Data controller: who are we?
PTminder (Software Minder Limited) is an innovative software company that specialises in providing cloud-based business management tools for businesses in the health and fitness industry.
Your personal data that we process is:
We declare that the personal data we collect will be used only for the following purposes:
- To improve and assist with customer service.
- To send occasional emails - the email address you provide may be used to send you information, respond to queries or handle other requests.
- To process transactions - your information, whether public or private, will not be sold, exchanged, transferred or given to any other company for any reason whatsoever without your consent, other than for the express purpose of delivering the product or service you have requested.
- To improve our product and personalise your experience.
The basis that entitles us to process your data is:
Processing is based on your consent.
Do we disclose any information to outside parties?
We do not sell, trade or otherwise transfer your personally identifiable information to outside parties. This does not include trusted third parties who assist us in operating our website, conducting our business or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others' rights, property or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising or other uses.
By accepting this Privacy Notice, you authorise us to process your personal information only for the purposes we specify. Where we ask for your consent to process special (sensitive) categories of personal data, we will always explain why and how this information will be used. You can withdraw your consent at any time.
We will retain your Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:
- The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services);
- Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
- Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
At any time while we store or process your personal data, you have the following rights:
- You have the right to request a copy of the personal data PTminder holds about you, and the right of access to your personal data at any time;
- You have the right to receive your personal data from PTminder in a format that allows it to be transferred to another controller, or to ask us to transmit it directly to another controller, without hindrance from us;
- You have the right to ask PTminder to correct, without undue delay, personal data that is inaccurate or out of date;
You have the right to request from PTminder that your personal data be deleted without undue delay in any of the following circumstances:
- personal data are no longer needed for the purposes for which they were collected;
- when you have withdrawn your consent;
- when you have objected to the processing,
- when processing is unlawful;
- where personal data must be erased in order to comply with a legal obligation under EU law or the law of a Member State that applies to us as a data controller;
- when personal data have been collected in relation to the offer of information society services.
- You have the right to ask PTminder to restrict the processing of your personal data, in which case the data will only be stored and not otherwise processed. Any refusal to restrict processing will be given in writing, and we are obliged to state the legitimate reasons for it;
- You have the right to withdraw your consent to the processing of your personal data at any time by a separate request addressed to the controller;
- You have the right to object to certain types of processing, such as direct marketing (unsolicited advertising messages);
- You have the right to object to automated processing, including profiling;
- You have the right not to be subject to a decision based solely on automated processing, including profiling;
- If we need to use your personal data for a new purpose not covered by this data protection notice, we will provide you with a new data protection notice and, where necessary, we will ask for your prior consent to the new processing.
The right to erasure does not apply where processing is necessary:
- for exercising the right of freedom of expression and the right to information;
- to comply with a legal obligation on our part or to carry out a task in the public interest;
- in the exercise of official authority vested in us (where you are a public body);
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, in so far as erasure is likely to render impossible or seriously impair the achievement of the purposes of that processing; or for the establishment, exercise or defence of legal claims.
You have the right to complain to the supervisory authority
If you wish to file a complaint about the processing of your personal data by PTminder (including its recipients, whether inside or outside the EU, and international organisations), you can do so by contacting PTminder or the Data Protection Officer directly (contact details listed below).
Data Protection Officer
Address: PO Box 25600, St Heliers 1740, Auckland, New Zealand.
General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 (General Data Protection Regulation) replaces Data Protection Directive 95/46/EC. It has direct effect and requires changes to the national legislation of the Member States in the field of personal data protection. Its purpose is to protect the "rights and freedoms" of individuals and to ensure that personal data are not processed without their knowledge and, where possible, are processed with their consent.
Material scope (GDPR Article 2) - the Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing by other means (for example, manually and on paper) of personal data which form part of a filing system or are intended to form part of a filing system.
