Privacy

Effective from April 17th, 2023

EON is an industry leader in its approach to supporting data privacy and personal data rights. As a pioneering force in the creation of product digital identities and the circular economy, EON has led the fight to revolutionize how data is used to enable its clients and partners to move beyond their historical boundaries while creating new industry best practices that safeguard the rights of data owners and data subjects.

Managing hundreds of different data privacy laws is increasingly challenging and promotes inequality in how data subjects are treated.  Our approach to data privacy and personal data rights is to apply the most stringent interpretation of relevant legislation and to apply it to all data subjects unless explicitly forbidden, even to residents of countries with weak or no data privacy or rights protections.  As global legislation on data privacy and rights continues to be enacted, and new case law clarifies obligations of controllers and processors, EON’s support of data privacy, protection, and data subjects’ rights will continue to evolve.

From inception, EON’s purpose-built technology and services have been highly focused on product data, not personal data.  Where EON processes personal data, we have embraced and developed new standards in support of the principles of data minimization and privacy by design, and implemented encryption, which is optional under most data privacy legislation such as the GDPR.  We also apply supplementary measures, such as pseudonymization, and have automated erasure processes (erasure by design), which reduce the compliance burden and risk to our clients, partners, and consumers.

Our Privacy Principles

Data subjects’ personal data privacy and rights are very important to us. EON is committed to providing safe, secure, and trustworthy experiences within our sites and platforms.

EON’s Privacy Principles and What They Mean

  • Transparency about the information we collect:  We want those who share their personal data with us to understand what information we collect and why we collect it.  We do our best to explain to our users what personal data we collect from them and what we do with it.  We will be transparent where personal data is collected about an individual without their direct input, and whenever possible, we will provide them with options to limit this collection.
  • Be constant in our privacy commitments:  We take our data protection and privacy commitment seriously.  Our privacy and protection programs address legal requirements and best practices, and reflect our commitments to our clients, partners, and users to deliver a trusted experience when interacting with EON.
  • Constant protection of personal data and privacy:  We work to protect the personal data and privacy of those who share their personal data with us regardless of whether they are protected by legislation or not.  Users, clients, partners, and prospects trust us with their personal data and expect us to protect and use it in an appropriate manner.  Our policies and processes cover personal data management from collection to erasure.  Our data privacy and information security programs are based on best practices and reflect an interpretation of data privacy laws based on the data subjects’ best interest, not ours.
  • Easy to access and update their personal data:  Having accurate information from those we interact with helps us create a better experience.  We provide mechanisms to give those who share their personal data with us access to information related to their account, their interactions with EON, and the ability to correct any information that is incorrect or out of date.
  • Minimization by design:  EON only collects the personal data necessary to meet obligations we have to those who share personal data with us, such as fulfilling contractual obligations. For more detail, please see our Privacy Policy here.  Through our policies and automated processes, we continually remove personal data (by design) that is no longer necessary or that meets time-based requirements for its permanent erasure.
  • Limit personal data sharing & access:  We limit who has access to personal data within our systems and only share it externally with those who have a legitimate purpose for such access, where consented to by the data subject, or required by law.  Data sharing outside of EON is minimal, and only with 3rd parties who meet our personal data security standards.  To see where personal data may be shared and what is shared, click here.
  • No Selling of Personal Data: We never sell any personal data we collect.  This is not permitted under our Privacy Policy nor is it part of any business we currently engage in or are contemplating.
  • No Acceptance of Special Categories of Personal Data:  As a company principally focused on physical products, there should never be a reason for us to collect, store, or process any data referred to as a “special category of personal data” under GDPR and other data privacy legislation from clients, partners, prospects, or users.  Special categories of personal data refer to data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, sex life or sexual orientation, or criminal convictions and offenses.  In accordance with our policies and agreements with clients, partners, and prospects any such data that is submitted to EON will be erased without prior notice.
  • Build and maintain secure products & services:  We work hard to provide clients, partners, prospects, and other users with a safe and trustworthy place to interact with our platforms and services.  We have implemented several programs to protect those who use our websites, platforms, and services.  However, no system is perfect, so we have developed issue resolution and escalation processes to help resolve problems in a fast, fair, and consistent manner.

Data Privacy Legislation

In the wake of the European Union’s GDPR going into effect in 2018, data privacy legislation has spread throughout the globe and directly impacted businesses and consumers alike.  Through case law and guidance provided by supranational, national, and state level authorities, interpretation of these laws continues to evolve, as do businesses’ efforts to comply.  EON regularly monitors changes to these laws and in turn, evolves its practices accordingly.  The laws and regulations listed below represent the main data privacy laws to which EON is commonly subject, based on the location of those who share personal data with us.  This is not meant to be a complete list and it will change as countries pass new legislation and consolidate related legislation.  This list is for reference only and should not be considered legal guidance.

EUROPE

EU General Data Protection Regulation (“GDPR”; text):  The European Union’s data privacy law that came into effect on May 25, 2018.

