Table of Contents
Section I: Commitment to Data Privacy
Section II: Scope
Section III: Retention of GDPR Data
Section IV: Right of Transparency of Information
Section V: Right of Erasure & Right of Restriction of Processing
Section VI: Right to Object
Section VII: Right to Rectification
Section VIII: Right to Data Portability
Section IX: Personal Data Types (customer & employee)
Section X: Customer Consent
Section XI: Applicant and Employee Consent
Section XII: Routine Erasure & Blocking of Personal Data
Section XIII: GDPR Principles in Practice
Section XIV: Contact Information
1. Des-Case USA-Europe & RMF Systems Commitment to Data Privacy
Des-Case Corporation and its Affiliates respect your privacy.
Data protection is of high priority for its management and its
affiliates. Directive 94/46/EC of the European Parliament and of
the Council is called the General Data Protection Regulation
(GDPR). The fundamental guiding principle of the GDPR is the
protection of natural persons with regard to the processing of
their personal data with respect for their fundamental rights and
freedoms, regardless of nationality or residence, in particular
their right to the protection of personal data (Preamble:1,2
GDPR). If there is any conflict between this Privacy Policy and
the GDPR, the GDPR principles for natural citizens of the European
Union (also EEA) shall govern respectively unless otherwise
required by a local jurisdiction or provided for in a subsequent
or different notice.
By means of this data protection
declaration, our Company would like to inform the General Public
of the nature, scope, and purpose of the personal data we collect,
use and process. Furthermore, Data Subjects are informed by means
of this data protection declaration of the rights to which they
are entitled.
The protection of personal data is a
fundamental right. Our Company is committed to international
compliance with data protection laws.
2. Scope
This Privacy Policy applies
to all customers and employees of the Des-Case Group.
For the sake of clear definitions for this policy, personal data is
considered any information relating to an identified natural
person. An identifiable person is one who can be identified,
directly or indirectly, by a reference to an identifier such as a
name, an identification number, location data, an online
identifier or to one or more factors related to any social
identifier (Article 4:1 GDPR).
3. Retention of GDPR Data
The length
of time for which GDPR personal data is held will vary depending
upon the purposes for which the data is being used and relevant
requirements related to legal compliance, applicable laws, rules
and regulations.
Personal data will be destroyed or erased
from our systems when no longer required for the purposes set
forth with collection of such data (Article 3:63 GDPR) unless
applicable laws or regulations support and/or require retention of
specific data.
4. Right of Transparency of Information
The Data Subject shall be informed before his or her personal
data is collected and recorded. He or she shall expressly consent
to having this data received (Preamble:58 GDPR). The Company
provides opportunities for consent wherever personal data is
collected.
Per the GDPR, consent should be given by a clear
affirmative act establishing a freely given, specific, informed
and unambiguous indication of the Data Subject’s agreement to the
processing of personal data relating to him or her, such as a
written statement, including electronic means, or an oral
statement (Preamble:32 GDPR). In our Company, ticking a box when
visiting our website is one such example. The button used to do so
on the web platform provides complete access to this Privacy
Policy.
5. Right of Erasure & Right to Restriction of Processing
Each customer Data Subject has the right to request of the
Controller erasure of personal data (Article 17 GDPR) concerning
him or her without undue delay.
The Company shall have the
obligation to erase personal data without undue delay where one of
the following grounds applies if processing is not necessary:
1. Customer Data Subject requests erasure of personal
data as his or her fundamental right unless deemed a non-compliant
action based on applicable laws, rules or regulations.
2. Customer Data Subject requests erasure of personal data as his or
her fundamental right with the understanding that the lack of
basic customer data may result in the Company’s inability to
effectively transact with the customer.
3. Personal data are no longer necessary in relation to the purposes
for which they were collected, and/or otherwise processed, and/or
have exceeded relevant retention requirements.
4. The Data Subject withdraws consent on which the processing is
based according to Article 6:1a of the GDPR, or Article 9:2a of the
GDPR, and where there is no other legal ground for the processing.
5. Data Subject objects to the processing pursuant to Article 21:1 of
the GDPR and there are no overriding legitimate grounds for the
processing, or the Data Subject objects to the processing pursuant
to Article 21:2 of the GDPR.
6. Personal data must be erased for compliance with a legal
obligation in Union or Member State law to which the Controller is
subject.
7. Personal data have been collected in relation to the offer of
information society services referred to in Article 8:1 of the GDPR.
