Data Protection Policy

Last updated: May 24, 2018

Introduction

This Data Protection Policy sets out the policy which the Crassula group has adopted in order to facilitate compliance with the General Data Protection Regulation (the "GDPR") when we establish and manage customer and business relationships and execute transactions.

The GDPR regulates the "processing" of "personal data".

"Personal data" is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly.

This Policy applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:

  • names of individuals;
  • an identification number;
  • location data;
  • an online identifier;
  • email addresses;
  • telephone numbers;
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and
  • any other information relating to individuals.

"Processing" covers any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Scope

This policy applies to:

  • the EU offices of Crassula group;
  • all staff and volunteers of Crassula; and
  • all contractors, suppliers and other people (authorised persons) working on behalf of the Crassula group.

A copy of this Policy will be supplied to each such person mentioned above. The requirements set out in this Policy are mandatory unless otherwise stated and must be followed by all persons involved in the data processing activities. It is the responsibility of each such person to acquaint themselves with the requirements of this Policy. Failure to comply with this Policy may constitute a serious disciplinary offence and could result in dismissal.

Purpose

Crassula processes personal data in various situations and in relation to various categories of individual. This Policy deals specifically with personal data collected in the context of the establishment and management of our customer relationships and the execution of transactions on the instructions of our customers. The individuals to whom personal data relate, whether customers or otherwise, are known as "data subjects".

The Data State Inspectorate (DSI) is responsible for enforcement of the GDPR and has published a range of guidance on data protection issues, all of which is available on the Inspectorate's website at http://www.dvi.gov.lv.

The DSI in Latvia is also the lead supervisory authority chosen by the Crassula group.

Policy Statement

Our principal obligations under the GDPR include:

  • Respecting individuals’ rights;
  • Processing personal data lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • Collecting personal data for specified, explicit and legitimate purposes and not further processing them in a manner that is incompatible with those purposes (‘purpose limitation’);
  • Ensuring that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • Ensuring that personal data are accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • Ensuring that personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
  • Ensuring that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
  • Providing training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently; and
  • Responding appropriately when data subjects seek to exercise their statutory rights of access, correction and objection.

This Policy is supplementary to our other published policies.

Customer and partner data

Data processing for a contractual relationship

Personal data of the relevant prospects, customers and partners can be processed in order to establish, execute and terminate a contract. This also includes advisory services for the partner under the contract if this is related to the contractual purpose. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare bids or purchase orders or to fulfill other requests of the prospect that relate to contract conclusion. Prospects can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the prospects must be complied with.

Crassula processes the following personal data for this purpose:

  1. Name and Surname
  2. Residential address
  3. Phone
  4. Email
  5. Postal code
  6. Credit card data (number, expiration date, CVC/CVV)
  7. ID document (passport, driver license, other ID)
  8. Customer IP address

Data processing for advertising purposes

If the data subject contacts a Crassula company to request information (e.g. request to receive information material about a product), data processing to meet this request is permitted.

Customer loyalty or advertising measures are subject to further legal requirements. Personal data can be processed for advertising purposes or market and opinion research, provided that this is consistent with the purpose for which the data was originally collected. The data subject must be informed about the use of his/her data for advertising purposes. If data is collected only for advertising purposes, the disclosure from the data subject is voluntary. The data subject shall be informed that providing data for this purpose is voluntary. When communicating with the data subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving consent, the data subject should be given a choice among available forms of contact such as regular mail, e-mail and phone.

If the data subject refuses the use of his/her data for advertising purposes, it can no longer be used for these purposes and must be blocked from use for these purposes. Any other restrictions from specific countries regarding the use of data for advertising purposes must be observed.

Crassula processes the following personal data for this purpose:

  1. Name and Surname
  2. Residential address

Consent to data processing

Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed of the Privacy Policy, whose provisions on personal data protection are similar to those of this Data Protection Policy.

The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.

Data processing pursuant to legal authorisation

The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions.

