ITIDO PRIVACY NOTICE TO CLIENTS

PRIVACY POLICY

ITIDO is a provider of software solutions and services operating in full compliance with all applicable legislation. In view of the entry into force of the General Data Protection Regulation (GDPR) in May 2018, the company has upgraded its policies, procedures and practices regarding personal data protection. In all our activities we abide strictly by the requirements of the GDPR, the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. These regulations require that all controllers, processors and sub-processors ensure the best possible protection of personal data. We at ITIDO achieve this by appropriate organizational and technical measures, and by endorsing policies and procedures aiming at adequate data protection by all our staff, sub-processors and freelancers.

1. Applicability

This Privacy Policy describes the types of information we collect, process and retain through our website. It does not apply to information collected by us offline.

This Policy explains:

  1. Why we collect your information
  2. What purpose we are processing it for
  3. How long we store it
  4. Whether there are other recipients of your personal information
  5. Whether we intend to transfer it to another country, and
  6. Whether we do automated decision-making or profiling.

ITIDO collects, processes and retains personal data only on the as-needed principle in order to comply with the applicable legislation and to perform its services. The data collected from our clients and sub-processors normally include business contact data but when personal data are present in documents such as agreements, these documents are handled within the best data security practices.

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an information request to us.
  • You have placed an order for one of our services.
  • You have applied for a job or secondment with us.
  • You are representing your organisation.

The purpose for which we collect and process your personal data is to ensure that we provide the services you are interested in. The legal basis for processing your data is either a specific regulatory requirement or your explicit consent to use your personal data. We store your information as long as needed depending on the reason it has been collected. For instance, data of persons who have become our full- or part-time employees are stored for the periods specified in the labour legislation. The data of job applicants are stored for the period specified by the applicant (if applicable) or for a maximum of 3 years unless the applicant requests “to be forgotten”. Where we have signed agreements with persons and payments have been made, their data are stored under the Accounting Law. We ensure that you can benefit from the rights granted to you by the GDPR within the respective legal framework such as your right of access, right to rectification, right to erasure and right to restriction of processing (within limitations specified in the respective legislation), and right to data portability (if applicable). We do not apply profiling techniques and do not transfer your personal data to third parties except where legally required by the law enforcement authorities or with your explicit consent.

2. Disclosure to third parties

Personal data may be disclosed to third parties only when required by the law enforcement authorities or other public authorities which have legal right of access to these data. Disclosure to any other parties (such as our business partners) may be done only with the explicit permission of the data subject. Whenever possible, personal data in documents such as CVs are de-identified by pseudonymization or other appropriate methods. Whenever personal data are transferred to countries outside the European Union or the Privacy Shield areas, the same level of data security is demanded by all processors (e.g., subcontractors).

3. Personal data protection

ITIDO has developed appropriate policies and procedures to ensure compliance with all applicable laws and regulations regarding data security and personal data protection. The company has developed a Quality Management System where data security policies and procedures are appropriately integrated. These include the following, but are not limited to:

  • Organizational and technical security measures regarding data collection, processing and retention of hard copies and electronic files.
  • GDPR-compliant Information Security Policy and Data Protection Policy with specific guidance to ITIDO employees and contractors.
  • Non-disclosure and confidentiality agreements with employees and contractors.
  • Providing guidance to our contractors and demanding from them full compliance with the best possible data protection measures.
  • Appropriate procedures and methods of data transfer via secure channels of communication and additional measures such as encryption.
  • Appropriate procedures for retention of documents containing personal data and deletion whenever this is requested by the data subject, or when the document is no longer needed, or when this is specified in the respective procedure.
  • Adequate measures to ensure the preservation of documents from loss or destruction.
  • Continuous review of data security practices to ensure full compliance with the applicable legislation and the client requirements set forth in agreements or specific instructions.
  • Procedures to meet all obligations under the GDPR such as providing access and allowing data subjects to exercise their rights under the GDPR, including the right of notification in case of actual or suspected personal data breach.

4. Information and complaints

The law which governs this Policy and all disputes arising under it is the GDPR and the Switzerland Data Protection Act. All disputes of whatsoever nature including failure to perform and performance shall be determined by the courts of the Republic of Bulgaria. Any claims may be raised to the Committee for Personal Data Protection at No. 2, Tsvetan Lazarov Street, 1592 Sofia, Bulgaria (www.cpdp.bg). ITIDO has appointed a person responsible for data protection who is available to provide any additional information and explanations regarding personal data protection and accept any claims regarding data security. You may send your requests and/or claims to: wedo@itido.eu.

Yours faithfully, Christian Makedonsky – COO, ITIDO.