PRIVACY POLICY

1. INTRODUCTION

1.1 BACKGROUND

a.  The data accessed and processed within Visionet Group of companies, being personal or not, are of great value for Visionet and Visionet pays great attention to its compliance with any data privacy law in any country where Visionet operates. For this reason, the data shall be protected against unauthorized access and other threats. This present Visionet’s Global Data Privacy Policy (“Data Privacy Policy”) is applicable to Personal Data processed by any Company of Visionet Group (individually referred to as the “Company”) when it acts as Data Controller and/or as Data Processor.


b. The Company is aware that its customers, partners, contractors and employees expect that the entrusted data are especially protected and are handled with care.


c. Visionet is aware of its responsibility within the scope of its social commitment for a careful handling of Personal Data.

1.2 DEFINITIONS

i. Affiliate: means with respect to a party, any entity which directly or indirectly controls, is controlled by or is under common control with such party (where “control”, “controlled by” or “under common control” means the direct or indirect possession of more than fifty percent (50%) of the votes of holders of a company’s or entity’s voting securities, or a comparable equity or other ownership interest in any other type of entity).


ii. Personal Data: means any information relating to an individual or identifiable natural person (e.g., name, address, emails, phone number, IP address). Data exclusively containing information of legal entities are not considered as Personal Data.


iii. Data Controller: means a person or the Company who (either alone, or jointly, or in common) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.


iv. Data Processor: is a natural person or the Company (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

1. The Data Protection Officer (DPO) is either of the following:
a) The person required to be appointed in specific circumstances under the GDPR;
        or
b) Where a mandatory DPO has not been appointed, a data privacy manager or other voluntary appointment of a DPO or the Company data privacy team with responsibility for data protection compliance.

 

v. Data Subjects: are a living, identified or identifiable individual about whom Company holds Personal Data.


vi. “Company” and/or “Visionet”: means Visionet Deutschland GmbH and any other Visionet subsidiary located within the European Union, along with Visionet EMEA Limited (UK).


vii. Company Personnel: all Visionet Group employees, workers, contractors, agency workers, consultants, directors, members and others of Visionet Group. Third Party: is any entity outside the Visionet Group. Individual divisions or departments of Visionet shall not be considered as Third Party. Nevertheless, it is to be assessed in what extent Personal Data are allowed to be provided internally. Provided that an
agreement for Data Processing exists, a service provider will not be considered as a Third Party, because the service provider will be acting under the responsibility and instruction of Visionet.


viii. Data Processing: means every operation performed with or without automation or every operation chain in context with Personal Data such as collecting, organizing, storing, adjusting or modifying, reading out, querying, use, disclosing by transfer, publishing or any other form of provision, reconciliation or linkage, restriction, deletion or destruction.


ix. Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.


x. Visionet Group: shall mean any entity or Company that is an Affiliate to Visionet Systems Inc., including Visionet Canada Inc., At Close LLC., Visionet EMEA Limited, Visionet Ventures LLC., Visionet Deutschland GmbH, Visionet Systems Private Limited etc.

1.3 PURPOSE

I. This Data Privacy Policy is meant to create consistent privacy policy standards within Visionet Group. On one hand, the employees can use it as manual to comply with the privacy protection, on the other hand it provides the Company, including the management board, IT department and the Data Protection Officer the essential requirements for complying with and maintaining the privacy protection in the organization in accordance
with applicable data protection laws and regulation, being the GDPR (being the European Regulation EU2016/679 of 27 April 2016 and the UK GDPR based from the Data Privacy Act dated May 23rd, 2018).


II. By complying with the standards as defined in the Company policy the Company fulfils the obligations regarding the privacy protection and considers sufficiently the interests and rights of the Data Subjects.


III. The secure exchange of Personal Data between and within the entities composing the Visionet Group requires the consideration of this policy.

1.4 SCOPE

I. This Data Privacy Policy is applicable for every kind of processing activities of Personal Data within Visionet Group in Europe and from and to United Kingdom. It is applicable for all kinds of Personal Data, of Visionet’s employees, contractors, and providers when Visionet is the Data Controller.

