Last modification: November 01, 2018
Nothing in this Policy has the effect of creating obligations for SPYPOINT beyond those imposed by applicable laws and regulations pertaining to protection of Personal Information.
Details of the policy
SPYPOINT is responsible for, and will be able to demonstrate compliance with this Policy, and has designated an individual or individuals accountable for SPYPOINT’s compliance with the Policy.
Accountability for SPYPOINT’s compliance with this Policy rests with the designated individual(s), even though other individuals within SPYPOINT may be responsible for the day-to-day collection and Processing of Personal Information. Other individuals within SPYPOINT may be delegated to act on behalf of the designated individual(s).
The identity of the individual(s) designated by SPYPOINT to oversee SPYPOINT’s compliance with this Policy will be made known upon request if not specified herein.
Any reference to SPYPOINT in this Policy refers to situations where SPYPOINT acts as Controller and excludes situations where SPYPOINT acts as Intermediary, unless specified otherwise.
Where SPYPOINT determines the purposes and means of Processing jointly with another Controller, SPYPOINT and such other Controller will be joint Controllers who, in a transparent manner, will determine their respective duties and responsibilities for compliance with the obligations under the applicable laws and regulations, by means of an arrangement between them (the essence of which will be made available to you) reflecting their respective roles and relationships vis-à-vis you. Irrespective of the terms of the arrangement, you may exercise your rights under the applicable laws and regulations in respect of and against each of those joint Controllers.
2. Purposes and purpose limitation
The purposes for which Personal Information is collected will generally be identified by SPYPOINT at or before the time the Personal Information is collected, for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
SPYPOINT will document the purposes for which Personal Information is collected. Depending upon the way in which the Personal Information is collected, this can be done orally or in writing. An online application form or notes related thereto, for example, may give notice of the purposes.
Identifying the purposes for which Personal Information is collected at or before the time of collection allows SPYPOINT to determine the Personal Information it needs to collect to fulfil these purposes. SPYPOINT will collect only the Personal Information necessary for the purposes that have been identified.
Unless stated otherwise at or before the time the Personal Information is collected, the specified, explicit and legitimate purposes for which SPYPOINT may collect your Personal Information include:
- providing, maintaining, personalizing and improving the services and any of SPYPOINT’s products;
- allowing SPYPOINT to perform internal operations in relation to its services; and
- sending or facilitating communications between SPYPOINT and you in relation to the services.
When Personal Information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified and documented prior to Processing and SPYPOINT will provide you prior to that further Processing with information on that other purpose and with any relevant further information as referred to in section 9 of this Policy [Individual Access and Other Rights], unless you already have the information. Unless the new purpose is required by law, your Consent will be requested before Personal Information can be used for that purpose.
SPYPOINT will be able to explain to you the purposes for which the Personal Information is being collected.
If the purposes for which SPYPOINT processes Personal Information do not or do no longer require your identification by SPYPOINT, SPYPOINT will not be obliged to maintain, acquire or process additional information in order to identify you for the sole purpose of complying with applicable laws and regulations. However, in such cases, SPYPOINT will not refuse to take additional information that you provide in order to support the exercise of your rights relating to Processing of your Personal Information.
Your knowledge and Consent are required for the Processing of Personal Information, except where inappropriate. (For example, legal, medical, or security reasons may make it impossible or impractical to seek Consent.)
3.1. Consent in General
Your Consent to the Processing of your Personal Information will be unambiguous, manifest, freely given and enlightened, and will be given for specific purposes by a statement or by a clear affirmative action. Such Consent will be valid only for the length of time needed to achieve the purposes for which it was requested.
SPYPOINT will be able to demonstrate that you have Consented to Processing of your Personal Information where such Processing is based on Consent.
Typically, SPYPOINT will seek Consent for the Processing of the Personal Information at or before the time of collection. In certain circumstances, Consent with respect to Processing may be sought after the Personal Information has been collected but before use (for example, when SPYPOINT wants to use Personal Information for a purpose not previously identified).
To make the Consent meaningful, the purposes for which the Personal Information will be used will be stated in such a manner that you can reasonably understand how the Personal Information may be used or disclosed.
