1.1 In order to serve customers, the company collects personal data from customers, prospective customers and employees.
The reason for this is that the company wants to provide a high level of customer protection, as confidentiality is the most important factor in gaining and maintaining trust between the company and its employees, suppliers and customers.
The assurance of a high level of personal data protection is accompanied by compliance with certain organisational and technical measures. The company has therefore put in place a number of internal and external data protection policies that are mandatory for employees to comply with.
It is also the Company's responsibility to document, review and monitor internal compliance with its data protection policy and the relevant statutory data protection requirements, which includes the GDPR (General Data Protection Regulation).
1.2 “Personal data” means any information that relates to an identified or identifiable natural person. For a general understanding, an identified natural person is one that can be recognised directly or indirectly, in particular by an identifier such as name, location data, telephone number, age or gender. Identified natural persons can be customers, employees, applicants, suppliers, business partners and others. In addition, this document covers different categories of personal data and sensitive information, including: health indicators, account number, identification number, location data, online identity and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
1.3 Information about companies or business enterprises is not personal data, but it should be noted that contact details at such companies or business enterprises, such as name, job title, work email address, work telephone number and others are considered personal data.
1.4 The Company collects personal data solely for legitimate business purposes, which include establishing and maintaining relationships with customers and suppliers, fulfilling purchase orders, hiring and managing all aspects of employment, exchanging information, fulfilling legal obligations and requirements, fulfilling contracts, providing customer service and other.
1.5 Personal data will be:
- processed lawfully, appropriately and transparently in relation to the data subject;
- collected for the stated explicit and legitimate purposes and not subsequently processed for any other purpose that is inconsistent therewith;
- appropriate and relevant to the purpose of the processing and used only to the extent necessary for that purpose;
- subject to all possible measures to ensure that personal data which is inaccurate as to the purpose of the processing is deleted or corrected within a reasonable time;
- stored in a form that ensures the identification of data subjects only for the period required for the purposes for which such personal data is being processed;
- processed in a manner that ensures the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
1.6 It is the company's responsibility to comply with the above points.
2. Legal basis for processing personal data
2.1 Legal basis on which the principle of personal data processing is based:
- a legal obligation or claim;
- fulfilment of the terms of a contract to which the data subject is a party;
- the consent of the data subject for one or more specific purposes;
- legitimate interests pursued by the Company
2.2.1 The collection, registration and further processing of personal data of customers, suppliers, business partners and employees is based on the consent of the identified individual to the processing of his/her personal data for one or more specific purposes. In turn, the Company must be able to confirm that the data subject has consented to the processing of such personal data.
2.2.2 Consent to the processing of personal data by an identified individual must be specific, unambiguous and given voluntarily after receiving the necessary explanations. The data subject must therefore promptly provide personal consent to the processing of his or her personal data by means of a declaration or explicit confirmatory action.
2.2.3 A request by the Company for an agreement on the part of the data subject must be provided in a clear and comprehensible form, using plain literate language.
2.2.4 In order for the Company to be able to process categories of personal data, i.e. personal data, consent on the part of the Customer must be expressed in a structured way.
2.2.5 A data subject has the right to refuse to provide personal data at any time. Once the opt-out follows, the Company undertakes to cease collecting and processing any personal data of the subject, provided that the Company is not legally obliged or entitled to do so.
2.3 Performance of the terms of the contract:
2.3.1 The collection and processing of personal data in connection with the performance of the terms of a contract to which the data subject is a party, or to carry out actions requested by the data subject prior to signing the contract, is lawful. This statement applies to all contractual obligations and agreements signed by the company, including those during the pre-contract period, regardless of the outcome of contract negotiations.
2.4 Compliance with legal obligations on the part of the Company and the Client
2.4.1 It is the responsibility of the Company to comply with any and all legal obligations that are based on the requirements and legislation of the European Union or its member states. Similar legal circumstances that are relevant to the Company may constitute a legitimate justification for processing the Customer's personal data.
2.4.2 Legal agreements include the obligation to collect, register and (or) provide certain types of information about employees, customers, etc. Similar legal requirements are the legal basis for the processing of personal data.
2.5 Company interests
2.5.1 All data will be processed in the case of legitimate interests pursued by the Company, where such interests or fundamental rights have priority legal effect over the rights of the data subject. At the time of making the decision to process the data, the Company will first ensure that the legitimate interests have priority in law over the rights and freedoms of the individual and that the processing will not cause unlawful harm.
