Download Privacy Policy.pdf

Revision Date: 25th February 2024

This Data Privacy Policy (“Policy”) represents the minimum standards that IVM ME FZ LLC and its affiliates (“IVM”) has set with respect to data privacy, for ensuring that IVM collects, uses, retains and discloses Personal Data in a fair, transparent and secure way.

This Policy aligns with (and in some cases exceeds) the main requirements of applicable laws and regulations. This Policy is also aligned with other specific policies of IVM relating to the collection and use of information or of Personal Data implemented by IVM to cover the specific Personal Data processing purposes needed for the day to day activity (e.g. cookies policy, specific local policies). This Policy acknowledges that certain IVM affiliates are located in countries with varying legal and cultural approaches to privacy and data protection. This Policy may thus be supplemented by other policies and procedures in certain geographic regions as may be appropriate to comply with applicable laws and meet cultural norms.

In the event of a conflict between this Policy and the local applicable privacy policies and/or applicable local law as relevant, or inapplicability of the provisions of this Policy, the local applicable policy and local law should prevail. Some useful definitions are provided in Section 2 of this Policy for your ease of reference.

 

  1. What is the scope of this Policy?

    1. The Policy covers all Personal Data in any form, including but not limited to electronic data, paper documents and disks and all types of processing, whether manual or automated that is under the possession or control of IVM, in all geographies areas where IVM operates. This will include information held about IVM members, partners, employees, consultants, clients, suppliers, business contacts and any third parties.
    2. IVM cares about protecting minors and has implemented certain reasonable measures to prevent the processing of the Personal Data of minors. Therefore, IVM does not process Personal Data from minors knowingly. If IVM is informed or becomes aware that IVM processes Personal Data of minors, IVM will immediately delete it.
    3. IVM cares about protecting minors and has implemented certain reasonable measures to prevent the processing of the Personal Data of minors. Therefore, IVM does not process Personal Data from minors knowingly. If IVM is informed or becomes aware that IVM processes Personal Data of minors, IVM will immediately delete it.
  2. Definitions. 

    1. IVM shall mean IVM ME FZ LLC and its affiliates.
    2. Third Party shall mean a third party who receives from IVM or who is otherwise entrusted with Personal Data on behalf of IVM, for example suppliers, contractors, sub-contractors and other service providers.
    3. Data Subject shall mean an identified or identifiable person whose Personal Data is being processed by IVM
    4. Informed Consent shall mean any freely given specific and informed indication of the Data Subject’s agreement to the processing of his/her Personal Data.
    5. Personal Data shall mean any information capable of identifying a natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.
    6. Sensitive Data are a subset of Personal Data, which due to their nature have been classified by law or by an applicable policy as deserving additional privacy and security protections.
    7. Process / Processing shall mean any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction (and Process shall be interpreted accordingly).
  3. How does IVM ensure the Lawfulness, Fairness and Transparency of our data processing?

    1. Personal Data is processed on the basis of legal grounds with the informed knowledge of the Data Subjects.
    2. IVM will only use Personal Data
      • if necessary to perform a contract with the Data Subjects (e.g. employees, contractors, clients, suppliers etc.);
      • if required to comply with a legal obligation;
      • where IVM has a legitimate business need or a legitimate business reason to use Personal Data as part of our business activities (e.g. when carrying out a Know Your Client processing); or
      • where IVM has the Data Subject’s Informed Consent when it is specifically required. For instance where required by law (e.g. to send marketing information through electronic communication means) or by applicable policy, IVM may need to obtain the consent of Data Subjects in order to collect, use, retain and disclose their Personal Data. This may also be the case where no other valid grounds described above is applicable. In particular, IVM will not sell Personal Data for marketing purposes without appropriate consent and/or legal basis.
    3. IVM considers that it is important to assess the privacy risks before IVM collects, uses, retains or discloses Personal Data, such as in a new system or as part of a project.
    4. IVM will only Process Personal Data in the way described in its privacy notices or privacy policies and in accordance with any Informed Consent IVM may have obtained from the Data Subject
    5. IVM will not carry out profiling activities based on automated decision making, unless legally grounded on a requirement of applicable law or the performance of a contract or the Data Subject’s consent and provided that suitable safeguards are implemented to protect the Data Subjects rights.
    6. IVM uses cookie technology on its websites to allow it to evaluate and improve their functionality. Cookies could also be used for advertising or analytics purposes, subject to consent and depending on the choice made by using the cookie control tool. For more information about how IVM uses cookies, please read the online Privacy Policy.
    7. Where legally required, IVM will ensure that Data Subjects are provided with a relevant information, concerning the processing of their Personal Data, unless there is an impossibility to provide such information or if it requires disproportionate efforts to provide such information. Such information will notably include, the purposes of the data processing, the types of data collected (if the data have not been obtained directly from the Data Subject), the categories of recipients, the list of rights which may be exercised by the Data Subjects, the consequences of a failure to reply, the conditions of the transfer of personal data outside EU, if any, and the mechanism used to protect the data in the event of a transfer, etc. This requirement may be satisfied by issuing a privacy notice to Data Subjects at the point where Personal Data are originally collected from them. Privacy notices shall be written in language which provides Data Subjects with a clear understanding as to how their Personal Data will be used.
  4. Specific and legitimate purpose, Data Minimization and Accuracy.