SPYPOINT will not, as a condition of the performance of a contract, including the supply of a product or service, require your Consent to the Processing of Personal Information beyond that required for the performance of that contract or to otherwise fulfil the purposes.
The form of the Consent sought by SPYPOINT may vary, depending upon the circumstances and the type of Personal Information. In determining the form of Consent to use, SPYPOINT will take into account the sensitivity of the Personal Information.
The way in which SPYPOINT seeks Consent may vary, depending on the circumstances and the type of Personal Information collected. SPYPOINT will generally seek express Consent when the Personal Information is likely to be considered sensitive. Implied Consent may generally be appropriate when the Personal Information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney). Consent will not be obtained through deception.
You can give Consent in many ways. For example:
- an online application form may be used to seek Consent, collect Personal Information and inform you of the use that will be made of the Personal Information. By completing and sending the form, you are giving Consent to the collection and the specified uses;
- a checkbox may be used to allow you to expressly agree that your name and address be given to other organizations;
- Consent may be given orally when Personal Information is collected over the telephone; or
- Consent may be given at the time that you use a product or service.
If your Consent is given in the context of a written declaration which also concerns other matters, the request for Consent will be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
You may withdraw Consent at any time, subject to legal or contractual restrictions and reasonable notice, as easily as it is to give Consent. Such withdrawal will not affect the lawfulness of Processing based on Consent before its withdrawal, and you will be informed thereof prior to giving Consent.
Consent to the disclosure of Personal Information from a Third Party may be given by you to SPYPOINT in order to collect the Personal Information from the Third Party.
SPYPOINT will collect Personal Information only from you, unless you Consent to collection from Third Parties. However, SPYPOINT may, without your Consent, collect Personal Information from a Third Party if the law so authorizes. It may also do so if it has a serious and legitimate reason and either of the following conditions is fulfilled:
- the Personal Information is collected in your interest and cannot be collected from you in due time; or
- collection from a Third Party is necessary to ensure the accuracy of the Personal Information.
The Platform is hosted in Canada, and is intended for, amongst others, Canadian, American and European visitors. When we transfer your Personal Information from the European Union to Canada, we use various mechanisms to ensure that your Personal Information is appropriately protected.
3.2. Child's Consent in Relation to Information Society Services
Where a child gives Consent to the Processing of his or her Personal Information for one or more specific purposes in relation to the offer of services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services, the child must be at least 16 years old unless such Consent for such Processing is given or authorized by the holder of parental responsibility over the child.
SPYPOINT will make reasonable efforts to verify in such cases that Consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.
4. Limited collection, data minimization, fairness and lawfulness
The collection of Personal Information will be adequate, relevant and limited to that which is necessary for the purposes identified by SPYPOINT for which it is processed. Information will be collected by fair and lawful means.
SPYPOINT will specify the type of Personal Information collected as part of its information-handling policies and practices. Personal Information collected may include, but is not limited to, your first and last name, your language, your postal and email address, your telephone number and information about your credit card.
If you visit the Platform, you are logged into your account and have a SPYPOINT connected device, we may record adjustments you make to such device’s settings through the Platform interface. We may store such data along with information about your SPYPOINT device, such as the name and model of such device, its serial number and SIM card number as well as its purchase date, data collected by the device, a history of your device settings and any other information collected about your use of SPYPOINT’s products and services in general.
We could also log information collected through cookies and other tracking technology in order to collect information about your browsing behavior when you visit the Platform, such as your page views, IP address, length of visits on the Platform, etc. We may also collect and log information on your browser type and version. However, such information is collected on an anonymous aggregate basis, which means no Personal Information is associated with this information. Most Internet browsers automatically accept cookies, but you may be able to change the settings of your browser to reject cookies. If you set your browser to reject cookies, parts of the Platform and/or services may however not be accessible to you.
SPYPOINT may choose to refrain from requiring your Consent for the Processing of Personal Information relating to you if and to the extent that Processing is necessary:
- for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
- for compliance with a legal obligation to which SPYPOINT is subject;
- in order to protect your vital interests or those of another natural person;
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in SPYPOINT;
- for the purposes of the legitimate interests pursued by SPYPOINT or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of Personal Information.
SPYPOINT may establish a file on you.
