1.1.1 All data subjects whose personal data is collected, in line with the requirements of the General Data Protection Regulation (GDPR).
2.1.1 The GDPR Owner is responsible for ensuring that this notice is made available to data subjects prior to Arkessa collecting/processing their personal data.
2.1.2 All employees of Arkessa who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.
3 Privacy Notice
3.1 Privacy Statement
3.1.1 We understand that privacy and the security of your personal information is extremely important. For this reason, this policy sets out what we do with your information and what we do to keep it secure. It also explains where and how we collect your personal information, as well as your rights over any personal information we hold about you.
3.2 Data protection principles
3.2.1 We will comply with data protection law. This says that the personal information we hold about you must be:
• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Not kept in a form which permits identification of Data Subject and kept only as long as necessary for the purposes we have told you about.
• Kept securely and processed in a manner that ensures its security using appropriate technical an organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
• Not transferred to another country without appropriate safeguards being in place.
• Made available to Data Subjects and allow Data Subject to exercise certain rights in relation to their Personal Data.
3.3 Who are we?
3.3.1 Arkessa Limited is a technology leader in the provision of platforms, management tools and connectivity to the IoT and M2M markets.
3.3.2 When we say ‘we’ or ‘us’ in this policy, we’re generally referring to the separate and distinct legal entities that make up Arkessa Limited and Arkessa GmbH (“Arkessa”), although it does depend on the context. These include:
• Arkessa Limited (registered office: 78 Cannon Street, London, EC4N 6AF, United Kingdom)
• Arkessa GmbH (registered office: eine Gesellschaft nach deutschem Recht (Amtsgericht Kempten, HRB 14018) mit Sitz in 87616 Marktoberdorf, Alte Marktoberdorfer Str. 14, Deutschland)
3.4 What information do we collect about you?
3.4.1 Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
3.4.2 We will collect, store, and use the following categories of personal information about you:
• Information that you provide to us such as your name, title, addresses, telephone numbers, mobile numbers, email addresses, billing addresses, delivery addresses and any feedback you give to us, including by telephone, email, post, or when you communicate with us via social media.
• Your account login details, including your username.
• Information about the services that we provide to you (for example, the products and services we have provided to you, when and where, what has been paid, the way you use our products and services, and so on).
• Information about any device you have used to access our services (such as your device’s make and model, browser, or IP Address) and how you use our services. For example, we try to identify which of our features you use and when and how you use them. If you use our websites, we try to identify when and how you use those websites too.
• The details of the emails and other electronic communications you receive from us, including whether that communication has been opened and if you have clicked on any links within that communication. This is to help us improve our services and what we communicate with you.
3.4.3 There are “Special Categories” of more sensitive personal data which require a higher level of protection. We do not usually collect sensitive data about you unless there is a clear and valid reason for doing so and data protection laws allow us to.
3.5 Our legal basis for processing your personal information
3.5.1 We will only use your personal information when the law allows us to. The different legal bases we rely on are:
• Consent: You have told us that you are happy for us to process your personal information for a specific purpose.
• Legal obligation: We are required to process your personal information by law.
• Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
• Performance of a contract: We must process your personal information to perform the contract we have entered with you.
• Vital interests: The processing of your personal information is necessary to protect you or someone else’s life.
• Public task: The processing is needed in the public interest or for official purposes.
3.5.2 Where we rely on your consent, you have the right to withdraw such consent at any time. Where you withdraw consent, we will stop using your data for the specific purpose, unless we have an alternative legal basis to use it.
3.6 How do we use your information?
3.6.1 The kind of information we hold about you primarily allows us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.
3.6.2 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered with you, or we may be prevented from complying with our legal obligations.
3.6.3 We may use your information in the following ways:
• Process orders that you have submitted.
• Manage your account.
• Carrying out our obligations under any contracts entered between you and us.
• Keeping a record of your relationship with us.
• Contact you if necessary.
• Send information to you about our products and services from time to time by email or other means (subject to an objection or preference you may indicate).
• Seek your views or comments on the services we provide.
• Notify you of changes to our services.
• Analyse and produce reports, perform market research and statistical analysis and to monitor usage behaviour. We may pass this data to certain third parties.
• Enhance and personalise the products and services that we offer you and to develop new products and services.
• Help answer your questions, solve any issues, investigate any complaints or other enquiries that you submit to us.
