This Privacy Policy (Policy) aims to give freelancers (“freelancer”, “you”, “your”) the information on how UNIVERSAL BUSINESS SOLUTIONS (“UBS”, “we”, “us”, “our”) processes their personal data (Data), its legal status and other conditions.
UBS processes the Data:
to find the best candidates, as well as for the conclusion, performance and termination of the Freelancer Contract (Contract);
in order to comply with legal obligations (taxes, auditors, accounting, KYC/ AML etc.) and requirements of state authorities;
in order to establish, exercise and/ or protect legal claims of UBS and/ or third parties (UBS employees, partners etc.),
hereinafter referred to as “Purpose” or “Purposes” respectively.
Freelancers may also be subject to our partners’ and service providers’ policies and procedures. In such cases freelancers must communicate with the current partner or service provider regarding their data processing rules; this Policy does not apply in such cases.
If freelancers register for any event, which is not covered with Purposes, this Policy does not apply.
Communication among freelancers, except for the performance of Contract, must be treated as data processing for personal needs. In such cases each freelancer is responsible for timely data removal, as well as applying other necessary precautions.
UBS is committed to comply with confidentiality rules set in the Contract. Additionally:
We will not process the Data outside the Purposes.
By default, we process only Data which:
Is necessary to achieve the current Purpose.
Is accurate and, where necessary, kept up to date.
Upon achievement of a Purpose we apply one of the following steps (data retention):
unlink the Data from freelancer’s person (anonymisation); or
delete the Data; or
limit access to the Data, if other Purposes are still active (for example, if the Contract was terminated, but governing law still requires us to store the Data for taxation reasons or the maximum survival period for legal claims has not expired yet).
When data is being processed for statistical and analytical purposes, we are applying additional safeguards preventing any undue impact on your person.
Each freelancer is a separate business project. UBS treats freelancers as independent contractors – legal persons. The term Data within this Policy means “personal data which concerns legal persons” (B2B relationships) and which is necessary to achieve the Purposes set out above. As a result, UBS uses best practices originating from provisions of data protection laws and guides; at the same time, UBS, as a party to B2B relationships, may derogate from those laws and guides.
What data does UBS collect about freelancers?
We are collecting different Data categories (identification data, personal credentials, financial data, experiences, skills, results of assessments of services provided under the Contract etc.). If freelancers submit requests or complaints we might collect extra data to manage these processes.
We might collect information regarding your CV (work experience, language knowledge etc.) submitted during the application process. At the time of Contract conclusion, performance or termination we might also collect and share with partners technical data (log files, internal URLs, usernames, internal IDs etc.) to manage accesses, resolve bugs/ errors, ensure secure communications and confidentiality regime, as well as to prevent/ respond to security incidents.
Who is responsible for your data protection?
UBS is responsible for your Data in accordance with Contract provisions. Our service providers and partners are liable, where the Data falls under their policies and procedures or where they have acted outside or contrary to lawful instructions of UBS.
If you are providing Data of other freelancers or candidates (Referrals), you shall be solely liable for obtaining documented permission from them or using other legal basis for their data processing (e.g. contract, power of attorney etc.).
If You Fail to Provide Personal Data
Where UBS collects personal data to comply with legal obligations or under the terms of a Contract, and you fail to provide the Data when requested, we may not be able to perform the Contract or to enter into it with you. In this case, we may have to terminate negotiations/ conclusion and/ or performance of the Contract, but we will notify you if this is the case at the time.
Disclosure after collecting
Generally, we do not share the Data with third parties, except minimally necessary information shared with:
our corporate clients, so you are able to provide services requested by them;
our service providers and suppliers;
our corporate affiliates (in case of change of control of UBS ownership);
other business partners (e.g. to conduct a survey);
the public (in cases when you authorized us (also orally) to publish it on our website or social media);
state authorities and agencies upon their lawful request.
Security Measures
Considering the state of the art, the costs of implementation and the scope of the Purposes, UBS ensures and permanently improves security measures to protect the Data from accidental or unlawful destruction, loss, alteration, disclosure or access.
To achieve a high level of security, we implement the necessary organizational and technical measures.
Requests and complaints
The scope of your rights is set in the Contract. You can also submit a request or complaint regarding Data. We will reply to the request to the extent of our capacity. Usually, we reply within 30 days. Any complaints must be resolved in accordance with Contract provisions. Pre-contractual and post-termination relationships must be resolved in accordance with the surviving provisions of the Contract, and complaints are subject to the governing law set in the Contract.
If your requests are manifestly unfounded or excessive, UBS might refuse to act on the request or charge some fee.
If we have reasonable doubts concerning your identity (or the identity of an authorized representative), we may request additional information necessary to confirm the identity.