SPYPOINT, when establishing a file on you or recording Personal Information in such a file, will make an entry indicating the source of any Personal Information collected from a Third Party when the Third Party is a person carrying on an enterprise. The entry is part of your file.
SPYPOINT may not refuse to respond to a request for goods or services or to a request relating to employment by reason of the applicant's refusal to disclose Personal Information except where:
- collection of that Personal Information is necessary for the conclusion or performance of a contract;
- collection of that Personal Information is authorized by law; or
- there are reasonable grounds to believe that the request is not lawful.
SPYPOINT will not process Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, unless one of the situations enumerated in GDPR Article 9(2) applies.
The Platform may contain links to third-party websites, which are not under the control of SPYPOINT. These third-party websites may collect information, such as Personal Information, about you. We invite you to consult the Personal Information management policies applicable to such third-party websites, as they may differ from this Policy.
5. Limited use, disclosure and retention
Personal Information will not be processed for purposes other than those for which it was collected, except with your Consent or as required by law. Personal Information will be retained only as long as necessary for the fulfilment of those purposes in a form which permits your identification for no longer than is necessary for the purposes for which the Personal Information is processed.
SPYPOINT will develop guidelines and implement procedures with respect to the retention and destruction of Personal Information. These guidelines and procedures will include minimum and maximum retention periods. (SPYPOINT may be subject to legislative requirements with respect to retention periods.)
SPYPOINT will not disclose to a Third Party your Personal Information unless you Consent thereto, or such disclosure or use is provided for by law.
For instance, in the carrying on of its enterprise, SPYPOINT’s authorized employees, mandataries or agents or any supplier that has entered into a contract with SPYPOINT for work or services may have access to Personal Information without your Consent if the Personal Information is needed for the performance of their duties or the carrying out of their mandates or contracts.
SPYPOINT may, without your Consent, disclose Personal Information contained in a file to an archival agency if the archival agency is a person whose object is the acquisition and preservation of documents for their general informational value and if the Personal Information is disclosed as part of the transfer or deposit of the archives of SPYPOINT.
Personal Information may also be disclosed without your Consent for research purposes if the documents containing the Personal Information are not structured so as to allow retrieval by reference to your name or identifying code or symbol and the Personal Information cannot be retrieved by means of such a reference.
Any person holding Personal Information on behalf of SPYPOINT may refer to the latter every request for access or rectification received from an individual to whom Personal Information relates.
6. Accuracy, integrity, confidentiality and right to rectification
Personal Information will be as accurate, complete and kept up-to-date as is necessary for the purposes for which it is to be used. Every reasonable step will be taken to ensure that Personal Information that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
Personal Information that is used on an ongoing basis, including Personal Information that may be disclosed to third parties, will be generally accurate and up-to-date, unless limits to the requirement for accuracy are set out.
SPYPOINT will not routinely update Personal Information, unless such a process is necessary to fulfil the purposes for which the Personal Information was collected.
The extent to which Personal Information will be accurate, complete and up-to-date will depend upon input (i) from you or (ii) resulting from data generated by you using SPYPOINT products or services, and the use of the Personal Information, taking into account your interests.
You will have the right to obtain from SPYPOINT without undue delay the rectification of inaccurate Personal Information concerning you. Taking into account the purposes of the Processing, you will have the right to have incomplete Personal Information completed, including by means of providing a supplementary statement.
Personal Information will be protected by security safeguards appropriate to the sensitivity of the Personal Information, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
7.1. Security measures
SPYPOINT will take the security measures necessary to ensure the protection of the Personal Information processed and that are reasonable given the sensitivity of the Personal Information, the purposes for which it is to be used, the quantity and distribution of the Personal Information and the medium on which it is stored.
The security safeguards of SPYPOINT will protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
The nature of the safeguards will vary depending on the sensitivity of the Personal Information that has been collected, the amount, distribution and format of the Personal Information and the method of storage.
The methods of protection will include:
- physical measures (such as restricted access to offices);
- organizational measures (such as security clearances); and
- technological measures (such as the use of passwords).
SPYPOINT will make its employees aware of the importance of maintaining the confidentiality of Personal Information, and care will be used in the disposal or destruction of Personal Information, to prevent unauthorized parties from gaining access to the Personal Information.
