Odro Ltd - GDPR & Privacy Policy


How we jointly process data about candidates and clients with Recruitment Agencies

Last Updated: October 12, 2018

Data Protection Officer: Mark Beeby (support@odro.co.uk)

This policy sets out how we process Personal information about Data Subjects to produce Content for Viewers, provided to us by Account Owners and Users, where they are defined as below:

“Odro Ltd” - Provider of Odro Properties, acting as Joint Data Processor under GDPR definitions.

“Odro Properties” - In this context Odro Properties refers specifically to the website meet.odro.co.uk, including all Odro Ltd owned domains and subdomains which redirect or otherwise render this website.

“Account Owner” - the company which is a licence holder of Odro properties.

“User” - a direct or indirect employee of the Account Owner, who provides personal information about the data subject, and controls access to it

“Data Subject” - a party with whom the User engages with on the platform, but does not have access to data stored on the Account Owner’s platform, except their own, and is not a direct or indirect employee of the Account Owner.

“Viewer” - any party reviewing information such as recordings of the Data Subject, submitted to them by a User.

“Content” - any Personal information processed by Odro Ltd and rendered in a viewable format

Odro Ltd respects the Account Owner’s privacy, and the information of any Data Subjects that Account Owners or Users ask us to process on their behalf, and is committed to protecting it through our compliance with this privacy policy (“Privacy Policy”).

Please read this Policy carefully to understand how Odro Ltd uses and protects the information collected from Users, Data Subjects and Viewers within Odro Properties.

This Policy applies to information collected by Odro Ltd through Odro Properties, any Odro computer software downloadable or otherwise available from the Odro Properties ("Odro Software") and any Odro services purchased or otherwise made available from the Odro Properties ("Odro Services").

Odro Ltd complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). For Data Subjects, Odro Ltd and the Account Owner act as Joint Data Processors, and the Account Owner is considered the Data Controller.

For all data matters pertaining to Users and Account Owners such as payment information, Odro Ltd is the Data Controller and Data Processor. For more information on this, please see Odro Account Owner and User privacy policy within the administration section of Odro Properties.

This Privacy Policy does not apply to the practices of any third party websites, applications or services that Odro Ltd does not own or maintain (collectively, “Third Party Services”) or to any third parties that use the Odro Application Programming Interface (API) to perform any function related to the Odro Properties (“Integrated Platforms”). In particular, this Privacy Policy does not cover any information or other content you can view via the Odro Properties on Integrated Platforms or information you provide to Third Party Services accessed via the Odro Properties. As further detailed below, we cannot take responsibility for the content or privacy policies of any Third Party Services.

If you are a Viewer we encourage you to carefully review the privacy policies of the Account Owner and User whose Content you view, and the privacy policies of any Integrated Platforms or Third Party Services used by such User which you may access via the Odro Properties. This Privacy Policy details standard policies with regard to privacy of data; however, Odro Ltd does offer some level of configuration to account owners ("Account Owners"). This Privacy Policy is written in a context from which the Account Owner refers to "Odro Ltd"; however, this Account Owner may change on other areas of the Odro Properties.

This Privacy Policy also does not cover any information, recorded in any form, about more than one individual where the identity of the individuals is not known (non-personally identifiable information, referred to as non-PII hereafter) and cannot be inferred from the information (“Aggregated Information”). Odro Ltd retains the right to use Aggregated Information in any way that it reasonably determines is appropriate.

By using a Service or otherwise providing us with your Personal Information (as defined below), you are accepting the practices described in this Privacy Policy, as they may be amended by us from time to time, and agreeing to our collection and use of your information in accordance with this Privacy Policy. If you do not agree to the collection, use and disclosure of your information in this way, please do not use any of the Odro Properties or provide Odro Ltd with personal information.

The Data We Collect

Odro Ltd collects only the information required to provide products and services to Account Owners, Users, Data Subjects and Viewers. The amount of information provided to, and collected by Odro, depends on the circumstances.

Odro Ltd may collect two (2) types of information about Data Subjects, Users, Account Owners and Viewers: Personal and Non-Personal.

“Personal Information.” Personal Information means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

“Non-Personal Information.” Non-Personal Information refers to information that, by itself, does not identify you as a specific individual (e.g. demographic information or website visitations). Odro Ltd may collect Non-Personal Information through any of the methods discussed above as well as automatically through use of industry standard technologies described further below.

Odro Ltd does not automatically collect Personal Information about Data Subjects; we do, however, allow Account Owners and Users to provide us with Personal information about Data Subjects, to process on their behalf. We collect this information in the form of recorded content, free text boxes and document uploads.

How Odro Collects Your Information

Collection of Personal information takes place when information about Data Subjects is provided to us by Account Owners and Users. This is the most common type of information processed by Odro Ltd in our role as Joint Data Processor and we do so under legitimate business interest.

