ELM Europe Privacy Policy

Please read below to find out about what data we store and what we use it for.

ELM Europe (‘we’ or ‘us’) are committed to protecting and respecting your privacy.

This policy (together with our terms of use and any other documents referred to on it) sets out how we process your personal data and your rights in respect of that data.

The data controller is ELM Europe of Unit 1, Christchurch Business Park, Radar Way, Christchurch, Dorset, BH23 4FL.

GDPR
The GDPR legislation recently introduced by the EU Parliament requires all companies who hold data to be compliant. ELM EUROPE makes it compulsory for all its customers to opt-in to have their details saved and stored. You must give us consent to hold this information, which comprises name, address, email address, phone number, order history and IP address. If you have any questions on this, please contact us.

Data we may collect from you
We may collect and process the following data about you: Information that you provide by filling in any forms on our sites – www.elm-europe.co.uk or any others that we own and may from time to time use to collect data or when otherwise contacting us; if you contact us, we may keep a record of that correspondence; details of transactions you carry out through our site and of the fulfilment of your orders; details of your visits to our site and the resources that you access.

You are able to opt out of us holding this information at any point. Please contact us to request this.

IP Addresses and Cookies
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies enable us to improve our service to you, estimate our audience size and usage pattern, store information about your preferences, and recognise you when you return to our site. You can set your browser up to refuse the setting of cookies. However, if you do this you may be unable to enjoy full use of the site and you may not be able to take advantage of certain promotions we may run from time to time. Please note that entities who advertise on our site may also use cookies, but we do not have access to them or control over them.

Using your Data
We use information held about you in the following ways:
To ensure that content from our site is presented in the most effective manner for you and for your computer. To provide you with information, products, services or offers via e-mail, SMS, phone or post, that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.

To notify you about changes to our service.

Third Parties
We do not and never will sell or pass your data on to third parties.

Opt In
As well as legally having to opt in to continue a business relationship with ELM EUROPE you also are given the opportunity to opt out at any point and have your data removed from our records. To effect this, please contact us.

Disclosure of your Data
We may disclose your personal information to third parties:
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets; if Elm Europe Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any of our terms and conditions.

