2.1: The Policy applies to all Company full-time and part-time employees, contractors, and any other category of collaborator, supplier or partner who has access to personal data collected or processed by the Company, regardless of geographic location.
2.2: The Company will establish its status for all data processing as either a Data Controller, or Data Processor acting for another Data Controller.
Consent: consent means “any freely given specific and informed indication of his wishes by which the Data Subject signifies agreement to personal data relating to him being processed.” Consent may be obtained by a number of methods. These may include clauses in employment contracts, check boxes on replies to application or purchase forms, and click boxes on online forms where personal data is entered. In most European Union countries, consent to the processing of sensitive personal data needs to be clear and unequivocal. This generally means that some form of specific, active consent is required.
Data: Data (whether or not having an initial capital letter) as used in the Policy shall mean information which either:
Data Controller: data controller means a person who (alone or with others) determines the purposes for which and the manner in which any personal data is, or is to be, processed. In most cases, the Company itself will be the data controller.
Data Exporter: data exporter means the data controller or data processor who transfers the personal data abroad.
Data Importer: data importer means the data controller or data processor who agrees to receive personal data from the data exporter for further processing in accordance with the terms of the Policy and the relevant data transfer agreement.
Data Processor: data processor means any person, other than an employee of the data controller, who processes the data on behalf of the data controller. A company may be a data processor if defined as such under contractual terms with the data controller.
Data Protection Authority: a body that is tasked with the protection of data and privacy. The authorities are set up to uphold information rights in both the public and private interest.
Data Security: measures that the controller and processor must implement for compliance with the data protection principles by design and default and to ensure a level of security appropriate to the risk to the rights and freedoms of individuals, taking account of the state of the art, the cost of implementation and the nature, scope, context and purposes of processing.
Data Subject: data subject means the person to whom the data refers. Data subjects include customers and web users, individuals on contact or e-mailing lists or marketing databases, employees, contractors and suppliers.
EU-US and Swiss-US Privacy Shield Frameworks: the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.
Personal Data: personal data means data related to a living individual who can be identified from those data or from those data and other information in the possession of, or likely to come into the possession of, a data controller or data processor. Personal data does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.
Processing: processing covers a wide variety of operations relating to data, including obtaining, recording or holding the data or carrying out any operation or set of operations on the data, including:
Relevant Filing System: relevant filing system means any set of information relating to individuals, whether kept in manual or electronic files, structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. Therefore any digital database and/or organised manual files relating to identifiable living individuals fall within the scope of data protection laws and regulations, while a database of pure statistical or financial information (which cannot either directly or indirectly be related to any identifiable living individuals) will not.
Sensitive Data: sensitive data means personal data containing information as to the data subject’s:
Technology: technology is to be interpreted broadly, to include any means of collecting or processing data, including, without limitation, computers and networks, telecommunications systems, video and audio recording devices, biometric devices, closed circuit television, etc.
4.1: The Company’s data compliance program will be overseen by Mr. Steven Clay Turner (hereinafter the “data privacy official” or “DPO”), one of the two founders of the Company. The DPO may be assisted by locally appointed compliance staff and internal auditors, and may delegate competencies to qualified data protection specialists.
4.2: The DPO or an appointed data protection specialist will implement the Company’s international data protection policy and procedures, as well as any additional duties laid down by Data Protection Laws, including but not limited to:
5.1: The Company has adopted the following principles to govern the collection, use, processing and transmittal of personal data:
5.2: Measures shall be taken to:
6.1: Personal data shall not be transferred to another entity, country or territory, unless reasonable and appropriate steps have been taken to establish and maintain the required level of data security.
6.2: Personal data may be communicated to third persons only for reasons consistent with the purposes for which the data was originally collected or other purposes authorized by law.
6.3: All transfers of personal data to third parties for further processing shall be subject to written agreements.
6.4: EU personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognized by the EU as having an adequate level of data security, or to the United States under the EU-US and Swiss-US Privacy Shield Frameworks.
6.5: Subject to the provisions of the above, personal data may be transferred where any of the following apply:
7.1: The Company’s Chief Information Officer (CIO) shall establish a procedure for assessing the impact of any new or existing technology on the privacy and security of personal data.
7.2: No new system or new version of an existing system shall be made available for use until the DPO has obtained confirmation, in writing, from the CIO that there will be no breach of any data protection legislation.
8.1: Personal data shall be collected only from the data subject unless the nature of the business purpose requires collection of the data from other persons or bodies.
8.2: If personal data is collected from someone other than the data subject, the business unit collecting the data must have confirmation, in writing, from the supplier of the data that there is a lawful basis for the transfer of the personal data to the Company and for its processing.
9.1: Data subjects shall be entitled to obtain information about their own personal data held by the Company by making a written request.
9.2: The Company shall provide its response to such a request within 40 days from the date of the written request, or within a shorter timescale if required by applicable data protection legislation.
9.3: Data subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated, or incomplete personal data held about them.
10.1: Sensitive personal data should not be processed unless:
11.1: Personal data must be kept only for the period necessary for permitted uses.
11.2: Personal data shall be erased if its storage violates any data protection law or at the request of the data subject.
12.1: If the Company relies on another group company to assist in its processing activities, the Company will enter into a Data Transfer Agreement based upon the EU Model Clauses with that other group company in order to ensure that responsibility for the data is clearly identified, as both parties may be considered as Data Controllers.
12.2: Where the other group company is located in a different country, the group companies involved in the processing shall be identified respectively as the data exporter and the data importer.
13.1: Similarly, where the Company relies on third parties to assist in its processing activities, the Company must choose a data processor who provides sufficient security measures and takes reasonable steps to ensure compliance with those measures, and, in the case of any third party within the US, must ensure that it is also registered for the EU-US and Swiss-US Privacy Shield.
14.1: The Company shall enter into a written contract with each data processor requiring it to comply with data protection legislation and security requirements imposed on the Company under local legislation.
15.1: As part of the Company’s internal data auditing process, the Company shall conduct periodic checks on processing by third-party data processors, in particular on the hand-off procedures for the data and the security measures applied to it.
16.1: The DPO shall notify employees and contractors of the Company that:
18.1: The DPO shall establish a schedule for and implement a privacy compliance audit.
19.1: This Policy shall be available to employees
19.2: This Policy may be revised at any time but at least annually by the DPO. Notice of significant revisions shall be provided to employees through the company compliance system and to others via the Company’s website.