The terms “Privacy”, “Data Privacy” and “Data Protection” may be used in the same sense, as they refer to the complex set of legal requirements that apply to Personal Data, which is much broader than just Information Security and Confidentiality. For example, it includes requirements around transparency of data usage and the retention of data.
This Policy is based on the principles set out in GDPR. In case of any doubt, please contact the Data Controller at email@example.com.
2. Data Protection Principles
In the course of our business, we process Personal Data. This may include Personal Data we receive through our service opportunities, our client engagements, from marketing activities or from a range of other related and support activities. The data may be received directly from a Data Subject (for example, in person, via mail, email, telephone or from other sources), including, but not limited to, third parties, joint controllers, technical and non-technical subcontractors and support services.
All Staff should only collect Personal Data that is relevant and necessary to accomplish a corporate function and responsibility.
Market Engine is committed to adhering to the data protection principles set out by the GDPR, which are:
- Lawfulness, fairness and transparency: this means that we should have a legitimate basis for which we are processing Personal Data, for example a contractual relationship with the Data Subject, or that the processing is necessary for compliance with a legal obligation to which we are subject. It also means that we should inform the Data Subject about the processing in accessible and easy to understand communication;
- Purpose: we should only collect Personal Data for specified, explicit and legitimate purposes and not process the data further than for the purpose for which it was collected;
- Data Minimization: the Personal Data processed should be adequate, relevant and limited to what is necessary in relation to the purposes;
- Accuracy: we have an obligation to ensure that Personal Data is accurate and to keep Personal Data up to date, where required;
- Storage: we should not retain Personal Data for a longer period than what is necessary for the purposes for which it was processed, although we may retain certain data for historical and statistical purposes;
- Integrity and Confidentiality: we should have the right security controls in place to protect against unauthorized and unlawful processing and against accidental loss or destruction of, or damage to, Personal Data. This includes both technical and organizational measures such as defined processes and training and awareness;
- Data Subject Rights: Data Subjects have a number of rights that we should adhere to (for example the right to access a copy of the data we hold on them, and the right to opt out of direct marketing, which they have previously opted in to).
3. Fair and lawful Processing
Whenever we collect Personal Data, we must have a legal basis on which to collect and process the data. In accordance with GDPR, we must be able to identify at least one of the following reasons for handling Personal Data:
- Consent: The Data Subject has given consent for the data to be processed for one or more specific purposes;
- Contractual: The processing is necessary for the execution of a contract to which the Data Subject is party, or for pre-contractual procedures;
- Legal: The processing is necessary to comply with a legal obligation, to which the Data Controller is subject;
- Vital interests: The processing is necessary to protect the vital interests of the Data Subject;
- Public interest: The processing is necessary for the performance of a task carried out in the public interest;
- Legitimate interests: The processing is necessary for the purposes of the legitimate interests of the Data Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
When we act as a Data Controller, we must ensure that we have a legitimate ground to collect and process the Personal Data.
In some cases, we will be acting as a data processor on behalf of our client, in which case it is ultimately the responsibility of our client to ensure they have the correct basis for processing the Personal Data, including the right to share with us. However, we should take steps to ensure that our contract is clear on our own responsibilities in this regard, and that if we are collecting Personal Data directly from Data Subjects on behalf of clients, that we have the support to do so legitimately.
When a Special Category of Data is being processed, there are a further set of conditions that should be met. Please contact the Data Controller for further guidance at firstname.lastname@example.org.
GDPR requires us to provide the Data Subjects with information about the processing in order to ensure fair and transparent processing. Wherever we collect Personal Data from Data Subjects, we should ensure that we provide appropriate information on why we require the data and how we are going to process it. When Personal Data is collected through our website, this information is given in the form of a ‘Privacy Notice’.
4. Processed for specific purposes only
Whenever we collect and process Personal Data, we should ensure that we only use the data for the specific purposes that have been communicated to the Data Subject.
Market Engine should never process Personal Data for additional purposes that have not been communicated to the Data Subject. We must therefore be clear about the purpose of each processing activity, and, where we process data on behalf of clients, we must understand the purposes for which our clients collected the Personal Data.
5. Adequate, relevant and non-excessive Processing
When we collect and process Personal Data, we should follow the principle of data minimization. This means that we should only collect the minimum Personal Data necessary to do a particular task.
At the same time, we should ensure that we have an adequate amount of Personal Data to do a particular assignment properly. For example, we should collect no more Personal Data than is required and necessary to identify the Data Subject uniquely.
This also applies to any sharing and other processing activities. It is important to minimize the data held and processed; we should ensure that if we are sharing data internally or externally, or using data in activities such as testing, we should only use / share the minimum amount of data at each point.
6. Accuracy of Personal Data
We have an obligation to ensure that Personal Data is kept accurate and up to date. We should ensure that we have reasonable processes in place to keep data accurate where required, for example employee Personal Data or existing and prospective client Personal Data held by the relevant areas.
