Personal Data & Privacy Protection Policy
ORBYT has always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. This program has been updated and expanded to meet the demands of the EU General Data Protection Regulation (‘GDPR’) and to ensure maximum and ongoing compliance.
We are committed to ensuring the privacy of our website visitors and users and to developing a data protection regime that is effective, fit for purpose and secures our compliance with the new Regulation.
This Personal Data & Privacy Protection Policy (the “Policy”) outlines the type of website visitors’ and users’ personal data collected by us and how we manage and process it, as well as how we safeguard privacy. This Policy only applies to information provided during the visit to the Website and the use thereof.
Once you visit and use our website, you accept this Policy as well as explicitly agree with the collection, use and processing of your personal data in accordance with this Policy.
How and why do we use your personal data?
The following types of data may be collected and processed by us for the reasons specified below:
- Data about your use of our website and services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is Google’s analytics tracking system. This usage data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is consent*.
- Information or personal or business data, in the following cases:
  - in case you submit any enquiry to us via an e-mail (via the link in our website), regarding our products and/or services (“enquiry data”). The enquiry data may include company name, contact person, address information, postal code, telephone, VAT no., as well as any other necessary personal data and may be processed for the purposes of our business and commercial activities, namely offering, marketing and selling relevant goods and/or services to you. The legal basis for this processing is your request to establish a customer or business relationship with us.
  - in case you contact us for any issue related to our business activities or for advertisement purposes. The data may include the data mentioned in the above case, whereas the legal basis for the processing is our legitimate interests.
  - in case you express interest in a position with our company (“employment data”), by sending your CV and/or cover letter attached to an e-mail. The personal data collected may include the following: full name, city of residence, education information, professional experience, technical skills, language skills, as well as any data of third parties (past employers’ names for references). The legal basis for the processing is our legitimate interests for professional employment of new personnel. In case no vacancy is open at the time of sending your CV, any future processing of the collected employment data is subject to your prior consent.
- Information disclosed for the purpose of subscribing to our email notifications and/or newsletters (“notification data”). The notification data may be collected and processed for the above purposes and the legal basis is your consent. With respect to Direct Marketing, we are revising the wording and processes, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
- Information contained in or relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and data associated with the communication and may be processed for communication purposes. The legal basis of the processing is our legitimate interests.
- Personal data, which must be processed with respect to our compliance with a legal obligation, or to the protection of your vital interests or the ones of another natural person.
Obtaining Consent: we are revising our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to see and access way to withdraw consent at any time.
When and why will we provide your personal data to third parties?
Processing of personal information may be effected by third parties on our behalf, under compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we), meet and understand their/our Data Protection obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organizational measures in place and compliance with the GDPR.
The following categories of third parties may process your personal data, on our behalf:
- Subsidiaries: Your personal data may be disclosed to any member of our group of companies (namely our subsidiaries or our holding companies), as it deems reasonably necessary.
- Professional advisers: Your personal data may be disclosed to third parties, which act as our insurers and/or professional advisers, as it deems reasonably necessary for the purposes of their activities and on the basis of our legitimate interests [indicatively insurance coverage, professional advice, management of legal claims (under either judicial or out of court procedures), advisory services on any job candidates’ recruitment process].
- Suppliers: Your personal data may be provided to our suppliers or subcontractors when such disclosure is essential for the purposes of our business administration and commercial activities.
- Other: Your personal data may be disclosed to any other third party, in any case where such disclosure is required by law and/or the processing is mandatory with respect to our compliance with a legal obligation, or to the protection of your vital interests or the ones of another natural person.
- Overseas third party: In case your personal data may be transferred to parties, established outside the European Economic Area (EEA), this transfer will be safeguarded under procedures, which include a continual review of the countries with sufficient adequacy decisions, and provisions for binding corporate rules, standard data protection contractual clauses or approved codes of conduct for those countries without. Strict due diligence checks are carried out, involving all recipients of personal data to assess and verify the available appropriate safeguards, ensure enforceable data subject rights and available effective legal remedies for data subjects.
How long will we keep your data?
Data Retention & Erasure: We have updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
Personal data that we process for any purposes shall not be kept for longer than is necessary for those purposes. Retention may be mandatory for our compliance with a legal obligation or for protection of vital interests, either yours or of another natural person.
Which are your rights, as Data Subjects?
Your principal rights under data protection law are:
(a) the right to access (requesting information on the purposes or legal basis of processing);
(b) the right to rectification of any inaccurate/incomplete personal data;
(c) the right to erasure (upon consent withdrawal/objection to the processing, etc);
(d) the right to restrict processing;
(e) the right to object to processing (in case of unlawful processing);
(f) the right to data portability;
(g) the right to complain to a supervisory authority;
(h) the right to withdraw consent (if such is the legal basis of data processing); and
(i) the right to lodge a complaint with a competent supervisory authority or seek judicial remedy.
In any case guidance from the regulatory authorities and professional advice on this issue are recommended.
Information Security & Technical and Organisational Measures
We take the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures, including but not limited to:
- Encryption of storage media, backup devices, laptops, mobile phones etc.
- Firewall utilizing Intrusion Prevention System / Intrusion Detection System
- Accountability for any file access needed by the personnel
- Physical security utilizing card access control system
- Anti-virus and endpoint management software
- Secure LAN & Wi-Fi infrastructure
- Logging – Log analysis & Audit software
- All data media is monitored and all actions are logged
- All data leaving the Company is subject to Data Loss Prevention techniques
- All access outside the Company is monitored
- There is appropriate infrastructure providing accountability, creditability and authenticity
Cookies in use
This policy may be amended from time to time by publishing a new version on our website, without prior notice.