Collection of Personal Information
Technology Insight Corporation may collect a variety of information from you, including IP address(es), information provided on resumes, name, contact information (telephone numbers, email addresses, physical addresses, etc.), and employment information (company name, previous employment, desired types of future employment, geographical location interests, etc.). TIC will also collect personal information that you voluntarily provide whenever you subscribe to or inquire about any of our services. TIC may collect this information directly from you through our website or through other channels (email, telephone, etc.). If you choose to communicate with us via a web form, email, or telephone, we may keep a copy of the communication, together with your email address or phone number and our responses. Additionally, when you visit any TIC website or use our services, we may also collect device-related information.
We collect this information on behalf of our clients about their employees, and we do not disclose this information to third parties or providers, except as specifically requested by the clients providing the data or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We are upfront about the purposes and uses of the information we collect at the time we collect it, and we will not use it for a new purpose that is incompatible with those stated without informing you.
In collecting and using this data, the organization is subject to the GDPR. The purpose of this policy is to summarize the requirements of that legislation and to describe the steps that Technology Insight is taking to ensure that it complies with them.
This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Technology Insight systems.
Storage and Use of Personal Information
Any information Technology Insight Corporation collects from or about you may be stored by TIC in one or more database systems maintained by TIC (either directly or indirectly). TIC may process and use this information in order to perform our services. We may additionally use this information to contact you concerning a variety of matters, including, but not limited to, employment opportunities and satisfaction surveys.
Sharing of Your Personal Information
Technology Insight Corporation will not share your information with any third party, except as described above: at the specific request of the client that provided the data, or in response to lawful requests by public authorities. TIC protects the personally identifiable information that you provide, and the servers on which it is stored, against unauthorized access, use or disclosure.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the website.
IP Addresses
Technology Insight Corporation captures usage information, such as approximate location, date and time of visit, and the visitor’s Internet Protocol (IP) address. This information helps us to protect and improve the operation of the site.
The GDPR (General Data Protection Regulation) is a European regulation on the protection of personal data. It applies to any organization that processes the personal data of individuals in the European Union, wherever that organization is located. Significant fines can be imposed if a breach of the GDPR is found to have occurred. It is Technology Insight’s policy to ensure that our compliance with the GDPR is clear and demonstrable at all times.
There are a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:
Personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Processing is defined as:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
Controller is defined as:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”
Because we provide services to European companies and store personal data of individuals in the EU on their behalf, we act as a processor of that personal data, and our client is the controller. So:
- Controller: European companies
- Processor: Technology Insight
Affirmative commitment to comply with the Privacy Shield Framework
Independent recourse mechanism
In compliance with the Privacy Shield Principles, Technology Insight commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Technology Insight at:
- Email address: email@example.com
- Phone: (508) 480-8990
Technology Insight has further committed to refer unresolved Privacy Shield complaints to JAMS, free of charge. JAMS is an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit JAMS (https://www.jamsadr.com/eu-us-privacy-shield) for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Also, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Additional information about binding arbitration can be found here:
Cooperation with EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC)
Technology Insight commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and complies with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Principles relating to processing of personal data
There are a number of fundamental principles upon which the GDPR is based.
These are as follows:
- Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Technology Insight must ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing, such as new IT systems. The operation of an information security management system (ISMS) that conforms to the ISO/IEC 27001 international standard is a key part of that commitment.
Rights of the individual
The data subject also has rights under the GDPR. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of these rights must be supported by appropriate procedures within Technology Insight that allow the required action to be taken within the timescales stated in the GDPR.
These timescales are shown in this table:
| Data subject request | Timescale |
|---|---|
| The right to be informed | When data is collected (if supplied by the data subject) or within one month (if not supplied by the data subject) |
| The right of access | One month |
| The right to rectification | One month |
| The right to erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of the objection |
| Rights in relation to automated decision making and profiling | Not specified |
Individuals can update their personal data, ask us to remove information, or submit a request to us to exercise any of these rights. To do so, please send an email to firstname.lastname@example.org
Unless another lawful basis permitted by the GDPR applies, explicit consent must be obtained from a data subject before collecting and processing their data. In the case of children below the age of 16, parental consent must be obtained. Transparent information about our use of their personal data must be provided to data subjects at the time consent is obtained, and their rights with regard to their data must be explained, including the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.
