TERMS AND CONDITIONS REGARDING THE RECEIPT, STORAGE AND DEALING WITH CUSTOMER/SUPPLIER DATA
The EU General Data Protection Regulation (the Regulation) enhances the rights of data subjects and also introduces new data subject rights. As a controller and processor of client data, Forward Microsystems Ltd have certain obligations under the Regulation to data subjects (our Customers and Suppliers) and we will take all necessary steps as required by the Regulation to help facilitate the exercise of the rights of our Customers and Suppliers.
PERSONAL DATA COLLECTED DIRECTLY FROM YOU
When we receive data from you we will inform you about the following:
- Our full identity and contact details.
- Contact details for our Data Protection Officer.
- The purpose for which we will be processing any personal data collected.
- The legal basis for the processing.
- Identification of your legitimate interests (if appropriate) when they serve as the legal basis for data processing.
- The recipients or categories of recipients of your personal data if any.
- Whether we as the Data Controller intend to transfer personal data outside of the jurisdiction and the data transfer mechanism we will use to legalise the transfer.
- How long we as the Data Controller store the personal data or the criteria we use to determine retention periods.
- Whether you must provide the personal data by statute, contract or for another reason and the consequences of not providing the personal data.
- We confirm we do not use automated decision-making such as profiling.
Your rights include:
- Rights of access, correction, erasure, objection and data portability.
- The right to withdraw consent and how to exercise that right.
- The right to make a complaint about processing to a local Data Protection Authority. You may exercise that right if applicable by complaining to the Information Commissioner – see website for details.
If we intend to use personal data for a purpose different from the one for which it was originally collected, we must provide notice of the new purpose to you before processing.
PERSONAL DATA COLLECTED FROM A THIRD PARTY
Where we obtain personal data about you from a third party we must also provide notice to you, the data subject. This notice will include the same information as the notice required when we collected personal data directly from you. However we must add the following additional information:
- The categories of personal data that we collect.
- The sources of the personal data including whether it comes from a publicly accessible source.
PERSONAL DATA ACCESS RIGHTS
When requested we must provide you, free of charge, with a copy of your personal data that we are processing. When you make the request electronically we must provide the information in a commonly used electronic form unless you request the information in a different format. We may charge a reasonable fee for additional copies. If your request is unfounded or excessive we may as Data Controller either charge a reasonable fee to provide the information or take the requested action, or refuse to act on the request.
As Data Controller of your data we must ensure the following as regards your Personal Data.
- We must process and use your personal data lawfully, fairly and in a transparent manner in relation to you.
- Personal data must be collected only for specified explicit and legitimate purposes. It will not be further processed in any manner incompatible with those purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
- Personal data must be accurate and where necessary kept up-to-date. Every reasonable step will be taken to ensure that data which is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
- Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purpose for which the data is processed.
- Personal data must be processed in a manner that ensures its appropriate security and with full integrity and confidentiality.
- We as the Data Controller are responsible for and must be able to demonstrate compliance with these data protection principles.
DATA PORTABILITY RIGHT
The right to Data Portability is distinct from the right to access personal data. Your rights to data portability include the right to:
- Receive a copy of your personal data from us as the Data Controller in a commonly used and machine readable format and store it for further personal use on a private device.
- Transmit the personal data to another Data Controller.
- Have your personal data transmitted directly from one Data Controller (i.e. us) to another where this is technically possible.
BREACH NOTIFICATION RIGHT
When a personal data breach is likely to result in a high risk to your rights we must notify you of the security breach without undue delay.
If we notify you of a personal data breach then we will do so in clear and plain language and include at least the following information:
- Name and contact details of the Data Protection Officer or other contact person within our organisation.
- The security breach’s likely consequences.
- The measures taken to address the security breach including measures to mitigate potential adverse effects.
COMMUNICATING WITH YOU
Where we supply you with information and communicate with you we will do so concisely, transparently, in a way which is easy to understand and easily accessible and in clear plain language.
STEPS WE WILL TAKE AS DATA CONTROLLER TO HELP YOU EXERCISE YOUR DATA SUBJECT RIGHTS
To help satisfy the obligations imposed on us under the Regulation and to help you to exercise your data subject rights, we will take steps including, but not limited to, the following:
- Implement internal procedures and protocols to help the exercise of your rights.
- Review and revise privacy notices to ensure they comply with the Regulation and our obligations.
- Implement internal procedures and protocols for handling and responding to data subject requests in a timely and appropriate manner.
- Implement authentication procedures to verify the identity of data subjects making access or other requests.
- Develop template response letters.
- Develop forms to collect additional information where necessary for preparing data subject request responses.
- Create an inventory or log for recording data subject requests and for tracking responses.
- Develop interoperable formats and other means that allow data portability.
- Consider portals that allow direct data subject access to personal data through user names and passwords.