SACA Technologies, Inc. ("SACA", "We" or "Our" or the "Company") is committed to protecting your privacy and the personal information collected and processed about you.
By visiting and using SACA's website, mobile site, and/or applications (together, the "Site"), registering to use our services offered through the Site, or providing your personal information to us at our corporate events (the "Services"), you understand that you will be subject to the terms set forth in this notice ("Privacy Notice").
This Privacy Notice describes how we collect information about you, what we do with that information, and also what controls you have over that information in relation to your use of our Site and Services. Your information will be held and managed by the Company, acting either as a data controller, or, if you are a customer or end user of the Company, as a data processor.
· Sets out how SACA stores, uses and discloses personal information
· Relates to personal information collected by any means and by any technology
· Summarizes how we make the personal information we hold available for access to and correction by an individual.
If you have any questions about this policy, please direct them to the Compliance Officer (see contact details below).
2. SACA and GDPR
SACA welcomes the EU General Data Protection Regulation (GDPR) as an important step forward in streamlining data protection requirements. We comply with pertinent GDPR regulations as a data processor. Like other existing legal requirements, our compliance with the GDPR requires a partnership between the Company and our customers in their use of our services. We comply with the GDPR in delivering our service to our customers. We are also dedicated to helping our customers comply with the GDPR. We have analyzed the requirements of the GDPR and are working to make enhancements to our products, contracts, and documentation to help support SACA's and our customers' compliance with the GDPR.
3. Definition of Terms
Anonymized data, Anonymous data
Data in a form that makes the direct or indirect identification of an individual person impossible, even with the aid of other data or information. Anonymous data does not have any reference to a person when it is collected. Anonymous and anonymized data is no longer subject to the internal or external data protection and privacy regulations.
Commissioned data processor
A natural or legal person, authority, institution, or any other office that processes personal data on behalf of the data controller, for example, an external company or the Company that is not the data controller itself.
Special categories of personal data
Contain data on the racial or ethnic origin, political views, religious or philosophical beliefs, union membership, felonies, penal convictions, health, or sexual preferences of persons, as well as data that can be misused for identity theft. For example, social security numbers, credit card and bank account numbers, as well as passport or driver's license numbers.
Person affected / Data Subject
An identified or identifiable natural person whose personal data is affected by a data processing action. A person is deemed identifiable if he or she can be identified directly or indirectly, in particular by reference to an identity number or to one or more factors specific to that person's physical, physiological, psychological, economic, cultural, or social identity.
Data processing actions
(collecting, processing, and/or using)
Collecting means procuring data on the person affected. Processing describes any operation performed with or without the aid of an automatic procedure, or any set of operations connected with personal data, for example, collecting, saving, modifying, storing, changing, transferring, locking, or deleting personal data. Using means any usage of personal data, except for processing.
A natural or legal person, authority, institution, or any other office, except for the following:
· The person affected
· The office responsible
· The commissioned data processor
· The persons who, under the direct responsibility of the data controller or the commissioned data processor, are authorized to process the data
This may be explicit or implicit. Explicit consent generally requires an action by the person affected, through which they allow the processing of data - for example, the declaration of consent with the sending of e-mails or entering of personal data (opt-in). Explicit consent granted without duress is deemed to be the legal basis for the processing of personal data, provided no other legal provision is in force. Implicit consent (for example, opt-out) allows processing provided the person affected does not object.
Either the physical destruction of data or the anonymization of data in such a way that makes it impossible to relate the data to a natural person.
All information on an identified or identifiable natural person (person affected). A person is deemed identifiable if he or she can be directly or indirectly identified - in particular, by reference to an identity number or to one or more factors specific to that person's physical, physiological, psychological, economic, cultural, or social identity.
For example, persons can be identified directly on the basis of names, telephone numbers, e-mail addresses, postal addresses, user IDs, tax numbers, or social security numbers, or indirectly on the basis of a combination of any information. Personal data that is subject to this Policy includes data on employees, applicants, former employees, customers, interested parties, suppliers, partners, users of Company services, and any other persons. The data may be contained in the Company system, or in systems of third parties that operate these on behalf of Saca Technologies. Customer systems that Saca Technologies, or third parties on behalf of Saca Technologies, operate are also relevant, as are systems operated by customers themselves if Company employees can access the personal data stored in these systems while providing services, support, or consulting services.
