An overview of privacy at CAST
CAST is committed to ensuring the highest standards of privacy in compliance with the applicable legislation of countries where CAST has its registered offices (cf. “Who is CAST” below) and/or uses CSP infrastructure to serve CAST Highlight platforms.
- in Europe, with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).
  - in non-European countries where CAST Highlight collects, stores and processes PII (Personally Identifiable Information) of European citizens, CAST relies on:
    - adequacy decisions and mutual recognition of GDPR (e.g. Switzerland, Israel, Japan, New Zealand, Argentina, Canada, …),
    - sectoral adherence to a data protection code of conduct (e.g. AWS to CISPE, GCP and AZURE to EU Cloud CoC)
- in the US, there is no nationwide law that would cover the protection of citizens’ PII, but related state laws exist instead (California Privacy Rights Act, Colorado Privacy Act, Connecticut Personal Data Privacy and Online Monitoring Act, Maryland Online Consumer Protection Act, Massachusetts Data Privacy Law, New York Privacy Act, …)
GDPR is one of the most restrictive laws in the world regarding PII protection. Some national laws such as LGPD in Brazil or PIPA in South Korea (considered to be one of the strictest privacy rules in the world) are strongly inspired by GDPR. We are confident, to the best of our knowledge, that compliance with GDPR meets the laws of most countries.
Based on these elements, we consider GDPR as our main regulation. However, we remain attentive to legal developments on the protection of personal data in the world in order, if necessary, to improve our best practices.
This document aims to illustrate:
- which personal data CAST collects and/or processes in the context of the use of the CAST Highlight application
- what your rights are in relation to said activities
- how to contact CAST
Who is CAST
CAST has its registered offices at 321 W. 44th St., Suite 501, New York, USA and 3, rue Marcel Allégot, Meudon, FRANCE.
CAST acts as Data Controller in the context of the CAST Highlight service.
Any question or query about personal data can be addressed to the Data Protection Officer (DPO) of CAST:
- by e-mail at the following address: firstname.lastname@example.org
- or by post at the following address:
Attn. Data Protection Officer
3, rue Marcel Allégot, Meudon, FRANCE.
Which Personal Data is necessary for CAST to provide the service?
- The professional/business email address of the person using the CAST Highlight service
- The first name of the person using the CAST Highlight service (optional)
- The last name of the person using the CAST Highlight service (optional)
No sensitive personal data is necessary for CAST to provide the CAST Highlight service. This data will never be shared with or transferred to any other organisation.
Why does CAST need to process Personal Data?
A professional/business email address is required by those wishing to register and log in to CAST Highlight. Without this information, it is not possible to use the service provided by CAST Highlight. First name and last name are optionally collected (based on the decision of the Portfolio manager of the organisation) and are used to improve user friendliness (a person using CAST Highlight is addressed by their name where possible).
What are the legal grounds on which CAST processes Personal Data?
The applicable data protection legislation establishes that personal data can only be processed if supported by a valid legal basis (as listed and identified by articles 6 and 9 of the GDPR). As a matter of principle, the following legal bases may be applicable to the use of CAST Highlight:
- A person using CAST Highlight, as the data subject, has given their consent to the processing of their personal data in an explicit and active way.
- Processing of collected personal data is necessary for the use of CAST Highlight, which is the subject of the contract established between the customer’s organisation and CAST.
How does CAST collect Personal Data?
Collecting the professional/business email address, first name and last name of those using the service is part of the CAST Highlight portfolio user provisioning process. User provisioning is not performed by CAST but instead by the individual designated as the portfolio administrator on the customer side.
The only account created by CAST is the portfolio administrator account.
Where is Personal Data stored?
The professional/business email address of the person using the CAST Highlight service is stored in the CAST Highlight database. It is encrypted in transit and in storage.
PII is never transferred to any third party or to another jurisdiction for CAST Highlight usage.
Do people using CAST Highlight have the right to have their personal data rectified or deleted?
Yes, by contacting their company portfolio administrator (cf. “How does CAST collect Personal Data”). Please be aware that deleting or altering the professional/business email address of the person using the CAST Highlight server will prevent them from using the service. Individuals can obtain the contact details of their company portfolio manager by sending an email to email@example.com.
How long does CAST store Personal Data?
Contractually, all data collected, processed and stored by CAST Highlight is deleted 2 years after the end of the contract. This period may be shortened upon customer request.
Other rights and how to exercise them
- In accordance with the applicable provisions, data subjects may access and obtain a copy of their personal data (art. 15 of the GDPR).
- Within the limits foreseen by the applicable data protection legislation, data subjects may object to the processing of their data (art. 21 of the GDPR), provided that the legal constraints and obligations coming from their employer allow them to do so.
- In certain cases, data subjects have the right to limit processing (article 18 of the GDPR) and the right to the portability of their personal data (article 20 of the GDPR). At any time, data subjects have the right to withdraw their consent to process their data (article 7).
In order to exercise these rights, the easiest way is to contact the portfolio administrator to manage the issue. In all cases, these rights may also be exercised by sending an email to the DPO of CAST via the following email address: firstname.lastname@example.org. The request will be analyzed and answered within 8 business days.
Moreover, data subjects have the right to lodge a complaint with the principal enforcement authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the applicable Regulation (CNIL in France, FTC in the US, EU regulation bodies …).