Privacy And Data Protection Policy

  1. Purpose

    1.1: Expandigo Privacy Policy (hereinafter “the Policy”) defines requirements to ensure compliance with laws and regulations applicable to collection, use, processing, and transfer of personal data.

  2. Scope

    2.1: The Policy applies to all full-time and part-time employees of the Company, contractors, and any other category of collaborators, suppliers, and partners who have access to personal data collected or processed by the Company, regardless of geographic location.

    2.2: The Company will establish its status for all data processing as either a Data Controller, or Data Processor acting for another Data Controller.

  3. Consent

    3.1. Consent means “any freely given specific and informed indication of his wishes by which the Data Subject signifies agreement to personal data relating to him being processed.” Nevertheless, consent may be obtained by a number of methods. These may include clauses in employment contracts, check boxes on replies to application or purchase forms, and click boxes on online forms where personal data is entered. In most European Union countries, consent to the processing of sensitive personal data needs to be clear and unequivocal. This generally means that some form of specific active consent is required.

  4. Group Compliance

    4.1: The Company’s data compliance program will be overseen by Mr. Valerio Tenace (hereinafter “data privacy official - DPO”), one of the two founders of the Company. The DPO may be assisted by locally appointed compliance staff and internal auditors and may delegate competencies to qualified data protection specialists.

    4.2: The DPO or an appointed data protection specialist will implement the Company’s international data protection policy and procedures, as well as any additional duties laid down by Data Protection Laws, including but not limited to:

    • Determining whether notification to one or more data protection Authorities is required as a result of the Company’s data processing.
    • Defining programs for training employees to ensure compliance with data protection regulation.
    • Establishing procedures and standard provisions to comply with the Policy by customers, suppliers, and any third parties who may receive personal data from the Company, have access to personal data collected or processed by the Company, or who provide information to the Company, regardless of geographic location.
    • Establishing mechanisms for periodic audits of compliance with this Policy, implementing procedures, and applicable law.
    • Establishing, maintaining, and operating a system for prompt and appropriate responses to Data Subject requests to exercise their rights.
    • Establishing, maintaining, and operating a system for the prompt and appropriate automatic disclosure to the relevant authorities and data subjects of any loss of personal data.
    • Informing any employees, senior managers, officers, contractors, etc. of the Company of the potential corporate and personal civil and criminal penalties which may be assessed against the Company and/or its employees, collaborators, etc. for violation of applicable data protection legislation.
    • Ensuring that the risk management plans in relation to data protection are implemented effectively and promptly.

  5. Data Protection Principles

    5.1: The Company has adopted the following principles to govern the collection, use, processing and transmittal of personal data:

    • Personal Data shall only be processed fairly and lawfully.
    • Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
    • Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.
    • Personal Data shall not be collected or processed unless a legal basis for processing is properly established.

    5.2: Appropriate measures shall be taken to:

    • Prevent and/or identify unauthorized or unlawful collection, processing, and transmittal of personal data; and
    • Prevent accidental loss or destruction of, or damage to, personal data.

  6. Transfers To Third Parties

    6.1: Personal data shall not be transferred to another entity, country or territory, unless reasonable and appropriate steps have been taken to establish and maintain the required level of data security.

    6.2: Personal data may be communicated to third persons only for reasons consistent with the purposes for which the data was originally collected or other purposes authorized by law.

    6.3: All transfers of personal data to third parties for further processing shall be subject to written agreements.

    6.4: EU personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognized by the EU as having an adequate level of data security, or to the United States under the EU-US and Swiss-US agreements in place.

    6.5: Subject to the provisions of the above, personal data may be transferred where any of the following apply:

    • The data subject has given consent to the proposed transfer;
    • The transfer is necessary for the performance of a contract between the data subject and the Company;
    • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Company and a third party;
    • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defense of legal claims;
    • The transfer is required by law;
    • The transfer is necessary in order to protect the vital interests of the data subject.

  7. Prevention Of Non-Complying IT Systems

    7.1: The Company’s DPO shall establish a procedure for assessing the impact of any new or existing technology on the privacy and security of personal data.

    7.2: No new system or new version of an existing system shall be made available for use until the DPO has assessed that there would be no breach of any data protection legislation.

  8. Sources Of Personal Data

    8.1: To create an account, you need to provide data including your name, email address and/or mobile number, and a password, and you will need to provide payment (e.g., credit card) and billing information.

    8.2: Personal data shall be collected only from the data subject unless the nature of the business purpose requires collection of the data from other persons or bodies.

  9. Data Subject Rights

    9.1: Data subjects shall be entitled to obtain the information about their own personal data held by the Company by making a written request.

    9.2: The Company shall provide its response to a request above within 40 days from the date of the written request, or within a shorter timescale if required by applicable data protection legislation.

    9.3: Data subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated, or incomplete personal data held about them.

  10. Sensitive Data

    10.1: Sensitive personal data should not be processed unless:

    • Such processing is specifically authorized or required by law.
    • The data subject expressly and unambiguously consents.
    • Where the data subject is physically or legally incapable of giving consent, but the processing is necessary to protect a vital interest of the data subject.
    • Data relating to criminal offenses may be processed only by or under the control of the legal department.

  11. Data Quality Assurance

    11.1: Personal data must be kept only for the period necessary for permitted uses.

    11.2: Personal data shall be erased if its storage violates any data protection law or at the request of the data subject.

  12. Intra-Group Processing

    12.1: If the Company relies on another group company to assist in its processing activities, the Company will enter into a Data Transfer Agreement based upon the EU Model Clauses with that other group company in order to ensure that responsibility for the data is clearly identified, as both parties may be considered as Data Controllers.

    12.2: Where the other group company is located in a different country, the group companies involved in the processing shall be identified respectively as the data exporter and the data importer.

  13. Third Party Processors

    13.1: Similarly, where the Company relies on third parties to assist in its processing activities, the Company must choose a data processor who provides sufficient security measures and takes reasonable steps to ensure compliance with those measures, and, in the case of any third party within the US, who is also registered under the current EU-US and Swiss-US privacy legislation.

  14. Written Contracts For Third Party Processors

    14.1: The Company shall enter into a written contract with each data processor requiring it to comply with data protection legislation and security requirements imposed on the Company under local legislation.

  15. Audits Of Third Party Data Processors

    15.1: As part of the Company’s internal data auditing process, the Company shall conduct periodic checks on processing by third party data processors, in particular on the hand-off procedures for the data, especially in respect of security measures.

  16. Notice To Employees And Contractors Of Potential Sanctions For Non-Compliance

    16.1: The DPO shall notify employees and contractors of the Company that:

    • Failure to comply with relevant data protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and
    • They can be personally liable where an offense is committed by the Company with their consent or connivance, or is attributable to any neglect on their part.
    • Prevention of unauthorized persons from gaining access to data processing systems in which personal data is processed.
    • Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorizations.
    • Ensuring that personal data in the course of electronic transmission during transport or during storage on a data carrier cannot be read, copied, modified or removed without authorization.
    • Ensuring that personal data is protected against undesired destruction or loss.
    • Ensuring that data collected for different purposes can and will be processed separately.
    • Ensuring that data is not kept longer than stipulated in the data retention policy, including by requiring that data transferred to third persons be returned or destroyed.

  17. Compliance Measurement

    17.1: The DPO shall establish a schedule for and implement a privacy compliance audit.

  18. Implementation

    18.1: This Policy shall be available to employees.

    18.2: This Policy may be revised at any time, and at least annually, by the DPO. Notice of significant revisions shall be provided to employees through the company compliance system and to others via the Company’s website.