1. PREAMBLE AND PURPOSE
As part of the operation of the website accessible at the address https://www.saniflo.ie/ (the "Website"), Saniflo Ltd, the data controller ("we", "us", "our") processes personal data of users of the Website ("Data Subjects").
We undertake to process the personal data of Data Subjects in accordance with the applicable regulations (the "Applicable Regulations"), and in particular Regulation No. 2016/679 (EU) of 27 April 2016 known as the General Data Protection Regulation ("GDPR").
In this respect, we undertake to respect our obligation of transparency and information towards the Data Subjects by making available to them the present privacy policy, the purpose of which is to inform them about the characteristics of the processing of personal data that we implement in the context of the use of the Website, and about the rights that they have in this respect.
2. DEFINITIONS
Terms beginning with a capital letter are either defined herein or have the meaning given to them by the Applicable Regulations, and in particular the GDPR, such as, in particular, the terms "Personal Data", "Processing", "Data Subjects", "Controller", "Processor", "Recipient" or "Data Breach".
3. CHARACTERISTICS OF THE PROCESSING
The Processing operations that we carry out on Data Subjects' Personal Data are presented in the following tables.
3.1 Contact form
Purpose of the Processing | Management of contacts by and with Data Subjects |
Legal basis of the Processing | Legitimate interest / Precontractual measures |
Category of Personal Data |
|
Duration of Processing | 1 year from collection; 3 years for personal data relating to a prospect, from the date of their collection or the last contact from the prospect. |
3.2 Warranty registration form
Purpose of the Processing |
|
Legal basis of the Processing | Execution of an agreement |
Category of Personal Data |
|
Duration of Processing | 3 years from their collection or last contact with the client. |
3.3 Deposit of cookies
For more information on the processing of your data in connection with the placement of cookies and other tracking devices, please see our Cookie Policy.
3.4 Management of possible disputes, litigation and pre-litigation
Purpose of the Processing |
|
Legal basis of the Processing | Legitimate interest |
Category of Personal Data | All of the above-mentioned Data as soon as they are necessary for the management of the dispute. |
Duration of Processing | Retention throughout the duration of the dispute and until exhaustion of the means of appeal (litigation). |
4. RECIPIENTS OF THE PERSONAL DATA
We may disclose the Personal Data of Data Subjects to authorized Recipients, internal or external as appropriate, who are subject to an appropriate obligation of confidentiality.
The internal recipients are as follows:
- The members of our staff whose duties, functions and missions justify that they process the Personal Data of the Data Subjects (e.g. communication department, marketing department, customer and prospect relations department, IT department) for the sole purposes provided for in this Privacy Policy and within the framework of the technical and organizational measures that we implement to preserve the confidentiality and security of the Personal Data detailed below;
The external recipients are:
- SFA Group subsidiaries and the parent company in their capacity as Processors whose duties, functions and tasks justify their processing of Data Subjects' Personal Data (e.g. SFA Tech in charge of IT services at Group level);
- The service providers or Processors that we may use in the context of the Processing (e.g. hosting service provider, call centers, emailing);
- Entities in charge of advice, audit and financial control (auditor, lawyer);
- Administrative or judicial authorities within the scope of their powers;
- In the event of a proposed fund raising, acquisition or disposal of a business or assets by any means including by disposal of the business carrying on that business or owning those assets, the potential acquirer(s) and their advisors as part of a pre-audit of the transaction. In the event of an acquisition by a third party, Personal Data will form part of the transferred assets and as such will be processed by the acquirer who will act as the new Data Controller under its own privacy policy.
