ICONEX LLC GENERAL DATA PROTECTION POLICY
Iconex LLC respects your privacy and is committed to protecting your personal data. This Privacy Notice will inform you as to how we collect, process and look after your personal data. It will tell you about your privacy rights and how the law protects you.
Background to the General Data Protection Regulation (GDPR). The General Data Protection Regulation of 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and wherever possible that it is processed with their consent. The GDPR became effective May 25, 2018.
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
The Definitions and Frequently Asked Questions (FAQs) below provide further clarity:
- Material Scope – the GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer).
- Territorial Scope – the GDPR will apply to all controllers that are established in the European Union (EU) who process the personal data of data subjects, in the context of that establishment. It will also apply to controllers outside of the EU that process personal data in order to offer goods and services.
- Personal Data – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in a particular by reference to an identifier such as a name, an identification number, or location data.
- Controller – the person, which alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor – is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Processing – any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, organization, structuring, storage, use, erasure, or destruction.
- Restriction of processing – the marking of stored personal data with the aim of limiting their processing in the future.
- Data Protection Officer (DPO) – responsible for reviewing the GDPR policy and resolving any discrepancies.Pseudonymization – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Pseudonymization – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
- Data subject consent – means of any freely given and specific indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data.
The management of Iconex LLC, located at:
3237 Satellite Blvd.
Suite 550 Duluth, GA 30096
Phone: (678) 649-1036
Email: [email protected]
is committed to compliance with all relevant EU laws in respect of personal data and the protection of the “rights and freedoms” of individuals whose information Iconex LLC collects and processes in accordance with the General Data Protection Regulation (GDPR). Compliance with the GDPR is described by this policy.
The Iconex, LLC Data Protection Officer is responsible for reviewing this policy with regard to daily activities of Iconex LLC for any discrepancies. Once discrepancies are discovered, they will resolved immediately.
Responsibilities and roles under the General Data Protection Regulation
Iconex LLC is a data controller and data processor under the GDPR.
Management and those in supervisory roles throughout Iconex LLC are responsible for
encouraging good information handling practices within Iconex LLC.
The Iconex GDPR Data Protection Officer, Mili Mladenovic is a member of the senior
management team, is accountable to the Board of Directors of Iconex LLC for the management
of personal data within Iconex LLC and for ensuring the compliance with data protection
Legal Basis for Processing
Personal data must be processed lawfully, fairly, and transparently.
• Lawful – identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing”, for example consent.
• Fairly – in order for processing to be fair, the data controller has to make certain information available to the data subjects as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
• Transparently – the GDPR includes rules on giving privacy information. When data is collected, the data subject has the right to know the identity of the Controller, the purpose of data processing, and third parties to whom the data might be transmitted.
Personal data can only be collected for specific and legitimate purposes. Data obtained for specific purposes must not be used for a purpose that differs from the necessity to conduct business at Iconex LLC. Data collected must be limited to what is necessary for processing.
Personal data must be accurate and kept up to date with every effort to erase or rectify without delay. The Iconex DPO is responsible for responding to requests for rectification from data subjects.
In general, data collected is used for the purpose of order processing, correspondence, per customer request, of sales information, quotations, project progress, project questions, billing. Information is not sold to third parties. Information is solely for the use of Iconex LLC to provide service to customers and potential customers.
• Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR.
• The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services.
• If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR.
• In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR.
• Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the above mentioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are permissible since a legitimate interest exists when data subjects are clients of or are in service of the controller (Recital 47 Sentence 2 GDPR).
The legitimate interests pursued by the controller or by a third party
Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders.
Provision of personal data as statutory or contractual requirement; possible consequences of failure to provide such data.
We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). Sometimes it may be necessary to conclude a contract that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, the data subject must contact any employee. The employee clarifies to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of non-provision of the personal data.
Iconex LLC understands ‘consent’ is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Type of Personal Data Collected
The information collected on the data subject may include but is not limited to:
• Job title
• Phone number
• Email address
Collection of general data and information via the Iconex web site.
The Iconex website collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.
When using these general data and information, Iconex, does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, Iconex, analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
To assist in providing a safe physical environment, Iconex LLC has in place a CCTV system. Iconex LLC is responsible for the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring and ensuring
compliance with this policy. The system operates within buildings and around the perimeter of Iconex sites. Signage is in place to inform employees and visitors that CCTV is in operation. Cameras are not sited to focus on private areas. The CCTV system is operational and is capable of being monitored for 24 hours a day, every day of the year.
The principal purposes of the CCTV system are as follows:
• for the prevention, reduction, detection and investigation of crime and other incidents,
• to ensure the safety of employees and visitors.
The CCTV system will be used to observe Iconex sites in order to identify incidents requiring a response. Any response should be proportionate to the incident being witnessed.
Iconex LLC seeks to operate its CCTV system in a manner that is consistent with respect for the individual’s privacy.
Images are recorded centrally on servers located securely on Iconex sites. The cameras installed provide images that are of suitable quality for the specified purposes for which they are installed.
Unless required for evidential purposes, the investigation of an offence, or as required by law, CCTV images will be retained for no longer than 60 days from the date of recording. Images will be automatically overwritten after this point.
All employees involved in the operation of the CCTV system are aware of this policy and will only be authorized to use the CCTV system in a way that is consistent with the purposes and procedures contained therein.
Period for which the personal data will be stored
The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract.
Security of Data
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. To this end, Iconex LLC has implemented a strict security protocol including:
• Security checks
• Application / systems development and maintenance
• Data backup strategy
• Help desk and PC controls
• Governance control including a disaster recovery solution
All employees are responsible for ensuring that any personal data that Iconex LLC holds and for which they are responsible, is kept securely. To this end, Iconex LLC consistently promotes employee awareness and has implemented an employee security protocol.
Breach of Security
Personal data must be processed in a manner that ensures the appropriate security. The DPO will consider the extent of possible damage or loss that might be caused to individuals if a security breach occurs, the effect of any security breach on Iconex LLC itself, and any likely reputational damage including the possible loss of customer trust.
Data Subjects’ Rights
Right of confirmation
Each data subject shall have the right granted by the European legislator to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the controller.
Right of access
Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his other personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the existence of the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
• Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organization. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller or use the mailbox: [email protected]
Right to rectification
Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller or use the mailbox: [email protected]
Right to erasure (Right to be forgotten)
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing. The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR. The personal data have been unlawfully processed.
• The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by Iconex he or she may, at any time, contact any employee of the controller or use the mailbox: [email protected] An employee of Iconex shall promptly ensure that the erasure request is complied with immediately.
Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. An employee of Iconex will arrange the necessary measures in individual cases.