UK Data Protection Act 2018 (“DPA” inc. “UK GDPR”; text):  The United Kingdom’s version of the EU GDPR legislation.

The Swiss Data Protection Act 2020 (“DPA”; text-fr, text-de):  The Swiss data protection law with updates that come into force in late 2022 or early 2023.

NORTH AMERICA

Canadian Consumer Privacy Protection Act (“CPPA”; text):  The successor to the Personal Information Protection and Electronic Documents Act (PIPEDA; text), the CPPA aims to simplify consent, while maintaining it as a central part of Canadians' data privacy rights.

California Consumer Privacy Act of 2018 (USA, California; “CCPA”; text):  The CCPA data privacy law came into effect on Jan 1, 2020.  The California Privacy Rights Act (“CPRA”; text) went into full effect on January 1st, 2023.  It expands on the rights protected under the CCPA, closing most of the gap between CCPA and GDPR.  Compared to regulations in other U.S. states, the CCPA and CPRA grant California residents significantly more control over their personal data and impose the highest level of compliance obligations on affected companies.

Consumer Data Protection Act (USA, Virginia; text):  The VCDPA went into effect on Jan. 1st, 2023.

Colorado Privacy Act (USA, Colorado; text):  The CPA is effective as of July 1st, 2023.

Connecticut Data Privacy Act (USA, Connecticut; text):  The CDPA is effective as of July 1st, 2023.

Utah Consumer Privacy Act (USA, Utah; text):  The CPA is effective as of Dec. 31st, 2023.

Note: Several U.S. states including Nevada, Maine, and New York have passed bills offering consumers partial protections, but are not considered comprehensive data privacy and protection laws and are therefore not listed here.

SOUTH AMERICA

Brazil Lei Geral de Proteção de Dados (“LGPD”; text):  The enforcement provisions of the LGPD came into effect as of August 2021, and provide a legal framework for the use of personal data in Brazil, covering both private and public sectors.  The law is largely similar to the EU’s GDPR.

ASIA

China Data Security Law (“DSL”; text):  Effective as of September 2021, the DSL supplements China’s existing Cybersecurity Law (text).  The DSL regulates data-processing activities and business operations in China.  Compared to the EU’s GDPR, the DSL does not have the same level of consumer protections on how the government may access consumer data and has heightened requirements for data export out of China.

PACIFIC

New Zealand Privacy Act 2020 (text):  Effective as of December 2020, this legislation replaces the Privacy Act 1993.

Australia Privacy Legislation Amendment Bill 2022 (“PLA”; text):  This bill amends the Privacy Act of 1988 (text) to more closely align with the EU’s GDPR and support an adequacy decision.

International Data Transfers

Depending on where you are located, some approved 3rd parties with access to your personal data may be located outside your country or have offices in countries where data protection laws may provide a different level of protection than the laws in your country.  When transferring personal data to such recipients, we contractually require appropriate safeguards.  These safeguards include technical, physical, and organizational ways in which we minimize their access to personal data and ways it can be misused, along with contractual obligations of the 3rd party recipient.

Prior to the Schrems II decision, EON had implemented, and continues to use, the following to comply with data transfer rules and regulations:  1) Standard Contractual Clauses (SCCs), 2) Data Processing Agreements (DPA), 3) Internal codes of conduct, 4) Exclusive use of encrypted transfer and storage means.

The European Union and the United States are currently negotiating a data privacy framework (text) that would provide the United States with an adequacy decision and we are closely monitoring these efforts.

We may transfer your personal data to approved 3rd party recipients, where and when it is legally permitted, who may be located anywhere in the world, except for countries under international embargo or where the data subjects’ data privacy rights cannot be reasonably guaranteed.  We only transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to 3rd party countries on the basis of model clauses or as otherwise authorized by applicable law.  Other than transfers to 3rd party countries providing an adequate level of data protection according to the European Commission, EON requires the necessary safeguards be in place, e.g. through data protection contracts adopted by the European Commission (e.g. standard contractual clauses) with the recipients, or through other measures provided for by law.  We regularly review the measures taken to assess requirements resulting from new regulatory guidance and case law, such as that from the Court of Justice of the European Union (CJEU) decisions.

EON as a Controller & Processor

EON is a processor for our clients and partners for all other means of personal data collection (e.g. client account platform access, client branded consumer experience, etc.).  As a solutions provider, any requests for data subjects’ rights where EON is the processor will be referred to the appropriate controller.

EON is a controller for personal data captured through its eon.xyz and eongroup.co domains (e.g. you signed up for an EON newsletter or EON webinar).

Use of the Services

The EON company responsible for the collection and processing of your personal data in connection with the provision of our Services or collected through our websites can be contacted at privacy@eongroup.co or by mail at:

EON Group Holdings, Inc.