5. RIGHTS OF THE DATA SUBJECTS
5.1 STATEMENT OF RIGHTS
In accordance with the Applicable Regulations, Data Subjects have the following rights with respect to their Personal Data:
- A right to ask us for confirmation that their data is being processed, to obtain information on the characteristics of such processing, to access such data and to request a copy (right of access and copy);
- A right to rectify or complete any data concerning them that is incorrect or obsolete (right of rectification);
- A right to withdraw their consent at any time provided that the Processing concerned is exclusively based on this legal basis (right to withdraw consent);
- A right to object to the Processing of their Personal Data on grounds relating to their particular situation and to obtain their erasure, in which case we will grant this request unless the Processing is justified on legitimate and compelling grounds (right to object on legitimate grounds and right to erasure);
- A right to obtain the temporary limitation of the Processing in case of a request for rectification or opposition on legitimate grounds while we analyse the request, which in practice means that the Personal Data is kept, but we cannot process it (right to limitation);
- A right to Data portability, i.e. a right to obtain from us the restitution of the Personal Data they have communicated in a format of common use when the Processing is automated and based on consent or on the execution of a contract;
- A right to formulate instructions concerning the Processing of their data after their death and to ask us to retain, delete or communicate their data to an expressly designated third party, it being specified that once we become aware of the death of a Data Subject and in the absence of instructions from him or her, we undertake to destroy his or her Personal Data, unless its retention is necessary for evidentiary purposes or to comply with a legal obligation (post-mortem right).
5.2 HOW TO EXERCISE YOUR RIGHTS
If the Data Subject wishes to exercise any of the above rights, he or she may contact us via our contact form.
The Data Subject's request must be made exclusively by the Data Subject (unless a mandate is given to a third party in due form) and must be as clear and exhaustive as possible to enable us to respond as quickly as possible, within one to three months depending on its level of complexity.
We may ask the Data Subject to complete his or her request if it is not sufficiently precise, if the right he or she wishes to exercise is not easily identifiable, or if he or she is unable to establish his or her identity, in which case we may ask him or her to provide additional information, including proof of identity, which will be deleted as soon as possible after verification of his or her identity.
In addition, we will not be obliged to respond to the Data Subject's request if it is manifestly unfounded or excessive, and in particular if the request is repetitive or too complex to process and would have the purpose or effect of destabilizing our activities.
6. SECURITY
We implement appropriate technical and organizational security measures to preserve the confidentiality and security of the Personal Data we process and to prevent its unauthorized destruction, loss, alteration or disclosure.
As an example, the following measures have been put in place and are documented in a safety assurance plan:
- Hosting of Personal Data on servers located within the European Union on the soil of a member country;
- Awareness of our staff who process Data Subjects' Data;
- User authentication features with personal and secure access via strong, confidential and frequently changed logins and passwords;
- Procedure for managing authorizations (definition and review of authorization profiles according to the profile of users of our information system, removal of obsolete accesses);
- Access tracking, connection logging, incident management and, if necessary, encryption of certain Personal Data;
- Regular implementation of internal audits and, if necessary, differentiated penetration tests to control and evaluate the effectiveness of the security measures in place;
- Physical security of premises (codes, keys and access badges) and workstations (automatic session locking, antivirus and firewall).
Where we use Processors, i.e. service providers to whom we have delegated all or part of a Processing operation and who process the Personal Data of Data Subjects in accordance with our instructions, we undertake to require them to provide security guarantees equivalent to those that we implement to protect their Personal Data and reserve the right to audit them to ensure compliance with their obligations.
In the event of a Data Breach, we undertake to notify the competent supervisory authority in the manner prescribed by the Applicable Regulations and, if the said Breach poses a high risk to the Data Subjects, to notify them and to provide them with any necessary information and recommendations.
7. UPDATING OF THIS POLICY
We may modify, supplement or update this policy at any time to consider legal, regulatory and/or jurisprudential developments, changes in the characteristics of the Processing or the implementation of a new Processing.
8. CONTACTS
Data Subjects may direct any questions or complaints regarding this policy, or make recommendations or comments regarding this policy, in writing to us at the following address:
- By mail: Sanirish Limited, IDA Industrial Estate, Edenderry, Co Offaly, Ireland. R45 EH24
- By email: [email protected]
Data Subjects may also ask any question to the competent supervisory authority or lodge a complaint with the latter.