Throughout this Policy, references to “iQuantM” shall include “iQuantM Technologies”, “iQuantM Inc.”, “ iQuantM Corp.”, “ iQuantM UK” and any other entities within the iQuantM organisational structure from time to time.
iQuantM, its employees and leadership respect and protect the rights of individuals, in particular the right of all individuals to data protection and privacy during the processing and use of Personal Data as well as the right to privacy.
This Policy outlines an iQuantM-wide minimum standard for handling Personal Data in compliance with data protection and privacy laws worldwide, iQuantM contracts with employees and subcontractors, and external agreements with other parties. It defines requirements for all operational processes that affect Personal Data, as well as clear responsibilities and organizational structures. As soon as any function or process at iQuantM involves collecting, processing, or using Personal Data, the provisions of this Policy are to be adhered to. iQuantM’s leadership team and the relevant process owners are responsible for ensuring that all processes during which Personal Data is collected, processed, or used are designed such that the provisions of this Policy are fulfilled. It is the duty of all iQuantM employees and contractors to comply with the provisions of this Policy when handling Personal Data in the course of their work or engagement with iQuantM.
2. About iQuantM
iQuantM Technologies Ltd. is a certified SAP Partner with Headquarters registered in the United Kingdom with subsidiary offices in Canada, India and the Kingdom of Saudi Arabia
The following definitions, whether capitalized or not as the case may be, apply throughout this Policy:
“anonymized” means, in the context of Personal Data, the outcome of making the direct or indirect identification of an individual person by use of that Personal Data impossible, even with the aid of other data or information;
“collecting” means procuring Personal Data on the Person Affected.
“Commissioned Data Processing” means the process by which Personal Data is transferred between iQuantM entities, or between iQuantM and a Commissioned Data Processor;
“Commissioned Data Processor” means a natural or legal person, authority, institution, or any other office that processes Personal Data on behalf of the Data Controller, for example, an external company or an iQuantM company that is not the Data Controller itself;
“consent” means explicit consent or implicit consent, as such terms are defined hereunder.
“Data Controller” means the iQuantM entity that makes decisions on the purposes and means of processing Personal Data of individuals. For the avoidance of doubt, where an iQuantM entity cannot be readily identified as the Data Controller, the Data Controller shall be iQuantM Technologies 1st Floor, Pintail House, Duck Island Lane, Ringwood, United Kingdom, BH24 3AA;
“deletion” means either the physical destruction of certain data or the anonymization of certain data in such a way that makes it impossible to relate such data to a natural person;
“EEA” means the European Economic Area;
“explicit consent” means an action by the Person Affected through which they allow the processing of Personal Data – for example, the declaration of consent with the sending of e-mails or entering of Personal Data (opt-in);
“identifiable” means, the context of a person, one whom can be directly or indirectly identified, in particular, by reference to an identity number or to one or more factors specific to that person’s physical, physiological, psychological, economic, cultural, or social identity e.g. names, telephone numbers, e-mail addresses, postal addresses, user IDs, tax numbers, or social security numbers, or indirectly on the basis of a combination of any such information;
“implicit consent” means where an active opt-out is required for processing to cease;
“Person Affected” means an identified or identifiable natural person whose Personal Data is affected by a data processing action. A person is deemed identifiable if he or she can be identified directly or indirectly, in particular by reference to an identity number or to one or more factors specific to that person’s physical, physiological, psychological, economic, cultural, or social identity;
“Personal Data” means all information on a Person Affected, including data on employees, applicants, former employees, clients, interested parties, suppliers, partners, users of iQuantM websites and services, and any other persons. The data may be contained in an iQuantM system, or in systems of third parties that operate these on behalf of iQuantM. Client systems that iQuantM or third parties on behalf of iQuantM operate are also relevant, as are systems operated by clients themselves if iQuantM employees can access the Personal Data stored in these systems while providing services, support, or consulting services;
“Privacy Officer” means the privacy officer appointed by iQuantM;
“processing” describes any operation performed with or without the aid of an automatic procedure, or any set of operations connected with Personal Data, for example, collecting, saving, modifying, storing, changing, transferring, locking, or deleting Personal Data;
“Special Categories of Personal Data” means categories of Personal Data based on the racial or ethnic origin, political views, religious or philosophical beliefs, union membership, felonies, penal convictions, health, or sexual preferences of persons, as well as Personal Data that can be misused for identity theft. For example, social security numbers, credit card and bank account numbers, as well as passport or driver’s license numbers;
“third party” means a natural or legal person, authority, institution, or any other office, except for the following:
• the Person Affected;
• the Commissioned Data Processor; or
• the persons who, under the direct responsibility of the Data Controller or the Commissioned Data Processor, are authorized to process the data.