Examples of Personal information that may be collected about Data Subjects and processed, only when provided to us, are below:

1. Full name
2. Registered address
3. Date of birth
4. Email addresses
5. Telephone contact numbers
6. Website address
7. Professional profiles available in the public domain, e.g. LinkedIn, Twitter or Facebook
8. CV or Resume
9. Skillset
10. Current employer / client
11. Passport / visa details
12. Current salary / employment conditions
13. Desired salary / employment conditions
14. Further employment related documentation

We also collect non-personal information about Users, Data Subjects and Viewers. Odro Ltd automatically collects and receives certain information from your computer or mobile device, including the activities you perform on the Odro Properties, the type of hardware and software you are using (for example, your operating system or browser), and information obtained from cookies (see below). If you have an Account, we may link this Non-Personal Information to your Account to better understand your needs and the needs of Users in the aggregate, diagnose problems, analyze trends, provide services, improve the features and usability of the Odro Properties, and better understand and market to our customers and Users.

We use technology to automatically gather information by the following methods:
IP Address: You may visit many areas of Odro Properties anonymously without the need to become a registered User. Even in such cases Odro Ltd may collect IP addresses automatically.

Cookies: These are small pieces of text stored in your browser. Although they are used by Odro Properties, they contain no identifying information and are never used for marketing purposes. Cookies are used as a mechanism to authorise access to media and to track usage and activity within Odro Properties, providing Odro Ltd and the Account Owner with anonymous statistics. If you use the Odro Services and you post audio visual materials including, without limitation, videos, links, logos, artwork, graphics, pictures, advertisements, sound and other related intellectual property contained in such materials (collectively, “Content”) to your website or to a third party website, Odro Ltd tracks and captures Non-Personal Information associated with User accounts and the use of Content by those that access your Content, typically Viewers.

Information You Provide About a Third Party:
You may have the opportunity to communicate with others from the Odro Properties, such as by sending an invitation to a colleague or friend. If you choose to take advantage of this functionality, we may ask you to provide us with certain information about the person with whom you wish to communicate (e.g., name, email address, etc.). Odro Ltd collects such information for the purposes of facilitating the requested communication, which may contain a specific promotional message from you (e.g., an invitation to watch a video). Unless we explicitly say otherwise, Odro Ltd will not use this information for other marketing purposes without first obtaining consent from the person to whom the relevant information pertains. Please be aware that when you use any invitation functionality on the Odro Properties, your email address, name or username, and message may be included in the communication sent to your addressee(s).

How Odro Ltd Uses Your Information

Odro Ltd processes Personal Information provided to us by Account Owners and Users about Data Subjects to produce Content which can be provided to Viewers, by Users. To process this Personal Information we use the following sub-processors:

Amazon Web Services – Used to store and process all media held by Odro Properties, the full GDPR statements from Amazon Web Services can be found here: https://aws.amazon.com/compliance/gdpr-center/

MongoDB Atlas – A cloud hosted database providing GDPR compliant security features and significant resilience for Odro Properties. The relevant GDPR compliance statement can be found here: https://www.mongodb.com/cloud/compliance/gdpr

Tokbox – Provides video infrastructure for some meetings held within Odro Vision, a relevant GDPR statement can be found here: https://support.tokbox.com/hc/en-us/articles/360000108304-EU-General-Data-Protection-Regulation-GDPR-

Odro Ltd does not use any Personal Information about Data Subjects for marketing, sales, or on any other basis except to fulfil any need of the lawful processing on behalf of our Account Owners and Users.

Data Security

All Personal information about Data Subjects is encrypted in flight using industry standard and secured at rest using secure protocols. Odro Ltd provides individual usernames and passwords that must be entered each time a User logs on. These safeguards help protect against unauthorized access, maintain data accuracy, and provide for the appropriate use of personal data. Nevertheless, no method of transmission over the Internet, or method of electronic storage, is one hundred percent (100%) secure. Therefore, we cannot guarantee absolute security.

Account Owners and Users (Data Controllers) are able to password protect access to all information related to Data Subjects. It is the responsibility of the relevant Account Owner and User (Data Controller) to enforce these security measures to keep data safe when providing Content about Data Subjects to a Viewer.

Odro utilises Amazon Web Services (AWS) and processes all data through their Dublin data centre, except in situations where the Viewer is located outside of the EU, at which point Data can be temporarily transferred (cached) at a server located more closely to that Viewer. This is done using the CloudFront Content Distribution Network (CDN) offered by Amazon Web Services. All data accessed in this manner is still stored securely, with authentication and encryption maintained end to end. For more information about CloudFront GDPR compliance please see: https://aws.amazon.com/compliance/gdpr-center/

Data Breach

Should a breach occur on any Personal Information processed on Odro Properties, Odro Ltd will notify the relevant Account Owner (Data Controller) within 72 hours. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will inform the Account Owner with the expectation they inform the Data Subject in line with the GDPR regulations. Odro Ltd will also keep track of all data breaches whenever possible, regardless of whether we are required to notify the individual Data Subjects.