II. The origin of the data is not relevant for the applicability of this Data Privacy Policy. The processing of the data by the Company is decisive.

III. This Data Privacy Policy applies to all Company Personnel. Company Personnel must read, understand and comply with this Data Privacy Policy when Processing Personal data on Visionet’s behalf and attend training on its requirements. This Data Privacy Policy sets out what we expect from Company Personnel for the Company to comply with applicable law. Company Personnel’s compliance with this Data Privacy Policy is mandatory. Any breach of this Data Privacy Policy may result in disciplinary action.

2. PRINCIPLES OF DATA PROCESSING

2.1 LAWFUL BASIS OF DATA PROCESSING

I. For each Data Processing operation, it must be checked whether the intended processing of Personal Data is lawful. If the lawful basis is doubted the Data Protection Officer shall be contacted.


II. The lawful basis of Data Processing may arise from various aspects. First of all, the lawful basis can result from the Data Subject’s consent to Data Processing. Data Processing can also be permitted without the consent of the Data Subject, if a lawful basis for processing is lawful pursuant to the article 6 of the GDPR (e.g. to carry out activities relating to the employment contract of an employee with Visionet, legitimate business interest, performance of a contract, or to establish, exercise or defend the Visionet’s legal rights or for the purpose of legal proceedings).


III. As part of lawful basis test, it shall be checked by the DPO if the Data Processing is necessary in consideration of the principle of data minimization.

2.2 LAWFUL BASIS PRINCIPLES:

Pursuant to Article 6 of the GDPR the processing of Personal Data is lawful based on different grounds.


I. Processing of Personal Data may be necessary to enter into or perform a contract with the Data Subject.


II. A necessity and authorization for Data Processing may arise due to a legal obligation of Visionet, e.g. directly resulting from a legal regulation or a binding official decision. As legal authorization, especially a request for information by a data privacy authority comes into question.


III. Processing of Personal Data is also lawful if required for the assertion, exercise or defence of legal claims in court. The same applies to protect the vital interests.


IV. The processing of Personal Data is also lawful in case Visionet raises a legitimate interest and no reason leads to the assumption that the protection worthy interest of the Data Subject prevails the exclusion of Data Processing. The result of such a balancing of interests shall be recorded in writing by the DPO.


V. If lawful basis is determined for the processing of Personal Data the Data Processing is allowed.

2.3 CONSENT AND RECORDING:

I. When the lawful basis retained is the consent of the Data Subject, latter shall be sufficiently informed and, as a consequence, shall give his/her clear, active and voluntary consent for the intended Data Processing.


II. Sufficient information is given when the important procedures of Data Processing are explained in a comprehensive manner and when the explanation clearly shows the purpose of the Data Processing. The Data Subject shall be informed that the consent can be withdrawn at any time. Furthermore, attention shall be paid that declarations of consent are optically highlighted and marked out in contrast to other declarations. A linkage of the consent with other declarations shall be avoided.


III. Generally, Visionet does not rely on consent as a legal basis for processing the Personal Data of Data Subjects. Occasionally, Visionet relies on consent and ensures that any consent given is a valid, informed, active and free.


IV. For proving purposes, the dated consent of the Data Subject shall be taken in text form. It is important in any case that a clear declaration of the Data Subject is available. The respective declarations of consent shall be recorded for a possible investigation at a later date.


V. The original of a consent given in writing can be scanned and destroyed afterwards. As far as a consent is taken online a verification shall be made, e.g. through a double opt in procedure.


VI. The same regulations apply for a withdrawal of a consent.

2.4 PURPOSE LIMITATION:

I. Personal Data are only allowed to be processed for the purpose for which they have originally been collected. When collecting a consent of a Data Subject the purpose shall be clearly indicated. The purpose of Data Processing always shall be lawful.


II. If data is to be processed at a later date, for another purpose, either a consent or a legal authorization principle will be required, if the new purpose of the Data Processing is not in compliance with the original purpose.