3. Principle of processing and transmission of personal data
3.1 Company as the primary regulator of personal data processing
3.1.1 When a data subject signs an agreement with the Company, the Company begins to be regarded as the controlling entity processing personal data in its entirety. Such provisions allow the Company to make certain decisions on how the subject's personal data will be processed.
3.2 Use of data processing companies
3.2.1 External data processors are those companies that process personal data on behalf of the company and as directed. An example would be the Company's control of HR systems, third party IT vendors and others. If the Company engages third parties to process personal data, the company requires them to ensure a high level of confidentiality. If this condition is not guaranteed, the Company is obliged to choose another data processor.
3.3 Data processing agreements
3.3.1 Before making any transfer of personal data the company undertakes to enter into a written data processing agreement with the data processor. The agreement allows for control by the Company over the processing of personal data that is carried out outside the Company and for which the Company is responsible.
3.3.2 If the data processor or co-processor is geographically outside the EU/EEA, the conditions in 3.4.4 below shall apply.
3.4 Regulation on disclosure of personal data
3.4.1 Before disclosing personal information to trusted parties, it is the Company's obligation to verify whether the recipient is bound by a cooperative agreement with us. Please note, the Company has the right to share personal information internally provided that the disclosure is justified by a legitimate business purpose.
3.4.2 The Company shall ascertain from the recipient whether there is a legitimate purpose for obtaining personal data and shall require that the transfer of personal data be limited and kept to the minimum necessary.
3.4.3 The company must consider all risks involved in the transfer of personal data to individuals, data subjects or legal entities outside the organisation.
3.4.4 In a situation where a third party recipient is located outside the EU/EEA in a country where the appropriate level of data protection is not ensured, the transfer of information is only permitted subject to the conclusion of a data transfer agreement between the Company and the third party. Please note that the data transfer agreement is to be based on the EU Model Contractual Clauses.
4. Rights of data subjects
4.1 Information obligations
4.1.1 Where the Company performs the collection and registration of the personal data of subjects, the Company undertakes to inform such persons of:
- the purposes for which the personal data are to be processed, as well as the legal basis for the processing;
- categories of personal data affected;
- the legitimate interests pursued by the Company if the processing is based on a balance of interests;
- the recipients or categories of recipients of personal data, if any;
- if applicable, that the Company intends to transfer the personal data to a third country, and the legal basis for such transfer;
- the period during which the personal data will be retained or, if that is not possible, the criterion used to determine such period;
- the right to request access, rectification or deletion of personal data, to restrict or object to the processing concerning the data subject, as well as the right to data portability;
- where the processing is based on the consent of the data subject, the right to withdraw the consent at any time, without affecting the lawfulness of processing on the basis of the consent prior to withdrawal;
- the right to complain to the Company through due process or to a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement or a requirement for entering into a contract, and whether the data subject is obliged to provide personal data and the possible consequences of not providing such data;
- the existence of an automated decision-making process, including profiling, and meaningful information on the logic applied and the importance and possible consequences of this processing for the data subject.
4.2 Access control
4.2.1 The Company processes the personal data of any person, including employees of the organisation, job applicants, external suppliers, potential clients, business partners and others who have the right to request access to their personal data, which the Company processes and stores.
4.2.2 The data subject has the right of access to personal data and the right to know the reasons for processing the data in accordance with the criteria, provided that the Company has access to the storage and processing of the data subject's personal data.
4.3 The Company undertakes to correct the subject's inaccurate personal data upon first request and without undue delay.
4.4 The data subject has the right to request the complete deletion of personal data from the Company. In return, the Company undertakes to delete the personal data without undue delay if it is not obliged to retain any information for a specified period as required by law (meaning the requirements of the Financial Supervision Authority or the tax authorities).
4.5 If the request is applicable, the data subject has the right to request that the Company restrict the processing of personal data.
4.6 The data subject has the right to have personal data recorded, which will be in a machine-readable format and presented in a common and structured way.
4.7 Subject to the specific personal situation, a data subject has the right to challenge the processing of personal data in respect of such a data subject at any time if the processing is based on a balance of interests, including profiling.
4.8 The Company undertakes to respond promptly to any request it receives from a data subject regarding the exercise of the rights described in this clause, and no later than 30 days after receipt of the request. The request will be immediately forwarded to the Service Centre. The specialist of the Company who is responsible for the data protection of the particular data subject is obliged to assist the Service Centre in processing the request in order to meet the deadline for response.
