GDPR

General

1. What internal steps have you taken across your platforms to support GDPR requirements?
   We have taken the following steps around our platforms to support GDPR:

Analyzed, map and report Personal Information throughout its lifecycle with us, that means from the time we collect it through its destruction.
Designed intake channels to allow users to exercise their rights in due time, such as access , modify and delete their Personal Information.
Implemented process to fulfil users rights, such as access, modification and deletion within one month.
Re-designed our registration process and privacy consent experience in our products.
Rolled-out Privacy-by-Design training to teams to incorporate privacy minimization concepts in their engineering processes.

2. What external steps will you be requiring from users once GDPR requirements are live?
   The most visible change users will experience in the future is more granular options when it comes to obtaining their consent for marketing purposes as well as data sharing with third parties for marketing and advertising purposes.
3. How have/will you determine Consent? What data will fall under your requests for Consent? Will you be considering/applying any exceptions?
   We have performed a group wide analysis of where and for which purpose we collect and use Personal Information, and especially what the legal basis is for each and every processing activity. In the future we will not gather general consent from our users by simply accepting our new User Privacy Notice. We will rather collect users’ consent for all use cases where we rely on consent to process or use your PI. For all cases, that we rely on legitimate interest, we conducted a balancing test to ensure our user’s interests, rights and freedoms did not outweigh ours.
4. What information and to whom does Sellted disclose personal information?
   We may disclose Personal Information of users to other members of the our corporate family and to third parties. This disclosure may be required for us to provide users access to our services, to comply with our legal obligations, to enforce our User Agreement, to facilitate our marketing and advertising activities, or to prevent, detect, mitigate, and investigate fraudulent or illegal activities related to our services. We do not disclose users’ Personal Information to third parties for their marketing and advertising purposes without users’ consent. To read more about the Personal Information Sellted discloses, please visit our User Privacy Notice.
5. Are there any areas where you will qualify for Article 30, Paragraph 5 Exemption?
   According to Article 30 GDPR, we have compiled a group wide register of data processing activities. We do not assume that there are any areas within our corporate family which qualifies for the Article 30, Paragraph 5 Exemption.

Additional FAQs for each GDPR implementation workstream

1. Data Discovery and Mapping
   How does Sellted know what Personal Information it has about its users?
   We have analyzed and mapped Personal Information throughout its lifecycle with us, that means from the time we collect it through destruction.

Does Sellted share my information with third parties?
We may disclose Personal Information of users to other members of our corporate family and to third parties. This disclosure may be required for us to provide users access to our services, to comply with our legal obligations, to enforce our User Agreement, to facilitate our marketing and advertising activities, or to prevent, detect, mitigate, and investigate fraudulent or illegal activities related to our services. We do not disclose users’ Personal Information to third parties for their marketing and advertising purposes without users’ consent. To read more about the Personal Information Sellted discloses, please visit our User Privacy Notice.

2. Data Subject Rights
   What are the types of Personal Information that Sellted collects about its users? OR Tell me what information Sellted has about me?
   Personal Information is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We do not consider personal information to include information that has been anonymized or aggregated so that it can no longer be used to identify a specific natural person, whether in combination with other information or otherwise.

We collect personal information from you when you use our Services. To read more about what Personal Information Sellted collects, please visit our User Privacy Notice.

How does a user get copies of their Personal Information?
In most cases, users may locate the Personal Information we have about them by viewing their account profile under their account. If they do not find the data they are looking for, or are looking to submit a formal access request as defined under GDPR, users may contact the customer service team.

How does a user correct their personal data?
We take steps to ensure that the Personal Information we collect from users is accurate and up to date, and that users have the ability to access and make corrections to it. Users may edit their Personal Information on their account. If they would like to request any additional corrections, users may contact the customer service team.

How long does it take for Sellted to complete a users’ privacy request?
We make every effort to complete a users’ request as quickly as possible and at the latest within one month of receipt. For some requests, the response timeframe may be extended by an additional two months where requests are complex or numerous. We will contact our users within one month of their request to inform you of any timeframe extensions.

How does a user submit a privacy complaint?
In case a user has a privacy complaint, they can submit a complaint online by contacting our Customer Support Team.

How does a user submit a data deletion request?
In case a user has a data deletion request, they can contact the Customer Support Team to submit a formal data deletion request as defined under GDPR. Their account will also be closed as part of fulfilling the data deletion request.

Will Sellted delete users’ Personal Information after a period of inactivity?
Yes, after a period of inactivity we will close the respective users’ account and delete his/her Personal Information based on its retention schedule.

Can a user submit a request on behalf of an incapacitated or deceased family member?
Yes, a user may submit a request on behalf of an incapacitated or deceased family member, however, the user will be required to provide proof that he/she has the authority to act on their behalf.

3. Data Retention
   How long does Sellted retain users’ Personal Information?
   We retain users’ Personal Information for as long as necessary to provide the Services they have requested, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our policies.

What happens to users’ Personal Information once it is no longer needed?
After it is no longer necessary for us to retain users’ Personal Information, we will dispose it in a secure manner according to our information security, data retention and deletion policies.

4. Legal Basis of Processing
   How does Sellted determine that all of the Personal Information they have about their users was collected and is being processed legally?
   We have performed an analysis of where we collect and use Personal Information, and what controls exist to make sure that it is being processed appropriately and legally, in line with our User Privacy Notice.

How can a user determine what legal basis Sellted is processing his/her Personal Information under?
Our User Privacy Notice gives an overview of the ways that we use users’ Personal Information and the associated legal basis.

What can a user do if he/she wants to object to his/her data being processed?
If a user objects to his/her Personal Information being processed, he/she can contact Customer Service and request that we cease processing the respective Personal Information as described in the User Privacy Notice.

5. Privacy Operations
   How does Sellted consider privacy of Personal Information when it is developing new products or services?
   We incorporate an assessment of privacy risks into our processes for developing new products or services that will collect, use or otherwise process Personal Information. Our privacy risk assessment process takes into account the complexity of the project and the sensitivity of the personal information being used and recommends controls to reduce risks to personal information being misused.

How does Sellted train its employees in privacy?
We provide training to employees with access to Personal Information utilizing industry leading training modules, consistent with industry norms.

6. Crisis Management / Breach Response
   How does Sellted determine whether a security incident has occurred?
   We have a dedicated global team to monitor our platforms. When this team receives information that could represent an incident, an analysis is performed to validate that an incident has occurred. If Personal Information is involved in an incident, our process incorporates further analysis to determine potential impact on rights and freedoms of individuals.

How does Sellted determine when to notify affected individuals about a security incident?
We incorporate notification requirements for all jurisdictions in which we operate. As data protection laws are updated, we monitor their changes to ensure that we meet our legal obligations. In addition, we review data security issues for their potential of harm to determine if we should proactively notify individuals, even when notice is not legally required.

7. Privacy Control Environment
   How does Sellted make sure that they have appropriate controls on personal data throughout its lifecycle?
   We have developed and implemented a control framework based on industry standards that comprises controls at every stage of the data lifecycle, from before we collect Personal Information through to when it is deleted or otherwise transformed. This control framework was reviewed and enhanced during 2017 to take into account changes in internal processes and external requirements.

How does Sellted make sure that they are complying with the requirements stated in their external User Privacy Notice as well as, their internal Privacy Policy?
Our updated Privacy Controls framework maps our external User Privacy Notice, as well as our internal Privacy Policy to requirements of GDPR. Our team has been testing against the requirements of these policies for several years and are expanding their work to include validation of new controls implemented for GDPR throughout the data lifecycle.