For the purposes of this Policy as well as applicable data protection and privacy laws, different companies within the iQuantM organizational structure are classified as third parties in relation to each other;
“using” means any use of Personal Data, except for processing.
4. Role of the Privacy Officer
The Privacy Officer is an appointed position within iQuantM. It reports directly to the Chief Executive Officer.
The Privacy Officer, in consultation with iQuantM’s leadership team, determines iQuantM’s data protection and privacy strategy in accordance with the strategic objectives of iQuantM and ensures that all iQuantM entities adhere to the applicable provisions of the data protection and privacy regulations. The Privacy Officer is to be supported in performing its tasks, in particular with the resources required to perform its tasks and is to be provided with any requested information fully and without undue delay.
The Privacy Officer is free to exercise tasks as he/she sees fit and must not be hindered or discriminated against for performing their tasks.
If a Privacy Officer’s appointment comes to an end or is otherwise terminated, iQuantM must make all reasonable endeavours to appoint a new Privacy Officer as quickly as possible.
The Privacy Officer shall be provided with reasonable time to administer their duties and suitable resources shall be allocated to the Privacy Officer for them to perform their tasks. To ensure that the Privacy Officer retains and benefits from learning resources to ensure the necessary expertise to fulfill their duties, they shall be permitted to participate in further education and professional development.
5. iQuantM website
iQuantM may further collect and process any information and data that a website user volunteers to us, e.g. when a website user registers for events, subscribes to newsletters, participates in online surveys, discussion groups or forums, or when a website user views or downloads selected information and/or documents.
iQuantM uses IP addresses to help diagnose problems, to administer the iQuantM website, and to gather demographic information.
iQuantM will only gather information related to a website user’s visit to the iQuantM website. iQuantM does not track or collect personal information from a website user’s visits to websites of companies or entities other than iQuantM.
iQuantM may collect information during a website user’s visit to iQuantM’s website through automated tools, which include Web beacons, cookies, embedded Web links, and other commonly used information-gathering tools. These tools collect certain standard information that a website user’s browser sends to iQuantM’s website such as the website user’s browser type and language, access times, and the address of the website from which the website user arrived at iQuantM’s website.
iQuantM’s website may contain links to foreign (meaning non- iQuantM) entities’ websites. iQuantM is not responsible for the privacy practices or the content of websites outside of iQuantM and makes no warranties thereto.
iQuantM will take all reasonable measures to help maintain security of the data transmitted to iQuantM by users of iQuantM’s website.
6. Basic principles of protecting Personal Data
During every process that includes collecting, processing, or using Personal Data, Personal Data may be processed or used only in accordance with this Policy and to the extent permitted by law.
Processing is only allowed in the following cases:
• If a Person Affected freely gave their consent, for example, when registering on a website or entering into a contract with iQuantM that includes the processing of their Personal Data.
• In iQuantM’s provision of goods or services requested by a client, prospective client, or partner.
• In ensuring iQuantM’s compliance with export laws of various countries.
• In iQuantM’s legitimate interest, such as questionnaires and surveys, creation of anonymized data sets, recordings for quality assurance purposes, other legitimate industry-related business improvement activities, marketing activities, sales activities or requests for feedback from relevant stakeholders.
• If required to fulfill contracts with the Person Affected, for example, for an employment contract or a service contract.
• Between iQuantM entities, provided such Personal Data is used only for the same purposes and under the same conditions as originally consented to by the Person Affected.