Who Can Access Personal Data

The Account Owner is able to access all Personal information throughout the data retention period for legitimate business uses. Account Owners may also share personal information with Viewers, where a legitimate use applies or they have consent.

Odro Ltd staff may be granted access to Personal information when approved by the Data Protection Officer (Mark Beeby) using Role Based Authentication. All staff accessing data never share or use data for reasons other than diagnosis of problems or queries. Data will never be accessed without prior consent from the Data Subject or relevant Account Owner (Data Controller). Access to Personal Data can also be provided to Viewers in the form of Content.

Account Owner and User Responsibility

As per the licence agreement, the Account Owner (Data Controller and Joint Data Processor) is required to gain consent from Data Subjects prior to the gathering of information from and about Data Subjects using Odro Platforms, or have legitimate business interest to do so.

How To Access, Change And Erase Personal Information

Upon request, Odro Ltd will allow Users to update or correct Personal Information previously submitted about Data Subjects, but only to the extent such activities will not compromise privacy or security interests. Additionally, upon request, Odro Ltd will delete Personal Information from the Odro Properties databases where such information is stored; however, it may be impossible to entirely delete a User’s entry without some residual information being retained due to the manner in which data backups are maintained.

Requests to delete Personal Information may be submitted to our Data Protection Officer (Mark Beeby) via support@odro.co.uk.

Data Subjects also have the right to receive their Personal Information from us in a structured, commonly used and machine-readable format, and the right to transmit their Personal Information to another controller without hindrance from us (data portability).

Disclosure Of Information To Third Parties

Except as described below, we do not sell, trade, disclose or otherwise transfer your Personal Information to outside parties. This statement does not include trusted third party service providers who assist us in administering and providing the Odro Properties or provide services to us.

Examples include storing and managing Content, analyzing data, providing marketing assistance, integrations of Third Party Services such as CRM and MAP services, processing credit card payments, and providing customer service. These third party service providers will have access to Personal Information needed to perform their functions, but may not use it for other purposes.

We may use service providers located outside of the EU, and, if applicable, Personal Information may be processed and stored in other countries and therefore may be subject to disclosure under the laws of those countries. You explicitly consent and agree to such transfer, storing and/or processing of your Personal Information outside of the EU or other country in which you are located; any transfer of data will comply with GDPR regulations. We may share Payment Information with third parties for purposes of fraud prevention or to process payment transactions.

We may also release Personal information when we believe release is appropriate to comply with the law, enforce our policies, or protect our or others’ rights, property or for safety. We may also provide non-Personal Information to other parties for marketing.

Personal Information, which we collect from Users and Account Owners, but not Data Subjects, is considered to be a business asset. As a result, in the unlikely event that we go out of business, enter bankruptcy or if we are acquired as a result of a transaction such as a merger, acquisition or asset sale, this Personal Information may be disclosed or transferred to the third-party acquirer in connection with the transaction.

Lastly, we may provide Users with certain identifiable usage information directly related to the videos and/or other Content that they make available through the Odro Properties. Such information may include how many and which Content of a particular Data Subject was watched by a particular Viewer, from where a particular Content was watched by a particular Viewer and how many times a particular Content was watched by a particular Viewer. In addition, if you, as a Viewer, provide Personal Information (e.g. email address) as part of accessing and viewing Content, that Personal Information may be collected by us, a provider of Third Party Services or an Integrated Platform on behalf of the User who owns the Content and shared with that User or Third Party Service providers to that User, as we and others are their service provider. The use of such information will be subject to the information and privacy practices and policies of such Users, and Odro Ltd will not be responsible or liable for the use of any information, including your information, by such Users.

Under certain exceptional circumstances, Odro Ltd may have a legal duty or right to collect, use or disclose your Personal Information without your knowledge or consent. In accordance with applicable laws, we will not disclose any consumer information (which may include Personal Information) without your written consent, except where consumer information is required to be disclosed: (i) for billing or market operation purposes; (ii) for law enforcement purposes; or (iii) for the purpose of complying with a legal requirement.

You are deemed to consent to disclosure of your information for the above purposes. If your Personal Information is shared with third parties other than Users, those third parties may be, but are not always, subject to appropriate agreements with Odro Ltd and/or its Users to secure and protect the confidentiality of your Personal Information.