Data processing pursuant to legitimate interest

Personal data can also be processed if it is necessary for a legitimate interest of the Crassula Group. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.

Automated individual decisions

Automated processing of personal data that is used to evaluate certain aspects (e.g. creditworthiness) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the data subject. The data subject must be informed of the facts and results of automated individual decisions and the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.

User data and internet

If personal data is collected, processed and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects.

If usage profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only be carried out if it is permitted under national law or upon consent of the data subject. If tracking uses a pseudonym, the data subject should be given the chance to opt out in the privacy statement.

If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.

Special categories of personal data (sensitive personal data)

Crassula does not seek to collect or process personal data identified by the GDPR as "sensitive" for Customer and/or Transaction Management purposes. You should not collect or process sensitive personal data for these purposes and should delete them if you become aware that we have collected them, except with the approval of the Data Protection Officer given on the basis of an assessment of the requirements of the GDPR. Sensitive personal data is defined as personal data consisting of information as to:

  1. Racial or ethnic origin;
  2. Political opinion;
  3. Religious or philosophical beliefs;
  4. Trade union membership;
  5. Physical or mental health or condition;
  6. Genetic data, and biometric data where processed to uniquely identify an individual;
  7. Sex life or sexual orientation.

If at any time Crassula needs to process such sensitive personal data in the future due to changes in the purposes of data processing, the processing will be carried out in accordance with the principles set out in the GDPR.

Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

This means that, to process personal data about criminal convictions or offences, Crassula must have both a lawful basis and either legal authority or official authority for the processing.

Currently, Crassula does not seek to collect or process personal data relating to criminal convictions and offences.

If at any time Crassula needs to process such personal data in the future due to changes in the purposes of data processing or under the instruction of the controller of personal data, the processing will be carried out in accordance with the principles set out in the GDPR.

Rights of the data subject

Every data subject has the following rights. Requests to exercise them are to be handled immediately by the responsible unit and may not result in any disadvantage to the data subject.

1. Right to be informed

The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.

The information Crassula supplies about the processing of personal data must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

The table below summarises the information Crassula should supply to individuals and at what stage.

| What information must be supplied? | Data obtained directly from data subject | Data not obtained directly from data subject |
|---|---|---|
| Identity and contact details of the controller and the data protection officer | Yes | Yes |
| Purpose of the processing and the lawful basis for the processing | Yes | Yes |
| The legitimate interests of the controller or third party, where applicable | Yes | Yes |
| Categories of personal data | Yes | |
| Any recipient or categories of recipients of the personal data | Yes | Yes |
| Details of transfers to third country and safeguards | Yes | Yes |
| Retention period or criteria used to determine the retention period | Yes | Yes |
| The existence of each of the data subject’s rights | Yes | Yes |
| The right to withdraw consent at any time, where relevant | Yes | Yes |
| The right to lodge a complaint with a supervisory authority | Yes | Yes |
| The source the personal data originates from and whether it came from publicly accessible sources | Yes | |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data | Yes | |
| The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences | Yes | Yes |
| When should information be provided? | At the time the data are obtained. | Within a reasonable period of having obtained the data (within one month); if the data are used to communicate with the individual, at the latest when the first communication takes place; or if disclosure to another recipient is envisaged, at the latest before the data are disclosed. |

2. Right of access

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Individuals will have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information as shown in the table above.

Email subject access requests from individuals should be addressed to dpo@crassula.io. If the request is made electronically, the information should be provided in a commonly used electronic format. Postal requests should be sent to:

Data Protection Officer
Crassula
Brivibas gatve 214M, office 417,
Riga, LV-1039,
Latvia

The DPO or the relevant person must verify the identity of the person making the request.

Crassula will provide a copy of the information free of charge. However, Crassula can charge a ‘reasonable fee’ or refuse to respond when a request is manifestly unfounded or excessive, particularly if it is repetitive.

Crassula may also charge a reasonable fee to comply with requests for further copies of the same information. The fee is based on the administrative cost of providing the information.

