Introduction – General Data Protection Regulation (“GDPR”)
“Personal Data” or “Personal Information”: this means information capable of identifying an individual, being “personal data” as defined in the Data Protection Legislation.
“Processing” and related expressions: this means any operation Senseon performs on Personal Data, such as collection, organising, storing, updating, using, disclosing and erasing it.
“You”, “your” and/or the “Data Subject”: this means an individual who can be identified from or as a result of the Personal Data.
Who we are and How to Contact Us
In relation to Senseon’s processing of Personal Data or for any other data protection or data privacy matters, Senseon’s contact details are as follows: Frances@Senseon.io].
Typical Data Subjects
Senseon typically (but without limitation) processes Personal Information relating to the following categories of data subject:
individuals employed or otherwise engaged by its customers, suppliers and other businesses, organisations or authorities with whom it deals; and
individuals whose details we collect from sources in a B2B context and contact because it is in our legitimate interests; and
individuals who interact with Senseon on their own account.
Types of Personal Data Typically Processed
Senseon typically (but without limitation) processes Personal Data consisting of contact information, such as name, email address, physical address and, where the data subjects are themselves its customers or suppliers, bank account and payment card information.
Purposes for which Senseon Processes Personal Data
Senseon processes Personal Data for the following purposes.
to manage its business and its relationship with its customers, including providing them with products and/or services, communicating with them and maintaining its relationship with them you effectively, lawfully and appropriately.
to manage its relationship with its suppliers, including procuring products and/or services from them, communicating with them and maintaining its relationship with them
to manage relationships with authorities, intermediaries and other third parties
to inform customers and potential customers about its products and services, including by direct marketing
to invite relevant individuals to events
to inform suppliers and potential suppliers about its requirements
to provide features on its websites
to develop and improve its products and services
for account and promotional purposes
to comply with any legal obligations it may have including requests from Governmental Authorities, law enforcement agencies or to comply with legal processes
for internal administration
to detect and prevent fraud
to ensure information and networking security
to exercise its rights
to protect the rights, property or personal safety of its employees, third parties, business partners and the general public
in relation to its proposed corporate activities, such as a sale or merger.
Legal bases for Senseon’s processing of Personal Data
The legal bases on which Senseon processes Personal Data are as follows, depending on the purpose of the processing:
Legitimate Interests. In most cases, the purposes set out above represent the legitimate interests of Senseon in operating its business and the processing is necessary to achieve them and does not override the interests, fundamental rights or freedoms of the individuals concerned.
Performance of a contract. In certain cases, Senseon needs to process Personal Data to perform a contract to which the data subject is a party or to take steps at the data subject’s request before entering into a contract, for example to provide goods or services to customers who are individuals or to purchase goods or services from suppliers who are individuals.
Legal Obligation. Senseon may need to process Personal Data to comply with a legal obligation, such as an enforceable request from Government.
Consent - in certain specific situations, Senseon may process Personal Data as a result of having obtained the specific freely given consent of the individual concerned. When doing so, Senseon will inform the individual of the purpose of the processing and the individual can withdraw consent at any time.
Recipients of Personal Data
Senseon may disclose or transfer Personal Data to the following recipients:
third-party service providers for the purposes of providing services to Senseon itself
third-party service providers for the purposes of providing services to the customers and suppliers of Senseon or other persons with whom it deals;
[companies or organisations which are affiliated to Senseon, for example affiliates or subsidiary companies or other companies or organisations under common ownership with Senseon, in either case for administrative or internal purposes [and/or so that they can contact individuals or those engaging them with information about products or services which may be of interest to them]
authorities and other bodies who can compel Senseon to do so under applicable law.
Transfer of Personal Data outside the EU
Senseon may transfer Personal Data outside the EU, for example where any of the recipients described above are located outside the EU or in respect of any operations of Senseon outside the EU from time to time. With respect to Personal Data, Senseon emphasises that Non-EU countries do not have the same data protection laws as the EU (or the UK) and therefore often do not provide the same safeguards. On occasion, such transfer is necessary to perform a contract with an individual. In other cases, where such transfer occurs, Senseon will ensure at least one of the following safeguards is implemented:
the transfer is to a country that has been deemed to provide an adequate level of protection for Personal Data by the European Commission; or
Senseon transfers the Personal Data under a specific contract with the recipient in a form (such as standard contractual clauses) approved by the European Commission; or
Senseon transfers the Personal Data under approved binding corporate rules of Senseon; or
where the transfer is to the USA, the recipient is within the EU-US Privacy Shield.
Copies of the relevant safeguards can be obtained from Senseon using the contact details set out above.
Period of storage of Personal Data
Senseon only keeps Personal Data for the period necessary for the purposes for which it processes it. This is determined in accordance with its retention policy.
The criteria used to determine the retention periods of Senseon include: (i) the nature of the Personal Data; (ii) the length of time Senseon has a continuing relationship with the individual or the organisation engaging the individual; (iii) whether there is a legal obligation to which Senseon is subject requiring it to retain the Personal Data (iv) whether retention for a period is advisable in light of the Senseon’s legitimate interests (such as with regard to applicable statutes of limitations or regulatory investigations).
Based on the above, Senseon’s policy is to retain Personal Data about individuals for 2 (two) years from the last contact with the individual or organisation concerned except where it relates to a transaction or includes financial data in which case Senseon retains it for up to seven (7) years from the data of the transaction or last active use of the financial data, except where statutory, regulatory, legal or security reasons require a longer period.
Rights of Individuals in relation to their Personal Data
Individuals have the following rights where Senseon processes their Personal Data:
to obtain confirmation as to whether or not Senseon processes their Personal Data;
to access a copy of their Personal Data that Senseon does process;
to request the correction of inaccurate Personal Data held by Senseon;
to request that Senseon erases their data or to object to Senseon continuing to process it;
where Senseon relies on having obtained consent for the purposes of the processing, the right to withdraw such consent, without affecting the lawfulness of processing before such withdrawal;
in certain cases to receive Personal Data, which they have provided to Senseon, in a structured, commonly used and machine readable format and to transmit it to another controller or have it directly so transmitted;
to lodge a complaint with their local data protection regulator — in the UK, this is the Information Commissioner’s Office, https://ico.org.uk/.