    1. Personal Data will only be collected and processed for legitimate purposes, complying with the Personal Data Minimization principle and ensuring the accuracy of the Personal Data processed.
    2. Personal Data will be collected for specified, explicit and legitimate purposes (which could be multiple) and not further processed in a manner that is incompatible with those purposes.
    3. IVM carefully evaluates and defines the purposes of the Personal Data Processing before launching a project (e.g. management of HR data, management of recruitment data; payroll purpose, accounting and financial management, risk management, management of employees’ safety, allocation of IT tools and any other digital solutions or collaborative platforms, IT support management, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering and anti-bribery obligations or any other legal requirements, data analytics operations, implementation of compliance processes, management of mergers and acquisition, etc.).
    4. IVM will ensure that the Personal Data collected is relevant, adequate and not excessive in relation to the purpose of the Data Processing and its eventual use (insights, marketing, promotions, etc.). This means that only necessary and relevant information for the purpose sought can be collected and processed.
    5. When collecting Sensitive Data, proportionality is fundamental. For instance, there is no need to request information on the nationality of a consumer when he/she pass an order. IVM does not collect Sensitive Data (or Special Categories of Data), unless required by applicable law or subject to the Data Subject’s prior express consent.
    6. Every reasonable step will be taken to ensure that Personal Data are maintained in an appropriately accurate and up-to-date form at every step of Personal Data Processing (i.e. collect, transfer, storage and retrieval).
    7. IVM encourages Data Subjects to help maintaining their Personal Data up to date by exercising their rights notably of access and rectification.
  5. Security and confidentiality.

    1. IVM ensures the security and confidentiality of the Personal Data it Processes
    2. IVM protects any Personal Data collected, used, retained and disclosed to support the business activities by following the relevant usage, technical and organizational policies, standards and processes.
    3. Employees, customers, consumers and business partners put their trust in IVM when they provide their Personal Data.
    4. Industry standard technical and organizational measures are implemented to prevent against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access, or any other unlawful or unauthorized forms of Processing.
    5. Where processing is to be carried out on behalf of IVM, IVM will select service providers providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of applicable data protection laws and ensure the protection of the rights of the Data Subject.
    6. IVM endeavors to take reasonable measures based on Privacy by design and Privacy by default as appropriate to implement necessary safeguards when processing Personal Data Processing.
    7. When a Personal Data Processing is likely to result in a high risk to the rights and freedoms of Data Subjects, IVM will carry out a risk impact assessment prior to its implementation
    8. IVM will examine all claims related to any breach to this Policy or applicable data protection laws, potential or actual, that are brought to its attention or that IVM becomes aware of and will take all reasonable measures to limit their impact.
    9. IVM will examine all claims related to any breach to this Policy or applicable data protection laws, potential or actual, that are brought to its attention or that IVM becomes aware of and will take all reasonable measures to limit their impact.
  6. Personal Data Retention.

    1. Any person handling Personal Data for IVM will keep it only for as long as it is necessary for the purpose for which it has been collected and processed (and other compatible purposes) which may include:
      • to meet or support a business activity;
      • to comply with a legal or regulatory requirement and comply with applicable statute of limitation requirements; or
      • to defend against legal or contractual actions (in which case, the Personal Data may be retained until the end of the corresponding statute of limitation or in accordance with any applicable litigation hold policies).
    2. to defend against legal or contractual actions (in which case, the Personal Data may be retained until the end of the corresponding statute of limitation or in accordance with any applicable litigation hold policies).
  7. What are your rights, as Data Subject?