• If legally required or permitted, for example due to tax, employment or social security laws.
Consent given by a Person Affected, as described above, will allow iQuantM to use that person’s Personal Data for the following purposes:
• The provision to that person of news about iQuantM’s products and services, and SAP industry developments.
• Creation of user profiles on iQuantM’s internal business- and time-management software.
• In connection with an event, conference, seminar or webinar, where there is sharing of information for the purpose of communication and/or the exchange of ideas.
• In connection with the registration for and access to an event, conference or seminar, iQuantM may ask for information about health for the purpose of being considerate of individuals who have disabilities or special dietary requirements.
Personal Data may be collected and processed for lawful purposes only. The respective purpose must be defined before the time at which the Personal Data is collected. Processing Personal Data for a purpose other than the one defined before the Personal Data was collected is permitted in exceptional circumstances only if the Person Affected consents to the processing or if stipulated by law.
Personal Data may only ever be collected to the extent absolutely necessary for fulfilling the purpose specified before it is processed or used; any other processing is not permitted, unless part of iQuantM’s legitimate business interest as described above.
Personal Data must be accurate at all times and corrected where necessary. iQuantM employees and contractors with access to automated mechanisms or software for the purpose are required to update their Personal Data once changes are known to them and advise their manager or their appropriate Human Resources manager. All other holders of Personal Data must advise their contact person within iQuantM of any changes or corrections required to their Personal Data. Save for these occurrences, iQuantM will be deemed to not be aware of any desired or necessary changes to Personal Data in its possession.
A person must not suffer any detrimental effects if they choose to not consent or provide Personal Data, however in making that choice, that person acknowledges that there are certain circumstances in which iQuantM cannot take action without certain Personal Data, for example because the Personal Data requested is required to process orders or provide access to a web offering or newsletter. In such cases, Personal Data may be retained only for as long as is absolutely necessary for the purposes specified, where otherwise legally required, or until it is objected to by the Person Affected. Thereafter, Personal Data must be deleted or anonymized. For more information, see section 8.3 below.
7. Responsibilities for Data Protection and iQuantM Privacy
The legal responsibility for collecting, processing, and using Personal Data within iQuantM lies with the officers and directors of the iQuantM entity that collects, processes, or uses the Personal Data for iQuantM’s business purposes.
Within iQuantM, responsibility can be delegated along the organizational structure of iQuantM by means of documented instructions from management, guidelines, and business processes that involve the explicit transfer of responsibility to managers at different levels as well as employees.
The relevant iQuantM officers and directors are responsible for structuring all processes during which Personal Data is collected, processed, or used in such a way that the requirements of this Policy are fulfilled.
The following tasks are the responsibility of management in every iQuantM entity:
• Ensuring that there is continuous monitoring of the applicable privacy law.
• Ensuring that processes, during which Personal Data is collected, processed, and/or used, are in line with applicable law and that local and global process owners are informed of necessary changes.
• Ensuring that all approvals required by the supervisory authorities for collecting, processing, using, and transferring Personal Data have been granted and that the necessary notifications have been sent to the relevant supervisory authorities.
Global Human Resources
Before commencing an activity during which access to Personal Data cannot be excluded, every employee, contractor and third party acting on behalf of iQuantM whom can be reasonably foreseen to be involved in that activity are to be instructed that they are not permitted to collect, process, or use Personal Data without authorization (data protection) and that this data must be handled confidentially.
Employees and contractors are to be made aware of the consequences of violating this Policy and data protection laws. This Policy and other internal company guidelines that govern the handling of Personal Data are to be brought to employees’ attention upon employment. The instruction must be documented in writing or in another form and will be available to employees from the Privacy Officer at all times.
It is the duty of all iQuantM employees and contractors to treat Personal Data to which they have access in the course of fulfilling their employee or contractual duties with iQuantM as confidential.
iQuantM employees may collect, process, and/or use Personal Data only to the extent required to fulfill their duties and in accordance with approved processes. If collecting, processing, or using Personal Data is not recognizably prohibited for the employee, he or she can refer to the legality of the relevant iQuantM management’s instructions. In case of doubt, employees may contact the Privacy Officer for clarification.
