GDPR

Data protection commitments:

At Wizkids, we process data in accordance with GDPR legislation. To that end, we create a data processing agreement with all of our customers, so that all processing of data complies with any legal measures and fits our customer’s needs. All data received from our customers will only be processed in the way the customer has instructed us to process it.

Data return and deletion:

Upon termination of the personal data processing service, the data controller is obliged to delete or anonymise all personal data that has been processed on behalf of the data controller and confirm to the data controller that the data has been deleted or anonymised. This does not apply where EU law or Member States’ national law prescribes the storage of personal data. Some of our customers may want specific deletion routines, so the way in which data is deleted or returned may vary from customer to customer.

Use of subprocessors:

At Wizkids, we use a number of sub-data processors to perform a number of functions. These sub-data processors will appear in a submitted data processor agreement. Our sub-data processors do not process sensitive personal information, as all processing of personal and/or sensitive information takes place on our own servers, and data that is sent to the aforementioned sub-data processors is sent encrypted. The sub-data processors we use process data in accordance with the sub-data processor agreement we have entered into with them.

Assistance to the controller:

Wizkids shall, taking into account the nature of the processing, assist the Data Controller as far as possible by employing appropriate technical and organizational measures. This will be done in compliance with the Data Controller’s obligation to respond to requests for the exercise of data subjects’ rights as set out in Chapter III of the Data Protection Regulation. This means that the data processor must, as far as possible, assist the data controller in connection with the data controller ensuring compliance with:

a. The duty to provide information when collecting personal data from the data subject. 

b. The duty to provide information if personal data has not been collected from the data subject. 

c. The right of access. 

d. The right to rectification. 

e. The right to delete. 

f. The right to limit processing. 

g. The duty to notify in connection with the correction or deletion of personal data or restriction of processing. 

h. The right to data portability. 

i. The right to object. 

j. The right not to be the subject of a decision based solely on automatic processing, including profiling.

Data transfer to third countries outside of EU or international organizations:

Any transfers of personal data to third countries outside of the EU or international organizations may only be made by the processor on the basis of documented instructions from the data controller and must always be done in accordance with chapter V of the data protection regulation. If personal information is transferred to third countries outside of the EU or international organisations without the data controller having instructed the processor to do so, the processor is required by law to notify the data controller of the transfer and of the legal reason for the transfer before transferring the data. This has to be done unless prohibited by law in the public interest.

Certificates:

In order to show our interest in and obligation to comply with personal data legislation, Wizkids has had an ISAE 3000 made. It can be forwarded on request for review.