Information must be provided without delay and at the latest within one month of receipt of the request.

Crassula will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, Crassula will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Annex I. Request for Access to Personal Data form

3. Right to rectification

Individuals have the right to have personal data rectified if it is inaccurate or incomplete. If Crassula has disclosed the personal data in question to others, it must contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If asked to, Crassula must also inform the individuals about these recipients.

Before acting on a request, Crassula should verify the identity of the natural person making it and request any additional information necessary to confirm the identity of the data subject.

Crassula must respond to such a request within one month. This can be extended by two months where the request for rectification is complex. Where Crassula is not taking action in response to a request for rectification, it must explain why to the individual without delay and at the latest within one month of receipt of the request, informing him or her of his or her right to complain to the supervisory authority and to a judicial remedy.

4. Right to erasure (‘right to be forgotten’)

This right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • when the individual withdraws consent;
  • when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • when the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR);
  • when the personal data has to be erased in order to comply with a legal obligation; and
  • when the personal data is processed in relation to the offer of information society services to a child.

Before acting on a request, Crassula should verify the identity of the natural person making it and request any additional information necessary to confirm the identity of the data subject.

If Crassula has disclosed the personal data in question to others, it must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Crassula must also inform the individuals about these recipients.

Information on action to the individual must be provided without delay and at the latest within one month of receipt of the request.

Crassula will be able to extend the period of compliance by a further two months where necessary. If this is the case, Crassula will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where Crassula is not taking action in response to a request for erasure, it must explain why to the individual without delay and at the latest within one month of receipt of the request, informing him or her of his or her right to complain to the supervisory authority and to a judicial remedy.

5. Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data.

Crassula will be required to restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, Crassula should restrict the processing until it has verified the accuracy of the personal data.
  • Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and Crassula is considering whether its organisation’s legitimate grounds override those of the individual.
  • When processing is unlawful and the individual opposes erasure and requests restriction instead.
  • If Crassula no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.

Before acting on a request, Crassula should verify the identity of the natural person making it and request any additional information necessary to confirm the identity of the data subject.

Information on action to the individual must be provided without delay and at the latest within one month of receipt of the request.

Crassula will be able to extend the period of compliance by a further two months where necessary. If this is the case, Crassula will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

If Crassula has disclosed the personal data in question to others, it must contact each recipient and inform them of the restriction on the processing of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, Crassula must also inform the individuals about these recipients.

Where Crassula is not taking action in response to a request to restrict processing, it must explain why to the individual without delay and at the latest within one month of receipt of the request, informing him or her of his or her right to complain to the supervisory authority and to a judicial remedy.

Crassula must inform individuals when it decides to lift a restriction on processing.

6. Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

Before acting on a request, Crassula should verify the identity of the natural person making it and request any additional information necessary to confirm the identity of the data subject.

Crassula must provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

The information must be provided free of charge. If the individual requests it, Crassula may be required to transmit the data directly to another organisation if this is technically feasible. However, Crassula is not required to adopt or maintain processing systems that are technically compatible with other organisations.

If the personal data concerns more than one individual, Crassula must consider whether providing the information would prejudice the rights of any other individual.

Crassula must respond without undue delay, and within one month. This can be extended by two months where the request is complex or Crassula receives a number of requests. Crassula must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where Crassula is not taking action in response to a request, it must explain why to the individual without undue delay and at the latest within one month of receipt of the request, informing him or her of his or her right to complain to the supervisory authority and to a judicial remedy.

7. Right to object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Crassula must stop processing the personal data unless:

  • Crassula can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

Before acting on a request, Crassula should verify the identity of the natural person making it and request any additional information necessary to confirm the identity of the data subject.

Crassula must stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse. Crassula must deal with an objection to processing for direct marketing at any time and free of charge.

Crassula must inform individuals of their right to object “at the point of first communication” and in Crassula's privacy notice (Privacy policy). This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

Information on action to the individual must be provided without delay and at the latest within one month of receipt of the request.

