Although Merlin is not currently registered under the Privacy Shield program, and the program itself is under challenge, we are committed to handling data coming from EU countries in accordance with the Privacy Shield framework. That program would authorize Merlin to store and host EU personal data with appropriate procedures for data subjects to request a copy of, or modifications to personal data. Merlin doesn’t presently process or otherwise receive data from the EU but can join the program when required.
Here is more information about how Merlin would handle EU data subject to the GDPR.
Data Controller and Data Processor
Our clients act as data controllers under the GDPR. A data controller determines the purposes for which and the means by which personal data is processed.
For our clients, we act as data processors. A data processor processes personal data only on behalf of the controller.
For our users and visitors, we act as data controllers. Our client determines what data to store in the Merlin platform, who can see that data, and the ultimate disposition of that data. Our clients must obtain permission or have another legitimate basis to collect and process information in accordance with the GDPR. As a data processor, our responsibility is to provide services and keep the data we maintain secure in accordance with client instructions.
We regularly review our policies, processes, and procedures to ensure that they address our obligations under the GDPR as a data processor. In general, we employ what we believe are reasonable efforts to maintain the accuracy and integrity of personal data received from our clients or their agents and, at the client's direction, will endeavor to update or correct it as appropriate.
We have implemented physical and technical safeguards to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, electronically stored personal data is stored on a secure network with firewall protection, and access to our systems requires user authentication via password or other means. Data is transmitted in encrypted form.
Right to Access, Change or Delete Data
For data provided by our clients, Subject Access Requests (SARs) should be routed through the client. We will take directions from our client, acting as data controller, with regard to making personal data available to a data subject. If we receive a SAR for access to personal data, then, unless otherwise required under law or contract, we will forward the request to the client for instructions.
When Merlin is the data controller for users of our platform, those users are authorized by our clients. As such, we will treat data collected about users as equivalent to client-provided data and will look to the data controller for guidance. When Merlin is the data controller for visitors to our websites, you may contact firstname.lastname@example.org for help with SARs.
Should there be a dispute between the client and the data subject over the right to correct, edit, amend, block, erase or otherwise change their personal data, we will seek guidance from the client or other appropriate authority before taking any action.