Territorial scope (GDPR Article 3) - the GDPR applies to all controllers established in the EU that process personal data in the context of their activities. It also applies to controllers not established in the EU that process the personal data of data subjects in the EU in order to offer them goods or services, or to monitor their behaviour within the EU.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Data subject means any natural person who is the subject of personal data held by the controller.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Main establishment - for a controller in the EU, the place of its central administration, being the place where the basic decisions about the purposes and means of its data processing activities are taken. For a processor, its main establishment in the EU is the place of its central administration (Article 4(16) of the GDPR).
A controller not established in the EU that falls within the territorial scope of the GDPR must designate a representative in one of the Member States where its data subjects are, to act on its behalf and deal with the supervisory authorities (Article 27 of the GDPR).
Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- The management of PTminder undertakes to ensure compliance with EU and Member State legislation on the processing of personal data and the protection of the "rights and freedoms" of the persons whose personal data PTminder collects and processes under the General Data Protection Regulation (Regulation (EU) 2016/679).
- Other relevant documents, as well as the related processes and procedures, are described in this policy in accordance with the GDPR.
- Regulation (EU) 2016/679 and this policy shall cover all processing functions of personal data, including those relating to the personal data of clients, employees, suppliers and partners, and any other personal data that the organization processes from different sources.
- The Data Protection Officer is responsible for reviewing the Register of Processing Activities annually in the light of any changes in the activities of PTminder, as well as any additional requirements identified by data protection impact assessments. This register must be made available to the supervisory authority on request.
- This policy applies to all employees and workers of PTminder, and to stakeholders such as external suppliers. Any violation of the GDPR will be treated as a disciplinary matter and, where a crime is suspected, the matter will be referred to the relevant state authorities as soon as possible.
- Partners and third parties who work with or for PTminder and who have, or may have, access to personal data are expected to read, understand and comply with this policy. No third party may access personal data held by PTminder without first entering into a data privacy agreement that imposes on the third party obligations no less stringent than those PTminder itself has assumed, and that entitles PTminder to check compliance with the obligations imposed by the agreement.
- PTminder acts as both a data controller and a data processor under Regulation (EU) 2016/679.
- Compliance with data protection legislation is the responsibility of all employees of PTminder who process personal data.
- The training policy of the PTminder (GDPR_POL_02) specifies the specific training and information requirements in relation to the specific roles of the employees of PTminder.
All processing of personal data must comply with the data protection principles set out in Article 5 of the GDPR (Regulation (EU) 2016/679). The policies and procedures of PTminder aim to ensure compliance with these principles.
1. Personal data must be processed lawfully, fairly and transparently
Lawfulness - PTminder must identify a legal basis before it processes personal data. These are often referred to as "grounds for processing", such as "consent".
Fairness - for processing to be fair, the data controller must make certain information available to data subjects as far as is practicable. This applies irrespective of whether the personal data are obtained directly from the data subjects or from other sources.
Regulation (EU) 2016/679 increases the requirements for the information that must be made available to data subjects; these are covered by the "transparency" requirement.
Transparency - the GDPR includes rules on the provision of privacy information to data subjects in Articles 12, 13 and 14. They are detailed and specific, emphasising that privacy notices must be understandable and accessible. Information must be communicated to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The specific information to be provided to the data subject must include as a minimum:
- Data identifying the controller and contact details of the controller and, if applicable, of the controller's representative;
- the contacts of the DPO;
- the purposes of the processing for which the personal data are intended and the legal basis for the processing;
- the period for which personal data will be stored;
- the existence of the following rights: access to the data, rectification, erasure (right to be forgotten), restriction of processing, objection to processing, and data portability;
- categories of personal data;
- recipients or categories of recipients of personal data, where applicable;
- where applicable, whether the controller intends to transfer personal data to a third country or an international organisation, and the safeguards applied;
- any further information necessary to ensure fair and transparent processing.
2. Personal data may only be collected for specific, explicit and legitimate purposes
Data obtained for specific purposes must not be used for a purpose that differs from those recorded in PTminder's Register of Processing Activities (Article 30 GDPR), which is made available to the supervisory authority on request. The Transparency Procedure for the Processing of Personal Data defines the relevant rules.
3. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (principle of data minimisation)
- The Data Protection Officer (DPO) is responsible for ensuring that PTminder does not collect information that is not strictly necessary for the purpose for which it is obtained.
- The Data Protection Officer (DPO) will ensure that all data collection methods are reviewed annually (by internal audit or external experts) to confirm that the data collected continue to be adequate, relevant and not excessive.
4. Personal data must be accurate and kept up to date, and every reasonable step must be taken to ensure that inaccurate data are erased or rectified without delay (within the limits of available technical solutions)
- The data stored by the data controller should be reviewed and updated as necessary. Data should not be stored in cases where it is unlikely to be accurate.
- The Data Protection Officer is responsible for ensuring that all staff are trained in the importance of accurate data collection and maintenance.
- It is also the duty of the data subject to declare that the data they provide to PTminder for storage are accurate and up to date. Any form completed by the data subject for the controller will include a statement that the data contained in it are accurate at the filing date.
- Employees, clients and others should be required to notify PTminder of any change in circumstances so that the personal data records can be updated. Instructions and rules for updating the records are contained (here). It is PTminder's responsibility to ensure that any notification of a change in circumstances is recorded and acted upon.
- The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to maintain the accuracy and timeliness of personal data, taking into account the volume of data collected, the speed at which it can change, and other relevant factors.
- At least annually, the Data Protection Officer will review the retention periods of all personal data handled by PTminder, by reference to the data inventory, and will identify all data that are no longer required for the registered purpose. These data will be securely destroyed in accordance with PTminder's procedures and rules.
- The Data Protection Officer (DPO) is responsible for responding to data subject requests within one month, which can be extended by a further two months where necessary. If PTminder decides not to comply with a request, the Data Protection Officer must respond to the data subject explaining the reasons, and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.
- The Data Protection Officer is responsible for taking appropriate measures where third-party organisations hold personal data that are inaccurate or out of date: informing them that the information is inaccurate or obsolete and must not be used to make decisions about the individuals concerned, and forwarding any correction of personal data to the recipients concerned, including those in third countries, where necessary.
5. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
- Where personal data are retained after the processing has ended, they will be stored appropriately (minimised, encrypted, pseudonymised) to protect the identity of the data subject in the event of a data breach.
- Personal data will be stored in accordance with the Data Storage and Destruction Procedure and after the storage period has passed, they must be reliably destroyed by the procedure specified in this procedure.
- The Data Protection Officer must specifically approve any retention of data beyond the retention period defined in the Data Storage and Destruction Procedure, and must ensure that the justification is clearly documented and complies with the requirements of data protection legislation. This approval must be given in writing.
6. Personal data must be processed in a way that ensures appropriate security (Articles 24 and 32 of the GDPR)
The Data Protection Officer will carry out an impact assessment (risk assessment) taking into account all circumstances relating to the data management and processing operations of PTminder.
In determining the appropriateness of security measures, the Data Protection Officer should also consider the extent of any damage or loss that individuals (for example, staff or customers) might suffer if a security breach occurred, as well as any likely damage to the reputation of the controller, including a possible loss of customer confidence.
When assessing appropriate technical and organisational measures, the Data Protection Officer will consider the following:
- Password protection;
- Automatic locking of idle workstations in the network;
- Restricting access to USB and other removable storage media;
- Antivirus software and firewalls;
- Role-based access rights, including for temporary staff;
- Protection of devices that leave the organisation's premises, such as laptops;
- Security of local and wide-area networks;
- Privacy-enhancing techniques such as pseudonymisation and anonymisation;
- Identification of international security standards appropriate for PTminder;
- Levels of appropriate training in PTminder
- Measures that take into account staff reliability (for example, appraisals, references, etc.);
- Inclusion of data protection obligations in employment contracts;
- Identification of disciplinary measures for data processing violations;
- Regular checks of staff compliance with the relevant security standards;
- Control of physical access to electronic and paper-based records;
- Adoption of a "clean desk" policy;
- Storage of paper records in lockable cabinets;
- Restrictions on the use of portable electronic devices outside the workplace;
- Limits on employee use of personal devices in the workplace;
- Adoption of clear rules for creating and using passwords;
- Regular backup of personal data and off-site physical storage of the backup media;
- Imposition of contractual obligations on counterparty organisations to take appropriate security measures when data are transferred outside the EU.