SPYPOINT will implement appropriate technical and organizational measures to ensure and to be able to demonstrate that Processing is performed in accordance with applicable laws and regulations, taking into account the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Those measures will be reviewed and updated where necessary. Where proportionate in relation to Processing activities, such measures will include the implementation of appropriate data protection policies by SPYPOINT.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SPYPOINT will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the Pseudonymisation and encryption of Personal Information;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise processed.
7.2. Data protection by design
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the Processing, SPYPOINT will, both at the time of the determination of the means for Processing and at the time of the Processing itself, implement appropriate technical and organizational measures, such as Pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the Processing in order to meet the requirements of the applicable laws and regulations and protect your rights.
7.3. Data protection by default
SPYPOINT will implement appropriate technical and organizational measures for ensuring that, by default, only Personal Information which is necessary for each specific purpose of the Processing is processed. That obligation applies to the amount of Personal Information collected, the extent of its Processing, the period of its storage and its accessibility. In particular, such measures will ensure that by default Personal Information is not made accessible without the individual’s intervention to an indefinite number of natural persons.
Where Processing is to be carried out on behalf of SPYPOINT, SPYPOINT will use only Intermediaries providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the applicable laws and regulations and ensure the protection of your rights. The Intermediary will not engage another Intermediary without prior specific or general written authorization of SPYPOINT. Processing by an Intermediary will be governed by a contract that is binding on the Intermediary with regard to SPYPOINT and that sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of individuals and the obligations and rights of SPYPOINT. Where an Intermediary engages another Intermediary for carrying out specific Processing activities on behalf of SPYPOINT, the same data protection obligations as set out in the contract between SPYPOINT and the Intermediary will be imposed on that other Intermediary by way of a contract. The Intermediary and any person acting under the authority of SPYPOINT or of the Intermediary, who has access to Personal Information, will not process those data except on instructions from SPYPOINT, unless legally required to do so by a statutorily-empowered public authority.
7.5. Notification of a Personal Information Breach
SPYPOINT will document any Personal Information Breaches, comprising the facts relating to the Personal Information Breach, its effects and the remedial action taken, and will, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal Information Breach to the statutorily-empowered public authority appropriate in accordance with applicable laws and regulations, unless the Personal Information Breach is unlikely to result in a risk to the rights and freedoms of natural persons. Such notification will at least:
- describe the nature of the Personal Information Breach including where possible, the categories and approximate number of individuals concerned and the categories and approximate number of Personal Information records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the Personal Information Breach;
- describe the measures taken or proposed to be taken by SPYPOINT to address the Personal Information Breach, including, where appropriate, measures to mitigate its possible adverse effects.
SPYPOINT will communicate the Personal Information Breach to you without undue delay when the Personal Information Breach is likely to result in a high risk to the rights and freedoms of natural persons. Such communication will describe in clear and plain language the nature of the Personal Information Breach, and contain at least the information and measures referred to in points (b), (c) and (d) above.
8. Openness and transparency
SPYPOINT will make readily available to you specific information about its policies and practices relating to the management of Personal Information.
SPYPOINT is open about its policies and practices with respect to the management of Personal Information. You will be able to acquire information about SPYPOINT’s policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
SPYPOINT may make information on its policies and practices regarding Personal Information Protection available in a variety of ways. The method chosen depends on the nature of its business and other considerations.
SPYPOINT will take appropriate measures to provide in a concise, transparent, intelligible and easily accessible form, using clear and plain language, any information that must be provided to you (whether Personal Information is collected from you, or has not been obtained from you, subject to situations where the Personal Information must remain confidential due to an obligation of professional secrecy) and any communication regarding your rights relating to Processing of your Personal Information.