Third Party Websites
Our site may, from time to time, contain links to third party websites. If you follow a link to any of these websites, please note that these websites have their own terms and privacy policies and that we do not accept any responsibility or liability for these sites and their terms and policies.
Where we store your data
Access to Information
Regulation (EU) 2016/679 of the European Parliament gives you the right to access the information that we hold about you at any point. Should you wish to receive details that we hold about you please contact us.
Scope of Processing.
Customer’s Instructions. By entering into this Data Processing Amendment, the customer instructs ELM EUROPE to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Customer’s use of the Services and related technical support; (c) as documented in the form of the applicable Agreement, including this Data Processing Amendment; and (d) as further documented in any other written instructions given by Customer and acknowledged by ELM EUROPE as constituting instructions for purposes of this Data Processing Amendment.
ELM EUROPE’s Compliance with Instructions. As from the Full Activation Date, ELM EUROPE will comply with the customer instruction (including with regard to data transfers) unless EU or EU Member State law to which ELM EUROPE is subject requires other processing of Customer Personal Data, in which case ELM EUROPE will inform Customer. For clarity, ELM EUROPE will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services. ELM EUROPE will only retain data from Customers who have made a purchase and thus have given consent.
Data Deletion.
Deletion During Term. ELM EUROPE will enable Customer and/or End Users to delete Customer Data during the applicable Term. ELM EUROPE will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
Deletion on Term Expiry. On expiry of the applicable Term Customer instructs ELM EUROPE to delete all Customer Data (including existing copies) from ELM EUROPE’s systems in accordance with applicable law. ELM EUROPE will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
Data Security.
ELM EUROPE’s Security Measures, Controls and Assistance.
ELM EUROPE’s Security Measures. ELM EUROPE will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix (the “Security Measures”). As described in Appendix , the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of ELM EUROPE’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. ELM EUROPE may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Security Compliance by ELM EUROPE Staff. ELM EUROPE will take appropriate steps to ensure compliance with the Security Measures by its employees to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
ELM EUROPE’s Security Assistance. Customer agrees that ELM EUROPE will (taking into account the nature of the processing of Customer Personal Data and the information available to ELM EUROPE) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with ELM EUROPE’s Security Measures
(b) complying with the terms of Data Incidents) and
(c) providing Customer with the Security details requested in any SAR
Data Incidents.
Incident Notification. If ELM EUROPE becomes aware of a Data Incident, ELM EUROPE will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
Details of Data Incident. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps ELM EUROPE recommends Customer take to address the Data Incident.
Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at ELM EUROPE’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.
No Assessment of Customer Data by ELM EUROPE. ELM EUROPE will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
No Acknowledgment of Fault by ELM EUROPE. ELM EUROPE’s notification of or response to a Data Incident will not be construed as an acknowledgement by ELM EUROPE of any fault or liability with respect to the Data Incident.
Customer’s Security Responsibilities and Assessment.
Customer’s Security Responsibilities.
Customer agrees that, without prejudice to ELM EUROPE’s obligations under ELM EUROPE’s Security Measures, Controls and Assistance:
(a) Customer is solely responsible for its use of the Services.
(b) ELM EUROPE has no obligation to protect Customer Data that Customer elects to store or transfer outside of ELM EUROPE’s systems (for example, offline or on-premise storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent Customer has opted to use them.
Customer’s Security Assessment.
(a) Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and ELM EUROPE’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
(b) Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by ELM EUROPE as set out in ELM EUROPE’s Security Measures provide a level of security appropriate to the risk in respect of the Customer Data.
Customer’s Audit Rights.
If the European Data Protection Legislation applies to the processing of Customer Personal Data, ELM EUROPE will allow Customer to apply via Subject Access Request (SAR) to verify ELM EUROPE’s compliance with its obligations under this Data Processing Regulation. ELM EUROPE will submit to such audits within thirty days.
Impact Assessments and Consultations. Customer agrees that ELM EUROPE will (taking into account the nature of the processing and the information available to ELM EUROPE) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the information contained in the applicable Agreement including this Data Processing Amendment.
Data Subject Rights; Data Export.
Access; Rectification; Restricted Processing; Portability. During the applicable Term, ELM EUROPE will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by ELM EUROPE as described above, and to export Customer Data.
Data Subject Requests.
Customer’s Responsibility for Requests. During the applicable Term, if ELM EUROPE receives any request from a data subject in relation to Customer Personal Data, ELM EUROPE will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
ELM EUROPE’s Data Subject Request Assistance. Customer agrees that (taking into account the nature of the processing of Customer Personal Data) ELM EUROPE will assist Customer in fulfilling any obligation to respond to requests by data subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
Data Transfers.
Data Storage and Processing Facilities. Customer agrees that ELM EUROPE may store Customer Data in the United States and any other country in which ELM EUROPE or any of its Parent Companies maintains facilities.
Transfers of Data Out of the EEA.
ELM EUROPE’s Transfer Obligations. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), ELM EUROPE will:
(a) if requested to do so by Customer, ensure that ELM EUROPE as the data importer of the Transferred Personal Data enters into Model Contract Clauses with Customer as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses; and/or