Storage and Processing
Personal Data will be stored by iQuantM and potentially iQuantM’s third-party service providers within Canada, the USA, the European Union and Switzerland. This policy applies regardless of where Personal Data is stored.
Notification, Accuracy of Personal Data, and Inspection
A Person Affected must be informed in a suitable manner that their Personal Data is being collected, processed, and/or used. Usually, they are to be informed before the time at which Personal Data is collected.
The Person Affected must be informed of the iQuantM entity collecting the Personal Data; the purpose for collecting, processing, or using the Personal Data; and other recipients to whom their Personal Data will be transferred. This information must be provided in a way that is easy to understand.
Stored Personal Data must be accurate. Inaccurate Personal Data must be corrected or deleted as soon as practicably possible.
A Person Affected may, at any time, request information about the Personal Data stored on them, its origin, purpose for storing, a copy of the Personal Data itself, and recipients to whom the Personal Data is passed on. iQuantM will carefully consider such a request and discuss same with the Person Affected. Queries or complaints submitted by a Person Affected must be processed by the responsible iQuantM entity without undue delay or according to those timeframes imposed by local law, whichever is the earlier. Objections from a Person Affected with regard to the processing of Personal Data must be investigated and, if necessary, remedial action must be taken.
A Person Affected may, at any time, lodge a complaint with the data protection authority of the country with which the relevant Personal Data has a necessary connection.
Duration of storage and Personal Data deletion or anonymization
This section applies insofar as it is possible for iQuantM to delete the relevant Personal Data in its possession.
For every process in which Personal Data is collected, processed, or used, a schedule must be defined for the regular deletion of Personal Data after the specified purpose has been fulfilled, if the legal basis for retaining the Personal Data no longer applies, or if the Person Affected objects to the retention of the Personal Data or otherwise withdraws their consent to iQuantM’s retention of the Personal Data.
Instead of being deleted, Personal Data, it may also be irreversibly anonymized. If, for technical or legal reasons (for example, if the retention of Personal Data is legally required for compliance with tax laws), it is not possible to either delete or anonymize Personal Data, such Personal Data must be blocked for any further processing and/or use, as well as for further access.
Where a Person Affected withdraws a consent granted hereunder, iQuantM will not process Personal Data subject to the withdrawn consent unless legally required to do so. In case iQuantM is required to retain Personal Data for legal reasons, such Personal Data will be restricted from further processing and only retained for the term required by law, however a withdrawal of consent has no effect on past processing of Personal Data by iQuantM up to the point in time of the withdrawal.
Additional Rules for Special Categories of Personal Data
Special Categories of Personal Data are to be treated as equal to Personal Data.
In the instances in which iQuantM collects Special Categories of Personal Data, iQuantM must ensure that the Persons Affected have been informed in advance and have given their consent. Provided that applicable law does not determine otherwise, Special Categories of Personal Data may be collected, stored, processed, and transferred only with the explicit consent of the Persons Affected. Increased precautions (for example, physical safety features, encryption, and access restrictions) that are appropriate for the heightened sensitivity of the Special Categories of Personal Data are to be taken for collecting, storing, processing, and transferring such data.
The following additional rules apply for Special Categories of Personal Data:
• The collection, processing, and/or use of such data must be transparent for the Persons Affected at all times.
• Consent given by persons affected must refer explicitly to these Special Categories of Personal Data.
• Processes that involve collecting or using special types of Personal Data may be configured only with a prior check performed by the Privacy Officer.
Transfer of Personal Data and Commissioned Data Processing
If Personal Data is to be exchanged between iQuantM entities or with other companies (Commissioned Data Processors), it must first be checked whether contractual agreements on data protection and privacy, and data security are required. Such a check is always required if an iQuantM entity is to process data on behalf of another iQuantM entity, or if a Commissioned Data Processor is to process Personal Data on behalf of an iQuantM entity (a transfer for processing purposes). A check is also necessary if an iQuantM entity transfers Personal Data to another iQuantM entity or a Commissioned Data Processor (for example, a service provider, partner, or client), and the Commissioned Data Processor wishes to use the Personal Data for its own business purposes (transfer for own purposes).