6. Right to Object
The Data Subject
may, related to differing purposes and use, object to the
processing of his or her data at any time. This objection must
occur no later than the time of first communication with the Data
Subject. As per the language of the GDPR, the “right to object”
shall be explicitly brought to the attention of the Data Subject
and shall be presented clearly and separately from any other
information (Article 21 GDPR). This Privacy Policy helps to serve
as notification to the Data Subject.
Regarding employment or
contractual work inside/outside of the EEA, objection to the
processing may result in the Company’s inability to employ or work
contractually with a Data Subject as certain documents and forms
may be required due to the sensitive nature of such relationships
(e.g. intellectual property or NDAs). Regardless, it is the Data
Subject’s right to object to the processing of his or her personal
data.
If the Company processes personal data for direct
marketing purposes, the Data Subject shall have the right to
object at any time to processing of personal data concerning him
or her for such marketing. In such cases, the Company will no
longer process the personal data for these purposes. In addition,
the Data Subject has the right to object to processing of personal
data concerning him or her by the Company for scientific or
historical research purposes, or for statistical purposes pursuant
to Article 89(1) of the GDPR, unless such processing is necessary
for the performance of a task carried out for reasons
legislated for the sake of public interest.
In order to
exercise the right to object, the Data Subject may contact any
employee of the Des-Case Group. In addition, the Data Subject is
free in the context of the use of information society services,
and notwithstanding Directive 2002/58/EC, to use his or her right
to object by automated means using technical specifications. Each
Data Subject shall have the right granted by the European
legislator for those natural citizens in the EEA not to be subject
to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her, or
similarly significantly affects him or her, as long as the
decision: (1.) is not necessary for entering into, or the
performance of, a contract between the Data Subject and a data
controller, or (2.) is not authorized by Union or Member State law
to which the controller is subject and which also lays down
suitable measures to safeguard the Data Subject’s rights and
freedoms and legitimate interests, or (3.) is not based on the
Data Subject’s explicit consent. If the decision is necessary for
entering into, or the performance of, a contract between the Data
Subject and a data controller, or is based on the Data Subject’s
explicit consent, the Company shall implement suitable measures to
safeguard the Data Subject’s rights and freedoms and legitimate
interests, at least the right to obtain human intervention on the
part of the controller, to express his or her point of view and
contest the decision.
Ultimately, the Data Subject may
exercise his or her rights concerning automated individual
decision-making to withdraw data protection consent at any
time.
7. Right to Rectification
The Data
Subject shall have the right to obtain without undue delay the
rectification of inaccurate personal data concerning him or her
(GDPR Article 16).
8. Right to Data Portability
Each
Data Subject shall have the rights granted by his or her
respective governing legal entity to receive personal data
concerning him or her. In the EU, EEA and other jurisdictions with
similar legal requirements, all Data Subjects have the right to
request and receive their personal data in a structured, commonly
used and machine-readable format given it does not affect the
rights and freedoms of others (Article 20:4 GDPR). In other
countries and jurisdictions, personal data related to employment
may receive different treatment based on applicable laws, rules,
and regulations.
In exercising his or her right to data
portability (Article 20:1 GDPR), the Data Subject shall have the
right to have the personal data transmitted from one controller to
another where technically feasible, legally required, and
allowable without impeding upon the rights and freedoms of others.
In order to assert the right to data portability, the Data Subject
may at any time contact RMF Systems.
9. Personal Data Types (customer & employee)
Any processing of personal data with the Des-Case Group must be
lawful and fair (Article 3:39 GDPR). It must be transparent to
natural persons that personal data concerning them are collected,
used, consulted or processed, with the scope of such processing
aligned with the Data Subjects’ rights.
The Company
considers the lawful and correct treatment of personal data as a
vital component of its operations. The personal data of both
employees and customers is handled ethically and responsibly with
a high level of confidentiality and security. While not an
all-inclusive list, the following key principles concerning Personal
Data (Article 3 GDPR) are adhered to at the Des-Case Group:
1. Personal data is only processed with consent of the Data Subject
2. Policies on personal data are transparent and clearly
communicated
3. Only relevant personal data is collected and
limited to what is necessary
4. All third-party contracts involving personal data must contain
clauses requiring respective third parties to comply with GDPR
where applicable
5. Personal data is subject to confidentiality and secured with
appropriate organizational and technical measures to prevent
unauthorized access or illegal processing or distribution
10. Consent – Customer
As a customer, there are three sets of business processes for
which the GDPR may impact your personal data. The first set of
processes is related to use of the Company websites at:
www.descase.com and www.rmfsystems.cloud
The second set of business processes relates to all
transactional activities in the buying or selling of products,
services, or subscriptions with Des-Case and its affiliates.
