- Controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
- Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- Third party is a natural or legal person, public authority, agency or body other than the Data Subject, the controller, the processor and persons who, under the direct authority of the Controller or the Processor, are authorised to process Personal Data.
- Personal data is any information relating to an identified or identifiable natural person (Data Subject).
- Data Subject is an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or being made available otherwise, alignment or combination, restriction, erasure or destruction.
- Customer is any natural or legal person who uses, has used, or has expressed a wish to use any services provided by SIA Mitigate or is in any other way related to them.
- Cooperation Partner is any natural or legal person with whom the Company works on joint projects or whose objectives are shared by the Company.
2. General Provisions
- 2.2. The Company shall ensure the confidentiality of personal data within the framework of applicable laws and regulations and has implemented appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful processing or disclosure, accidental loss, alteration or destruction.
- 2.3. In cases where the Company acts as a controller of personal data, it shall determine the purposes and means of personal data processing.
- 2.4. In cases where the Company acts as a processor of personal data, the Company shall process personal data on behalf of the controller.
- 2.5. In cases where the Company acts as a third party, the Company is authorised to process personal data under the direct supervision of the controller or processor.
- 2.6. In cases where the Company processes data, the Company may use approved personal data processors for personal data processing. In such cases, it shall take the necessary measures to ensure that such processors process personal data in accordance with the instructions of the Company and in accordance with applicable laws and regulations and require appropriate security measures to be taken.
3. How the Company obtains the data of natural persons (you)
- 3.1. The Data Subject (You) submits his/her data to the Company;
- 3.2. The Company receives personal data from its Customers or Cooperation Partners;
- 3.3. The Company receives personal data from third parties;
- 3.4. The Company records your data, which is located in the public space (social networks, your workplace website, etc.);
- 3.6. You participate in corporate events organised by us, where you can be photographed or filmed;
- 3.7. You participate in our surveys, contests, etc.;
- 3.8. You participate in business forums or business networking, or your contact information is created in social networks, such as LinkedIn, for the exchange of mutual communication.
In cases where the Company obtains data from the controller, any responsibility for informing the Data Subject shall rest with the relevant controller.
4. What personal data may be processed by the Company?
Depending on the nature of the data processing, the Company may process the following personal data.
- Personal identification data - name, surname, personal identification number/ID, date of birth;
- Personal contact information - address, telephone number, e-mail address;
- Personal workplace data - workplace, position held;
- Actions taken on internet websites - IP address, actions taken, date and time;
- Data published by a person on social networks;
- Survey and contest data - name or date of the survey or contest, date of the answer, questions/tasks of the survey and answers provided;
- Photos, videos of corporate events, date, place of the photos;
- Data of various categories, including, in exceptional cases, data of special categories, which the Company processes within the framework of various projects as a controller, processor or as a third party on the basis of the authorisation of the Controller.
5. Legal basis for data processing
- 5.1. Conclusion and performance of the agreement - in order for the Company to be able to conclude and perform the agreement concluded with the Customer or the Cooperation Partner, providing high-quality services, it must collect and process certain personal data.
- 5.2. Legitimate interests of the Company - in order to observe the interests of the Company based on compliance with the requirements of applicable laws and regulations and provide high-quality services and timely support to the Customer and/or Cooperation Partner, the Company may process personal data of the Customer or Cooperation Partner to the extent objectively necessary and sufficient. In addition, the processing of personal data providing information about news in the field in which the Company operates, new development opportunities, including direct marketing, as a result of which the Company can individually address various persons to inform them about news in the field, education and development opportunities, on opportunities to provide a new and/or individually prepared offer of the Company's products and services, shall be considered a legitimate interest. However, the Company respects the wishes of the Data Subject and provides an opportunity to opt out of receiving the above information.
- 5.3. Fulfilment of legal obligations - the Company is entitled to process personal data in order to comply with the requirements of the laws and regulations, as well as to provide answers to lawful requests of the state and local government authorities.
- 5.4. Consent of the Data Subject. The Data Subject himself/herself consents to the collection and processing of personal data for specified purposes. Consent is his/her free will and an independent decision that can be given at any time, thus allowing the Company to process personal data for specified purposes. The Data Subject may withdraw his/her prior consent at any time through the specified channels of communication with the Company. The applied changes shall come into effect within three working days. Revocation of consent shall not affect the lawfulness of processing which is based on the consent before revocation.
- 5.5. Protection of vital interests. The Company may process personal data in order to protect the essential interests of the Customer, Cooperation Partner or other natural person, for example if processing is necessary for humanitarian purposes, monitoring of natural disasters and epidemics caused by human beings and the spread thereof, or in emergency humanitarian situations (acts of terror, in technological disaster situations, etc.).
- 5.6. Exercise of official authority or public interest. The Company may process data in order to perform a task in the public interest or in the exercise of official authority legally granted to the Company. In such cases the grounds for personal data processing are included in the laws and regulations.
- 5.7. If the Company processes the data as a processor on the basis of a duly concluded agreement with the data controller, the Company shall follow the instructions given by the controller.
- 5.8. If the Company performs activities with personal data as a third party on the basis of a duly concluded agreement with the data controller, the Company shall comply with the authorisation granted by the controller.