CONTACT US
If You have any questions regarding Data processing, please contact us at privacy@ubsystems.co.uk
AMENDMENTS AND EFFECTIVE DATE
UBS might amend this Policy from time to time.
Amendments shall enter into force on the Effective Date.
The current version of the Policy is published on our website.
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The term “personal data” means:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personally identifiable information shall mean the same as personal data.
Why do we need Your data?
UBS carries on business projects where we have to process Your personal data in order to:
Train and assess independent freelancers (contractors) online;
Manage paperwork and records;
Assess the performance of services rendered by freelancers;
Perform other implied activities (support, IT, security, marketing etc.) within UBS and in collaboration with our business partners;
Ensure professional staff for all the above;
Comply with legal obligations (e.g. tax, accounting, etc.).
We might collect the following data categories 1:
Regarding freelancers:
Identification data (name, surname, date of birth, etc.)
Personal Credentials (passport, ID etc.)
Financial data (bank name, account number, etc.)
Experiences, skills (languages, work experience etc.)
Regarding employees:
Workplace data (communication, organizational matters, security, taxes, bookkeeping, employment record management etc.)
Experiences, skills (professional, personal etc.)
Education (institutions, credentials etc.)
Legal status (ownership, litigations, insurance etc.)
Social data (social media, cookies, communication means, contact lists, events etc.)
Sensitive (special category data, e.g. assessment of the working capacity of the employees, trade union membership)
Other data categories (e.g. cookies)
1. The list of categories is non-exhaustive and might be supplemented from time to time
The term “controller” means:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The term “processor” means:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
How we share Your data
Change of control: We may share Your data in case of change of control/owners of UBS.
Service providers: We may share Your data with suppliers who perform services on our behalf and have agreed in writing to protect and not further disclose Your information.
Business partners: We may share Your data with various business partners. We may also share Your information to ask our partner to create a survey, form, application, or questionnaire in order to learn the degree of Your satisfaction with our services. We may also share Your information as otherwise described to you at the time of collection. We may also share anonymous aggregated usage information with partners.
Information shared in public: If you provide us a review of Your experience as a freelancer, you authorize us to publish it on all our Platforms under the screen name you provided. You also authorize us to aggregate it with other reviews.
Authorities: We may disclose data if required by LAWS, for example to law enforcement or other authorities.
COOKIE POLICY
What are Cookies?
A Cookie is a small piece of data sent from the UBS Platform and stored on Your device (computer, smartphone etc.) by Your web browser while You are on our website and sometimes down the line. Without Cookies it would be impossible to provide You the information and services You are requesting through the Internet. Cookies remember stateful information (such as the language You use) or record Your browsing activity. They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.
Categories of Cookies used by UBS
Technical and strictly necessary Cookies
In most cases UBS uses cookies whose main task is to make it technically feasible to connect our Platform with Your device and provide the services requested by You. These cookies are integrated by default into our Platforms.
If You try to block or turn off any of these cookies, You might not receive some essential part of the services requested by You. Some examples of such cookies are:
User input cookies (session-id), e.g. when You are filling online form/ applying with resume.
Security cookies used to detect and prevent malicious attacks.
Multimedia content player session cookies, such as flash player cookies.
Load balancing session cookies facilitate faster processing of your requests.
User interface customization cookies (e.g. language, text size preferences).
Third party social plug-in content sharing cookies.
Functionality Cookies
Such Cookies are not strictly necessary to You as a user of the Platforms, but they help us to optimize our Platforms and make them more user-friendly, enhance the security level, facilitate faster and more convenient use of the Platforms, receive valuable statistics in an anonymized way etc.
In case we are collecting Your data for statistical purposes, the results of the processing shall be without any negative impact to Your privacy or there should not be any decisions made against You.
You are able to block or turn off Functionality Cookies at any time.
The retention period of Functionality Cookies is usually very short. In case of longer periods, please be aware that we always assess the risk level of such processing and include a Cookie in the opt-out category only if processing of Functionality Cookies is not so intrusive that it could adversely affect Your privacy.
Under the strict supervision we might allow third parties to collect Functionality Cookies on our Platforms in order to provide us with aggregated statistics. In such cases we require third parties to aggregate or erase data obtained from Your device.
Advertising Cookies
Third party vendors, including Google, use Advertising cookies to serve ads based on Your prior visits to UBS Platform.
Advertising cookies enable such vendors and their partners to serve ads to You based on Your visit to UBS Platforms.
You may opt out of personalized advertising by visiting the vendor's website, e.g. Ads Settings.
Third-party vendors and ad networks might serve targeting ads on our Platforms.
You may opt out of the use of Advertising cookies by visiting www.aboutads.info.
