Uberall GmbH, uberall B.V., uberall France, uberall Ltd, uberall Inc, Momentfeed UB, Inc., SweetIQ Analytics Inc. (each individually hereinafter also referred to as "Company" and individually or together hereinafter referred to as “Companies”) process personal data (which within the meaning of the Privacy Notice includes personal information as defined under California Data Protection Law) of the participants of video- and/or audiocalls (hereinafter also referred to as the "Data Subject") for which automated (Gong) recordings have been activated by the Companies (“Recorded Calls”) to automatically record and transcript and/or summarise such Recorded Calls in accordance with, applicable data protection laws which may in particular include (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and any applicable national implementations of the GDPR by member states of the European Union, such as the German Bundesdatenschutzgesetz (“BDSG”), (together with GDPR “EU Data Protection Law”); (ii) the GDPR as it forms part of UK law (“UK GDPR) by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together with UK GDPR “UK Data Protection Law”); (iii) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any applicable provincial Canadian data protection laws (together with PIPEDA “Canadian Data Protection Law”); (iv) the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”; CCPA and CPRA together “California Data Protection Law”).
Pursuant to applicable data protection laws (such as, as applicable, Art. 13 and 14 GDPR, Art. 13 and 14 UK GDPR, Section 1798.130 (5) (a) CCPA or Sections 6.1, 7 (1) - 7 (3) PIPEDA) the Companies are obliged to provide the Data Subject with the following information about the processing of his/her personal data, which may be updated from time to time:
I. Responsibilities and Contact Information
The joint data controllers within the meaning of Art. 26 GDPR (or Art. 26 UK GDPR or collectively responsible businesses within the meaning of California Data Protection Law or organizations within the meaning of Canadian Data Protection Law), so the person(s) responsible for the processing of personal data of the Data Subjects in connection with the Recorded Calls, are the Companies:
Contact: uberall GmbH
Address: Hussitenstraße 32-33, 13355 Berlin, Federal Republic of Germany
Email: legalemea@uberall.com
Contact: uberall B.V.
Address: Weteringschans 109, 1017 SB Amsterdam, Netherlands
Email: legalemea@uberall.com
Contact: uberall France
Address: 229 rue Saint-Honoré, 75001 Paris, France
Email: legalemea@uberall.com
Contact: uberall Ltd
Address: 27 Old Gloucester Street London WC1N 3AX, United Kingdom
Email: legalemea@uberall.com
Contact: uberall Inc
Address: 19 Clifford Street, Detroit, Michigan 48226, USA
Email: legalna@uberall.com
Contact: Momentfeed UB, Inc.
Address: 19 Clifford Street, Detroit, Michigan 48226, USA
Email: legalna@uberall.com
Contact: SweetIQ Analytics Inc. (in French: Analytiques SweetIQ inc.)
Address: 3700-1 Place Ville-Marie, Montréal (Québec), H3B 3P4, Canada
Email: legalna@uberall.com
The contact information of the data protection officer (DE: Datenschutzbeauftragter; FR: Délégué à la protection des données; NL: Functionaris voor gegevensbescherming) of uberall GmbH, uberall B.V., uberall France, uberall Ltd and (the Privacy Officer of) SweetIQ Analytics Inc is as follows: dataprotection@uberall.com
uberall Inc and Momentfeed UB, Inc., have each not appointed a data protection officer. For matters regarding this privacy notice it can be contacted together with uberall GmbH under the contact information stated above.
II. Purposes, data categories and legal basis of processing
The Companies processes personal data of the Data Subject(s) in order to
a) utilize artificial intelligence (AI) to automatically create transcripts and summaries and/or anonymised data (“Derived Information”) of the Recorded Calls for the below purposes as well as business call documentation and collaboration;
b) analyze business and market trends and developments;
c) evaluate, train and coach employees of the Companies through the use of the Recorded Calls and its Derived Information.
These Data Subjects may be in particular employees or service providers of current or prospective customers or partners of the Companies (“Recorded Partners”) and employees of the Companies (“Recorded Group Employees”), in particular of its departments Account Management, BDR, Customer Success, Sales and Partnership.
Such personal data may include video/audio recordings of the Recorded Call(s), automatically created transcript data of Recorded Calls, contact data (first & last name, email address etc.), communication data and other personal data included in the conversations of the respective Recorded Call(s) and, in the event and to the extent that Recorded Group Employees are registered to the platform through which the Recorded Calls are made available by the Companies, access data.