If the personal data is not obtained directly from the data subject, then this information must be provided within a reasonable period after the data is obtained and definitely within one month.
Privacy by design
Technology Insight has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
The Data Protection Impact Assessment (DPIA) will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
Use of techniques such as data minimization and pseudonymization should be considered where applicable and appropriate.
A DPIA is required only where processing is likely to result in a high risk to the rights and freedoms of individuals. In particular, a DPIA is required at least in the following cases:
- A systematic and extensive evaluation of the personal aspects of an individual, including profiling
- Processing of sensitive data on a large scale
- Systematic monitoring of public areas on a large scale
Against these criteria, Technology Insight’s current processing presents no high risk to the rights and freedoms of individuals: there is no systematic and extensive evaluation of the personal aspects of individuals, no large-scale processing of sensitive data, and no large-scale systematic monitoring of public areas. We therefore do not currently perform a DPIA, and this assessment is revisited whenever a new or significantly changed system is planned.
Transfer of Personal Data
Transfers of personal data about individuals in the EU to the US require a recognized transfer mechanism. Technology Insight relies on the EU-U.S. Privacy Shield Framework (https://www.privacyshield.gov) for this purpose, having obtained self-certification in 2018.
The Federal Trade Commission has jurisdiction over Technology Insight’s compliance with the Privacy Shield.
If we disclose personal data to a third party, we will comply with the Accountability for Onward Transfer Principle. Furthermore, we remain responsible for the processing of personal data received under the Privacy Shield Framework and subsequently transferred to a third party acting as our agent if that agent processes the personal data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Data Protection Officer
A designated Data Protection Officer (DPO) is required under the GDPR if an organization is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if it processes special categories of data (or data relating to criminal convictions) on a large scale. The DPO is required to have an appropriate level of expertise and can either be an in-house resource or outsourced to an appropriate service provider.
Based on these criteria, Technology Insight does not require a Data Protection Officer to be appointed.
It is Technology Insight’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours of our becoming aware of it. Where the affected data is processed on behalf of a client (our client being the controller), the client will also be notified without undue delay so that it can meet its own obligations. This will be managed in accordance with our Information Security Incident Response Procedure, which sets out the overall process for handling information security incidents.
Under the GDPR, the relevant DPA has the authority to impose a range of fines of up to four percent of annual worldwide turnover or twenty million Euros, whichever is the higher, for infringements of the regulations.
Addressing compliance to the GDPR
The following actions are undertaken to ensure that Technology Insight complies at all times with the accountability principle of the GDPR:
- The legal basis for processing personal data is clear and unambiguous
- All staff involved in handling personal data understand their responsibilities for following good data protection practice
- Training in data protection has been provided to all staff
- Rules regarding consent are followed
- Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
- Regular reviews of procedures involving personal data are carried out
- Privacy by design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
  - Organization name and relevant details
  - Purposes of the personal data processing
  - Categories of individuals and personal data processed
  - Categories of personal data recipients
  - Agreements and mechanisms for transfers of personal data to non-EU countries, including details of the controls in place
  - Personal data retention schedules
  - Relevant technical and organizational controls in place
These actions will be reviewed on a regular basis as part of the management review process of the information security management system.
Our obligations as a Cloud Service Provider
Technology Insight stores and processes the personal data of our cloud customers. In doing so, we must fulfil a number of additional obligations so that our customers can stay within the law. Our policy in this area, in addition to recommending specific enhancements to ISO/IEC 27001 controls, provides the following guidance:
- We must provide our customers with the facilities to meet their obligations under law in activities such as accessing, amending and erasing individuals’ Personally Identifiable Information (PII)
- We must only use the cloud customer’s PII for their purposes, not our own
- The customer must be informed if we are required by law to disclose any of their data, unless we are prohibited from doing so
- Details of disclosures must be recorded
- We must tell our customers if we use sub-contractors to process their PII
- We must tell our customers if their PII is subject to unauthorized access
- It must be clear in which country or countries the customer’s PII is stored
Additional recommendations are also included in the relevant policies and procedures within the ISMS.