Data controller (controller)
A natural or legal person, authority, institution, or any other office that - either alone or in collaboration with others - makes decisions on the purposes and means of processing personal data (general legal definition). In the case of Saca Technologies, the company is always the controller for the personal data of its employees, customers, suppliers, partners, or other persons. The Saca employees, internal units, or organizations cannot be controllers. The controller is represented by the management legally responsible (for example, the members of the Saca Technologies Executive Board and/or directors).
4. Collection of Personal Information
SACA will, where it is reasonable or practicable to do so, collect personal information directly from you using several different methods, including collection via our Sites, electronic transmission (e.g. email), post, telephone, in person or portable devices. We may also collect personal information from third parties, including clients, contractors, service providers and other individuals.
SACA will only collect personal information that is necessary to promote our business, to provide our services or to conduct our activities as its primary purpose (the "Primary Purpose"). These activities include:
· To provide products and services to clients
· To receive products and services from service providers and contractors
· To maintain and promote relationships with clients, service providers and contractors
· To provide clients and prospective clients with information on our services and products, economic and industry developments, and seminars and events that may be of interest to them
· To recruit and maintain relationships with staff
· To complete internal administration functions (e.g. invoicing clients).
The personal information collected may include your name, date of birth, gender, marital status, addresses, contact details, job titles, account details, and financial information, among others.
4.1. Data Sources
Personal Data should be collected only from the Data Subject unless one of the following applies:
· The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies.
· The collection must be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.
If Personal Data is collected from someone other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies:
· The Data Subject has received the required information by other means.
· The information must remain confidential due to a professional secrecy obligation.
· A national law expressly provides for the collection, Processing or transfer of the Personal Data.
Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:
· One calendar month from the first collection or recording of the Personal Data
· At the time of first communication if used for communication with the Data Subject
· At the time of disclosure if disclosed to another recipient.
4.2. Data Subject Consent
SACA will obtain Personal Data only by lawful and fair means and, where appropriate with the knowledge and Consent of the individual concerned. Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, SACA is committed to seeking such Consent. The Data Protection Officer, and other relevant business representatives, shall establish a system for obtaining and documenting Data Subject Consent for the collection, Processing, and/or transfer of their Personal Data. The system must include provisions for:
· Determining what disclosures should be made in order to obtain valid Consent.
· Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.
· Ensuring the Consent is freely given (i.e. is not based on a contract that is conditional to the Processing of Personal Data that is unnecessary for the performance of that contract).
· Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the Consents given.
· Providing a simple method for a Data Subject to withdraw their Consent at any time.
4.3. Data Subject Notification
SACA will, when required by applicable law or contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data.
When the Data Subject is asked to give Consent to the Processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following applies:
· The Data Subject already has the information
· A legal exemption applies to the requirements for disclosure and/or Consent.
The disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the Office of Data Protection. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure.
4.4. External Privacy Notices
Each external website provided by a SACA Entity will include an online 'Privacy Notice' and an online 'Cookie Notice' fulfilling the requirements of applicable law. All Privacy and Cookie Notices must be approved by the Data Protection Officer prior to publication on any SACA external website.
5. How We Use Your Personal Information
5.1. Data Processing
SACA uses the Personal Data of its Contacts for the following broad purposes:
· The general running and business administration of SACA Entities.
· To provide services to SACA customers.
· The ongoing administration and management of customer services.
The use of a Contact's information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object. For example, it would clearly be within a Contact's expectations that their details will be used by SACA to respond to a Contact request for information about the products and services on offer. However, it will not be within their reasonable expectations that SACA would then provide their details to Third Parties for marketing purposes.
Each SACA Entity will Process Personal Data in accordance with all applicable laws and applicable contractual obligations. More specifically, SACA will not Process Personal Data unless at least one of the following requirements is met:
· The Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes.
· Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
· Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
· Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
· Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
· Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a Third Party (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child).
There are some circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the Personal Data was collected. When making a determination as to the compatibility of the new reason for Processing, guidance and approval must be obtained from the Office of Data Protection before any such Processing may commence.