First and foremost, when visiting the Company website, two
action items are requested (1.) acceptance of website cookies, and
(2.) review of this Privacy Policy. As an important note, since
internet-based data transmissions are not guaranteed to be
protocol-free of security gaps, absolute protection of data
transmitted via the internet is not guaranteed. For this reason,
every Data Subject is free to transfer personal data to us through
alternative means. Per the GDPR, consent should be given by a
clear affirmative act establishing a freely given, specific,
unambiguous indication of the Data Subject’s agreement to the
processing of personal data relating to him or her. This includes
ticking a statement when visiting a website (Preamble:32 GDPR).
The following website activities take place to help the
organization both better serve website customers and ensure
website effectiveness:
1. Cookies
Session cookies are one method by
which the Des-Case Group collects information. Cookies are text
files stored in a computer system via an internet browser. A
“cookie” is a unique numeric code used to identify a user’s
computer to optimize future visits and enhance Company web pages.
More specifically, the Company website uses persistent cookies in
conjunction with a third party technology partner to analyze
search engine usage and web traffic patterns. Users may set
preferences regarding the storage of cookies within their
individual web browsers, which can also be used to remove stored
cookies. If you choose to limit cookies, some website
functionality may be limited.
2. Google Analytics
Our website uses Google
Analytics, a web analytics service of Google Inc. In similar
fashion to session cookies, Google Analytics uses cookie text
files to analyze how the website is being used. More specifically,
Google uses the data stored on these cookies to compile reports on
website activities with the intention of providing analytics that
best service the needs of the website visitors. For more
information, please visit:
www.google.com/policies/privacy/partners/
Users can
opt-out of the collection and use of information by blocking third
party cookies and other tracking mechanisms via web browser
settings or operating systems settings.
3. Server Logs
All web servers collect very
basic visitor information to monitor site usage and performance.
4. Social Media
Our website uses social media
features, such as the Tweet share button. These features may
collect your IP address and the specific page visited on the
Company website. A cookie may need to be enabled for this
functionality.
Since social media features are hosted by
third parties, user interactions with these third parties are
governed by the organization providing the service.
5. Contact Us
Should a website visitor wish
to contact the organization via the website, the Des-Case Group
will store the personal data required to enable the interaction.
This personal information will be used consistent with the
intended purposes of engagement.
6. Website Promotions, Company Blogs, Subscription to
Newsletters
On Company websites, users may be given the opportunity to
subscribe to newsletters. The input mask used for this purpose
determines what personal data are transmitted, as well as when the
newsletter is ordered from the controller. The Company may choose
to inform its customers and business partners regularly by means
of a newsletter and related products and services offers. The
Company’s newsletter may only be received by the Data Subject if:
(1.) the Data Subject has a valid email address and (2.) the Data
Subject registers for the electronic delivery of the newsletter. A
confirmation email may be sent to the email address registered by
a Data Subject upon sign-up commencement with an opt-in procedure
that includes the option to review the Company Privacy Policy.
During website registration for any Company web platform-based
service, IP addresses are stored on the computer system assigned
by the internet service provider (ISP) as well as the date and
time of the registration. Personal data collected as part of a
registration for the newsletter will only be used for purposes
described upon registration. There will be no transfer of personal
data collected by the Company to third parties. The subscription
to our newsletters, blogs, etc. may be terminated by the Data
Subject at any time. The consent to the storage of personal
data, which the Data Subject has given for shipping the
newsletter, may be revoked at any time. For the purpose of
revocation of consent, a corresponding link is found in each
newsletter for said purposes. It is also possible to unsubscribe
from the newsletter at any time directly on the Company websites
or via communication with the controller.
7. Tracking Pixels
Newsletters, blog pages,
and email blasts may contain tracking pixels. A tracking pixel is
a miniature graphic embedded in such emails, which are sent in
HTML format to enable log file recording and analysis. This allows
a statistical analysis of the success or failure of online
marketing campaigns. Based on the embedded tracking pixel, the
Company is able to learn when/if emails are opened by a Data
Subject. Such personal data collected as tracking pixels are
stored and analyzed by the controller in order for the Company to
optimize the production of content that best serves our customers.
