1. Introduction
Noventiq (its subsidiaries, including each Noventiq operating company - together, "Noventiq") is committed to ensure the protection of Personal Data of its Customers, Employees, Business Partners and any other individual.
The Data Protection Policy (hereinafter, the "Policy") shows how Noventiq process the personal data of clients, suppliers, employees and other categories of natural persons, namely describes the principles applicable to the personal data processing within Noventiq.
Noventiq's mission and objective is to observe privacy/data protection legal obligations and highest standards in all data processing instances, throughout the entire personal data life cycle.
The Policy is the document that provides a high-level guidance on Noventiq's actions relating to personal privacy and data protection and it is the statement of the management of Noventiq of the standards that need to be met.
2. Definitions
|
Personal Data |
Any information regarding an identified or identifiable natural person |
|
Data Subject |
The natural person identified or identifiable through the personal data processing. An identifiable natural person is a person who can be identified, directly or indirectly, especially through referral to an identification element, such as a name, an identification number, localization data, an online identifier or one or more specific elements, characteristic to their physical, physiological, genetic, psychic, economic, cultural or social identity |
|
Processing |
Any operation or set of operations performed on personal data or personal data sets, with or without the use of automatic means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, usage, disclosure through transmittal, dissemination or making available through any other means, alignment or combination, restriction, erasure or destruction |
|
Recipient |
The natural person or legal entity, public authority, agency or other organism to which (whom) the personal data is disclosed, regardless if it is a third party or not |
|
Data Protection Officer/Responsible |
The person in Noventiq responsible for meeting the demands regarding personal data protection, whether they were appointed as Data Protection Officer in the sense of the applicable data protection law or was only assigned certain tasks in this sense, if there is not a Data Protection Officer appointed |
|
Record of processing activities” or Personal Data Registry |
Registry created by Noventiq in order to keep the record of the processing activities performed by Noventiq |
|
Processor/data importer |
The natural person or legal entity, public authority, agency or other organism that processes personal data on behalf of the controller/operator |
|
Controller/operator |
The natural person or legal entity, public authority, agency or other organism which, alone or together with others, establishes the purposes and means of the personal data processing |
|
Third party |
A natural person or legal entity, public authority, agency or organism, other than: the data subject, the controller/operator, the processor and the people who, under the direct authority of the person mandated by the controller/operator, are authorized to process personal data |
|
Noventiq group |
All Noventiq operating companies partially or wholly owned unless specifically excluded |
|
LATAM |
Latin America |
|
MENA |
Middle East and North Africa |
|
APAC |
Asia Pacific region |
|
CIS |
Commonwealth of Independent States |
3. Scope
Noventiq processes personal data from several general purposes, which are listed in the record of personal data processing activities, under the form of a registry. This Policy applies to any Personal Data Processing that is done for or by Noventiq.
This Policy shall be complied with by all employees, contractors, consultants, including all personnel affiliated with third parties who may have access to any Noventiq resources.
4. Application of national law
The present Policy presents the principles applicable to personal data processing, which must be observed within Noventiq, without replacing the legislation on data protection applicable in all countries where Noventiq is established or does business in. The legislation prevails over this Policy, if it contains divergent provisions or additional conditions. In particular, any conditions regarding reporting and authorization existing in the legislation concerning data processing based in the national legislation must be observed.
5. Principles of data processing
Each personal data processing must observe the rights and freedoms of the data subject, in accordance with the principles stated below. These must be observed even when new data processing is initiated or when the existing ones are extended or diversified.
Personal data processing is fair and lawful, meaning Noventiq has a legitimate business purpose (and, where required, a legal basis) for processing personal data. Where Noventiq acts as a processor, it will generally rely on the controller to establish this legal basis.
Personal data processing is limited to the minimum necessary, meaning Noventiq collects and retains the minimum amount of personal data necessary for the business purpose. Where Noventiq acts as a processor, it must also process personal data only as directed by the controller.
Noventiq is transparent with data subjects how and why their personal data will be processed. Where Noventiq is a processor, this information is likely to be provided to the data subjects by the controller.
Personal data is processed in accordance with the rights of data subjects (e.g. to access, erase or correct personal data). Where Noventiq acts as a controller, it must respect and observe any exercise of these rights, and where it is a processor it will be required to assist the controller in responding.