If Personal Data under the legal responsibility of iQuantM is transferred to a Commissioned Data Processor located outside the EEA, it must also be ensured in advance that a suitable level of protection in accordance with Articles 25 and 26 of the EU Data Protection Directive (95/46/EC) is guaranteed.
If Personal Data is transferred, the following rules apply:
Transfer for commissioned processing:
• The iQuantM entity that commissions or instructs another iQuantM entity or a Commissioned Data Processor to collect, process, or store Personal Data is responsible for compliance with the requirements of data protection and privacy regulations.
• This responsibility does not cease with the transfer to the other iQuantM entity or the Commissioned Data Processor.
• Every iQuantM entity must ensure that Commissioned Data Processors that collect, process, or store Personal Data on their behalf, are reviewed in advance and then regularly to ensure that they comply with the requirements of data protection and privacy regulations and that the necessary contracts with these companies have been concluded.
Transfer for recipient’s own purposes:
• The transfer of Personal Data to a Commissioned Data Processor for their own purposes (for the avoidance of doubt, this means any purposes other than those of iQuantM) is allowed only if this is permitted or required by law or if the Persons Affected have given their prior consent.
The transferring iQuantM entity must ensure that the legal requirements are checked before the data is transferred.
Transfer to state agencies (authorities and courts):
• iQuantM may transfer Personal Data to governmental agencies only on the basis of applicable law or lawful request.
• In the event of a request for information from a governmental authority or a court of competent jurisdiction, iQuantM will inform the Person Affected of this without undue delay.
9. Transfer of clients’ Personal Data
iQuantM will generally make all reasonable efforts to avoid processing clients’ Personal Data. However, from time to time in the course of its business, iQuantM may be required to process clients’ Personal Data. The transfer and use of such Personal Data must be performed in full compliance with applicable law and those additional obligations agreed in the contract between iQuantM and the client. Personal Data of clients may never be passed on to third parties without an appropriate legal or contractual basis.
10. Cookies and similar technologies
The cookies and similar technologies on our websites and our mobile applications allow us to track your browsing behavior, links clicked, items purchased, your device type, and to collect various data, including analytics, about how you use and interact with our Services.These technologies automatically collect data when you use and interact with our Services, including metadata, log files, cookie / device IDs, page load time, server response time, and approximate location information to measure website performance and improve our systems, including optimizing DNS resolution, network routing and server configurations.Specifically, interactions with the features, content and links(including those of third – parties, such as social media plugins) contained within the Services, Internet Protocol(IP) address, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data, information about devices accessing the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and error data is collected.All this allows us to provide you with more relevant product offerings, a better experience on our sites and mobile applications, and to collect, analyze and improve the performance of our Services.We may also collect your location(IP address) so that we can personalize our Services.
11. Data Protection and Privacy Supervisory Authorities
If required by law or contract, iQuantM must always cooperate with any data protection and privacy supervisory authority irrespective of whether such authoritative entity is based inside or outside the EEA.
If such an authority requests information or otherwise exercises their right of investigation, the Privacy Officer must be informed without delay. The Privacy Officer shall then act as the primary coordinator to formulate an appropriate response to the query, in consultation with relevant iQuantM departments. The Privacy Officer will act as the direct contact with the relevant authorities.
12. Data Protection and Privacy Standards
This Policy may be specified and enhanced through data protection and privacy standards, upon review and consideration of the Privacy Officer.
13. Raising Awareness and Training
iQuantM, through the Privacy Officer and other appropriate staff, shall take measures to raise awareness at regular intervals. All employees and third parties acting on behalf of iQuantM are regularly informed about both their duties and their rights within the scope of this Policy and all applicable laws.
iQuantM shall ensure its employees, especially new employees, are adequately trained in this Policy.
This Policy is provided as information only. iQuantM reserves the right to change the Policy at any time without giving notice.