The legal basis for the above processings of the personal data of the Data Subjects for the above purposes are as follows:
Purpose | Legal basis for processing of personal data… | |
…of Recorded Partners | …of Recorded Group Employees | |
as described under a) above | Consent (Art. 6 (1) lit. a GDPR) | Legitimate interest of the Companies (Art. 6 (1) lit. f GDPR) |
as described under b) above | Consent (Art. 6 (1) lit. a GDPR) | Legitimate interest of the Companies (Art. 6 (1) lit. f GDPR) |
as described under c) above | Consent (Art. 6 (1) lit. a GDPR) | For calls required by Company that is party to employment relationship: Necessity for the performance of a contract (Art. 6 (1) lit. b GDPR); For any other Companies and/or event: Legitimate interest of the Companies (Art. 6 (1) lit. f GDPR) |
To the extent that legitimate interest of the Companies (Art. 6 (1) lit. f GDPR) is the legal basis of a processing, such can be the legal basis of the processing to the extent that such interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject. The Data Subject may ask for further information on such balancing of interests in the individual case for any of data processings based on point (f) of Art. 6 (1) GDPR as applicable.
III. Disclosure of Personal Data and use of third parties
Furthermore, the Companies can disclose personal data to processors (“Processors”) that are engaged by the Companies for the processing of personal data for the purposes specified in Section II, such as technical / IT service providers and operational platform services, e.g. Gong.io Inc (“Gong”).
Any such Processor acting on behalf of a Company is contractually obligated through a Data Processing Addendum (DPA) to only process the personal data on behalf of the Company solely for and the provision of the services and per its instructions. A Processor will receive access to personal data only to the extent it is necessary for their service.
In the event such disclosure is permitted or required to comply with statutory duties or legal obligations, each Company can – only to the extent legally permissible or required – transmit personal data to authorities (such as law enforcement agencies) and courts.
IV. International Transfer of Personal Data
Personal data processed by the Companies as a result of the Recorded Calls is processed within the European Economic Area (EEA) and the United States of America (USA).
For the transfer of personal data to which EU Data Protection Law or UK Data Protection Law is applicable outside of the European Economic Area (EEA) or United Kingdom (UK), as applicable.
The Companies have implemented appropriate technical and organizational security measures in accordance with Art. 46 (1) GDPR and Art. 46 (1) UK GDPR (“Appropriate Safeguards”) designed to protect personal data, in accordance with applicable law, including with respect to international data transfers.
An international data transfer may take place under an adequacy decision in the meaning of Art. 45 (1) GDPR and Art. 45 (1) UK GDPR, as applicable (“Adequacy Decision”). To the extent that an international data transfer takes place as a result of the utilization of Gong as a Processor, such an Adequacy Decision applies as Gong is registered under the EU/US Data Privacy Framework.
In the absence of an Adequacy Decision or Appropriate Safeguards, the Companies may process an international data transfer if the transfer is necessary for the conclusion or performance of a contract concluded by the Companies in the interest of the Data Subject. The legal basis for this data processing is point (c) of Art. 49 (1) GDPR or point (c) of Art. 49 (1) UK GDPR, as applicable. The Companies further may process an international data transfer if the transfer is necessary for the establishment, exercise or defense of claims. The legal basis for this data processing is point (e) of Article 49(1) GDPR or point (e) of Art. 49 (1) UK GDPR, as applicable.
V. Duration of Processing and Deletion of Personal Data
The Companies will process personal data of the Data Subject(s) as long as required for the respective purpose(s) described in Section II above.
The Companies will erase the personal data once they are no longer necessary to fulfill the purposes specified in Section II, including with respect to the legal obligations of the Companies, and once any applicable statutory retention requirements expire. Where statutory retention requirements are in effect and any purposes specified in Section II as otherwise expired, the Companies will restrict the processing of personal data.
VI. Rights of the Data Subject
Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, the Data Subject has the right to receive information about his/her personal data, to require rectification or erasure of his/her personal data or the restriction of the processing and to receive his/her personal data in a structured, commonly used and machine-readable format (data portability).
Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, the Data Subject also has the right to object to the processing of his/her personal data.
To the extent that Californian Data Protection Laws are applicable, the Data Subject further has the right to non-discrimination and right to object to opt out of sales of its personal data. For the purpose of clarification, the Companies will not sell any personal data to which is subject to this privacy notice.
The Data Subject can exercise any of the above rights by submitting a respective request to Companies to the contact information provided in section I above.
Further, the Data Subject is entitled to lodge a complaint with a supervisory authority regarding the processing of his/her personal data.