3.6.4 Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
3.6.5 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
3.6.6 If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
3.6.7 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
3.7 Who we might share your information with?
3.7.1 We may pass your information to our third-party service providers, suppliers, agents, sub-contractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf.
3.7.2 We require third-parties to respect the security of your data and to treat it in accordance with the law.
3.7.3 We will share your personal information with third-parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
3.7.4 All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
3.7.5 We may share your personal information with our third-parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
3.7.6 We will not sell your information to third-parties nor will we share your information with third-parties for direct marketing purposes.
3.8 Keeping you informed about our products and services
3.8.1 We would like to send you information about products and services of ours which may be of interest to you from time to time. If you have consented, we may do this through email, post, text message, online, social media, app notifications or by any other electronic means.
3.8.2 Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. The information you provided will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
3.8.3 You have a right at any time to stop us from contacting you for marketing purposes, but we will still need to send you occasional service related messages. You can amend your marketing preference by selecting to un-subscribe from the message.
3.9 Data security
3.9.1 We have put in place measures to protect the security of your information. Details of these measures are available upon request.
3.9.2 We have put in place appropriate security measures to prevent your personal information from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.
3.9.3 In addition, we limit access to your personal information to those employees, agents, contractors and other third-parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
3.9.4 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
3.10 Data Retention
3.10.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
3.10.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
3.10.3 In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
3.10.4 The length of time we retain your personal information for is determined by operational and legal considerations. For example, we are legally required to hold some types of information to fulfil our statutory and regulatory obligations e.g. 6 years for accounting purposes.
3.10.5 We review our retention periods on a regular basis.
3.11 Your rights as a data subject
3.11.1 You have several rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you.
3.11.2 These include:
• Right of access – you have the right to request a copy of the information that we hold about you.
• Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete and you should do so as soon as you become aware that the data we hold is incorrect or out of date.
• Right to erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records where there is no good reason for us continuing to process it.
• Right to restriction of processing – where certain conditions apply to have a right to restrict or suspend the processing of personal information about you.
• Right to request transfer - of your personal data to you or to a third party. e will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Right to object – of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Right to withdraw consent at any time – where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
3.11.3 It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
3.11.4 If you want to review, verify, correct, or request erasure of your personal information, object to the processing of your personal data, or request that transfer a copy of your personal information to another party, please contact us using the details in the ‘How to contact us’ section below.
3.11.5 You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if you request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
3.11.6 We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
3.11.7 We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.12 Transferring your information outside of Europe
3.12.1 As part of the services offered to you, the information which you provide to us may be transferred to countries outside the European Economic Area (“EEA”). For example, this may happen if any of our or our supplier servers are from time to time located in a country outside of the EEA. You should be aware that these countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing.
3.12.2 If we transfer your information outside of the EEA in this way, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators (see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en), having our third-parties and supplier’s sign-up to an independent privacy scheme approved by regulators, for example the US “Privacy Shield” scheme (see https://www.privacyshield.gov or the recipient country being deemed to provide adequate protection by the European Commission (see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en).
3.12.3 Please access the above links for further information or contact us using the details in the ‘How to contact us’ section below.
3.13 Use of ‘cookies’
3.13.2 It is possible to switch off cookies by setting your browser preferences. For more information on how to switch off cookies on your computer visit, www.arkessa.com/cookies. Turning off cookies may result in a loss of functionality when using our websites.
3.14 Website monitoring and Recording
3.14.1 Our websites may use website recording services. These services may record mouse clicks, mouse movements, page scrolling, and any text entered website forms. The information collected does not include any sensitive personal data.
3.14.2 Data collected is for Arkessa’s internal use only for improving the usability of our services and used for aggregated and statistical reporting.
3.15 Links to other websites
3.16 How to Contact Us
3.16.1 If you would like to contact us to exercise one of your rights as set out above, or if you have a question or a complaint about this policy, or the way your personal information is processed by Arkessa (or third parties), please contact us via one of the following methods:
• Email: firstname.lastname@example.org
• Post: FAO GDPR Owner, Arkessa Limited, Riverside House, Riverside, Bishop’s Stortford, Hertfordshire, CM23 3AJ, UK
3.16.2 You have the right to lodge a complaint directly with the UK supervisory authority, the Information Commissioner. For further information visit www.ico.org/concerns to find out more.