Personal data is accurate, up-to-date and complete. Where it acts as processor, Noventiq will assist the controller to ensure this.
Personal data is kept secure, meaning Noventiq applies appropriate security safeguards to personal data, including where processed by third parties. Where Noventiq acts as a processor, it will be required to implement its own appropriate safeguards and provide assistance to the controller in doing the same.
Personal data is transferred internationally in accordance with applicable law.
Noventiq is accountable and can demonstrate compliance with its obligations under applicable data privacy laws.
6. Rights of the data subject
Together with the principles mentioned above, Noventiq keeps in mind and observes the rights of the data subject in all personal data processing according with the applicable law, which might include:
- Right to information and transparency - Noventiq ensures that the data subject is informed with regard to the personal data processing;
- Right to access - Noventiq observes the procedure in order to ensure the access of data subject s to information regarding their data processing.
- Right to rectification - Regardless of the grounds for the processing, the data subject s have the right to request Noventiq to rectify or complete their data, as the case may be, on the basis of an additional statement.
- Right to restrict the processing - The data subjects can request Noventiq to restrict the processing of the personal data concerning them.
- Right to erasure ("right to be forgotten") - The data subjects have the right to request and obtain the erasure of personal data in some cases;
- Right to data portability - The data subjects have the right to request Noventiq to provide a copy of their personal data to the data subject or a Third Party in some cases.
- Right to oppose the processing/ Right to oppose the processing in direct marketing purposes: Noventiq shall not make decisions about data subjects based solely on automated processing.
7. Disclosure of personal data. Assignees. Transfer to Third-Party Countries
Type and purposes of personal data disclosures
Personal data shall only be disclosed if the party that receives it is personally liable for the data it has received or only if the party that receives them will use it in accordance with the instructions obtained from the party that discloses it.
Personal data can shall be disclosed for allowed purposes, mentioned in Noventiq's records, in view of the performance of Noventiq's activity, for observing legal obligations or if there is consent from the data subject.
Processors/Data importers
In situations in which the processing will be performed by another natural person or legal entity in the name of Noventiq, they will be an processor/data importer in the sense of the applicable law and must offer enough guarantees for the application of adequate technical and organizational measures for personal data protection, which it will process in the name of Noventiq and by observing the rights of the data subjects.
Transfer of data to a third-party country
There is a transfer to another country when the personal data is transmitted, visualized or accessed by persons who are in another country.
If the personal data collected and stored by Noventiq is transferred to a person situated in a different country than the one where Noventiq has its registered office, the person who received the data must guarantee a personal data protection level equivalent to the level ensured by Noventiq.
8. Contact points
|
Subject |
|
Address |
|
For inquiries on this Policy contact our Global DPO |
London |
|
|
For personal information collected from individuals INSIDE Europe and MENA, written inquiries to the data protection responsible may be addressed to |
London |
|
|
For personal information collected from individuals INSIDE LATAM, written inquiries to the data protection responsible may be addressed to: |
Buenos Aires |
|
|
For personal information collected from individuals INSIDE INDIA, written inquiries to the data protection responsible may be addressed to |
New Delhi (Gurugram) |
|
|
For personal information collected from individuals INSIDE APAC, written inquiries to the data protection responsible may be addressed to: |
Ho Chi Minh City |
|
|
For personal information collected from individuals INSIDE CIS, written inquiries to the data protection responsible may be addressed to |
Kazakhstan, Almaty, Medueskyi district, Dostyk ave., build. #210, BC "Koktem Grand", office 72, 050051 |
9. Compliance
The Global Data Protection Officer is owner of this Policy. Noventiq is committed to ensuring that this Policy is observed by all employees, contractors, consultants, including all personnel affiliated with third parties who may have access to any Noventiq resources.
Compliance with this Policy is verified by various means, including reports from available business tools, internal and external audits, self-assessment, and/or feedback to the policy owner(s). Noventiq monitors its compliance with this Policy on an ongoing basis. Any exceptions to this Policy requires the written approval of the Global Data Protection Officer.
Failure to comply with this Policy, including attempts to circumvent it may result in disciplinary actions, including termination, as allowed by local laws.
Violations of regulations designed to protect Personal Data may result in administrative sanctions, penalties, claims for compensation or injunctive relief, and/or other civil or criminal prosecution and remedies.
April 14th, 2023