2.5 PROPORTIONALITY:

I. When processing Personal Data, the principle of proportionality should be considered and Visionet hereby commits to respecting this principle. The principle of Proportionality is assessed if

(a) the Data Processing is suitable to achieve a legitimate purpose;

(b) furthermore, no less severe, is there an equally suitable means to achieve the intended
purpose; and

(c)finally, one needs to check if the Data Processing is opposed to by predominant interests of the Data Subject.

 

II. A milder means could be, for example, the processing of aggregated data or other data without personal reference.


III. When checking the proportionality especially the origin of the Personal Data (for business reasons, private or intimate) shall be considered. Furthermore, the risk of impairing personal rights linked with the Data Processing shall be assessed.


IV. Within the scope of the check of proportionality the extent of Data Processing shall be investigated according to the principles of good faith and in transparent manner.

2.6 DATA MINIMIZATION AND STORAGE RETENTION

I. Within Visionet the Data Processing shall be organized in a way that as few Personal Data as possible are processed. Personal Data which are not needed any more shall be permanently deleted by Visionet’s representatives.


II. Attention shall be paid that as default settings only the mandatory data are requested and all other data on a voluntary basis. Default settings and specifications for Data Subjects shall be designed as privacy protective friendly as possible.


III. A period of storage time shall be stipulated for data which are stored by Visionet. Statutory retention or storage obligations shall be considered. After expiry of the legal retention period in respect of the storage period the data shall be deleted, ideally by an automated procedure.


IV. Within the scope of Data Processing, checks shall be made whether it is necessary to anonymize or to pseudonymize Personal Data for the required purposes. For respective measures attention shall be paid that the recipient of the data cannot deduce a personal relation through the processed data, at least not with proportionate efforts.


V. Company Personnel may only process Personal Data as part of their employment
obligations . Company Personnel cannot Process Personal Data for any reason unrelated
to their employment obligations.

2.7 COLLECTION OF PERSONAL DATA FROM A THIRD PARTY:

I. For transparency reasons, Personal Data shall be collected directly from the Data Subject. A collection through Third Party shall be considered if legitimate reasons exist, e.g. if the procedure is on behalf of the Data Subject or if a direct collection would only be possible with a disproportionate effort.


II. The Data Subject shall be informed when his/her Personal Data are processed. Within the scope of information obligation all relevant details being important for the Data Subject and exercise of its rights shall be indicated. Separate information can be omitted if the Data Processing is known to the Data Subject. This can be assumed when the consent of the Data Subject has been collected and the Data Subject has been informed in advance.


III. Data collection through Third Party: if Visionet obtains Personal Data from Third Party and not directly from the Data Subject the Data Subjects shall be informed within an appropriate period of time and prior to further processes. 

2.8 DATA ACCURACY:

I. Company Personnel shall take care that Personal Data are accurate and where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.


II. Incorrect or incomplete data shall be corrected or deleted by Visionet. As far as a Data Subject demands the correction, the completion, their legitimate request should be immediately complied with by Visionet. Visionet must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

3. SPECIFIC FORMS OF DATA PROCESSING

3.1 ADVERTISEMENT MEASURES:

I. Prior to a contract and within the phase of contract initiation it is admissible to process data to issue offers, to prepare contract documents and to execute other contracttargeted works (cf. paragraph 5 on lawful basis).


II. Prospects and future customers’ Personal Data can be processed for direct marketing purposes based on legitimate interest and lawful basis. Under such case and bearing in mind those prospects shall be informed and have the right to oppose such processing, Visionet can propose new products and services.


III. Every marketing measure conducted by email shall contain a standard wording for:
a) Information of the reason why the email is asked and processed; and
b) offering the possiblilty to opt-out for further notifications.


IV. The Company is subject to certain rules and privacy laws when marketing to our customers.


V. For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as “soft opt-in” allows an organisation to send marketing texts or emails if it:
a) Has obtained contact details in the course of a sale to that person.
b) Is marketing similar products or services.
c) Gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.