    1. IVM is receptive to queries or requests made by Data Subjects in connection with their Personal Data and where required by law, IVM provides Data Subjects with the ability to access, correct, restrict and erase their Personal Data. IVM also allows them to oppose the processing of their personal data, and to exercise their right to portability.
    2. Access right: IVM will provide access to all Personal Data related to a Data Subject as required by law, to the purposes of the processing, categories of data processed, categories of recipients, data retention term, rights to rectify, delete or restrict the data accessed if applicable, etc.) 
    3. Right to portability: IVM may also provide a copy of any Personal Data that it holds in a format compatible and structured to allow the exercise of right to data portability to the extent it is relevant under applicable law.
    4. Right to rectification: Data Subjects can request to correct, amend, erase, any information which is incomplete, out of date or inaccurate.
    5. Right to erasure: Data Subjects can request the deletion of their Personal Data (i) if such Personal Data is no longer necessary for the purpose of the data processing, (ii) the Data Subject has withdrawn his/her consent on the data processing based exclusively on such consent, (iii) the Data Subject objected to the data processing, (iv) the Personal Data processing is unlawful, (v) the Personal Data must be erased to comply with a legal obligation applicable to IVM. IVM will take reasonable steps to inform the other entities of IVM of such erasure.
    6. Right to restriction: (i) in the event the accuracy of the Personal Data is contested to allow IVM to check such accuracy, (ii) if the Data Subject wishes to restrict the Personal Data rather than deleting it despite the fact that the processing is unlawful, (iii) if the Data Subject wishes IVM to keep the Personal Data because he/she needs it for his/her defense in the context of legal claims (iv) if the Data Subject has objected to the processing but IVM conducts verification to check whether it has legitimate grounds for such processing which may override the Data Subject’s own rights.
    7. Right to withdraw his/her consent: When the Personal Data processing is based on Data Subject’s consent, Data Subject may withdraw such consent at any moment, without affecting the lawfulness of processing based on consent before its withdrawal.
    8. Right to object: Data Subject can also indicate his/her objection to the processing of his/her Personal Data at any time:
      • Right to object: Data Subject can also indicate his/her objection to the processing of his/her Personal Data at any time:
      • to object to the sharing of his/her Personal Data with third parties or within IVM; or
      • to object to the sharing of his/her Personal Data with third parties or within IVM; or
      • to object to the sharing of his/her Personal Data with third parties or within IVM; or
  8. Disclosure to third parties.

    1. Disclosure to third parties.
    2. Disclosure is made on a strictly limited ‘need to know’ basis where there is clear justification for transferring Personal Data – either because the Data Subject has consented to the transfer or because disclosure is required to perform a contract to which the Data Subject is a party, or for a legitimate purpose that does not infringe the Data Subject’s fundamental rights, including the right to privacy (e.g. sharing in the context of a merger and acquisition operation etc.). In each case the Data Subject will be aware that the disclosure is likely to take place. Assurances will also be sought from the recipient that they will only use the Personal Data for legitimate / authorized purposes and keep it secure.
    3. Disclosure is made on a strictly limited ‘need to know’ basis where there is clear justification for transferring Personal Data – either because the Data Subject has consented to the transfer or because disclosure is required to perform a contract to which the Data Subject is a party, or for a legitimate purpose that does not infringe the Data Subject’s fundamental rights, including the right to privacy (e.g. sharing in the context of a merger and acquisition operation etc.). In each case the Data Subject will be aware that the disclosure is likely to take place. Assurances will also be sought from the recipient that they will only use the Personal Data for legitimate / authorized purposes and keep it secure.
  9. How are international transfers from EU protected?

    1. Personal Data originating from those IVM entities operating within the EU will not be transferred outside the EU to a third country which does not ensure an adequate level of protection unless appropriate safeguards are implemented in accordance with applicable laws.
    2. International Personal Data transfer is a very sensitive topic, and taken seriously before transferring any Personal Data from its EEA country of origin to another non-EEA country, whether such transfer is done for technical purposes (storage, hosting, technical support, maintenance etc.) or the main purposes (HR management, clients database management, etc.).
    3. IVM will not carry out international transfers of Personal Data from an EEA country to another non-EEA country without ensuring that appropriate transfer mechanisms as required by applicable data protection laws are in place, to ensure adequate protection of the data when transferred (e.g. adequacy decision, privacy shield certification if the transfer is made to the US, signature of EU Commission model clauses as appropriate, etc.). In some cases, IVM may also have to notify or gain pre-approval from the relevant privacy regulator prior to the transfer taking place.
  10. Complaint handling.

    1. IVM is committed to resolving the legitimate privacy issues of its staff, clients and other contacts. If a member of staff feels that he/she has done something in breach of this Privacy Policy, they must contact the Privacy Committee and report the matter.
    2. Data Subjects are informed that they can complain about privacy issues by writing an email to the Privacy Committee at privacy@midisgroup.com. In particular, this shall be expressly specified in the privacy notices communicated to and/or accessible by Data Subjects.
    3. If an individual covered by this Privacy Policy makes a complaint about the processing of his/her or someone else’s Personal Data, and the complaint is not satisfactorily resolved through this internal procedure, IVM will co-operate with the appropriate data protection authorities and comply with the advice of such authorities to resolve any outstanding complaints. In the event that IVM Privacy Committee or the data protection authorities determine that IVM or one or more of its staff failed to comply with this Privacy Policy or the data protection laws, upon recommendation of the authorities or IVM Privacy Committee, IVM will take appropriate steps to address any adverse effects and to promote future compliance.
  11. Update of this Policy.

    1. As the business and the regulatory environment change regularly, this Policy may also change. You are thus invited to consult it on a regular basis.

 

THIS POLICY IS EFFECTIVE AS OF DATE OF ITS PUBLISHING.