In any circumstance where Consent has not been gained for the specific Processing in question, SACA will address the following additional conditions to determine the fairness and transparency of any Processing beyond the original purpose for which the Personal Data was collected:
· Any link between the purpose for which the Personal Data was collected and the reasons for intended further Processing.
· The context in which the Personal Data has been collected, in particular regarding the relationship between Data Subject and the Data Controller.
· The nature of the Personal Data, in particular whether Special Categories of Data are being Processed, or whether Personal Data related to criminal convictions and offences are being Processed.
· The possible consequences of the intended further Processing for the Data Subject.
· The existence of appropriate safeguards pertaining to further Processing, which may include Encryption, Anonymization or Pseudonymization.
5.2. Special Categories of Data
SACA will only Process Special Categories of Data (also known as sensitive data) where the Data Subject expressly consents to such Processing or where one of the following conditions applies:
· The Processing relates to Personal Data which has already been made public by the Data Subject.
· The Processing is necessary for the establishment, exercise or defense of legal claims.
· The Processing is specifically authorized or required by law.
· The Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent.
· Further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.
In any situation where Special Categories of Data are to be Processed, prior approval must be obtained from the Office of Data Protection and the basis for the Processing clearly recorded with the Personal Data in question.
Where Special Categories of Data are being Processed, SACA will adopt additional protection measures. Each SACA Entity may also adopt additional measures to address local custom or social expectation over the Processing of Special Categories of Data.
5.3. Children's Data
Our Sites and Services are neither targeted at nor intended to attract children under the age of 13. Further, we do not knowingly solicit any personal information from children under the age of 13. If we learn or are informed that we have collected information from users under the age of 13, we will delete such personal information right away. If you are under the age of 13 in your country of residence, please ask your parent or guardian to assist you in providing your information.
5.4. Data Quality
SACA will adopt all necessary measures to ensure that the Personal Data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject.
The measures adopted by SACA to ensure data quality include:
· Correcting Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification.
· Keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period.
· The removal of Personal Data if in violation of any of the Data Protection principles or if the Personal Data is no longer required.
· Restriction, rather than deletion of Personal Data, insofar as:
o a law prohibits erasure.
o erasure would impair legitimate interests of the Data Subject.
o the Data Subject disputes that their Personal Data is correct, and it cannot be clearly ascertained whether their information is correct or incorrect.
5.5. Data Retention
To ensure fair Processing, Personal Data will not be retained by SACA for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed. The length of time for which SACA needs to retain Personal Data is set out in the SACA Personal Data Retention Schedule. This takes into account the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
5.6. Law Enforcement Requests & Disclosures
In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:
· The prevention or detection of crime.
· The apprehension or prosecution of offenders.
· The assessment or collection of a tax or duty.
· By the order of a court or by any rule of law.
If a SACA Entity Processes Personal Data for one of these purposes, then it may apply an exception to the Processing rules outlined in this policy but only to the extent that not doing so would be likely to prejudice the case in question. If any SACA Entity receives a request from a court or any regulatory or law enforcement authority for information relating to a SACA contact, you must immediately notify the Compliance Officer who will provide comprehensive guidance and assistance.
5.7. Breach Reporting
Any individual who suspects that a Personal Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify the Compliance Officer, providing a description of what occurred. Notification of the incident can be made via e-mail, by calling, or by using the anonymous incident reporting format. The Compliance Officer will investigate all reported incidents to confirm whether or not a Personal Data Breach has occurred. If a Personal Data Breach is confirmed, the Compliance Officer will follow the relevant authorized procedure based on the criticality and quantity of the Personal Data involved. For severe Personal Data Breaches, the SACA Legal Counsel will initiate and chair an emergency response team to coordinate and manage the Personal Data Breach response.
6. Your Rights under GDPR
This section provides details about your rights in relation to your personal information.
6.1. You may ask us to access all the personal information about you held by us. On request, we will provide you with a copy of this information. We reserve the right to charge a reasonable fee considering the administrative costs of providing the information or taking the action requested. You can exercise your right of access to your personal information:
· By emailing us at [email protected]; or
· By writing to us at the address below.