6. Purposes of data processing
The following purposes of data processing are distinguished:
- 6.1. General management of relations with the Customer and the Cooperation Partner and provision and administration of access to products and services, in order to enter into and execute an agreement with the Customer and the Cooperation Partner; to ensure high-quality, timely service and cooperation during the term of the contractual relationship; to ensure the timeliness and accuracy of the data by checking and supplementing the data.
- 6.2. The Company shall process personal data in order to improve the provided services, inform the Company's existing and potential Customers and Cooperation Partners about news in the industry, opportunities for development, new and individualised offers.
- 6.3. Create a corporate link between the Company, Customers and Cooperation Partners.
- 6.4. Find out the opinion of the Customers, Cooperation Partners and others about the work of the Company, necessary improvements.
- 6.5. The Company is entitled to process the data for the above, as well as for other purposes, if there is a legal basis for it.
7. Rights of the Data Subject
The Data Subject has the following rights with regard to the processing of his/her data:
- 7.1. If the Company receives personal data from the Data Subject, the Company shall provide all of the following information to the Data Subject during the acquisition of personal data:
- 7.1.1. registration number and legal address, contact information of the Company;
- 7.1.2. the contact details of the data protection specialist, if any;
- 7.1.3. the purposes of processing for which the personal data is intended, as well as the legal basis for the processing;
- 7.1.4. legitimate interests if the processing is based on Article 6 (1) (f) of the Regulation;
- 7.1.5. recipients or categories of recipients of personal data, if any;
- 7.1.6. whether the data shall be transferred to a third country or international organisation, if so, the relevant information in accordance with the requirements of applicable laws and regulations.
- 7.2. In addition to the above, during the collection of personal data the Company shall show the Data Subject this Policy, which ensures fair and transparent processing, i.e.:
- 7.2.1. the Data Subject has the right to be informed of the period for which his or her personal data will be stored or, if that is not possible, the criteria used to determine that period;
- 7.2.2. the Data Subject has the right of access to his or her data, i.e. the right to rectify, erase, object to the processing as well as the right to data portability;
- 7.2.3. where processing is based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the Data Subject has the right to withdraw consent, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
- 7.2.4. the Data Subject has the right to submit a complaint to the supervisory authority;
- 7.2.5. the Data Subject has the right to know whether automated decision-making, including profiling, exists.
- 7.3. If the Company has personal data that is not obtained from the Data Subject, in cases where the Company is the controller, the Company, in addition to the above, shall inform the Data Subject about the source from which the personal data has been received.
- 7.4. If the controller intends to further process personal data for a purpose other than the purpose for which the personal data were obtained, the Company shall inform the Data Subject of such other purpose before further processing and provide the Data Subject with all relevant additional information, unless the provision of such information requires a disproportionate effort.
- 7.5. In cases where the Company is a processor or a third party, the Company shall act in accordance with the task or authorisation of the controller; in the case of a request from the Data Subject, the controller shall be informed immediately of the request received.
8. Retention period
Personal data is only processed for as long as necessary for achieving the purpose of processing. The retention period may be based on the concluded agreements, the Company's legitimate interests or applicable laws and regulations.
9. Technical and organisational requirements for data protection
- 9.1. The Controller shall ensure, review on a regular basis and improve the personal data protection measures in order to protect personal data of the Data Subject from unauthorised access, accidental loss, disclosure or destruction. To ensure this, the Company shall use modern technologies and technical and organisational measures, including appropriate software (firewalls, intrusion detection, analysis software and data encryption), as well as physical data protection (access code at the front door) and an alarm.
- 9.2. The Company shall carefully inspect all service providers who process personal data on behalf and upon instruction of the Company, as well as assess whether cooperation partners (processors of personal data) apply appropriate security measures to ensure that personal data is processed in accordance with the Company's delegation and requirements of the laws and regulations.
- 9.3. The Company shall regularly train its employees and ensure their qualifications are maintained.
- 9.4. The Company shall not be liable for any unauthorised access to personal data and/or loss of personal data if it is beyond the Company's control, for example due to the fault and/or negligence of the Customer or the Cooperation Partner or the Data Subject.
10. Processing area
- 10.1. Personal data shall normally be processed in the European Union/European Economic Area (EU/EEA), but in some cases it may be transferred and processed in non-EU/EEA countries.
- 10.2. The transfer and processing of personal data outside the EU/EEA may take place if there is a legal basis for doing so, namely to fulfil a legal obligation, enter into or perform an agreement, or in accordance with the Customer's consent, and appropriate security measures have been taken. Appropriate security measures include:
  - An agreement has been concluded, including standard clauses of the EU Treaty or other approved provisions, codes of conduct, certifications, etc., which have been approved in accordance with the General Data Protection Regulation;
  - In the non-EU/EEA country where the recipient is located, an adequate level of data protection is ensured in accordance with the decision of the EU Commission;
  - The recipient is certified under the Privacy Shield (applies to recipients located in the United States).
- 10.3. Upon request, the Customer can receive more detailed information on the transfer of personal data to countries outside the EU/EEA.
11. Contact information
- 11.1. The Data Subject may contact the Company regarding any matter, withdraw his/her consent, make requests for information, use Data Subject rights and submit complaints on the use of personal data.
- 11.2. The contact information of the Company is available at www.mitigate.dev in the contact section.
- 11.3. Responsible for data processing: email@example.com
Approved on 01 July 2020. Revised on 29 September 2022. The next review shall take place by no later than 29 September 2023.