1. Who collects your personal data
As from 25 May 2018, Superablemind (S.A.M) will be subject to and will comply with the revised data protection rules applicable in the European Union under the General Data Protection Regulation (the “GDPR”).
In line with our commitment to protect your personal data, we want to inform you and explain in all transparency:
– why and how S.A.M collects, uses and stores your personal data
– what your rights and our obligations are in relation to such processing
2. What type of personal data do we collect?
This information may either be directly provided by you, communicated to us by the legal entity for whom you work (e.g. if you are the contact person designated by your employer to manage the S.A.M programme), supplied to us by one of our service providers (e.g. financial institutions or recruiters) or obtained from publicly available sources (e.g. social media profiles).
3. Website visitors
For visitors, we may also collect the following information :
- information in relation to your visit (such as the day, time) ; and
- electronic identification data (HTTP header fields, IP address, browser identification information, information on hardware and software, location data if available) ; and
- information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model).
Whenever personal data is collected (e.g. in forms), we will indicate whether the provision of such data is mandatory (e.g. with an asterisk) and the consequences of a refusal to provide the requested data.
4. When do we collect personal data?
Personal data will be collected by S.A.M:
- whenever individuals apply to become a client of S.A.M
- whenever clients interact with S.A.M, its personnel, its IT equipment and other systems;
- whenever S.A.M interacts with (the representatives of) our professional contacts and suppliers;
- whenever individuals visit our website
5. On which legal basis and for what purposes do we process personal data?
We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process personal data if:
- we have obtained your prior consent;
- the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
- the processing is necessary to comply with our legal or regulatory obligations;
- the processing is necessary to protect your vital interests or those of another natural person; or
- the processing is necessary for the legitimate interests of S.A.M and does not unduly affect your interests or fundamental rights and freedoms. Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interest and your privacy. Examples of such ‘legitimate interests’ are :
o to obtain another expert opinion from within the S.A.M team
o to facilitate communications with (representatives of) our professional contacts (e.g. we may communicate professional contact details of one of our employees to a business relation, indicating that this person is the contact person within the S.A.M organisation) ;
o to prevent fraud or criminal activity as well as to protect the security of our IT systems, architecture and networks; and
o to meet our corporate and social responsibility objectives
6. Purposes of processing
In relation to prospective, current and former clients of S.A.M, we process personal data for :
- recruitment activities;
- personnel administration
- payroll management
- performance reviews (such as appraisals, client support, practitioner support, evaluations and benefit analysis)
- monitoring employees’ activities in the workplace, including compliance with policies as well as health and safety rules in place;
- managing any disciplinary action and handling internal complaints relating to violence, moral harassment and undesirable (sexual) conduct;
- replying to an official request from a public or judicial authority with the necessary authorisation;
- ensuring compliance and reporting (such as complying with our policies and legal requirements, income tax and insurance deductions, managing alleged cases of misconduct or fraud, conducting audits, defending litigation);
- ensuring business continuity;
- managing mergers and acquisitions involving our company;
- any other purposes imposed by law and authorities.
In relation to our professional contacts, we process personal data to :
- manage our public relations ;
- organise events (including sending out invitations, thank you notes) ;
- respond to donations to charities linked to S.A.M (such as sending thank you notes and tax deduction forms) ; and, as the case may be,
- handle limited sales of goods ; and
- handle billing and invoicing.
(Website) visitors and any third parties following our company, such as journalists
In relation to the S.A.M (website) visitors and any third parties following our company such as analysts and journalists, we process personal data to :
- manage suppliers and service providers, analysts and journalist relationships ;
- improve our website (e.g. diagnose server problems, optimise traffic, integrate and optimise web pages where appropriate) ;
- measure the usage of our website (e.g. by drawing up statistics about the traffic or by gathering information regarding the users’ behaviour and the pages they visit) ;
- monitor and prevent fraud, infringement and other potential misuse of our website ; and
- manage our premises.
In addition to the above specific purposes, we process all collected personal data for the following general purposes :
- storing contact details (e.g. business cards) ;
- manage and administer the relationship between S.A.M and our clients
- manage our IT resources, including infrastructure management & business continuity;
- preserve S.A.M’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation) ;
- comply with any legal obligations imposed on S.A.M in relation to its activities;
- reply to an official request from a public or judicial authority with the necessary authorisation ;
- accounting, archiving and record-keeping; and
- manage mergers and acquisitions involving S.A.M.
7. How do we protect personal data?
We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account :
(i) the state of the art of the technology ;
(ii) the costs of its implementation ;
(iii) the nature of the data ;
(iv) and the risk of the processing.
The purpose of these measures is to protect your personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.
Moreover, when handling your personal data, we:
- only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes ; and
- ensure that your personal data remains up to date and accurate. For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
8. Who has access to personal data and with whom are they shared?
Transfers within S.A.M
We may transfer personal data to our members of personnel (S.A.M neuro-practitioners) to provide support and to gain a better understanding of our clients, depending on the expert in that area. In all cases, the personal data will be processed only for the purposes set out in Section 4.2.
Transfers to third parties
We may transfer or give access to personal data to third parties outside S.A.M to complete the purposes listed in Section 4 above, to the extent they need it to carry out the instructions we have given to them. Such third parties may include:
· our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets ; and
· any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.
The above third parties shall be contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
Transfers outside the European Economic Area
The personal data transferred by S.A.M may also be processed in a country outside the European Economic Area (“EEA“), which covers the EU Member States, Iceland, Liechtenstein and Norway. Non-EEA countries may not offer the same level of personal data protection as EEA countries.
If your personal data is transferred outside the EEA, we will therefore put in place suitable safeguards to ensure such transfer is carried out in compliance with the applicable data protection rules. You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below.
9. How long do we store your data?
We will only retain personal data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
We only keep data related to candidates for recruitment purposes for a maximum period of two years. For current employees, the retention period is the time of your employment, unless overriding legal or regulatory schedules require a longer or shorter retention period.
For clients, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period.
Personal data collected and processed in the context of a dispute are deleted (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.
When the above retention periods expire, your personal data is removed from our systems. However, if individuals wish to have their personal data removed from our databases, they can make a request as described in Section 8, which we will review as set out below.
10. What are your rights and how can you exercise them?
You have a right of access to your personal data as processed by S.A.M under this policy. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction thereof. S.A.M will promptly correct any such information.
You also have the right to:
• request the erasure of your personal data;
• request the restriction of the processing of your personal data ;
• withdraw your consent where S.A.M obtained your consent to process personal data (without this withdrawal affecting the lawfulness of processing prior to the withdrawal) ;
• object to the processing of your personal data for direct marketing purposes; or
• object to the processing of your personal data for other purposes in certain cases where S.A.M processes your personal data on another legal basis than your consent.
S.A.M will review such requests, withdrawal or objection and honour them as required under the applicable data protection rules.
In addition, you also have the right to data portability. This is the right to obtain the personal data you have provided to S.A.M in a structured, commonly used and machine-readable format and to request the transmission of such personal data to a third party, without hindrance from S.A.M and subject to your own confidentiality obligations.
Exercising your rights
If you have a question or want to exercise the above rights, you may send an email to Anastasia Hatzavasilou (Anastasia@superablemind.com) with a scan of your identity card for identification purposes, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.
If you are not satisfied with how we process your personal data, please address your request to Anastasia Hatzavasilou (firstname.lastname@example.org), Superablemind Ltd, Central Working Victoria, 25 Eccleston Place, London, SW1W 9NF, United Kingdom, who will investigate your concern.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
11. Updates to this policy
This policy may be subject to amendments. Any future changes or additions to the processing of personal data as described in this policy affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.