Dedalus’ Commitment to the Protection of Personal Information.
The Commitment is designed to ensure that Personal Information will be protected regardless of geography or technology, when used within the Dedalus Group, and applies to Dedalus’ processing of Personal Information and Dedalus Customer Personal Information.
Processing Personal Information
Dedalus observes the following principles when processing Personal Information:
Fairness: DEDALUS will process Personal Information fairly and lawfully.
Purpose: DEDALUS will limit the processing of Personal Information to the fulfilment of DEDALUS’ specific, legitimate purposes. DEDALUS will only carry out processing that is compatible with such purposes unless DEDALUS, or its Customer where DEDALUS is a processor, has unambiguous consent for unrelated purposes.
In general, DEDALUS will process Personal Information:
where DEDALUS has a legitimate interest that, on balance, justifies the processing;
where necessary for the maintenance or the performance of a legal relationship between DEDALUS and the individual;
where necessary for complying with an obligation imposed on DEDALUS by applicable law, regulation, or governmental authority;
where there are exceptional situations that threaten the life, health or security of the individual or of another person;
after obtaining the individual’s freely given, explicit and informed consent where required by applicable law;
where the processing is in connection with a Customer service agreement.
Where consent has been obtained directly by DEDALUS, DEDALUS will provide a process to allow individuals to withdraw their consent to the extent required under applicable law, at any time and without charge.
Proportionality: DEDALUS will limit the processing of Personal Information to that which is adequate, relevant and not excessive in relation to the purposes for which DEDALUS collects and uses it.
Information Quality: DEDALUS will take reasonable steps to, and where DEDALUS is a processor provide Customers with a means to, ensure that Personal Information is accurate and kept up to date, to keep Personal Information only for as long as necessary for the purposes for which it is collected and used, and to delete or to render it anonymous after such retention requirements have been met.
Transparency: Where required by applicable law, DEDALUS will make available to individuals at the point of collection, or within a reasonable period of collection, information about DEDALUS’ identity; the purposes and legal basis of processing their Personal Information; intended recipients and cross-border data transfers; source(s) of Personal Information; how individuals may exercise their rights regarding Personal Information; contact details for the Data Protection Officer where applicable; and additional explanations as needed to ensure fair processing. Where DEDALUS collects Personal Information through the Internet or other electronic means, DEDALUS will post an easily accessible privacy notice that meets these transparency requirements.
Confidentiality: DEDALUS will maintain the confidentiality of Personal Information it processes, except where disclosure is required by an applicable operational or legal requirement. This obligation will continue even after the relationship with the individual, or Customer where DEDALUS is a processor, has ended.
Security: DEDALUS strives to protect Personal Information with appropriate technical and organizational measures to ensure its integrity, confidentiality, security and availability. DEDALUS will inform individuals of a security breach affecting their DEDALUS Personal Information that could pose a high risk to their individual rights and freedoms. In accordance with applicable law, DEDALUS will provide reasonable assistance to Customers, where DEDALUS is a processor, to ensure the security of their processing and will inform DEDALUS Customers of a security breach of DEDALUS Customer Personal Information as required under such laws.
Sharing and/or Transferring Personal Information
DEDALUS may share or transfer Personal Information in the following circumstances:
Personal Information may be shared within the DEDALUS Group for the purposes specified above, provided the DEDALUS Group entity processing Personal Information adheres to this Commitment.
DEDALUS may provide Personal Information to selected suppliers or service providers hired to perform certain processing or other services on its behalf. DEDALUS will strive to ensure that new supplier engagements provide for processing of Personal Information in a manner consistent with this Commitment and applicable law by means of a legal relationship established through a contract or other legally permissible means. Under such contracts, suppliers must implement adequate security measures and may only process Personal Information in accordance with DEDALUS’s instructions.
DEDALUS may disclose certain Personal Information to other third parties where required by law, to protect DEDALUS’s legal rights, or in connection with any DEDALUS merger or acquisition activity or the insolvency or re-organization of any part of DEDALUS.
