questions and/or feedback.