Terms and Conditions
General Data Protection Regulation (GDPR)
Please read these Terms of Use (“Terms”, “Terms of Use”) carefully before using this platform, website (the “Service”) operated by Friendsvow Inc (“us”, “we”, or “our”).
Your access to and use of the Service is conditioned on your acceptance of and compliance with these Terms. These Terms apply to all visitors, users and others who access or use the Service.
By accessing or using the Service you agree to be bound by these Terms. If you disagree with any part of the terms then you may not access the Service.
Accounts
When you create an account with us, you must provide us information that is accurate, complete, and current at all times. Failure to do so constitutes a breach of the Terms, which may result in immediate termination of your account on our Service.
You are responsible for safeguarding the password that you use to access the Service and for any activities or actions under your password, whether your password is with our Service or a third-party service.
You agree not to disclose your password to any third party. You must notify us immediately upon becoming aware of any breach of security or unauthorized use of your account.
Intellectual Property
The Service and its original content, features and functionality are and will remain the exclusive property of Friendsvow and its licensors.
Friendsvow GDPR Data Protection Officer
The General Data Protection Regulation (GDPR) introduced the role of the Data Protection Officer (DPO) across Europe (Art. 37 GDPR). Contrary to popular belief, what decides whether a company is legally obliged to appoint a DPO is not its size but its core processing activities, i.e. those essential to achieving the company's goals. If these core activities consist of processing sensitive personal data on a large scale, or of a form of processing that reaches particularly far into the rights of data subjects, the company has to appoint a DPO. Public bodies always have to appoint a DPO, with the exception of courts acting in their judicial capacity. In addition, the rule has a flexibility clause for Member States, which are free to impose stricter requirements for appointing a DPO (e.g. Section 38 of the German Federal Data Protection Act). Where such an obligation exists under the GDPR or a more specific national law, a group of undertakings may appoint a single DPO, provided that he or she is easily accessible to the supervisory authorities, employees and external data subjects. Where no legal obligation exists, companies can appoint a DPO voluntarily to help with data protection compliance (as recommended, for example, by the French data protection authority CNIL).
Groups and companies have two possibilities to meet their obligation to appoint a Data Protection Officer. Either they name an employee as an internal Data Protection Officer, or they appoint an external Data Protection Officer. In selecting such a person, they must ensure that an internal Data Protection Officer is not subject to a conflict of interest due to his work in the IT Department, HR Department or senior management, where he would have to supervise himself. Regardless of which option is chosen, a Data Protection Officer must provide expert professional knowledge in data protection law and IT security, the scope depending on the complexity of data processing and the size of the company.
The duties of a Data Protection Officer include: working towards compliance with all relevant data protection laws, monitoring specific processes such as data protection impact assessments, raising employee awareness of data protection and training staff accordingly, and cooperating with the supervisory authorities. An employee acting as DPO must therefore not be dismissed or penalised for performing these tasks. Despite the DPO's monitoring function, the company itself remains responsible for complying with data protection law, and must therefore involve the DPO in all issues relating to the protection of personal data "properly and in a timely manner". When a DPO is appointed, the company must publish the DPO's contact details and communicate the appointment and contact details to the data protection supervisory authority. A company that appoints a DPO voluntarily must adhere to the same criteria and provisions. Note also that wilful or negligent failure to appoint a DPO despite a legal obligation is an infringement subject to fines.
Links To Other Web Sites
Our Service may contain links to third-party web sites or services that are not owned or controlled by Friendsvow.
Friendsvow has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that Friendsvow shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods or services available on or through any such web sites or services.
We strongly advise you to read the terms and conditions and privacy policies of any third-party web sites or services that you visit.
GDPR Email Marketing
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. The general rule that processing is prohibited unless authorised also applies to the personal data used to send e-mails. Processing is only allowed under the General Data Protection Regulation (GDPR) if the data subject has consented or another legal basis exists. One such basis could be the controller's legitimate interest in sending marketing e-mails: Recital 47 GDPR expressly states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest of the controller.
Such an interest may exist, for example, where there is a relevant and proportionate relationship between the data subject and the controller, such as where the data subject is a customer of the controller or in the controller's service. Much therefore suggests that e-mail marketing is allowed without consent, at least for existing customers. If the company has a justified interest in "cold" approaches by e-mail, marketing e-mails may be sent to potential customers without consent. To receive no further newsletters or marketing e-mails, the recipient need only object to processing for marketing purposes. Under Art. 21(2), (3) GDPR the data subject always has the right to object to the processing of personal data for direct marketing purposes. If the data subject objects, the controller only has to stop processing for marketing purposes, but may still process the data for other purposes, e.g. for the performance of a contract. The controller's legitimate interest in marketing can never outweigh the data subject's objection. Note, however, that under Art. 95 GDPR the Regulation does not impose additional obligations where the ePrivacy Directive already contains specific rules with the same objective (see also Recital 173). The consequence is that unsolicited e-mail marketing is currently only allowed with the prior consent of the recipients (Art. 13(1) of Directive 2002/58/EC), subject to the narrow exception for existing customers in Art. 13(2) of that Directive. Whether the forthcoming ePrivacy Regulation provides more clarity on this issue remains to be seen.
Regardless of whether a company bases its marketing measures afterwards on its legitimate interest or on consent, the controller has to adhere to the data subject’s right to be informed. The content of said information depends on which justification reason is used. Please be aware that there might be certain additional national laws (e.g. competition law) which might be slightly stricter or which may impose additional restrictions.
Suitable GDPR articles
- Art. 6 GDPR Lawfulness of processing
- Art. 7 GDPR Conditions for consent
- Art. 21 GDPR Right to object
- Art. 95 GDPR Relationship with Directive 2002/58/EC
Suitable Recitals
- (32) Conditions for Consent
- (33) Consent to Certain Areas of Scientific Research
- (39) Principles of Data Processing
- (40) Lawfulness of Data Processing
- (41) Legal Basis or Legislative Measures
- (42) Burden of Proof and Requirements for Consent
- (43) Freely Given Consent
- (47) Overriding Legitimate Interest
- (171) Repeal of Directive 95/46/EC and Transitional Provisions
- (173) Relationship to Directive 2002/58/EC
Termination
We may terminate or suspend access to our Service immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the Terms.
All provisions of the Terms which by their nature should survive termination shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.
We may terminate or suspend your account immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the Terms.
Upon termination, your right to use the Service will immediately cease. If you wish to terminate your account, you may simply discontinue using the Service.
Disclaimer
Your use of the Service is at your sole risk. The Service is provided on an “AS IS” and “AS AVAILABLE” basis. The Service is provided without warranties of any kind, whether express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, non-infringement or course of performance.
GDPR Fines / Penalties
National authorities can, and in some cases must, impose fines for specific data protection violations in accordance with the General Data Protection Regulation. Fines are applied in addition to or instead of other remedies or corrective powers, such as an order to end a violation, an instruction to bring the data processing into compliance with the GDPR, or a temporary or definitive limitation on processing, including a ban. For the provisions which relate to processors, the processor may be subject to sanctions directly and/or in conjunction with the controller.
The fines must be effective, proportionate and dissuasive in each individual case. In deciding whether and at what level a penalty is assessed, the authorities have a statutory catalogue of criteria (Art. 83(2) GDPR) which they must consider. Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred, or a lack of cooperation with the authorities can increase the penalty. For especially severe violations, listed in Art. 83(5) GDPR, the fine can be up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Even the catalogue of less severe violations in Art. 83(4) GDPR provides for fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Especially important here is that the term "undertaking" is equivalent to that used in Art. 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). According to the case law of the European Court of Justice, "the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed". An undertaking can therefore consist not only of one individual company in the sense of a legal person, but also of several natural persons or corporate entities. Thus, a whole group can be treated as one undertaking, and its total worldwide annual turnover can be used to calculate the fine for a GDPR infringement by one of its companies. In addition, each Member State shall lay down rules on other penalties for infringements of the Regulation which are not already covered by Art. 83. These are most likely criminal penalties for certain violations of the GDPR, or penalties for infringements of national rules adopted under the flexibility clauses of the GDPR.
The national penalties must also be effective, proportionate and act as a deterrent.
A punishable situation in a company can be revealed through proactive inspection activities conducted by the data protection authorities, by an unsatisfied employee or by customers or potential customers who complain to the authorities, through the company making a self-denunciation, or by the press in general, especially through investigative journalism.
The Enforcement Tracker gives an overview of reported fines and penalties which data protection authorities within the EU have imposed so far.
Governing Law
These Terms shall be governed and construed in accordance with the laws of Nigeria without regard to its conflict of law provisions.
Our failure to enforce any right or provision of these Terms will not be considered a waiver of those rights. If any provision of these Terms is held to be invalid or unenforceable by a court, the remaining provisions of these Terms will remain in effect. These Terms constitute the entire agreement between us regarding our Service, and supersede and replace any prior agreements we might have between us regarding the Service.
Changes
We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material we will try to provide at least 30 days notice prior to any new terms taking effect. What constitutes a material change will be determined at our sole discretion.
GDPR Encryption
Companies can reduce the probability of a data breach, and thus the risk of future fines, if they choose to encrypt personal data. The processing of personal data is inherently associated with a certain degree of risk, especially nowadays, when cyber-attacks are nearly unavoidable for companies above a given size. Risk management therefore plays an ever larger role in IT security, and data encryption is, among other means, one measure suited to managing that risk.
In general, encryption refers to a procedure that converts plaintext into ciphertext using a key, such that the ciphertext only becomes readable again with the correct key. (Encryption is distinct from hashing, which is one-way and has no key to recover the data.) This minimises the risk of an incident during data processing, as encrypted contents are essentially unreadable to third parties who do not have the correct key. Encryption is the standard way to protect data in transit and one way to secure stored personal data. It also reduces the risk of abuse within a company, since access is limited to the people who hold the right key. The protection depends entirely on the key being managed separately from the data: a key stored next to the ciphertext, or derived from a guessable secret, gives no real protection.
The Regulation also recognizes these risks when processing personal data and places the responsibility on the controller and the processor in Art. 32(1) of the General Data Protection Regulation to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data. Those are the state of the art, implementation costs and the nature, scope, context and purposes of the processing. In addition to these criteria, one always has to consider the severity of the risks to the rights and freedoms of the data subject and how likely those risks could manifest. This basically boils down to the following: The higher the risks involved in the data processing and the more likely these are to manifest, the stronger the taken security measures have to be and the more measures must be taken. Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of Art. 32(1) of the GDPR, which is not exhaustive. Again, the GDPR does not mention explicit encryption methods to accommodate for the fast-paced technological progress. When choosing a method one must also apply the criteria catalogue above. To answer the question of what is currently considered “state of the art” data protection officers usually rely on the definitions set out in information security standards like ISO/IEC 27001 or other national IT-security guidelines.
Encryption of personal data has additional benefits for controllers and processors. For example, the loss of a mobile storage medium that holds personal data encrypted to the state of the art (with the key held elsewhere) does not necessarily have to be notified to the data protection authority, since the breach is then unlikely to result in a risk to the data subjects (Art. 33(1) GDPR), and the data subjects themselves need not be informed where the data was rendered unintelligible to any unauthorised person (Art. 34(3)(a) GDPR). In addition, if a breach does occur, the authorities must take the technical and organisational measures implemented under Art. 32, including encryption, into account when deciding whether and at what level to impose a fine (Art. 83(2)(d) GDPR).
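The following is an added example, not code from Friendsvow or from the original page, of what "state of the art" encryption of a stored personal-data record looks like in practice. It uses AES-256-GCM from the Go standard library, an authenticated mode, so that a wrong key, a modified ciphertext, or an envelope copied onto another record all fail the tag check instead of yielding garbage. The key is deliberately not part of what is written to the medium, which is the precondition for the lost-medium argument above. The record ID, the JSON payload and the in-process key generation are constructed for the example; in a deployment the key would come from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only thing written to the storage medium: a fresh
// random nonce and the AES-GCM ciphertext, which already carries the
// 16-byte authentication tag. The key is deliberately not part of it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit AES key. In a real deployment it would
// come from a KMS/HSM and never be stored beside the envelopes (assumption
// for this example: we generate it in-process).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext under key. recordID is passed as additional
// authenticated data so that an envelope cannot be silently moved onto
// another record by whoever controls the storage.
func Encrypt(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens an envelope. It returns an error and no plaintext when the
// key is wrong, when the record ID differs, or when a single bit of the
// ciphertext was modified: the tag is verified before anything is returned.
func Decrypt(key []byte, recordID string, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample record (not real personal data).
	const recordID = "customer/1042"
	plain := []byte(`{"name":"Ada Example","email":"ada@example.org"}`)

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(key, recordID, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on medium: nonce=%x ct=%x\n", env.Nonce, env.Ciphertext)

	// Holder of the key and the right record ID recovers the data.
	got, err := Decrypt(key, recordID, env)
	fmt.Printf("right key: %q err=%v\n", got, err)

	// Finder of a lost medium without the key gets only an error.
	other, _ := NewKey()
	_, err = Decrypt(other, recordID, env)
	fmt.Println("wrong key:", err)

	// Flipping one bit of the ciphertext is detected, not decrypted to garbage.
	tampered := Envelope{Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Decrypt(key, recordID, tampered)
	fmt.Println("tampered:", err)
}
```

The record ID as additional authenticated data is the detail most often left out: without it, an insider with write access to the store can copy one customer's encrypted envelope over another's and the data still decrypts cleanly. The nonce is random per message and the key is never written to the medium, which is what makes the loss of that medium a low-risk event in the Art. 33/34 sense.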
Suitable GDPR articles
- Art. 6 GDPR Lawfulness of processing
- Art. 32 GDPR Security of processing
- Art. 34 GDPR Communication of a personal data breach to the data subject
By continuing to access or use our Service after those revisions become effective, you agree to be bound by the revised terms. If you do not agree to the new terms, please stop using the Service.
Key Issues Friendsvow Considers
Welcome to the section "Key Issues". Under each keyword you will find a brief introduction together with the Articles of the GDPR and the recitals relevant to the topic.
For more detailed information we have compiled a list of links to expert contributions and to opinions of the data protection authorities. The latter are only one possible interpretation of the law and are not legally binding; the final interpretation of the GDPR lies exclusively with the European Court of Justice. Nevertheless, the opinions of the supervisory authorities are of considerable practical relevance, because the authorities enforce the Regulation through their investigative and corrective powers.
- Consent
- Data Protection Officer
- Email Marketing
- Encryption
- Fines / Penalties
- Personal Data
- Privacy by Design
- Privacy Impact Assessment
- Processing
- Records of Processing Activities
- Right of Access
- Right to be Forgotten
- Right to be Informed
- Third Countries
GDPR Consent
Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.
The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. In doing so, the legal text takes a certain imbalance between the controller and the data subject into consideration. For example, in an employer-employee relationship: The employee may worry that his refusal to consent may have severe negative consequences on his employment relationship, thus consent can only be a lawful basis for processing in a few exceptional circumstances. In addition, a so-called “coupling prohibition” or “prohibition of coupling or tying” applies. Thus, the performance of a contract may not be made dependent upon the consent to process further personal data, which is not needed for the performance of that contract.
For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent anytime. The withdrawal must be as easy as giving consent. Where relevant, the controller also has to inform about the use of the data for automated decision-making, the possible risks of data transfers due to absence of an adequacy decision or other appropriate safeguards.
The consent must be bound to one or several specified purposes which must then be sufficiently explained. If the consent should legitimise the processing of special categories of personal data, the information for the data subject must expressly refer to this.
There must always be a clear distinction between the information needed for the informed consent and information about other contractual matters.
Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion (a pre-ticked box or inactivity is not consent), so that there is no doubt that the data subject has consented to the particular processing. That said, there is no form requirement for consent, even though written consent is recommended because the controller must be able to demonstrate it. Consent can therefore also be given in electronic form. The consent of children and adolescents in relation to information society services is a special case: for those under the age of 16, the additional consent or authorisation of the holder of parental responsibility is required. This age limit is subject to a flexibility clause; Member States may provide for a lower age by national law, provided that it is not below 13 years. A service offering that is explicitly not addressed to children is exempt from this rule, but the exemption does not apply to offers addressed to both children and adults.
As one can see consent is not a silver bullet when it comes to the processing of personal data. Especially considering that the European data protection authorities have made it clear “that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent.” Strictly interpreted, this means the controller is not allowed to switch from the legal basis consent to legitimate interest once the data subject withdraws his consent. This applies even if a valid legitimate interest existed initially. Therefore, consent should always be chosen as a last option for processing personal data.
Suitable GDPR articles
- Art. 4 GDPR Definitions
- Art. 6 GDPR Lawfulness of processing
- Art. 7 GDPR Conditions for consent
- Art. 8 GDPR Conditions applicable to child's consent in relation to information society services
- Art. 9 GDPR Processing of special categories of personal data
- Art. 22 GDPR Automated individual decision-making, including profiling
- Art. 49 GDPR Derogations for specific situations
Contact Us
If you have any questions about these Terms, please contact us.