More specifically, whether Personal Information is collected from you, or has not been obtained from you, SPYPOINT will, at the time when Personal Information is obtained (or, where Personal Information has not been obtained from you, within a reasonable period after obtaining the Personal Information, but at the latest within one month, having regard to the specific circumstances in which the Personal Information is processed), provide you with the following information, unless (i) you already have it, or (ii) the provision of such information proves impossible or would involve a disproportionate effort, or (iii) the Personal Information must remain confidential subject to an obligation of professional secrecy:
- SPYPOINT identity and contact details and, where applicable, of SPYPOINT’s representatives (including the representatives’ titles and addresses) accountable for SPYPOINT’s policies and practices and to whom complaints or inquiries can be forwarded;
- the purposes of the Processing for which the Personal Information is intended as well as the legal basis for the Processing;
- the legitimate interests pursued by SPYPOINT or by a third party, where the Processing is necessary for purposes of the legitimate interests pursued by SPYPOINT or by a third party;
- a description of the type of Personal Information held by SPYPOINT, including a general account of its use, and the categories of Personal Information concerned;
- the Recipients or categories of Recipients of the Personal Information, if any, including what Personal Information is made available to related organizations (e.g. affiliates such as subsidiaries and parent organizations);
- the means of gaining access to Personal Information held by SPYPOINT; and
- where applicable, the fact that SPYPOINT intends to transfer Personal Information to a third country or international organization and the existence or absence of an adequacy decision within the meaning of the GDPR, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
SPYPOINT will, at the time when Personal Information is obtained, provide you with the following further information necessary to ensure fair and transparent Processing, unless you already have it:
- the period for which the Personal Information will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from SPYPOINT access to and rectification or erasure of Personal Information or Restriction of Processing concerning you or to object to Processing as well as the right to data portability;
- where the Processing is based on your Consent, the existence of the right to withdraw Consent at any time, without affecting the lawfulness of Processing based on Consent before its withdrawal;
- the right to lodge a complaint with a statutorily-empowered public authority;
- from which source the Personal Information originates (if it does not originate from you), and if applicable, whether it came from publicly accessible sources;
- whether the provision of Personal Information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the Personal Information and of the possible consequences of failure to provide such data; and
- the existence of automated decision-making, including Profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for you.
The above-listed elements may be provided in combination with standardized icons (which may be machine-readable) in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended Processing.
9. Individual Access and other rights
Upon request, you will be informed of the existence and Processing of your Personal Information and will generally be given access to that Personal Information. You will be able to challenge the accuracy and completeness of the Personal Information and have it amended as appropriate.
9.1. Right of Access
Upon request, SPYPOINT will inform you whether or not SPYPOINT holds Personal Information about you and may indicate the source of this Personal Information. SPYPOINT will generally allow you access to this Personal Information. You may be required to provide sufficient information to permit SPYPOINT to provide an account of the existence and Processing of Personal Information.
You are entitled to obtain that any Personal Information collected otherwise than lawfully be deleted.
No request for access, rectification or deletion may be considered unless it is made in writing by you when you prove that you are the individual concerned (or the representative, heir or successor of that individual, or the liquidator of the succession, a beneficiary of life insurance or of a death benefit).
SPYPOINT, when holding a file that is the subject of your request for access, rectification or deletion, will respond to that request within a reasonable time after receipt of the request, without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. SPYPOINT will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. The requested information will be provided or made available in a form that is generally understandable. (For example, if SPYPOINT uses abbreviations or codes to record Personal Information, an explanation will be provided.)
The information will be provided in writing, or by other means, including, where appropriate, by electronic means. Where you make the request by electronic means, the information will be provided by electronic means in a commonly used electronic form where possible, unless otherwise requested by you. When requested by you, the information may be provided orally, provided that your identity is proven by other means.
SPYPOINT will facilitate the exercise of your rights relating to Processing of your Personal Information and will not refuse to act on your request for exercising such rights unless SPYPOINT is not in a position to identify you.
In certain situations, SPYPOINT may not be able to provide access to all the Personal Information it holds about you. Exceptions to the access requirement are meant to be limited and specific. The reasons for denying access will be provided to you upon request.
Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons and information that is subject to solicitor-client or litigation privilege.
SPYPOINT may refuse to give communication of Personal Information to you where disclosure of the Personal Information would be likely to hinder an inquiry the purpose of which is the prevention, detection or repression of crime or statutory offences.
SPYPOINT will refuse to give communication of Personal Information to you where (i) disclosure would be likely to reveal Personal Information about a Third Party or the existence of Personal Information and (ii) the disclosure may seriously harm that Third Party, unless the latter consents to the disclosure of the Personal Information or in the case of an emergency that threatens the life, health or safety of an individual.