VI. The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.


VII. A Data Subject’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

3.2 PROCESSING OF SPECIFIC KINDS OF DATA:

I. When processing Personal Data it is important to consider that sensitive data or data of subjects being particularly worth protecting are only allowed to be processed upon fulfilment of certain requirements and/or when complying with specific protective measures.

 

II. Data about racial and ethnic origins, political opinions, religious or ideological convictions and union membership as well as about genetic data, biometric data, health data, data about the sexual life and sexual orientation are particularly worth protecting (identified as
“Special Categories of Personal Data”). An explicit consent from the Data Subject, or another exemption, is required for processing data of the aforementioned categories. Furthermore, appropriate safety measures shall be implemented and documented.


III. Additional attention shall be paid on processing data of minors whose data are also specifically worth protecting. Measures of Data Processing which are directly addressed to the minor shall not be taken without prior investigation and approval of the DPO. 

3.3 DATA PROCESSING SERVICES:

I. If a Third Party (including a service provider) is processing Personal Data on behalf of Visionet, such Third Party should be qualified as “Data Processors”, and accordingly such Third Party shall be strictly compliant with the article 28 and 30 of the GDPR.


II. The Data Processor acts on behalf and under the responsibility of Visionet. This requires a careful selection of the said service provider by Visionet and sufficient warranties, in particular in terms of knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the GDPR must be obtained from the services provider by Visionet. Therefore, contractual arrangements have been put in place which comply with any applicable cross-border transfer restrictions.


III. When a Sub Processor processes Personal Data for Visionet a special agreement for Data Processing services pursuant to Art. 28 GDPR shall be made at the earliest. The Company may audit the Data Processor or a sub Processor to assess if they are in compliance with this policy.

3.4 CROSS BORDER TRANSFER FROM THE EEA TO COUNTRIES LOCATED OUTSIDE THE EEA:

I. The transfer of Personal Data to Third Parties shall be seen as Data Processing according to this Company policy.


II. Visionet GmbH and any other Visionet subsidiary are part of the Visionet Group companies which is an international group of companies and, as such, a transfer of Personal Data can happen to various countries where Visionet parent company (Visionet Systems Inc, NJ, USA) and its subsidiaries operate.


III. The Company may transfer Personal Data between Visionet group companies and data centres for the purposes described in this Policy. Visionet may also transfer Personal Data to its Third Party data processors, suppliers, customers or business partners in different geographic locations.


IV. Where Visionet transfers Personal Data from the European Economic Area (“EEA”) to a country located outside the EEA, Visionet must ensure that it is protected and transferred in a manner consistent with applicable data privacy laws. This can be done in a number of different ways, for instance:
a) the country to which Visionet sends the Personal Data may be recognized by the European Commission as a country offering an “adequate” level of Data Privacy Laws (e.g. United Kingdom);
b) The recipient company has signed a contract based on “model contractual clauses” approved by the European Commission (SCCs version dated, June 4th 2021), obliging them to protect your Personal Data.


V. In other circumstances, data privacy laws may allow Visionet to use other transfer mechanism to transfer Personal Data outside of Europe. In all cases, however, any transfer of Personal Data has to comply with applicable Data Privacy Laws and requires Visionet to implement additional (technical, contractual and/or organisational) measures to secure the transfer of Personal Data.


VI. The Data Subjects can obtain more details on the protection given to their Personal Data when it is transferred outside the EEA (including a sample copy of the safeguards) by contacting the DPO using the contact details set out within this Policy.

4. INTERNAL PROCESS

4.1 THE DPO OFFICE OF VISIONET:

I. Data Protection Coordinator: The role of a Data Protection Coordinator is created. The Data Protection Coordinator is the internal contact person of the Data Protection Officer and supports him/her in all questions relating to the data protection regulations. To contact the Data Protection Coordinator, please write to DPO@Visionet.com.