Timely communication on data protection breaches, maximally mitigating possible adverse effects;
Firewalls;
Strong Password Criteria;
Staff training;
Etc.
Information we are providing to You, if we are collecting Your data directly from You
the identity and the contact details of the controller;
the contact details of the data protection officer;
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
the legitimate interests pursued by the controller or by a third party, where applicable;
the recipients or categories of recipients of the personal data, if any;
where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with a supervisory authority;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Information we are providing to You, if we are collecting Your data indirectly
the identity and the contact details of the controller and, where applicable, of the controller's representative;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
the categories of personal data concerned;
the recipients or categories of recipients of the personal data, if any;
where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
the legitimate interests pursued by the controller or by a third party, where applicable;
the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with a supervisory authority;
from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In case the data is not collected directly from You we shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with You, at the latest at the time of the first communication; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
The right to be informed shall not apply, if:
obtaining or disclosure of Your data is expressly laid down by LAWS, or
the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; in such cases we will provide appropriate safeguards.
In case the data is not collected from You, we are prohibited from informing You about it, if and insofar as the data must remain confidential subject to an obligation of professional secrecy regulated by LAWS, including a statutory obligation of secrecy.
You are entitled to access to the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from us rectification or erasure of Your data or restriction of processing of Your data or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from You, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for You;
about appropriate safeguards we are providing regarding Your data transfers to a third country or to an international organization taking into account GDPR Article 46.
Cases in which You have the right to obtain from the current controller of UBS the erasure of Your data:
Your data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You withdraw consent on which the processing is based and we have no other legal ground for the processing;
You object to the processing pursuant to GDPR Article 21(1) and there are no overriding legitimate grounds for the processing, or You object to the processing pursuant to GDPR Article 21(2);
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in LAWS to which we are subject;
the personal data have been collected in relation to the offer of information society services referred to in GDPR Article 8(1).
The erasure of personal data is not applicable to the extent that processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by LAWS to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defense of legal claims.
You are entitled to obtain from us restriction of processing where one of the following applies:
You are contesting the accuracy of Your data, for a period enabling us to verify the accuracy of Your data;
the processing is unlawful and You oppose the erasure of Your data and request the restriction of their use instead;
we no longer need Your data for the purposes of the processing, but they are required by You for the establishment, exercise or defense of legal claims;
You have objected to processing pursuant to GDPR Article 21(1) pending the verification whether our legitimate grounds override those of Your interests.
Conditions under which the right to object might be exercised
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to GDPR Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
‘profiling’
means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
GDPR Article 23
Restrictions
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defense;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
GDPR Article 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
GDPR Article 8 (1)
Where point (a) of Article 6(1) applies, in relation to the offer of information society services* directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
GDPR Article 21 (2)
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
GDPR Article 9
Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
GDPR Article 46
Transfers subject to appropriate safeguards
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
3. Subject to the authorization from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
5. Authorizations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.
GDPR Article 89(1)
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.
Information Society Services
means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
For the purposes of this definition:
(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;
(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
An indicative list of services not covered by this definition is set out in Annex I;
Indicative list of services not covered by the second subparagraph of point (b) of Article 1(1)
1. Services not provided ‘at a distance’
Services provided in the physical presence of the provider and the recipient, even if they involve the use of electronic devices:
(a) medical examinations or treatment at a doctor's surgery using electronic equipment where the patient is physically present;
(b) consultation of an electronic catalogue in a shop with the customer on site;
(c) plane ticket reservation at a travel agency in the physical presence of the customer by means of a network of computers;
(d) electronic games made available in a video arcade where the customer is physically present.
2. Services not provided ‘by electronic means’
— services having material content even though provided via electronic devices:
(a) automatic cash or ticket dispensing machines (banknotes, rail tickets);
(b) access to road networks, car parks, etc., charging for use, even if there are electronic devices at the entrance/exit controlling access and/or ensuring correct payment is made,
— offline services: distribution of CD-ROMs or software on diskettes,
— services which are not provided via electronic processing/inventory systems:
(a) voice telephony services;
(b) telefax/telex services;
(c) services provided via voice telephony or fax;
(d) telephone/telefax consultation of a doctor;
(e) telephone/telefax consultation of a lawyer;
(f) telephone/telefax direct marketing.
3. Services not supplied ‘at the individual request of a recipient of services’
Services provided by transmitting data without individual demand for simultaneous reception by an unlimited number of individual receivers (point to multipoint transmission):
(a) television broadcasting services (including near-video on-demand services), covered by point (e) of Article 1(1) of Directive 2010/13/EU;
(b) radio broadcasting services;
(c) (televised) teletext.
Points (e) and (f) of Article 6(1) of GDPR
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (a) of Article 6(1) of GDPR
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…
"controller"
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"processor"
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.