7. Compliance with the principle of accountability
Regulation (EU) 2016/679 includes provisions that promote accountability and governance and complement the transparency requirements. The accountability principle in Article 5(2) requires the controller to be able to demonstrate compliance with the other principles of the GDPR, and states explicitly that this is the controller's responsibility.
PTminder will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing appropriate technical and organisational measures, and adopting data protection by design and by default, data protection impact assessments, a personal data breach notification procedure, etc.
8. Rights of data subjects
Data subjects have the following rights in respect of the processing of their data and the data recorded about them:
- To ask for confirmation of whether personal data concerning them are being processed and, if so, to access the data and be told who the recipients of that data are;
- Request a copy of their personal data from the controller (administrator);
- Ask the controller (administrator) to correct personal data when they are inaccurate and when they are no longer up to date;
- Require the controller (administrator) to delete personal data (right to be forgotten);
- Ask the controller (administrator) to limit the processing of personal data, in which case the data will be stored but not processed;
- To object to the processing of his or her personal data;
- To object to the processing of personal data relating to him / her for direct marketing purposes.
- Complain to a supervisory authority if they believe that any provision of the GDPR has been violated;
- Request and be given personal data in a structured, widely used and machine-readable format;
- Withdraw their consent to the processing of personal data at any time by a separate request addressed to the controller;
- Not to be subject to decisions based solely on automated processing that significantly affect them, without human intervention;
- Object to automated profiling carried out without their consent.
You can request to exercise these rights by emailing firstname.lastname@example.org. We will process your request within 30 days of receipt. Note that we may require proof of identity before we process your request.
9. Consent
- PTminder understands consent to mean any freely given, specific, informed and unambiguous indication of the data subject's wishes by which, by a statement or a clear affirmative action, he or she signifies agreement to the processing of personal data relating to him or her. The data subject may withdraw consent at any time.
- PTminder treats "consent" as valid only where the data subject has been fully informed of the planned processing and has expressed agreement without pressure being exerted on him or her. Consent obtained under pressure or on the basis of misleading information is not a valid basis for the processing of personal data.
- Consent cannot be inferred from a failure to reply to a message sent to the data subject. There must be active communication between the controller and the data subject for consent to exist. The controller must be able to demonstrate that consent has been obtained for the processing operations.
- For special categories of data, explicit consent in writing must be obtained from data subjects before processing, unless there is an alternative legal basis for the processing.
- In most cases, consent for the processing of personal data and special categories of data is routinely obtained by PTminder using standard consent documents (please specify) when a new client signs a contract, when new staff are recruited, etc.
- When PTminder processes the personal data of children, consent must be obtained from the holder of parental responsibility (parent, guardian, etc.). This requirement applies to children under the age of 16 (unless the Member State has provided for a lower age limit, which may not be less than 13 years).
10. Data security
- All employees and workers are responsible for ensuring the security of the data in their care that PTminder holds, and for ensuring that the data are stored safely and not disclosed to third parties under any circumstances, unless PTminder has granted such rights to the third party through a contract or confidentiality clause (please indicate here if you have any such).
- All personal data must be accessible only to those who need them, and access may be granted only in accordance with the established access control rules. All personal data must be treated with the utmost confidentiality and must be kept:
- in a separate room with controlled access, and/or in a locked cabinet or filing cabinet; and/or
- if held electronically, password-protected in accordance with the internal requirements set out in the organisational and technical measures for controlling access to information (for example, the access control rules); and/or
- on portable computer media that are protected in accordance with the organisational and technical measures for controlling access to information.