II. DPO for Visionet Deutschland GMBH – Pursuant to Art. 37 GDPR, Visionet Germany has engaged an external DPO:
Mr. Dr. Christian Lenz,
dhpg IT-Services GmbH,
Bunsenstraße 10a
51647 Gummersbach


Phone: 02261 – 8195 – 0
email: datenschutz@dhpg.de


Deputy Data Protection Officer:
Mr. René Manz,
dhpg IT Services GmbH (see above)


III. For Visionet EMEA:
Persons can write to DPO@visionet.com
The Data Protection Officer who operates for Visionet Group in European Union and or UK performs the duties assigned to him by law and under this policy independently by use of his/her expert knowledge and his/her professional qualification.


IV. The DPO informs and gives advice to the management board as well as to the Visionet employees with regard to their data protection obligations. The monitoring of compliance of the privacy protection provisions are incumbent on the DPO as well as the implementation of the
annual online training of the employees.


V. In case of high-risk Data Processing the DPO will advise the responsible person on the assessment of the risk.


VI. The DPO is involved in all data protection issues at an early stage by means of a registration form and is supported by both board of the Company and staff members in the performance of his duties. Questions regarding this Data Privacy Policy or the correct handling of Personal Data can be addressed to the Data Protection Coordinator.

 

VII. The board of management delegates the task of providing information (Art. 15 GDPR) to the DPO. The DPO is responsible for processing reports, information, etc. to the data privacy authority. The specialist departments provide the information, documents etc. required for this purpose. The same applies to enquiries, complaints, or requests for information from Data Subjects.


VIII. The DPO annually reports to the management board by means of an activity report about checks which have taken place, complaints and organizational deficiencies that need to be remedied and thus contributes to the data protection management system of the Visionet entity. The data
privacy authority may also integrate other audit reports (e.g. ISAE, ISO) into his audit.


IX. The DPO is also entitled to review this policy and to monitor the compliance with the statutory provisions of the privacy protection law. However, this monitoring does not relieve the Company Personnel of their responsibility.

 
X. If needed, the DPO may issue recommendations for action on specific topics in addition to this policy.


XI. Company Personnel may address the concerns regarding the implementation of this Policy by writing to DPO@visionet.com.


XII. For Visionet Deutschland GMBH, the Company’s Data Processing is monitored by the state data privacy authorities:
Bayrisches Landesamt für Datenschutzaufsicht
Postfach 1349
91504 Ansbach
Phone: +49 (0) 981 180093-0
E-Mail: poststelle@lda.bayern.de

4.2 REQUIREMENTS ON THE COMPANY PERSONNEL:

I. In accordance with their employment agreement Company Personnel must keep confidential the Personal Data they get access to during the course of their engagement with Visionet.


II. Also, the Company requires that only those Company Personnel get access to Personal Data, who need access for the completion of their tasks for the Company.


III. Company Personnel shall be trained on data protection topics at the start of their employment with Visionet and at regular intervals thereafter, i.e. at least once a year.

4.3 DOCUMENTATION OBLIGATIONS:

I. The Company records the processing activities about the Personal Data Processing which is administered by the DPO (Records of Processing Activities) including records of Data Subjects’ consents and procedures for obtaining consents.

 

II. These records should include, at a minimum:
a) the name and contact details of the Data Controller and the DPO; and
b) clear descriptions of:
 1. the Personal Data types;
 2. the Data Subject types;
 3. the Processing activities;
 4. the Processing purposes;
 5. the Third-Party recipients of the Personal Data;
 6. the Personal Data storage locations;
 7. the Personal Data transfers;
 8. the Personal Data’s retention period; and
 9. the security measures in place.


III. To create the records, data maps should be created which should include the detail set out above together with appropriate data flows.


IV. In order to keep the list of processing activities complete and up to date, the Company Personnel shall report all procedures to the DPO of their entity in accordance with his instructions.


V. Part of the documentation is a risk identification of critical procedures. Depending on the result of the risk assessment, a comprehensive data protection impact assessment shall be prepared in cooperation with the Data Protection Officer in addition to the standard documentation.

4.4 IMPLEMENTATION OF NEW SYSTEMS FOR DATA PROCESSING:

I. The introduction of new IT systems or applications (e.g. fully automated processing of Personal Data) for processing Personal Data shall be notified in advance to the DPO so that he/she can check whether it is permissible under data protection law. In the selection of hardware and software, the principle of data privacy by design and guaranteeing data protection through technology design and data protection-friendly default settings are taken into account as a fundamental criterion.