6.2. You have the right to be informed that the Company is processing your personal data, the type of data that is being processed, the reason for the processing, who is responsible, and the person to whom the data is passed;
6.3. You may correct or erase your personal information where appropriate. Please note, you may review and update certain user profile information by logging in, as applicable, to the relevant portions of the Services where such information may be updated;
6.4. Restrict the processing of your personal information such as when we investigate your concern, or when there is a pending legal dispute;
6.5. Where the processing is based on your consent, you have a right to receive your information in a commonly used electronic format or to ask that we move the data in that format to another provider, where your request relates to the data that you gave us directly and where technically possible (data portability);
6.6. Object to the processing of your personal information which is inconsistent with the primary purpose for which the same has been obtained;
6.7. Not to be subject to a decision based only on automated processing;
6.8. Withdraw your consent at any time when the processing relies upon consent.
6.9. Assert deletion of your data, i.e. the so-called "Right to be Forgotten" when your personal information is no longer necessary for the purposes that it was obtained; and
6.10. If you remain unhappy with a response you receive you can also refer the matter to your data protection supervisory authority.
7. Linked Sites and Advertisements on Our Website or Services
Our Site or Services may contain links to third-party websites. We are not responsible for the privacy practices or the content of those third-party websites. Any information you provide via those services is subject to the applicable third-party privacy policies and is not covered by this Privacy Use Notice.
8. Your Privacy Rights Under California Law
Under California law, users who are California residents are permitted to request and obtain from us once a year, a list of the third parties to whom we have disclosed their personal information, if any, for their direct marketing purposes in the prior calendar year, and the type of personal information disclosed to those parties. This is free of charge. If you are a resident of California and would like to request this information, please provide a written acknowledgement that you are a resident of California and address your request to the Compliance Officer at the information provided below.
9. Data Access, Quality and Correction
We will provide access to personal information about an individual upon request by that individual. However, there are some exceptions to granting access e.g. where providing access would be unlawful. If we deny access to an individual's personal information, we will provide reasons in writing.
We will take all reasonable measures to ensure that the personal information we hold is accurate, complete and up to date. Please contact the Compliance Officer if you believe that the information we have about you is not accurate, complete or up to date.
10. Disclosure of Personal Information
We may disclose personal information to third parties, such as contractors, agents and service providers, to assist us with our activities and the provision of products and services to our clients. We will take reasonable steps to ensure that these organizations are bound by obligations of confidentiality and privacy to protect personal information in doing so.
We may also send personal information to organizations outside the USA in connection with the provision of our products and services to clients and the performance of administrative functions.
Other than as stated above, we will not disclose personal information to any other third party unless we have:
· Reasonable grounds to believe that the disclosure is required by law;
· Reasonable grounds to believe that the disclosure is necessary to avoid a serious and imminent threat to a person's life, health or safety; and
· Secured the consent of an individual to do so.
11. Information Security
We have in place generally accepted standards of technological security to protect personal information from misuse, loss, corruption or destruction. Only our authorized personnel have access to your personal information. These personnel are required by our policies and employment contracts to maintain the confidentiality of this sensitive data.
Where personal information that we hold is identified as no longer needed for any purpose for which the information may be used or disclosed under GDPR, we will take reasonable steps to destroy such information by appropriate means.
12. Your Online Privacy Matters
For statistical purposes, we may collect information by using 'cookies' on Site activities (including the number of users who visit our websites, date and time of your visit to the Website, the pages accessed, and any information downloaded, navigation patterns, the country and systems through which users have accessed the website).
Cookies refer to the data which a website transfers to an individual's hard drive for record-keeping purposes. Cookies can facilitate your ongoing access to and use of a website and may be necessary to access features such as online transactions.
We take great precautions in protecting your personal information on our Site and use state-of-the-art data transmission encryption. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information that you are sending us or receiving from us online. This is particularly true for information you are sending us via email. We have no way of protecting that information until it reaches us. Once we obtain your communication, we exert our best efforts to ensure its security in our possession.
The Websites may contain links/plug-ins which will direct you to other sites. We are not responsible for the content of, or the privacy practices or policies of, those sites when you visit them.
13. Our Sites
SACA takes care to protect the personal information that you have provided us on our Sites. Our Sites have electronic security systems in place.
15. For Your Questions and Concerns
SACA Technologies, Inc.
5101 East La Palma Avenue
Anaheim Hills, California, 92807
[email protected] | Phone: (888) 603-9030 | Fax: (888) 603-9033