Attn: Data Privacy

11 West 30th Street, 6th FL

New York, NY 10001

United States of America

Your Rights as a Data Subject

Please refer to our current Privacy Policy (here) for the most up-to-date explanation of your rights.  Subject to restrictions on EON under supranational (e.g. the European Union), national, or state law, you as a data subject have the right to access, rectification (i.e. “correct”), restriction of processing, data portability, erasure, and not to have your data sold (we don’t sell personal data), with regard to your personal data.  In addition, you may withdraw your consent and object to our processing of your personal data on the basis of our legitimate interests.  You may also file a complaint with a supervisory authority.  Where EON is the controller, you may execute your rights directly with EON.  Where EON is the processor, rights requests will be directed to the controller.

Your personal data rights:

You may withdraw your consent to the processing of your personal data by EON at any time.  As a result, we may no longer process your personal data based on this consent in the future.  Such withdrawal of consent has no effect on the lawfulness of processing based on consent before its withdrawal, and EON may reject this request if the processing is needed to fulfill a legitimate business need such as delivering a service you have contracted with us for.

You may access your personal data that is being processed by us.  In particular, you may request: 

  • information on the purposes of the processing, 
  • the categories of personal data concerned, 
  • the categories of recipients to whom the personal data have been or will be disclosed, 
  • where possible, the planned period for which the personal data will be stored or the criteria used to determine that period, 
  • any available information as to the personal data’s source (where they are not collected from you), and
  • the existence of automated decision-making, including profiling and where appropriate, meaningful information on its details.

Your right to access shall not affect the rights and freedoms of others.  Your right to access may be limited by national or supranational law (e.g. the EU).

You may request from us, without undue delay, the rectification (e.g. “correction”) of inaccurate personal data concerning you.  Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

You have the right to request from us the erasure of personal data concerning you under certain conditions (e.g. when the personal data are no longer necessary in relation to the purposes for which they were processed or when they are no longer required for overriding legitimate grounds, such as the detection/prevention of fraud), unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.  The right to erasure may be limited by national or supranational law.

You have the right to request from us restriction of processing your personal data to the extent that:

  • the accuracy of the data is disputed by you,
  • the processing is unlawful, but you oppose the erasure of the personal data,
  • we no longer need the data, but you need it to assert, exercise, or defend legal claims, or
  • you have objected to the processing.

You have the right to request a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller ("right to data portability").  For client and partner users, this data may exclude any data to which the client or partner has intellectual property rights or other rights.

You have the right to file a complaint with a supervisory authority.  You may contact the supervisory authority associated with your place of residence, your place of work, or the registered office of the controller.

If your personal data is processed on the basis of our legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation.  This also applies to profiling.  If your personal data is processed by us for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Exercising your rights and managing your settings

You can exercise your rights as a data subject by contacting us via email at privacy@eongroup.co or by mail at:

EON Group Holdings, Inc.

Attn: Data Privacy

11 West 30th Street, 6th FL

New York, NY 10001

United States of America

In addition, you are free to contact the controller who is responsible for the processing of your personal data at any time (for further information, see section on Controller & Processor above).  A list of country specific EU/EEA/UK Data Protection Authorities can be found here.

Your exercise of the above rights (ex. right to access or erasure) is generally free of charge except where otherwise permitted or required by law.  Where requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may charge an appropriate fee (our actual costs), in accordance with the applicable statutory regulations, or refuse to process the application.  If refused, you will be notified and a reason will be provided.

As a product focused company, our processing of client and partner related consumer personal data is relatively limited and is solely done as permitted in writing by the respective client or partner.  Where we do process consumer personal data, in many cases we do not process enough personal data, only have an encrypted version without the ability to decrypt it, or do not retain it long enough to confirm the identity of any data subject.  As a processor for our client brands, your data rights requests will be referred to the controller in such cases.  Where EON is the controller, such as for those on our newsletter, you may have your rights executed directly by EON.

Managing your communication preferences

If you would like to change your preferences regarding EON marketing, you can do so at any time by clicking on the “update your preferences” and “unsubscribe” links contained in all of our marketing communications.  You may also contact us at EON Group Holdings, Inc., Attn: Data Privacy, 11 West 30th Street, 6th FL, New York, NY 10001, United States of America.  The implementation of changes or removal from communications platforms may take a few days as permitted by law.  For information on how to manage your cookie and similar technology preferences, see our privacy policy and cookie policy.

Data Retention Period

Client and partner users’ personal data is generally retained for as long as the client or partner grants their individual approved users access to their client or partner account within EON’s services.  Upon data subject request or termination of the associated client or partner agreement, all personal data not necessary for closure of the account, completion of contractual requirements, or as required by law, will be deleted.  In some cases, a user who works for a client or partner may have their request rejected by the controller.  Resolution of data subjects’ rights will be at the direction of the controller, which for client or partner users will be the respective client or partner, not EON.

Archived Privacy Policies

Please refer to our previous privacy policies below: