Our Commitment To Privacy
This website and all of the tools and services offered on our website are owned and operated by Candylio.. Your privacy on the Internet is of the utmost importance to us. At Candylio, we want to make sure your experience online is both satisfying and safe. If you have any questions at any time please contact Candylio at support@candylio.com.
This privacy policy (the “Policy”) explains how we collect and use visitors’ and customers’ information, particularly personal information, and the terms and conditions surrounding the capture and use of that information. By visiting our website www.Candylio.com and/or purchasing and using our products and services, you accept the practices described in this Policy. The use of information collected through our service shall be limited to the purpose of providing the service for which the Client has engaged Candylio. It also describes your choices regarding use, access and correction of your personal information.
Candylio complies with the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from Switzerland. Candylio has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.  To learn more about the Safe Harbor program, and to view Candylio’s certification, please visit https://safeharbor.export.gov/swisslist.aspx.
EU-U.S. Privacy Shield
Candylio (and its parent/subsidiary companies) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Candylio is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.  To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov
Candylio is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf.  Candylio complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Candylio is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.  In certain situations, Candylio may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.  
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
The Information We Collect
This Policy applies to all information collected or submitted through our Services. The information we collect and use is limited to the purpose for which the customers engage Candylio and other purposes expressly described in this Policy. For example: on our website, you can order products, make requests, and register to receive materials and/or sign up for services. The processing of your information or any information you provide through any of the Services will be done in accordance with the Policy. Personal Information means information or information set that identifies or could be used by or on behalf of Candylio to identify an individual.
Personal information collected through the use of our Services might include:
•	Name
•	Address
•	Email address
•	Phone number
•	Organization name
•	Credit/Debit Card Information
Through our Services, you can also submit information about other people. For example, if you register someone else for a Candylio course, or someone else, other than you, is paying for it, you will need to submit their information. In this circumstance, personal information collected might include:
•	Name
•	Address
•	Email address
•	Phone number
•	Organization name
•	Credit/Debit Card Information
On occasions, we may source personal information from a third party or a publicly-available source such as an outside credit reporting agency to help us with customer authentication and credit-related decisions. If you have not given your prior consent to us collecting your personal information from a third party, we will take reasonable steps to inform you that it has done so. As a general rule, we do not collect sensitive information about you. However, if we need sensitive information from you for any reason then we will only collect it if you consent to this. We require an opt-in consent for sharing any sensitive information.
Referrals
If you choose to use our referral service to tell a friend about our website, we will ask you for your friend’s name and email address. We will automatically send your friend a one-time email inviting him or her to visit the website. Candylio stores this information for the sole purpose of sending this one-time email and tracking the success of our referral program. Your friend may contact us at support@candylio.com to request that we remove this information from our database.
The Way We Use Information
We use the information you provide about yourself when placing an order ONLY to complete that order. We do not share this information with outside parties except to the extent necessary to complete that order. For example we may share your personal information with our third party service providers such as credit card processors, to provide the necessary services we use to operate the Services.
We may also disclose your personal information as required by law such as to comply with a subpoena or bankruptcy proceedings, if Candylio is involved in a merger, acquisition, or sales of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose and are not shared with outside parties. In the event any of your information is shared with an outside third party for the purposes stated herein, we require such third party to adhere in a written agreement to at least the same level of privacy protection as we afford you and as required by the relevant principles.
We use non-identifying and aggregate information to better design our website and Services. We use tracking information to determine which areas of our websites users like and don’t like based on traffic to those areas. We do on occasion track what individual users read to determine if a particular article has been read and if such subject matter is interesting to our users.
Finally, we NEVER use or share the personal information provided to us online in ways unrelated to the ones described above without also providing you an opportunity to opt-out or otherwise prohibit such unrelated uses. To this end, we would alert you prior to such disclosure and allow you to either electronically as part of the notification or in writing, to opt-out or prohibit us from sharing such information.
Our Commitment To Data Quality
We take reasonable steps to ensure that the personal information our Services collect is accurate, up to date and complete. In circumstances where your personal information has changed please contact us to enable us to update and correct the information. We may also contact you from time to time to check our record of your personal information is still correct.
Our Commitment To Data Security
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online. We use industry standard methods of securing our electronic databases of personal information. For example, when you enter sensitive customer information (such as login credentials), this information is transferred via industry standard Secure Sockets Layers (SSL) and our databases are protected by 2 layers of firewalls. Except as provided elsewhere in this Policy, we limit access to personal information in electronic databases to those people in our organization that have a business need for such access. Your privacy is very important to us. Due to factors beyond our control, we cannot fully ensure that your personal information will not be disclosed to third parties other than those mentioned above. For example: we may be legally required to disclose information to the government or a third party under certain circumstances such as responding to a subpoena, court order or to exercise our legal rights or defend against legal claims, or third parties may unlawfully intercept or access transmissions or private communications. If you have any questions about security on our Web site, you can contact us at support@candylio.com.
The moment we successfully collect the payment from you, your Credit Card information is purged from our system.
Our Commitment To Children’s Privacy
Protecting the privacy of the very young is especially important to Candylio. For that reason, we never collect or maintain information at our website from those we actually know are under 13, and no part of our website is structured to attract anyone under 13.
Special Notification for California Residents
California Civil Code Section 1798.83, also known as the Shine The Light law, permits our clients who are California residents to request and obtain from us once a year, free of charge, information about the personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. To obtain such information, please contact us.
Information Collected on our Website
By using our Services, you consent to the terms of this Policy. If you do not agree with any term of this Policy, please do not use our Services. You are advised that there are inherent risks in transmitting information across the internet. We gather information about our website users collectively. Such information includes the areas that users visit, and the services that users access, most frequently. We will only use this data anonymously and in the aggregate. By doing so, we can optimize the services our website provides to our customers. We may also collect personal information that individuals choose to provide via online forms or by email. Any personal information provided online is treated in the same manner as any personal information collected through other means.
Choice/Opt-Out
You may choose to stop receiving our newsletter or marketing emails by following the unsubscribe instructions included in these emails or you can contact us at support@candylio.com.
Cookies and other Tracking Technologies
Technologies such as: cookies, beacons, tags and scripts are used by Candylio and our marketing partners, affiliates, or service providers. These technologies are used in analyzing trends, administering the website, tracking users’ movements around the website and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We use cookies for our shopping cart, to remember users’ settings (e.g. language preference), for authentication. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our website, but your ability to use some features or areas of our website may be limited.
Log Files
As is true of most web sites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We do link this automatically collected data to other information we collect about you. We may combine this automatically collected log information with other information we collect about you. We do this to improve services we offer you, to improve marketing, analytics, or site functionality.
Local Storage Objects (HTML 5) & Local Shared Objects (Flash)
We use Local Storage, such as HTML5, to store content information and preferences. Third parties with whom we partner to provide certain features on our website or to display advertising based upon your Web browsing activity use LSOs such as Flash cookies or and HTML 5. Various browsers may offer their own management tools for removing HTML5 LSOs. To manage Flash cookies, please click here.
Behavioral Targeting / Re-Targeting
We partner with a third party to either display advertising on our website or to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on this site and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here). Please note this does not opt you out of being served ads. You will continue to receive generic ads.
Widgets
Our Web site includes Social Media Features, such as the Facebook Like button and Widgets, such as the Share this button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the privacy policy of the company providing it.
Single Sign-On
You can apply for an open position on our website using sign-in services such as LinkedIn Connect. These services will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign up form. Services like LinkedIn Connect give you the option to post information about your activities on this website to your profile page to share with others within your network.
Blogs
Anytime you post on our blog please be aware that you are posting using a third party application and we have no access or control over this information.
To request removal of your personal information from our blog, you can either log into the third party application and remove your comment or you can contact the appropriate third party application. Your interaction with these features is governed by the privacy policy of the company providing it.
Testimonials
We display personal testimonials of satisfied customers on our website in addition to other endorsements. With your consent we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at support@candylio.com.
Accessing and Updating your Information
Whenever you use our Services, we aim to provide you with access to your personal information. If that information is wrong, we strive to give you ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes. When updating your personal information, we may ask you to verify your identity before we can act on your request.
We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup tapes).
Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort. Please contact us at support@candylio.com. We will respond to such queries within a reasonable timeframe.
Data Retention
We will retain personal information we process on behalf of yourself for as long as needed to provide the Services to you, subject to our compliance with this Policy. We may further retain and use the information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Links to Other Web Sites
Our Site includes links to other Web sites whose privacy practices may differ from those of Candylio. If you submit personal information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy statement policy of any Web site you visit.
Changes to This Policy
If we make any material changes to this Policy, we will notify you by email or by posting a prominent notice on our website prior to the changes becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. We will also keep prior versions of this Policy in an archive for your review. Your continued use of the Services constitutes your agreement to be bound by the changes to the Policy. Your only remedy if you do not accept the terms of this Policy is to discontinue use of the Services.
Enforcement
We regularly review our compliance with our Policy. When we receive formal written complaints, we will contact the person who made the complaint to follow up within a reasonable timeframe. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.
How To Contact Us
Please contact us if you have one of the following requests:
•	if you would like to access your personal information collected by us
•	if you would like us to change any of your personal information
•	if you would like your personal information removed from our database
•	if you have a general query relating to this Policy
To assist us with your request, please provide sufficient information (for example: name, address and contact details) to enable us to locate your record on its database. We will use commercially reasonable efforts to fulfill your request in a timely manner, but no more than 30 business days.
Should you have other questions or concerns about our Policy, please contact us at support@candylio.com or:
Candylio Inc.
Attn: Privacy Officer
2741 Middlefield Rd, Suite 200
Palo Alto, CA 94306
UNITED STATES
Information Related to Data Collected through Learndot
Candylio collects information under the direction of its Clients, and has no direct relationship with the individuals whose personal data it processes.
Choice
We collect information for our clients, if you are a customer of one of our Clients and would no longer like to be contacted by one of our Clients that use our service, please contact the client that you interact with directly.
Service Provider, Sub-Processors/Onward Transfer
Candylio may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients
Access to Data Controlled by our Clients
Candylio has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his query to the Candylio’s Client (the data controller). If the Client requests Candylio to remove the data, we will respond to their request within a reasonable timeframe.
Upon request Candylio will provide you with information about whether we hold any of your personal information. You may access, correct, or request deletion of your personal information by contacting us at mailto:support@candylio.com.  We will respond to your request within a reasonable timeframe.
Data Retention
Candylio will retain personal data we process on behalf of our Clients for as long as needed to provide services to our Client. Candylio will retain and use this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

PRIVACY POLICY – TRUST & TRANSPARENCY
1. What our policy covers
Your privacy and the integrity of your personal data is very important to CANDYLIO, and so is being transparent about how we may receive, collect, use, and share information about you. This policy is intended to help you understand CANDYLIO’s Privacy Policies.

This Privacy Policy covers the information we receive from you or collect about you when you use our Site or Services, or otherwise interact with us (for example, by attending our events), unless a different policy is displayed.  CANDYLIO, we and us refers to Pyramid Consulting SA and any of our corporate affiliates.  CANDYLIO’s mission is to help its clients “build Digital teams and solutions” in doing so we offer web and software development services as well as staffing and recruitment services, we refer to these as "Services" in this policy.

If you do not agree with this Privacy Policy, do not access or use our Site or Services or interact with any other aspect of our business.

Where we provide the Services under contract with an organization or yourself that contract may further control the information processed by CANDYLIO.
2. What information we collect about you
We collect information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below.
Information you provide to us: We collect information about you when you input it into the Services or otherwise provide it directly to us.

Content you provide through our websites: The Services also include our websites owned or operated by us. We collect other content that you submit to these websites, which include social media or social networking websites operated by us. For example, you may provide content to us when you apply to online job openings, spontaneously send us your résumé, use our contact form to make business or Services enquiries, provide feedback or when you participate in any interactive features, surveys, contests, promotions, activities or events.