II. Personal hardware and software shall not be used for processing Personal Data by Company Personnel. The official use of private hardware and software (e.g. private notebooks) requires the prior written approval of the management in individual cases.


III. The Chief Information Security Officer’s department maintains a directory of the hardware and application programs used, which is attached to the directory of procedures. The DPO receives a copy.

 

IV. In the event of suspected theft of hardware and software, unauthorized access to Personal Data, sabotage, etc., the IT department and the Data Protection Coordinator should be informed immediately.

4.5 DATA STORAGE/TRANSFER/DELETION:

I. Personal Data must be stored on Visionet’s IT infrastructure provided for this purpose. Personal Data must not be kept by Visionet in an identifiable form for longer than is necessary for the purposes for which the data is processed or obliged by statutory laws or regulations.


II. The Company will maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time.

4.6 AUTOMATED PROFILING AND DECISION MAKING:

I. Visionet hereby warrants that it does not use any automated decision making (including profiling) to process your Personal Data.

4.7 SECURITY OF PROCESSING:

I. For each procedure, a determination of the need for protection and an analysis of the possible risks for the Data Subject shall be prepared within the procedural register. These are based on the nature, extent, circumstances and purposes of the processing as well as the probability of such a risk occurring.


II. To ensure the availability, confidentiality and integrity of the data as well as the resilience of the Data Processing systems, a general security concept exists.


III. In addition to this policy, there are supplementary provisions which particularly relate to measures to be taken to implement the data protection requirements of Art. 32 GDPR. These include, but are not limited to

5. RIGHTS OF DATA SUBJECTS

5.1 RIGHT OF ACCESS AND DATA PORTABILITY:

I. Upon request by a Data Subject, the latter shall be informed as to whether the Company processes Personal Data relating to him or her. If this is the case, the Data Subject is entitled to access the corresponding Personal Data. The Data Subject shall specify the type of data for which he or she requests access. The Data Subject should receive a copy of the Personal Data within one month of receiving the request.


II. The copy of Personal Data shall be provided in a form and in a languageunderstandable to the Data Subject. When providing information to the Data Subject, the existing Personal Data and the purpose of the storage shall be communicated. Furthermore, the origin of the data shall be explained as far as available.


III. In addition to the right of access, the Data Subject is also entitled to receive the stored Personal Data in a structured form so that it can be transferred to another controller. However, this right to data portability only applies to data processed on the basis of consent, for the fulfilment of a contract or within the framework of automated processing.


IV. When providing information and fulfilling the right to data portability, it shall be ensured that the identity of the Data Subject is verified. It should also be noted that no Personal Data of Third Party will be disclosed within the framework of the portability of Personal Data.


V. The DPO shall be informed about all requests for access or claims for data portability so that the DPO can coordinate or take over further activities. Insofar as the DPO does not expressly assume responsibility for processing the request, the respective specialist department remains responsible for answering the request.


VI. If a request cannot be promptly answered or a claim cannot be promptly met, the Data Subject shall be provided at least with intermediate information indicating the estimated time to process the request.

5.2 RIGHT OF DELETION AND RESTRICTION OF PROCESSING:

I. In the event of a justified request by a Data Subject, the Personal Data relating to that Data Subject shall be deleted. In particular, a request is justified if there is no basis for processing the data or if the lawful basis has ceased to exist in the meantime. If there is (no longer) any lawful basis for storing Personal Data, these shall be deleted independently of a request from the Data Subject in accordance with Visionet’s data retention policy.


II. If a deletion is not possible, the extent to which the processing of Personal Data can at least be restricted shall be examined. In particular, processing should be restricted until the permissibility of further Data Processing has been clarified. If the Data Subject no longer wishes his or her data to be used, a restriction on processing shall be considered so that the data of the Data Subject are not (re-) used in the event of a new data collection. 