Crassula will be able to extend the period of compliance by a further two months where necessary. If this is the case, Crassula will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where Crassula is not taking action in response to an objection, it must explain why to the individual without delay and at the latest within one month of receipt of the request, informing him or her of his or her right to complain to the supervisory authority and to a judicial remedy.

8. Rights related to automated decision making including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Automated individual decision-making is a decision made by automated means without any human involvement.

The GDPR restricts companies from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

Crassula must:

  • provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;
  • use appropriate mathematical or statistical procedures;
  • ensure that individuals can:
      • obtain human intervention;
      • express their point of view; and
      • obtain an explanation of the decision and challenge it;
  • put appropriate technical and organisational measures in place, so that it can correct inaccuracies and minimise the risk of errors;
  • secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.

Responsibilities

Everyone who works for or with Crassula has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

Data Protection Officer

Contact details for the Data Protection Officer and staff are as follows:

Crassula, Data Protection Officer,
Address: Brivibas gatve, 214M, office 417, Riga, LV-1039, Latvia
E-mail: dpo@crassula.io

Transfers to Third Parties

We will share personal data with third party service providers who are acting on behalf of Crassula as our data processors.

Crassula uses trusted third parties, who assist us in operating our website, conducting our business, or servicing our customers, so long as those parties agree to keep this information confidential. We may also disclose information when we believe disclosure is appropriate to comply with the law, enforce our policies, or protect our or others’ rights, property, or safety.

Where external companies are used to process personal data on behalf of Crassula, responsibility for the security and appropriate use of that data remains with Crassula.

International Transfer of Personal Data

In some cases Crassula may transfer personal data to third countries. Crassula is committed to adequately protecting personal data regardless of where the data resides and to providing appropriate protection for information where such data is transferred outside of the EEA. When transferring personal data outside of the EEA, one of the following conditions should be met:

  • the data subject has given consent to the transfer;
  • the transfer is necessary for the performance of the contract between the data subject and data controller;
  • the transfer is necessary for the conclusion of the contract between the data subject and data controller;
  • the transfer is necessary or legally required due to important public interest grounds;
  • the transfer is necessary in connection with the exercise or defence of legal proceedings or obtaining legal advice; or
  • the transfer is necessary to protect the vital interests of the data subject.

Disclosing data for other reasons

In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Crassula will disclose requested data. However, as a data controller the organisation will ensure the request is legitimate, seeking assistance from the Board and from the company’s legal advisers where necessary.

Personal data breaches

General information

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Types of personal data breaches:

  • “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data.
  • “Integrity breach” - where there is an unauthorised or accidental alteration of personal data.
  • “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.

Notification timeframes

In the case of a personal data breach, Crassula as the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

General staff guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees/authorised persons can request it from their line managers.
  • Crassula will provide training to all employees to help them understand their responsibilities when handling data.
  • Persons to whom this policy applies should keep all data secure, by taking sensible precautions and following the guidelines below.
  • In particular, strong passwords must be used and they should never be shared.
  • Data should not be disclosed to unauthorised people, either within the company or externally.
  • Persons to whom this policy applies should sign the Declaration of acceptance of Personal Data Protection requirements set by this Data Protection Policy.

Monitoring and Revising the Data Protection Policy

The Data Protection Officer is responsible for keeping this Data Protection Policy up to date. The DPO, in conjunction with the relevant management team, will monitor the following factors to anticipate when the Data Protection Policy objectives and provisions need revision:

  • findings of any deficiencies in the current version of the Data Protection Policy, and extension of it to any relevant provisions that were not previously covered or documented by this policy;
  • changes in the GDPR or other Union or Member State data protection provisions; and
  • issuing of recommendations or additional guidance on specific Articles of the GDPR by the supervisory authority or the European Data Protection Board.

Regardless of whether any of these factors has occurred, the DPO shall review the policy and confirm that it complies with the relevant legislation at least once per year, on the agreed schedule.