Device and Connection Information: We may collect information about your computer, phone, tablet, or other devices you use to access the Site. This device information includes your connection type and settings when you install, access, update, or use of our Services. We may also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services. Server and data center Service administrators can disable collection of this information via the administrator settings or prevent this information from being shared with us by blocking transmission at the local network level.

Cookies and Other Tracking Technologies: CANDYLIO and our third-party partners, such as Google analytics, may use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. A cookie disclaimer and acceptance banner conditions usage of our Site.
3. How we use information we receive and/or collect
Below are the specific purposes for which we use the information we receive or collect about you.
To communicate with you about the Services: We may use your contact information and information to communicate about our Services, offer you to engage into a Services Contract, enter into a partnership with CANDYLIO relating to the Services.

To market, promote and drive engagement with the Services: We may use your contact information and information to send promotional communications that may be of specific interest to you, including by email and by displaying CANDYLIO ads on other companies' websites and applications, as well as on platforms like Linked-In, Facebook and Google, etc.  These communications are aimed at driving, including information about new services, survey requests, newsletters, and events we think may be of interest to you.  You can control whether you receive these communications as described below under "Opt-out of communications."

To power our customer relationship management (CRM) database: Our CRM database may store personal data and information relating to individuals and/or companies with whom we already have a Services relationship or want to develop one. The information used for these purposes include relevant business information, such as: contact data, publicly available information (e.g. your public posts, information, publications on social media sites if relevant for business purpose), your responses to targeted e-mail. If you wish to be excluded from our CRM databases, please contact us at joseph@candylio.com.

For safety and security: We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.

To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

Special Legal bases for collecting and processing information of EEA residents: If you are an individual residing in the European Economic Area (EEA), we may only collect and process information about you (i.e. “personal data” as defined in the General Data Protection Regulation 2016/679) where we have legal bases for doing so and under the strict respect of applicable EU laws and regulations.

This means we may collect and use your information only where:
It satisfies a legitimate business interest (which is not overridden by your data protection interests), such as to fulfill Service contracts we might have with you, to market and promote the Services, to conduct research and development and to protect our legal rights and interests;
You give us explicit consent to do so for a specific purpose;
We need to process your data to comply with a legal obligation.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, you also have the right to access personal information we may hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us at the following email address joseph@candylio.com.
4. How does CANDYLIO share information it receives and/or collects
We share information we receive and collect about you in the ways discussed below, including in connection with the Services, but we are not in the business of selling information about you to advertisers or other third parties.
Sharing with other Service users: When you accept to use the Services, we share certain information about you with other Service users.
If another Services user needs to access information about you for us to perform the Services, they do so under the obligation, to observe all policies and procedures designed to protect your information hereunder.

Links to Third Party Sites: The Site may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

With your consent: We share information about you with third parties when you give us consent to do so. For example, we may display personal testimonials of satisfied customers on our public websites. With your consent, we may post your name alongside the testimonial.

Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect CANDYLIO, our customers or the public from harm or illegal activities.

Sharing with CANDYLIO companies: We share information we receive or collect with affiliated companies. Affiliated companies are companies owned by CANDYLIO. The protections of this privacy policy apply to the information we share in these circumstances.

Business Transfers: We may share or transfer information we collect under this privacy policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or a prominent notice on the Services if a transaction takes place, as well as any choices you may have regarding your information.
5. How does CANDYLIO store and secure information it receives and/or collects
Information storage and security: We use data hosting service providers in the United States, France, Vietnam, and Singapore, to host the information we receive and/or collect, and we use technical measures to secure your data (data encryption, data segregation, physical security processes, etc.).

While we implement safeguards designed to protect your information, no security system is impenetrable and in case of breach of your information we will implement the following Personal Data Breach Notification Policy.

In our customer relationship management (CRM) database: Our CRM database may store personal data and information relating to individuals and/or companies with whom we already have a Services relationship or want to develop one. If you wish to be deleted from our CRM databases, please contact us at joseph@candylio.com.

How long we keep information: How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information.

Promotional information: If you have elected to receive information emails from us, we retain information about your promotional preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened or answered an email from us. We retain possible information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
6. How can you access and control your information?
You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.
Your Choices: You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Below, we describe the tools and processes for making these requests. If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.