Safeguarding Your Personal Information

Odro Ltd takes appropriate security measures to protect against unauthorized access, alteration, disclosure or destruction of Personal Information. These include, but are not limited to, internal reviews of: (a) Odro Ltd data collection; (b) storage and processing practices; (c) electronic security measures; and (d) physical security measures to guard against unauthorized access to systems where Odro stores Personal Information.

All Odro Ltd employees, contractors and agents who access Personal Information are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, for unauthorized use or disclosure of Personal Information. Some or all of the Personal Information we collect may be stored or processed on servers located outside your jurisdiction of residence, whose data protection laws may differ from the jurisdiction in which you live. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws in those jurisdictions.

Retention Of Information

Odro Ltd retains the Personal Information that we collect about Data Subjects for as long as reasonably necessary for the purposes set out in this Privacy Policy.

Retention Controls

Odro Properties provide the Account Owner with the ability to set up an auto deletion policy. This allows the Account Owner to set a specific length of time over which personal data is permanently and irretrievably removed from all Odro Properties, including any back-ups. Odro Properties always offer the function of deleting specific data records on demand to Account Owners.

Children And Students
Odro takes the privacy of students and children extremely seriously. The Odro Services are not intended for children under 13 years of age. No one under age 13 may provide any information to or within Odro Properties. We do not knowingly collect Personal Information from children under 13. If you are under 13, do not use or provide any information to Odro Properties or via the Odro Services. If we learn we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at support@odro.co.uk.

EU GDPR Regulations

Odro complies with the relevant legislation including the EU GDPR framework and related data protection acts. We are bound by various obligations under the law and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data under the General Data Protection Regulation (“the Regulation”).

The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible. In summary, the Regulation states that all personal data shall be:

1. Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Fourth and Fifth Data Protection Principles require that any data should not be kept longer than necessary for the purpose for which it is processed and when it is no longer required, it shall be deleted and that the data should be adequate, relevant and limited for the purpose in which it is processed. With this in mind, this policy should be read in conjunction with our other policies which are relevant such as our data protection policy and IT security policy.

In compliance with the Regulation, Odro Ltd commits to resolve complaints about your privacy and our collection or use of your Personal Information. Inquiries or complaints should first be directed to Odro Ltd by email at support@odro.co.uk or by phone at +44 (0) 141 465 9470.

Subject Access Requests (SAR):

Data Subjects have the right to request all information held on them, and that this may be deleted. Mark Beeby, Odro Ltd CTO and DPO, will at all times have access to the data submitted to our servers from all Account Owners, Users, Viewers and Data Subjects, and will be responsible for actioning SAR and removal requests. The individual must follow the below guidance, and the actions we will take are then detailed below.

The individual must submit a written request (email permitted) detailing their name, the organisation they believe may be storing data with us on their behalf, and the date on which that recording took place, to the best of their knowledge, to support@odro.co.uk.

This request will be acknowledged within 48 hours of receipt, and verification of identity will take place. Acceptable forms of ID will include driving licence, passport, or two recent utility bills dated within the last 3 months.

If for any reason this can’t be obtained, efforts will be made to confirm identity with the processing partner. Once verified, this will be actioned immediately, and fulfilled within 30 days of initial receipt. We will also inform the source of this data (i.e. Odro customer) of the request and whether this is simply a SAR or a removal request.

All data will be sent to the individual, and permanently removed from our servers (and any back ups) if requested.

Third Party Websites And Services

The Odro Properties may contain links to third party websites or services, including Third Party Services (collectively, “Third Party Sources”), who may collect Personal Information and Non-Personal Information directly from you. Links to Third Party Sources are intended for convenience only. Third Party Sources are wholly independent from Odro Ltd. Third Party Sources may have separate privacy policies and data collection practices, independent of Odro Ltd. Odro Ltd: (a) has no responsibility or liability for these independent policies or actions; (b) is not responsible for the privacy practices or the content of such websites; (c) does not make any warranties or representations about the contents, products or services offered on such websites or the security of any information you provide to them; and (d) ensures to a reasonable degree all Third Party Services do comply with GDPR regulations.

Changes To This Privacy Policy

The terms in this Privacy Policy may be changed from time to time, so you should review it periodically for changes. We reserve the right, at any time, to modify or replace this Privacy Policy. The date of the most recent version of the Privacy Policy is noted below under “Effective Date of this Privacy Policy.” We may also notify you via email or other direct electronic communication method of any changes that, in our sole discretion, materially impact your use of the Odro Properties or the treatment of your Personal Information.

Your use of the Odro Properties following the posting of any changes to the Privacy Policy constitutes acceptance of those changes.

How To Contact Us

If you have any questions or concerns about this Privacy Policy or our privacy practices, you may contact us directly as follows:

Email us: support@odro.co.uk or phone us +44 (0) 141 465 9470.

Effective Date Of This Privacy Policy
This Privacy Policy was last revised on October 12, 2018.