EP02 – Fing Data Controller Policy
Version: 1.1 – 2018-05-15
1. POLICY STATEMENT
1.1 This Data Controller Policy (this “Policy”) establishes Fing’s approach to compliance with data protection law when processing personal information for its own purposes.
1.2 This Policy applies to all personal information processed by Fing as a controller and used for its own business activities, employment, administration and vendor management. As such, the personal information to which this Policy applies covers the following categories of data subjects:
• Personal data of individual users of the Fing products and services
• CRM data about its Enterprise Customers
• HR data about Company members
• Vendor data about Fing’s suppliers and service providers
1.9 Fing employees (including new hires and individual contractors) must comply with, and respect, this Policy when processing personal information for Fing’s own purposes.
1.4 This Policy does not apply to personal information that Fing processes in the course of providing services to a third party controller, which instead must be protected in accordance with the Data Processor Policy.
1.5 This Policy does not replace any specific data protection requirements that might apply to a business area or function.
1.6 When Fing collects and uses personal information, the personal information in question is covered and regulated by data protection law.
1.7 When an organization collects, uses or transfers personal information for its own purposes, that organization is deemed to be a “controller” of that information and is therefore primarily responsible for meeting the legal requirements under data protection law.
1.8 On the other hand, when an organization processes personal information on behalf of a third party that organization is deemed to be a “processor” of the information. In this case, the relevant controller of the personal information (i.e. the relevant third party) will be primarily responsible for meeting the legal requirements.
1.9 This Policy describes how Fing will comply with data protection law in respect of processing it performs as a controller.
1.10 Fing must take proper steps to ensure that it uses personal information on an international basis in a safe and lawful manner. This Policy therefore sets out a framework to satisfy data protection law requirements and, in particular, to provide an adequate level of protection for all personal information used and collected in Europe.
1.11 Fing will apply this Policy in all cases where it processes personal information as a controller both manually and by automatic means.
1.12 This Policy applies to all Fing employees worldwide (including new hires and individual contractors), and they must comply with, and respect, this Policy when collecting and using personal information.
1.13 If you have any questions regarding the provisions of this Policy, your rights under this Policy, or any other data protection issues, you can contact firstname.lastname@example.org.
1.14 This Policy applies in all situations where Fing collects, uses and transfers personal information as a controller.
2. COMPLIANCE WITH LOCAL LAWS
2.1 Fing will always comply with local data protection laws where they exist.
2.2 As an organization, Fing will comply with any applicable data protection legislation for the protection of personal information. Fing will ensure that all personal information is collected and used in accordance with applicable local data protection law.
2.3 Where there is no such law, or where the law does not meet the standards set out in this Policy, Fing will process personal information in accordance with the rules in this Policy.
3. TRANSPARENCY AND PURPOSE LIMITATION
3.1 Fing will explain to data subjects, at the time their personal information is collected, how that information will be used.
3.1.1 Fing will ensure that data subjects are told in a clear and comprehensive way how their personal information will be used (usually by means of an easily accessible fair processing statement). The information Fing has to provide to data subjects includes all information necessary in the circumstances to ensure that the processing of personal information is fair, including the following:
• the identity of the data controller and its contact details;
• information about a data subject’s rights to access, rectify or delete their personal information;
• the uses and disclosures made of their personal information (including the secondary uses and disclosures of the information); and
• the recipients or categories of recipients of their personal information.
3.1.2 This information will be provided when personal information is obtained by Fing from the individual or, if not practicable to do so at the point of collection, as soon as possible after collection.
3.1.3 Where Fing collects personal information for the purposes described in the introduction to this Policy, Fing will be the controller of that information. In all other cases, Fing will be a processor of personal information disclosed to it by customers.
3.1.4 Where Fing is the processor, it will comply with the requirements of the Data Processor Policy.
3.1.5 Fing will follow this principle unless there is a legitimate basis for not doing so (for example, where it is necessary to safeguard national security or defense, for the prevention or detection of crime, legal proceedings, or where otherwise permitted by law).
3.2 Fing will only obtain and use personal information for those purposes which are known to the individual or which are within their expectations and are relevant to Fing.
3.2.1 Principle 2.1 provides that Fing will comply with any applicable data protection legislation for the protection of personal information. This means that where Fing collects personal information in Europe and local law requires that Fing may only collect and use it for specific, legitimate purposes, and not use that personal information in a way that is incompatible with those purposes, Fing will honour these obligations.
3.2.2 Under Principle 2.2, Fing will identify and make known the purposes for which personal information will be used (including the secondary uses and disclosures of the information) when such information is obtained or, if not practicable to do so at the point of collection, as soon as possible after that, unless there is a legitimate basis for not doing so as described in Principle 2.1.