Request that we stop using your information: In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don't have the appropriate rights to do so. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. You can also opt-out of our use of your information for marketing purposes by contacting us, as provided below.

Opt out of communications: You may opt out of receiving promotional communications from us by i) using the unsubscribe link within our email, or ii) requesting so by answering any of our emails in case it does not contain a direct unsubscribe link.

Data portability: Data portability is the ability to obtain some of your information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Depending on the context, this applies to some of your information, but not to all of your information. Should you request it, we will provide you with an electronic file of your basic personal information.

Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on your prior consent.

Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we have handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.

Changes: We may update this Privacy Policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Contact us: For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail joseph@candylio.com or mail to:

CANDYLIO
Lvl 7, 131 Tran Huy Lieu
Ward 8, District Phu Nhuan, Ho Chi Minh City
Vietnam.
PERSONAL DATA BREACH NOTIFICATION POLICY
1. Introduction
1.1 This policy sets out the policies and procedures of Pyramid Consulting SA and its subsidiaries (the "company") with respect to detection of personal data breaches, responding to personal data breaches and notification of personal data breaches to supervisory authorities, data controllers and data subjects.
1.2 When dealing with personal data breaches, the company and all company personnel must focus on protecting individuals and their personal data, as well as protecting the interests of the company.
2. Definitions
2.1 In this policy:
(a) "appointed person" means the individual primarily responsible for dealing with personal data breaches affecting the company, being the data protection officer of the company;
(b) "data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(c) "data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(d) "data subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(e) "personal data" means any information relating to a data subject;
(f) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company (including any temporary or permanent loss of control of, or inability to access, personal data); and
(g) "supervisory authority" means the National data protection authority (as formalized by the GDPR) where the breach occured.
3. Responding to personal data breaches
3.1 All personnel of the company must notify the appointed person immediately if they become aware of any actual or possible personal data breach.
3.2 The appointed person is primarily responsible for investigating possible and actual personal data breaches and for determining whether any notification obligations apply. Where notification obligations apply, the appointed person is responsible for notifying the relevant third parties in accordance with this policy.
3.3 All personnel of the company must cooperate with the appointed person in relation to the investigation and notification of personal data breaches.
3.4 The appointed person must determine whether the company is acting as a data controller and/or a data processor with respect to each category of personal data that is subject to a personal data breach.
3.5 The steps to be taken by the appointed person when responding to a personal data breach may include:
(a) ensuring that the personal data breach is contained as soon as possible;
(b) assessing the level of risk to data subjects as soon as possible;
(c) gathering and collating information from all relevant sources;
(d) considering relevant data protection impact assessments;
(e) informing all interested persons within the company of the personal data breach and the investigation;
(f) assessing the level of risk to the company; and
(g) notifying supervisory authorities, data controllers, data subjects and others of the breach in accordance with this policy.
3.6 The appointed person shall keep a full record of the response of the company to a personal data breach, including the facts relating to the personal data breach, its effects and the remedial action taken. This record shall form part of the personal data breach register of the company.
4. Notification to supervisory authority
4.1 This section 4 applies to personal data breaches affecting personal data with respect to which the company is acting as a data controller.
4.2 The company must notify the supervisory authority of any personal data breach to which this section 4 applies without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach, save as set out in subsection 4.4.
4.3 Personal data breach notifications to the supervisory authority must be made by the appointed person using the form set out in schedule 1 (Notification of personal data breach to supervisory authority). The completed form must be sent to the supervisory authority by secure and confidential means. The appointed person must keep a record of all notifications, and all other communications with the supervisory authority relating to the breach, as part of the personal data breach register of the company.
4.4 The company will not notify the supervisory authority of a personal data breach where it is unlikely to result in a risk to the rights and freedoms of natural persons. The appointed person shall be responsible for determining whether this subsection 4.4 applies, and the appointed person must create a record of any decision not to notify the supervisory authority. This record should include the appointed person's reasons for believing that the breach is unlikely to result in a risk to the rights and freedoms of natural person. This record shall be stored as part of the personal data breach register of the company.