If SPYPOINT does not take action on your request, SPYPOINT will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a statutorily-empowered public authority and seeking a judicial remedy.
The transcription, reproduction or transmission of Personal Information and any communication and actions taken in relation to such transcription, reproduction or transmission will be provided free of charge, unless your requests are manifestly unfounded or excessive, in particular because of their repetitive character, in which case SPYPOINT may either refuse to act on the request or charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested. For any further copies requested by you, SPYPOINT may charge a reasonable fee based on administrative costs.
9.2. Right to Erasure (‘Right to be Forgotten’)
You will have the right to obtain from SPYPOINT the erasure of Personal Information concerning you without undue delay and SPYPOINT will have the obligation to erase Personal Information without undue delay where one of the following grounds applies:
- the Personal Information is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw Consent on which the Processing is based, and where there is no other legal ground for the Processing;
- you object to the Processing and there are no overriding legitimate grounds for the Processing;
- the Personal Information has been unlawfully processed;
- the Personal Information has to be erased for compliance with a legal obligation to which SPYPOINT is subject;
- the Personal Information has been collected in relation to the offer of services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
Where SPYPOINT has made Personal Information public and is obliged to erase such Personal Information, SPYPOINT, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform Controllers who are Processing the Personal Information that you have requested the erasure by such Controllers of any links to, or copy or replication of, that Personal Information.
Such right to erasure will not apply to the extent that Processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires Processing by a statutorily-empowered public authority to which SPYPOINT is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in SPYPOINT;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that Processing; or
- for the establishment, exercise or defence of legal claims.
9.3. Right to Restriction of Processing
You will have the right to obtain from SPYPOINT Restriction of Processing where one of the following applies:
- the accuracy of the Personal Information is contested by you, for a period enabling SPYPOINT to verify the accuracy of the Personal Information;
- the Processing is unlawful and you oppose the erasure of the Personal Information and request the restriction of its use instead;
- SPYPOINT no longer needs the Personal Information for the purposes of the Processing, but it is required by you for the establishment, exercise or defence of legal claims;
- you have objected to Processing pending the verification whether the legitimate grounds of SPYPOINT override yours.
Where Processing has been restricted pursuant to the foregoing, such Personal Information will, with the exception of storage, only be processed with your Consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of a statutorily-empowered public authority.
If you have obtained Restriction of Processing pursuant to the foregoing, you will be informed by SPYPOINT before the Restriction of Processing is lifted.
9.4. Right to Data Portability
You will have the right to receive the Personal Information which you have provided to SPYPOINT, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from SPYPOINT to which the Personal Information has been provided, where the Processing is based on Consent and the Processing is carried out by automated means.
9.5. Right to Object
You will have the right to object, on grounds relating to your particular situation, at any time to Processing of Personal Information concerning you which is necessary for the purposes of the legitimate interests pursued by SPYPOINT or by a third party or for the performance of a task carried out in the public interest or in the exercise of official authority vested in SPYPOINT, including Profiling based on those provisions. SPYPOINT will no longer process the Personal Information unless SPYPOINT demonstrates compelling legitimate grounds for the Processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
9.6. Automated Individual Decision-Making, Including Profiling
If, when or where applicable, you will have the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning you or similarly significantly affects you. This right will not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and SPYPOINT;
- is authorized by the law to which SPYPOINT is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit Consent.
In the cases referred to in the first and third points above, SPYPOINT will implement suitable measures to safeguard the right to obtain human intervention on the part of SPYPOINT, to express your point of view and to contest the decision.
10. Challenging Compliance
You may address a challenge concerning SPYPOINT’s compliance with this Policy to the designated individual(s) accountable for such compliance.
SPYPOINT has put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of Personal Information. The complaint procedure is meant to be easily accessible and simple to use.
SPYPOINT will inform individuals who make inquiries or lodge complaints of the existence of the relevant complaint procedure.
SPYPOINT will investigate all complaints. If a complaint is found to be justified, SPYPOINT will take appropriate measures, including, if necessary, amending its policies and practices.
When a challenge is not resolved to your satisfaction, the substance of the unresolved challenge will be recorded by SPYPOINT.