- Arrangements must be made to ensure that computer screens and terminals cannot be viewed by anyone other than authorised PTminder employees. All employees and workers must be trained in, and accept the relevant contractual clauses or declaration of compliance with, the organisational and technical access control measures and the rules for locking workstations before being given access to information of any kind.
- Paper-based records must not be left where they can be accessed by unauthorised persons and cannot be removed from the designated office premises without explicit permission. As soon as paper documents are no longer required for ongoing customer support work, they must be destroyed in accordance with the established procedure and rules and the relevant protocol.
- Personal data may be erased or destroyed only in accordance with the Data Storage and Destruction Procedure. Paper records that have reached the end of their retention period must be shredded and destroyed as "confidential waste". Data on the hard disks of decommissioned PCs must be securely erased, or the disks destroyed, according to the established rules and procedures.
- Processing personal data "outside the office" carries a potentially greater risk of loss, theft or breach of personal data. Staff must be specifically authorised to process data outside the controller's premises.
11. Disclosure of data
- PTminder must ensure that personal data are not disclosed to unauthorised third parties, including family members, friends, government bodies and even investigators, where there is reasonable doubt that the request is being made in accordance with the established legal procedure. All employees and workers should be cautious when asked to disclose personal data held about one person to another person or to a third party. It is important to consider whether the disclosure is related to the needs of the organisation's activities. Special training and periodic briefings are required in order to avoid the risk of such an offence.
- All requests from third parties for data must be supported by appropriate documentation, and any such disclosure must be specifically authorised by the Data Protection Officer.
12. Data storage and destruction
- PTminder does not store personal data in a form that permits identification of data subjects for longer than is necessary for the purposes for which the data were collected.
- PTminder may store data for longer periods only where the personal data are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, and only subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
- The retention period for each category of personal data will be set out in the Data Storage and Destruction Procedure, together with the criteria used to determine that period, including any legal obligation on PTminder to retain the data.
- PTminder will apply the Data Storage and Destruction Procedure in all cases, together with the rules for destroying information on unused recording media (where such rules have been adopted).
- Personal data must be destroyed securely, in accordance with the principle of ensuring an appropriate level of security (Article 5(1)(f) of the GDPR), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organisational measures ("integrity and confidentiality").
13. Data Processing Register (Data Inventory)
- PTminder has established a data inventory process as part of its approach to addressing risks and opportunities in complying with Regulation (EU) 2016/679. The inventory of the data held by PTminder and the mapping of its data flows identify:
- business processes that use personal data;
- the sources of personal data;
- the number of data subjects;
- a description of the categories of personal data and elements in each category;
- processing activities;
- the purposes of the processing for which the personal data are intended;
- the legal basis for the processing;
- recipients or categories of recipients of personal data;
- Main systems and storage locations;
- any personal data that is subject to transfers outside the EU;
- storage and deletion times.
- PTminder is aware of the risks associated with the processing of certain types of personal data.
- PTminder assesses the level of risk to individuals arising from the processing of their personal data. Data protection impact assessments are carried out for the processing of personal data by PTminder and for processing undertaken by other organisations on behalf of PTminder.
- PTminder manages all risks identified by the impact assessment in order to reduce the likelihood of non-compliance with these rules. Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing, PTminder must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data before proceeding. A single impact assessment may cover a set of similar processing operations that present similar high risks.
- Where the impact assessment makes clear that PTminder is about to process personal data that, owing to a high risk, could cause harm to data subjects, the decision on whether or not the processing should proceed must be submitted to the Data Protection Officer for review.
- If the DPO has serious concerns about the potential harm or danger, or about the volume of data involved, the matter should be escalated to the supervisory authority.
- The Data Protection Officer will carry out a periodic (annual) review of the initial data inventory and of the information entered in the Register of Processing Activities, in the light of any changes in the activities of PTminder.