5.3 RIGHT OF CORRECTION:

I. Incomplete or incorrect Personal Data shall be corrected at the request of the Data Subject. The correction is also in the interest of the Company, as the entire database should be as accurate and of high quality, as much as possible.


II. If Company Personnel are aware that data stored by the Company is incomplete or incorrect, he/she should inform the relevant Visionet department so that a correction can be initiated.

5.4 RIGHT OF WITHDRAWAL, OPPOSITION AND APPEAL:

I. Any consent given by a Data Subject to the processing of his/her data may be freely revoked at any time. The Data Subject shall be pointed to the possibility of revocation. The revocation applies prospectively.


II. If the processing of data is made on the lawful basis of a legal obligation, legitimate interest, performance of a contract or steps prior to entering into a contract, performance of a task carried out in the public interest, protection of the vital interests of the Data Subjects, the consent of the Data Subject is not required (except, in some circumstances, where data are transferred outside the EU/EEE and/or Special Categories of Personal Data are processed). If the Data Subject withdraw his/her consent to the Data Processing, an examination shall show in what extent Data Processing may be waived in the future. If this is not possible, the Data Subject shall be informed accordingly.


III. The Data Subject has the right to complain to the Company about the handling of his/her Personal Data. The complaint shall be forwarded immediately to the DPO, through the Data Protection Coordinator, unless it was addressed directly to him or her. The DPO will reply to the complaint within a maximum period of 30 days and, if necessary, propose appropriate measures to improve the level of data protection.

6. COMPETENCE

6.1 RESPONSIBILITY:

I. The Company Personnel shall read, respect and abide by this Data Privacy Policy.


II. The Company remains responsible to the Data Subject, for the purposes of the data protection law. Therefore, Company Personnel acts on behalf of the Company and shall comply with requirements stated by the Company, including this policy.

6.2 REPORTING OF BREACH AND COOPERATION WITH DATA PRIVACY AUTHORITY:

I. The GDPR requires Data Controller to notify any Personal Data breach which results in a risk to the rights and freedoms of natural persons to the data privacy authority Information Commissioner and, in certain instances, the Data Subject.


II. Company Personnel shall report immediately to the DPO, through the Data Protection Coordinator, if they have knowledge of any violation of this Data Privacy Policy or any legal requirement relating to the protection of Personal Data.


III. In case of a suspicion of a breach, Company Personnel much inform the DPO, through the Data Protection Coordinator as soon as possible. The DPO should be involved at an early stage, in order clarify the matter.


IV. On the basis of the information received, the DPO examines if the data privacy authority is required to be informed.


V. In the event of a breach of data protection, including cases where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Company, the person, after having become aware of
the breach shall inform, without undue delay, the management of the Company and/or the DPO about the breach of this policy.


VI. Where Visionet acts as Data Processor, it shall notify the Personal Data breach to the Data Controller.


VII. Visionet shall cooperate fully with the responsible data privacy authority. In the event of a statutory obligation to provide information to the data privacy authority, the Company shall provide the requested information without delay. Measures and findings of the data privacy authority will be accepted by the Company, provided that they are lawful. Communication with the data privacy authority shall be made through the DPO.

7. FINAL PROVISION

7.1 PUBLICITY:

I. This Data Privacy Policy shall be made available to all Company employees in an appropriate manner, in particular through the intranet and communication at the time of hiring.

7.2 AMENDMENTS TO THIS DATA PRIVACY POLICY

II. The Company reserves the right to amend this policy as necessary. An amendment may be necessary in particular to comply with legal requirements, binding regulations, requirements of the data privacy authority or internal procedures.


III. The extent to which technological changes require an adjustment of this Data Privacy Policy will also be reviewed at regular intervals.

8. DOCUMENT OWNER AND APPROVAL

The Data Protection Officer / GDPR Owner is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.

 

A current version of this document is available to all members of staff on the Company Intranet Portal and is published.
This policy was approved by the management and is issued on a version controlled basis under the signature of the Global CIO / CISO.


Name: Norman E Gottschalk III 

Date: July 15th 2022