Processing of Sensitive Personal Information
Where DEDALUS processes and/or transfers Sensitive Personal Information DEDALUS will inform the individual of the processing and/or transfer and obtain explicit consent for such processing and/or transfer when DEDALUS is required to do so by applicable law. Appropriate security measures will be provided depending upon the nature of this information and the risks associated with its intended uses.
DEDALUS is accountable for fulfilling the requirements sets out in the Commitment and under applicable law. In particular, DEDALUS will:
take the necessary measures to observe the requirements of the Commitment and applicable law; and
have the necessary internal mechanisms in place to demonstrate such observance, including maintaining a record of its processing activities in accordance with applicable law.
DEDALUS employs privacy practices designed to support its compliance with the Commitment and applicable law, including the appointment of a network of privacy leaders, education and awareness programs, incident response protocols, privacy impact assessments, audit routines and a Privacy by Design approach to process and system development.
In accordance with applicable law, an individual who has satisfactorily established his or her identity to DEDALUS may exercise the following rights in relation to Personal Information DEDALUS has collected directly from him or her; where DEDALUS is a processor, DEDALUS will assist the Customer in meeting its privacy obligations toward individuals:
Access: Where required by applicable law, DEDALUS will provide an individual Personal Information about him or her that DEDALUS holds, including information concerning the source of the Personal Information, the purposes of any processing by DEDALUS and the recipients, or categories of recipients, to whom such Personal Information is disclosed.
Correction and Deletion: Valid requests for correction or deletion of Personal Information which is incomplete, inaccurate or excessive will be respected, and confirmed as such, except that deletion will not be performed where retention is required by the contractual relationship between DEDALUS and the individual, in the context of a legal dispute or other legal retention requirement, or as otherwise required by applicable law.
Objection: DEDALUS will cease processing Personal Information where an individual’s objection is justified under applicable law, for example where the individual’s life or health is at risk due to the processing. An individual also has the right to object to decisions based solely on automated processing of Personal Information that produce legal effects which significantly affect the individual involved, except where the individual requested the processing, or when necessary for the legal relationship between DEDALUS and the individual. In the latter case, the individual may give his or her views on the automated decision. An individual has the right to object to processing of Personal Information by DEDALUS for marketing purposes where allowed by applicable law. The exercise of this right to object may be superseded where DEDALUS can demonstrate that its compelling legitimate interest in continuing the processing overrides the interests or fundamental rights and freedoms of the individual.
Restriction: An individual also has the right to request the restriction of any processing of his or her DEDALUS Personal Information by DEDALUS, to the extent such right is provided for under applicable law, for example where the accuracy of the DEDALUS Personal Information is contested. DEDALUS will cease processing such information where the restriction is justified, with the exception of storage and other permitted continued processing under applicable law.
Complaints: Any individual who claims to have suffered damage as a result of non-compliance by a DEDALUS Group entity with the Commitment may file a complaint with the applicable DEDALUS Group Privacy Leader or Compliance Officer, or with DEDALUS’ Complaint Handling Processes available on DEDALUS’ websites if other channels are unavailable or exhausted: firstname.lastname@example.org,
If DEDALUS considers the complaint to be justified, it will take reasonable steps to resolve the complaint to the reasonable satisfaction of the individual. DEDALUS endeavors to respond to complaints within thirty days of receipt.
Enforcement: An individual who has suffered damages as a result of a breach of the Commitment may be entitled to receive compensation for such damages in accordance with applicable law and as provided in the Commitment. An individual who is entitled to receive compensation may enforce his or her rights as provided in the Commitment by direct recourse to the courts or other judicial authority in accordance with applicable law.
Cooperation with Supervisory Authorities
DEDALUS will cooperate with any competent national or regional supervisory authority responsible for supervising applicable privacy law that has good cause to question any processing of Personal Information by DEDALUS, and will comply with such competent supervisory authority’s decisions on any issue related to the Commitment.
Changes to the Commitment
DEDALUS reserves the right to modify the Commitment. Any material changes will be submitted to DEDALUS’ lead Data Protection Authority and/or its Trustmark agent, where appropriate, and will be notified on DEDALUS’s website.