(b) offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Customer about such Alternative Transfer Solution.
Customer’s Transfer Obligations. In respect of Transferred Personal Data, Customer agrees that:
(a) if under the European Data Protection Legislation ELM EUROPE reasonably requires Customer to enter into Model Contract Clauses in respect of such transfers, Customer will do so; and
(b) if under the European Data Protection Legislation ELM EUROPE reasonably requires Customer to use an Alternative Transfer Solution offered by ELM EUROPE, and reasonably requests that Customer take any action (which may include execution of documents) strictly required to give full effect to such solution, Customer will do so.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter
ELM EUROPE’s provision of the Services and related technical support to Customer.
Duration of the Processing
The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by ELM EUROPE in accordance with the Data Processing Amendment.
Nature and Purpose of the Processing
ELM EUROPE will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Amendment.
Categories of Data
Personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may include the following categories of data: user IDs, email, IP address, address, gender. ELM EUROPE do not store payment details (bank accounts, debit or credit card numbers).
Appendix 2: Security Measures
As from the Amendment Effective Date, ELM EUROPE will implement and maintain the Security Measures set out in this Appendix 2 to the Data Processing Amendment. ELM EUROPE may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Office & Network Security.
Offices.
Infrastructure. ELM EUROPE stores all production data in a physically secure office building.
Power. The office electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the office. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the office, at full capacity, for up to an hour.
Server Operating Systems. ELM EUROPE servers use a Windows-based implementation. Data is stored using Sage Database and the Google cloud.
Business Continuity. ELM EUROPE replicates data over multiple systems to help to protect against accidental destruction or loss. ELM EUROPE has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
Networks & Transmission.
Data Transmission. ELM EUROPE transfers data via Internet standard protocols, in encrypted form.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. ELM EUROPE’s intrusion detection involves:
1. Tightly controlling the size and make-up of ELM EUROPE’s attack surface through preventative measures;
2. Employing intelligent detection controls at data entry points; and
3. Employing technologies that automatically remedy certain dangerous situations.
Incident Response. ELM EUROPE monitors a variety of communication channels for security incidents, and ELM EUROPE’s security personnel will react promptly to known incidents.
Encryption Technologies. ELM EUROPE makes HTTPS encryption (also referred to as SSL or TLS connection) available, and also uses E2EE.
Access and Site Controls.
Site Controls.
On-site Security. ELM EUROPE maintain on-site security 24 hours a day, 7 days a week. ELM EUROPE monitor Closed Circuit TV (CCTV) cameras and all alarm systems.
Access Procedures. ELM EUROPE maintains formal access procedures for allowing physical access to the offices. The servers are housed in facilities that require electronic card key access, with alarms. All entrants to the office are required to identify themselves as well as show proof of identity. Only authorized employees, contractors and visitors are allowed entry to the servers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Office electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the director. All other entrants requiring temporary office access must: (i) obtain approval in advance from the office managers; and (ii) sign in.
On-site office Security Devices. ELM EUROPE’s offices employ an electronic card key access control system. The access control system monitors and records each individual’s electronic card key and when they access doors. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and offices is restricted based on zones and the individual’s job responsibilities. The fire doors at the offices are alarmed. CCTV cameras are in operation both inside and outside the offices. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the office building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the offices connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 7 days based on activity.
Access Control
Access Control and Privilege Management. Customer’s Administrators and End Users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services. Each application checks credentials in order to allow the display of data to an authorized End User or authorized Administrator.
Internal Data Access Processes and Policies – Access Policy. ELM EUROPE’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. ELM EUROPE aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. ELM EUROPE employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and SSH certificates are designed to provide ELM EUROPE with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. ELM EUROPE requires the use of unique user IDs, strong passwords, and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with ELM EUROPE’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength.
Data.
Data Storage, Isolation & Authentication.
ELM EUROPE stores data on ELM EUROPE-owned servers. ELM EUROPE logically isolates data on a per End User basis at the application layer. ELM EUROPE logically isolates each Customer’s data, and logically separates each End User’s data from the data of other End Users, and data for an authenticated End User will not be displayed to another End User (unless the former End User or an Administrator allows the data to be shared).
Decommissioned Disks and Disk Erase Policy.
Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving ELM EUROPE’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed.
Personnel Security.
ELM EUROPE personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. ELM EUROPE conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel must acknowledge compliance with ELM EUROPE’s confidentiality and privacy policies. Personnel handling Customer Data are required to complete additional requirements appropriate to their role. ELM EUROPE’s personnel will not process Customer Data without authorization.

Contact
Questions, comments and requests regarding this privacy policy are welcomed and should be emailed to gdpr@elm-europe.co.uk or addressed to ELM EUROPE Limited, Unit 1, Christchurch Business Park, Radar Way, Christchurch, Dorset, BH23 4FL.