3.3 Fing may only process personal information collected in Europe for a different or new purpose if Fing has a legitimate basis for doing so, consistent with the applicable law of the European country in which the personal information was collected.
3.3.1 If Fing collects personal information for a specific purpose in accordance with Principle 1 (as communicated to the individual via the relevant fair processing statement) and subsequently Fing wishes to use the information for a different or new purpose, the relevant individuals will be made aware of such a change unless:
• it is within their expectations and they can express their concerns; or
• there is a legitimate basis for not doing so consistent with the applicable law of the European country in which the personal information was collected.
3.3.2 In certain cases, for example, where the processing is of sensitive personal information, or Fing is not satisfied that the processing is within the reasonable expectation of an individual, the individual’s consent to the new uses or disclosures may be necessary.
3.3.3 In all cases, Fing must not use personal information collected in Europe in a way that is incompatible with the specific, legitimate purposes for which it was originally collected, consistent with the requirements of Principle 2.2 and applicable local law.
4. ENSURING DATA QUALITY
4.1 Fing will keep personal information accurate and up to date. In order to ensure that the personal information held by Fing is accurate and up to date, Fing actively encourages individuals to inform Fing when their personal information has changed or has otherwise become inaccurate.
4.2 Fing will only keep personal information for as long as is necessary for the purposes for which it is collected and further processed. Fing will comply with its record retention policies and guidelines as revised and updated from time to time.
4.3 Fing will only keep personal information which is adequate, relevant and not excessive. Fing will identify the minimum amount of personal information necessary in order to properly fulfil its purposes.
5. TAKING APPROPRIATE SECURITY MEASURES
5.1 Fing will adhere to its security policies. Fing will implement appropriate technical and organizational measures to protect personal information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where processing involves transmission of personal information over a network, and against all other unlawful forms of processing. To this end, Fing will comply with the requirements in the security policies in place within Fing, as revised and updated from time to time, together with any other security procedures relevant to a business area or function. Fing will implement and comply with breach notification policies as required by applicable data protection law.
5.2 Fing will adhere to its security policies and will choose service providers that also adopt appropriate and equivalent policy levels. Where Fing appoints a service provider to process personal information on its behalf, it must impose strict contractual terms, in writing, on the service provider that require it:
• to act only on Fing’s instructions when processing that information, and
• to have in place appropriate technical and organizational security measures to safeguard personal information.
6. TAKING APPROPRIATE SECURITY MEASURES
6.1 Fing will respond to any queries or requests made by individuals in connection with their personal information in accordance with applicable law. Data subjects may ask Fing to provide them with access to, and a copy of, the personal information Fing holds about them (including information held in both electronic and paper records). This is known as the right of subject access in European data protection regulations. Fing will respond to these requests according to the personal data protection regulations.
6.2 Fing will deal with requests to delete, rectify or block inaccurate personal information or to cease processing personal information. Individuals may ask Fing to delete, rectify or block the personal information that Fing holds about them, as appropriate, where inaccurate or incomplete. In certain circumstances, individuals may also object to the processing of their personal information. Fing will respond to these requests according to the personal data protection law in such circumstances.
7. SAFEGUARDING THE USE OF SENSITIVE PERSONAL INFORMATION
7.1 Fing does not process or collect any sensitive personal information. However, should Fing collect any sensitive personal information, it will only be stored or used with the explicit consent of the data subject, unless Fing has an alternative legitimate basis for doing so consistent with applicable data protection law. Fing will assess whether sensitive personal information is required for the proposed use. Sensitive personal information is information relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and criminal convictions. In principle, Fing must obtain individuals’ explicit consent to collect and use their sensitive personal information, unless Fing is otherwise required to do so by local law or has another legitimate basis for doing so consistent with the applicable law of the European country in which the personal information was collected. This permission for Fing to use sensitive personal information must be an explicit, freely given, specific and informed indication of the individual’s wishes.
8. LEGITIMISING DIRECT MARKETING
8.1 Fing will allow customers to opt-out of receiving marketing information. All individuals have the data protection right to object, free of charge, to the use of their personal information for direct marketing purposes and Fing will honour all such opt-out requests.
9. AUTOMATED INDIVIDUAL DECISIONS
9.1 Where decisions are made by automated means, individuals will have the right to know the logic involved in the decision, and Fing will take the necessary measures to protect the legitimate interests of individuals. Under European data protection law, no evaluation or decision which produces legal effects concerning an individual, or significantly affects that individual, can be based solely on the automated processing of that individual’s personal information, unless such automated processing is authorized by law or measures are taken to protect the legitimate interests of the individual.