These personal data will not be passed on to third parties. Data
Subjects are at any time entitled to revoke the respective
separate declaration of consent issued by means of the
double-opt-in procedure. After a revocation, these personal data
will be deleted by the controller. The Company automatically
regards a withdrawal from the receipt of the newsletter as a
revocation.
8. CRM, Marketing Campaigns, and Other Related Sales and
Marketing Activities
In order to comply with the GDPR’s data protection provisions
regarding sales and marketing activities in our Companies,
explicit consent is the practice by which Data Subject
information is gathered. The online declaration of consent form
includes the following fields:
• Purpose of use
• Specific communication channel
• Contact data fields
• The Des-Case Group’s GDPR Principles in Practice overview (see
XIII)
• Right to withdraw reminder
• Consent checkbox
With some activities, the simple opt-in process is replaced
by the double-opt-in process in which the interested party is
required to confirm his or her original consent. For such cases,
email correspondence is typically used for confirmation.
The third set of business processes is related to the use and
licenses of the Learning Management System which is hosted by a
third party provider. Very basic user information and site usage
and performance are tracked.
11. Consent – Applicant and Employee
In
employment relationships, personal data can be processed if needed
to initiate, carry out and terminate the employment agreement.
When initiating an employment relationship, the applicant’s
personal data can be processed. If the candidate is rejected, his
or her personal data must be deleted in observance of the required
retention period, unless the candidate has agreed to remain on
file for a future selection process.
We generally obtain
consent from the Data Subject on required personal data for
employment and contractual work. In addition, many Company
benefits and state reporting requirements (i.e. remuneration,
taxation, pensions, etc.) are inextricably tied to the use of Data
Subject personal data. Declarations of consent will be required
whenever applicable to such processes.
The Des-Case Group
will only process personal data in employment engagements that are
both relevant and legal in relationship to the respective employee
or contractor natural resident laws, rules and regulations.
Ultimately, data processing must always relate to the purpose of
the employment agreement or contract of employment (Article 88
GDPR).
Based on local laws, rules and regulations,
employment records will be kept in accordance with both allowable
Company retention policies and state legal requirements. No Data
Subject employment personal data will be kept without purpose and
plan for eventual erasure.
12. Routine Erasure and Blocking of Personal Data
The data controller shall process and store the personal data of
the Data Subject only for the period necessary to achieve the
purpose of storage, or as far as this is granted by the EU or
other legislators in laws or regulations to which the controller
is subject. If the storage purpose is no longer required or
applicable, or if a storage period prescribed by the EEA
legislator or another competent legislator expires, personal data
are routinely blocked or erased in accordance with legal
requirements (Article 17 GDPR).
13. GDPR Principles in Practice
As a final
statement of our Company’s commitment to your privacy, the
following (not an all-inclusive list) includes fundamental GDPR
principles that embody our commitments to Data Subjects:
1. Personal data shall be processed lawfully, fairly, and in a
transparent manner.
2. Less is more. Data shall be adequate,
relevant and limited to what is necessary in relation to the
purposes for which they are processed.
3. Personal data shall be accurate and, where necessary, kept up to
date. Every reasonable step must be taken to ensure that personal
data that are inaccurate are erased or rectified without delay.
4. Personal data shall be kept in a form which permits identification
of the data subject for no longer than it is necessary for the
purposes for which it is processed. Thereafter, the personal data
shall be blocked or erased without delay.
5. Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection
against unauthorized or unlawful processing.
6. Should a data breach occur with probability of resulting in high
risk to the rights and freedoms of a Data Subject, the controller
shall communicate the personal data breach to the Data Subject
without undue delay.
7. The controller is responsible for compliance and accountability
and must be able to demonstrate compliance.
14. Contact Information USA
If you have any questions concerning this
notice, please contact Jacques Cartier (Chief Financial Officer
and Data Protection Controller for the US) at 00 1 (615) 672-8800
or via email at
jacques.cartier@descase.com
or in
writing at Des-Case Corporation, 675 N. Main Street,
Goodlettsville, TN 37072.
Contact Information EMEA
If you have any questions
concerning this notice, please contact Leon Stoof (Regional
Controller and Data Protection Controller) at +31 (0) 182-24-48-88
or via email at
leon.stoof@descase.com
or in writing
to RMF Systems BV, Coenecoop 99, 2741 PH Waddinxveen, The
Netherlands.