Data Protection Statement
The EU's General Data Protection Regulation ("GDPR") will enter into force across the European Union on 25 May 2018 and will bring the most significant changes to data protection legislation in two decades. Based on the concept of "privacy by design" and adopting a risk-based approach, the GDPR has been designed to meet the requirements of the digital age. The 21st century brings with it a wider use of technology, new definitions of what constitutes personal data and a considerable increase in cross-border processing. The new Regulation aims to standardise data protection laws and data protection processing across the EU, giving individuals more extensive and consistent rights to access and control their personal information.
Poulo-Condor is committed to ensuring the security and protection of the personal information we process and to providing a compliant and consistent approach to data protection. We have always maintained a robust and effective data protection programme that complies with applicable legislation and with data protection principles. However, we recognise our obligation to update and extend this programme to meet the requirements of the GDPR. Poulo-Condor is dedicated to the protection of personal information under our control and to the development of an effective data protection regime, tailored to this objective and demonstrating an understanding of and compliance with the new regulations. Our preparation and compliance objectives for the GDPR have been summarised in this statement and include the development and implementation of new roles, policies, procedures, controls and data protection measures to ensure maximum and ongoing compliance. Poulo-Condor already has a high level of data protection and security throughout our organisation. However, our goal is to be fully compliant with the GDPR. Our preparation therefore includes:
Conducting a company-wide information audit to identify and assess the personal information we hold, where it comes from, how it is processed and who has access to it.
POLICIES AND PROCEDURES
We are also revising our data protection policies and procedures to meet the requirements and standards of the GDPR and all relevant data protection laws.
Our key data protection policy and procedure document has been revised to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we adequately understand, communicate and demonstrate our obligations and responsibilities.
DATA RETENTION AND DELETION
We have updated our retention policy and schedule to comply with the principles of "data minimisation" and "storage limitation" and to maintain, archive and destroy personal information in a compliant and ethical manner. We have dedicated deletion procedures in place to meet the new "Right to Erasure" obligation and are aware of the application of this right and the rights of other data subjects, as well as all exemptions, response times and notification responsibilities.
- All so-called sensitive data, such as chats, photos and emails, will be automatically deleted 12 months after their creation. Customers will not have access to them after this period.
- A customer who closes his or her account will have all personal data (except billing data) deleted.
- Poulo-Condor keeps only the minimum amount of customer data necessary for the correct operation of the platform.
- Customers' email addresses are only used for email marketing and only if the customer gives his or her consent (opt-in). Any customer who no longer wishes to receive emails from us can let us know by contacting us; his or her email address will then be removed from the list.
- Absolutely no customer data is resold/disclosed to third party users.
- The experts do not have access to any customer data other than their pseudonyms and the emails & chats/photos exchanged between the customer and the expert.
- We also strongly advise clients not to give private data such as first and last names, phone numbers, email addresses etc. to the experts.
Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breaches as soon as possible. Our procedures are robust and have been communicated to all employees, making them aware of reporting lines and steps to follow.
INTERNATIONAL DATA TRANSFERS AND THIRD PARTY INFORMATION
In the event that Poulo-Condor stores or transfers personal information outside of the EU, we have robust procedures and safeguards in place to secure, encrypt and maintain the integrity of the data. Our procedures include an ongoing review of the procedures and laws of those countries, as well as standard data protection clauses or codes of conduct approved for those countries. We conduct rigorous due diligence on all recipients of personal data to assess and verify that they have appropriate safeguards to protect the information, guarantee the rights of data subjects and have effective legal recourse for data subjects where necessary.
REQUEST FOR ACCESS TO YOUR DATA
We have revised our procedures to reflect the 30-day time limit for providing the requested information and to make this provision free of charge. Our new procedures detail how to verify the individual concerned, what steps to take to process an access request, what exemptions apply and a series of response templates to ensure that communications with the individuals concerned are compliant, consistent and appropriate.
LEGAL BASIS FOR THE DATA PROCESSING
We review our consent mechanisms for obtaining personal data, ensure that individuals understand what they provide, why and how we use it, and provide clear and defined means for us to process their information. We have developed rigorous processes for recording consent, ensuring that we can prove your acceptance, as well as date and time records, and an easy way to see and access your consent at any time.
Data Protection Impact Assessments (DPIAs) - where we process personal information considered to be high risk, we have developed rigorous assessment procedures and templates to carry out impact assessments that comply with the requirements of Article 35 of the GDPR. We have put in place documentation processes that record each assessment, allow us to assess the risk posed by the processing activity and implement mitigation measures to reduce the risk posed to the data subject(s).
Use of third party services - where we use a third party to process personal information on our behalf (e.g. PAYPAL, SOFORT, OGONE, MAILCHIMP), we have verified that the processing is in compliance with the GDPR obligations. This includes initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
When we obtain and process sensitive information, we do so in full compliance with the requirements of Article 9 and have encryption and protections on all such data. Sensitive data is not processed. Your consent for processing is explicit and the right to change or withdraw consent is clearly indicated.
YOUR RIGHTS AS USERS OF OUR SERVICES
In addition to the policies and procedures mentioned above which ensure that individuals can assert their data protection rights, we provide easily accessible information through our Poulo-Condor site. Users of our services may therefore request:
- What personal data we hold about them
- Why we hold this information
- Who has access to this data
- How long we store personal data
- The deletion of personal data
Users also have the right to object to any direct marketing from us, the right to file a complaint or seek legal recourse, and the right to be told who to contact in such cases.
INFORMATION SECURITY AND TECHNICAL AND ORGANIZATIONAL MEASURES
Poulo-Condor takes the privacy and security of individuals and their personal information very seriously and takes all measures and precautions to protect and secure the personal data we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction. These include multiple layers of security measures, including: SSL encryption, access controls, password policy, screen name recognition, data access restrictions, and internal company data management practices.