5. Methods taken to protect data
5.1 The Company undertakes to develop new products, services, technical solutions and other developments in such a way that they will be safe for use and comply with the principles of special data protection and data protection by default.
5.1.1 Special data protection methods are understood to mean that special attention should be paid to data protection during the development of new services or products.
- The Company for its part undertakes to take into account the technical level, the cost of implementation and the nature, scope, context and purpose of the processing, as well as the risks of varying degrees of probability and criticality that the processing poses to the rights and freedoms of natural persons;
- The Company undertakes, both at the time of determining the manner of processing and during the processing itself, to apply appropriate technical and organisational measures, such as conversion into anonymous form, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate necessary safeguards into the data processing in order to meet data protection requirements and protect the rights of data subjects.
5.1.2 Default data privacy protection requires the implementation of innovative data minimisation techniques.
- The company undertakes to apply appropriate technical and organisational measures to ensure that only such personal data required for each specific purpose of processing is processed by default.
- Such a minimisation requirement applies to the amount of personal data collected, the extent of processing, the period of storage and the availability of such data.
- Such measures are designed to ensure that access to personal data is granted by default only after careful consideration.
6. Stages of personal data processing
6.1 The Company acts as a supervisory organisation processing personal data. It is the Company's responsibility to maintain complete confidentiality during the recording of the processing. The following information should be recorded in the records:
- name and contact details;
- the purpose of the processing;
- a description of the categories of data subjects and categories of personal data;
- recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organisations;
- if applicable, details of transfers of personal data to third countries, including an indication of such third country and, if relevant, details of relevant safeguards;
- if applicable, the time limits for the deletion of the various categories of data;
- if applicable, a general description of the technical and organisational security measures applied.
6.1.1 It is the Company's obligation to provide data records at the request of the relevant data protection authorities.
7. Elimination of personal data
7.1 The Company undertakes to dispose of personal data, provided there is no lawful reason to continue processing or storing personal data.
7.2 The Company's Data Retention and Sharing Policy sets out details of retention periods for different categories of personal data.
7.3 Upon termination of their relationship with the Company, clients or potential clients have the right to request the complete deletion and anonymisation of their personal account details.
7.4 Before commencing cooperation, the Company will analyse and assess its customers' (prospective customers') data protection rights against the requirements of other relevant regulations. Please note that when registering personal data, any action is subject to legislation on financial transactions, accounting regulations, customer protection standards and others.
7.5 The Company warns that personal data will be deleted if there is no necessary legal basis for its continued retention. The standard timeframe for deleting customer information is the current year plus five years after the end of the customer relationship.
7.6 The Company Policy provides that the personal data of potential customers will be deleted or anonymised at their request within a short period of time, but the procedure may take up to one month.
7.7 The data of those customers who have caused losses to the Company may be retained for a longer period in order to protect against further losses or to satisfy legitimate financial claims.
7.8 The provision above states that at the end of any period of co-operation, the Company will permanently delete or anonymise all personal data.
8. Likely risks
8.1 If the processing of personal data exposes those individuals whose personal data is being processed to a high degree of risk, a Privacy Impact Assessment (DPIA) should be carried out.
8.1.1 Conducting privacy impact assessments assumes that the Company considers the full scope, context, nature, purpose of the processing, risks of varying degrees of probability and criticality in relation to the rights and freedoms of individuals, will apply appropriate technical and organisational measures to conduct the processing in accordance with data protection requirements and will be able to demonstrate such.
8.2 Technical and organisational measures shall be reviewed and updated at least once every six months.
8.2.1 As part of the demonstration of compliance with the relevant technical and organisational measures, compliance with the rules of conduct or approved certification mechanisms shall be required of both legal parties.
- to assess creditworthiness;
- to provide clients and potential clients with information about the company's products and services that may be of interest to them;
- to assist in identifying potential cases of financial crime
10. International requirements
10.1 The Company undertakes to observe the General Data Protection Regulation and the data protection laws of the individual countries.
10.2 If national law in a particular country requires a higher level of protection of personal data than the Company can provide, the Company will comply with those requirements. If policies or guidelines are stricter than local law, then the Company's policies or guidelines must be followed.
11. Contact details
11.1 If customers or prospective customers have any questions about the contents of this policy, they should contact the Company's data protection officer at [email protected]