Updated January 1, 2018
This Policy provides information regarding:
- DAC Group (“DAC”) management and protection of personal data,
- Collected from its employees for workforce management purposes
- Collected in the course of recruitment
- Collected from website visits for the purposes of operating and improving the website
- Processed and analyzed on behalf of DAC s clients.
- The process to exercise individual privacy rights regarding one’s personal data held by DAC in relation to:
- Individual access,
- Rectification, as appropriate,
- Objection to use
- Restriction of processing
- Challenging compliance
- DAC Group does not collect special categories of data such as racial or ethnic origin or health data.
I. DAC PROTECTION AND MANAGEMENT OF PERSONAL DATA
DAC collects personal data, meaning information about an identified or identifiable individual, directly from individuals, from its employees and from its website.
DAC has access to its clients’ data, without collecting it, to perform data analysis as a service to a client. In these cases, the data may be personal or anonymous. In either case, DAC never collects or stores the data.
DAC Group collects personal data from,
- its employees, with implicit consent for the purposes of human resource management including hiring, deployment, compensation, benefits, leave management, performance management, discipline and termination, as well as emergency contact;
- candidates for positions at DAC; with proper notification and implicit consent, DAC may use internet searches to perform due diligence on candidates strictly in relation to data relating to recruitment purposes.
- customers business email addresses as necessary to the business relationship
- Website users, through automatic collection of certain technical information, including IP address, device information, geo-location information, computer and network performance data and navigation history. DAC uses permanent and temporary cookies on the website. Cookies are small text files, stored on the user’s computer during the site visit. Cookies often store the settings for a website, and help DAC make the user’s experience more efficient by providing information about the visit. DAC uses permanent cookies to analyze website usage and for language preferences. DAC uses temporary (session based) cookies to improve performance and to determine web trends. DAC cookies may be disabled but this may exclude the use of some features of the website.
DAC processes personal data that its clients have collected and provided to DAC for the purposes of a contract with a client. This data is analyzed and processed exclusively under the instructions of the client in the context of the contract and in accordance with the contract. DAC uses this data to develop multi-platform and multi-channel directional marketing, display advertising and search marketing campaigns and strategies for its customers. DAC also uses this data for data analytics purposes to provide its clients with insights into their businesses and marketing campaigns and strategies.
DAC does not sell or otherwise disclose to third parties any data it holds save in the following exceptional cases:
- Should DAC receive a request from law enforcement authorities to provide personal data in its custody, it would only do so upon demonstration of lawful authority. If the data requested is held on behalf of a business customer, DAC will consult the customer unless it is prohibited to do so by law.
- Strictly as allowed by law, DAC may disclose data to another organization where it is:
- reasonable for the purposes of investigating a breach of an agreement or a contravention of the law that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
- reasonable for the purposes of preventing, detecting or suppressing fraud and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
- necessary to identify an individual who is injured, ill or deceased, to a government institution or the individual’s next of kin or authorized representative and, if the individual is alive, with notification to the individual.
- With respect to employee data, DAC may disclose personal data if it is necessary:
- to establish, manage or terminate an employment relationship, as allowed by law.
- in a prospective business transaction where DAC has entered into an agreement that:
- restricts the use and disclosure of that data solely for purposes related to the transaction
- protects the data by security safeguards appropriate to the sensitivity of the information, and
- if the transaction does not proceed, the data is returned to DAC or destroyed it within a reasonable time.
DAC may transfer personal data to suppliers and sub-contractors it employs to deliver its services and the transfer may occur across national borders. In all cases, it is subject to the following conditions:
- The transfer is solely for the purpose of assisting DAC in its service delivery and under its instructions.
- It comes under contractual clauses that ensure compliance with data protection legislation at a compatible level of protection whether DAC transfers as a collector to a processor or as a processor to a sub-processor.
- When DAC collects personal data,
- Exercises due diligence in the choice of processors to whom to transfer the data;
- Ensures compliance with data protection with contractual clauses and monitors compliance through means including inspections, audits and immediate breach reports.
- When DAC processes personal data for a client, it does so
- Exclusively under documented instructions from its business customer;
- With approval of the customer and in accordance with the SA.
4. Location of personal data
DAC stores European employee data in the United Kingdom.
Website data, client data and non-European employee personal data are stored in Canada and in the United States.
DAC is committed to data security and protects personal data through integrated physical, technological and administrative safeguards. In particular,
- All data is protected by security safeguards appropriate to the level of sensitivity of the data through (i) physical measures, such as secure areas; (ii) technical measures, such as encryption and secure servers; and (iii) organisational measures such as access policies based on the need-to-know and employee security through vetting and supervision.
- All data is retained only for as long as it is necessary for the purposes for which it was collected or transferred, in accordance with DAC Retention Schedule.
- Should DAC suffer a breach, it would implement its Incident and Breach Response Plan, including notification to individuals and or data collector, as soon as feasible.
II. PROCESSES TO EXERCISE PRIVACY RIGHTS AT DAC
1. Individual access
DAC responds to individual requests for access to one`s personal data, and for rectification as necessary for all data it holds as a collector, through new following process.
In relation to employee data and employment candidate data, the request must be addressed to the Vice-President Human Resources to respond.
In relation to website data, the request must be addressed to the Vice President, Technology, to respond.
Both will seek advice from the Data Protection Officer as necessary to ensure compliance. The DPO may be reached at DPO@dacgroup.com
- Within one month, free of charge, unless
- the volume or the complexity of the request require a longer process, where DAC will inform the requester, within one month, of the reasons for an extension and may charge a reasonable fee to cover administrative costs; or
- the request is unfounded or excessive and DAC may refuse the request with justification.
- Providing the following information:
- the purposes of the processing;
- the categories of personal data processed;
- the third parties to whom the personal data have been or will be transferred under the employment of DAC and their location;
- the criteria to determine the period for which the personal data will be stored;
- the existence of the right to request rectification or erasure of personal data and the process for it;
- the right to object to processing, as applicable;
- the right to lodge a complaint with a supervisory authority.
Rectification requests follow the same process as access requests, described above.
DAC provides rectification as soon as possible within one month. Should DAC refuse the request, it will provide justification.
3. Challenging compliance
An individual about whom DAC holds data may challenge compliance with data protection rights by filing a complaint in accordance with the process instituted for access requests and rectification requests, described above.
DAC will investigate the complaint in consultation with the office responsible for the use of the data and under the guidance of Data Protection Officer. Should the complaint be well-founded, DAC will take all appropriate measures to resolve the complaint and, if necessary, amend its practices as needed.
The Data Protection Officer may be reached at DPO@DACGroup.com
The Vice-President, Human Resources, may be reached at firstname.lastname@example.org
The Vice-President, Technology, may be reached at email@example.com.