When acting as a Data Processor in relation to a client engagement, we will not be required to put in place mechanisms to keep that data updated; that will be the responsibility of the Data Controller, i.e. our client.
7. Retention of Personal Data
Personal Data should not be retained longer than required. This means that we should set and apply maximum retention periods to Personal Data that we process and put in place processes to delete the Personal Data upon expiry of the set retention period. Therefore, the following retention periods may apply:
- as long as is necessary for the relevant activity or services;
- any retention period that is required by law;
- the end of the period in which litigation or investigations might arise in respect of the services; or
- for the minimum period foreseen by contract.
8. Data Subjects Rights
GDPR requires us to inform individuals about the Personal Data we collect and the purposes and means for which it is processed. This Information is given in the form of a ‘Privacy Notice’.
- Right to Access
  - The Data Subject has the right to ask us for the information that we hold about them, the purpose of the Processing and the categories of Personal Data concerned.
  - We should inform the Data Subject of the recipients with whom we share their Personal Data, particularly if a recipient is in a third country or an international organization.
  - Where possible, we will define how long we need to retain Personal Data in order to meet our business purposes.
  - We should communicate to the Data Subject the existence of their right to object to the processing and of their right to rectification and erasure of Personal Data.
  - We should communicate to the Data Subject the existence of their right to lodge a complaint with the appropriate Supervisory Authority.
  - When data has been collected from someone other than the Data Subject himself/herself, we should communicate the source of that data to the Data Subject.
  - We should ensure that we have processes in place to identify and respond to Data Subject access requests without undue delay and no later than one month after receipt of the request.
- Right to Rectification
  - Data Subjects are entitled to have inaccurate data corrected. Market Engine will endeavor to rectify inaccurate data without undue delay.
- Right to be Forgotten
  - The Data Subject has the right to erasure (“right to be forgotten”). We will endeavor to erase data held without undue delay, except where there is a legal requirement for the retention of data. Please contact email@example.com before erasing any data if a request is received from a Data Subject.
- Children’s Rights
  - All individuals, including children, are protected under GDPR. For children below the age of 13, we should not process their Personal Data based on their consent, unless this is given or authorized by the person with parental responsibility over the child.
- Direct Marketing
  - We may send to our clients and third parties targeted marketing material from time to time to inform them of similar services, future events or other activities that we believe will be of interest to them. We will provide them with an option to opt out if they no longer wish to be contacted.
  - We will also ensure that we have processes in place that ensure that all opt-in preferences are recorded and respected.
For all matters concerning Data Subject rights please contact firstname.lastname@example.org.
9. Security of Data Held
Market Engine will keep information secure by protecting the Confidentiality, Integrity and Availability of the Personal Data, defined as follows:
- Confidentiality means that only people who are authorized can access the data;
- Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed;
- Availability means that authorized users should be able to access the data if they need it for authorized purposes.
10. Data Disclosure
All Staff should avoid any inappropriate disclosure of Personal Data and adhere to our general duties in relation to Confidentiality.
- Only disclose Personal Data we hold to third parties under instruction or where we have a legitimate basis to do so and no further restrictions are in place;
- Disclose Personal Data to third parties in the case where we sell or buy any business or assets, or where we are joint controller;
- Share Personal Data with a Third Party that is Processing data on our behalf. This may include transferring data to be processed in a third country.
Personal Data can usually be disclosed:
- To Employees or agents to enable them to perform their duties as Employees or agents;
- In instances where failure to do so would be likely to prejudice either the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty. Market Engine should have reasonable grounds for disclosing the data under this category in order to avoid criminal prosecution. All disclosures should be justified and documented.
For legal purposes data may be disclosed if:
- Required by statute, by any rule of law, by order of the regulator, supervisory authority or court;
- Made for the purpose of obtaining legal advice;
- Made for the purposes of, or in the course of, legal proceedings, or where it is necessary for defending or establishing legal rights; or
- For the safeguarding of national security.
11. Log information, cookies, and web beacons
12. Employee Information
Collection and Storage
Market Engine, as an employer, collects, processes and stores Personal Data from Employees, contractors, consultants, and applicants. HR units and other units that process such Personal Data should understand and document on what legal basis they are Processing Personal Data. This Personal Data should only be processed where there is a valid and lawful business purpose to do so.
Collection of Personal Data relating to our Employees, contractors, consultants and applicants occurs through a variety of channels and formats, such as: application forms; electronic web-forms, for example during the recruitment process; data logs; staff photographs; data from other sources such as previous employers; credit checks and security checks; etc.
Creation and storage of Personal Data relating to our Employees occurs through a variety of channels and formats, such as: pay slips; appraisal records; employment contracts; emails; sickness records; etc.
Training and Awareness
We are committed to providing appropriate Data Protection training to all Employees. If necessary, we will provide tailored training and awareness to certain individuals based on their job roles.
Process Design and Change
For all proposed new systems and business processes involving Personal Data, consideration should be given to whether a Privacy and Information Security Impact Assessment is required to identify risks and controls.
All staff should contact the Data Controller before adopting new processes to determine whether this is required.