4.5 To the extent that the company is not able to provide to the supervisory authority all the information specified in schedule 1 (Notification of personal data breach to supervisory authority) at the time of the initial notification to the supervisory authority, the company must make all reasonable efforts to ascertain the missing information. That information must be provided to the supervisory authority, by the appointed person, as and when it becomes available. The appointed person must create a record of the reasons for any delayed notification under this subsection 4.5. This record shall be stored as part of the personal data breach register of the company.
4.6 The company must keep the supervisory authority informed of changes in the facts ascertained by the company which affect any notification made under this section 4.
5. Notification to data controller
5.1 This section 5 applies to personal data breaches affecting personal data with respect to which the company is acting as a data processor.
5.2 The company must notify the affected data controller(s) of any personal data breach to which this section 5 applies without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach. In addition, the company must comply with the provisions of the contract(s) with the affected data controller(s) relating to such notifications.
5.3 Personal data breach notifications to the affected data controller(s) must be made by the appointed person using the form set out in schedule 2 (Notification of personal data breach to data controller). The completed form must be sent to the affected data controller(s) by secure and confidential means. The appointed person must keep a record of all notifications, and all other communications with the affected data controller(s) relating to the breach, as part of the personal data breach register of the company.
5.4 To the extent that the company is not able to provide to the affected data controller(s) all the information specified in schedule 2 (Notification of personal data breach to data controller) at the time of the initial notification to the affected data controller(s), the company must make all reasonable efforts to ascertain the missing information. That information must be provided to the affected data controller(s), by the appointed person, as and when it becomes available.
6. Notification to data subjects
6.1 This section 6 applies to personal data breaches affecting personal data with respect to which the company is acting as a data controller.
6.2 The company must notify the affected data subjects of any personal data breach to which this section 6 applies if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, save as set out in subsection 6.4.
6.3 Personal data breach notifications to the affected data subjects must be made by the appointed person in clear and plain language using the form set out in schedule 3 (Notification of personal data breach to data subject). The completed form must be sent to the affected data subjects by appropriate means. The appointed person must keep a record of all notifications, and all other communications with the affected data subjects relating to the breach, as part of the personal data breach register of the company.
6.4 The company has no obligation to notify the affected data subject of a personal data breach if:
(a) the company has implemented appropriate technical and organisational protection measures (in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption), and those measures have been applied to the personal data affected by the personal data breach;
(b) the company has taken subsequent measures which ensure that a high risk to the rights and freedoms of data subjects is no longer likely to materialise;
(c) it would involve disproportionate effort (in which case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner), providing that the appointed person shall be responsible for determining whether this subsection 6.4 applies, and the appointed person must create a record of any decision not to notify the affected data subjects. This record should include the appointed person's reasons for believing that the breach does not need to be notified to the affected data subjects. This record shall be stored as part of the personal data breach register of the company.
6.5 If the company is not required by this section 6 to notify affected data subjects of a personal data breach, the company may nonetheless do so where such notification is in the interests of the company and/or the affected data subjects.
7. Other notifications
7.1 Without affecting the notification obligations set out elsewhere in this policy, the appointed person should also consider whether to notify any other third parties of a personal data breach. Notifications may be required under law or contract. Relevant third parties may include:
(a) the police;
(b) other law enforcement agencies;
(c) insurance companies;
(d) regulatory authorities;
(e) financial institutions;
(f) trade unions or other employee representatives; and/or
(g) Leasing/Rental Companies.
8. Reviewing and updating this policy
8.1 The DPO shall be responsible for reviewing and updating this policy.
8.2 This policy must be reviewed and, if appropriate, updated annually on or around [date].
8.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:
(a) the compliance of the company with applicable law, codes of conduct or industry best practice;
(b) the security of data stored and processed by the company; or
(c) the protection of the reputation of the company.
8.4 The following matters must be considered as part of each review of this policy:
(a) changes to the legal and regulatory environment;
(b) changes to any codes of conduct to which the company subscribes;
(c) developments in industry best practice;
(d) any new data collected by the company;
(e) any new data processing activities undertaken by the company; and
(f) any security incidents affecting the company.