Updated 7 September 2018
Introduction
We, “Principle” (“Principle Global Ltd”, “Principle Holdings Ltd”, “Principle Systems Ltd”, “Principle GMBH”, “Principle USA Inc”, “Principle Services SA de CV”, “Principle Mexico SA de CV”, “Principle Link (UK) Ltd”, “Principle Spira Ltd”, “Principle Italy Spa”, “Principle France SARL”, “Principle Global (Shanghai) Trading Co.”, “Principle India (Private) Ltd”, “we”, “our”, “us”) are committed to ensuring that your personal data is used correctly and in accordance with the highest standards of Data Protection Law.
This Privacy Policy (“Policy”) explains in detail the types of personal data we may collect about you and what we do with your personal data. It also set outs what we do to keep your personal data secure, as well as your rights in relation to the personal data we hold about you.
Principle Group means Principle Global Limited a holding company of Principle Holdings Limited, and its branches, subsidiaries, joint ventures, trading companies and affiliate companies set out in the “Definitions and Glossary” section of this Policy.
Please see the “Definitions and Glossary” section to understand the meaning of some of the terms used in this Policy.
PrincipleGlobal.com, PrincipleReach.com, PrincipleConnect.com and Principle-360.com are operated through Principle Systems Ltd, a company headquartered in the United Kingdom, and are provided to Principle offices (as per the Principle Group listing in Definitions and Glossary). Your contract for services may be through one of our group organisations located throughout the world as shown in our Definitions and Glossary.
As a global organisation, we may store and utilise services and information in geographical territories throughout the world, including (but not limited to) the United Kingdom, European Economic Area and the United States of America. We take the privacy and storage of your personal information very seriously and only handle and utilise it in accordance with Data Protection Law, which may vary based on your geographical location or citizenship status.
What personal data do we collect?
Information you provide us when you use our Services or contact our team:
- Personal details such as your name, your company details, job role or function, telephone number and email address.
Information we collect about you when you use our Services:
- Details of the transactions you carry out when using our Services, including geographic location from which the transaction originates.
- If you have a PrincipleReach.com, PrincipleConnect.com or Principle-360com online account, we will collect and keep encrypted records of your username and password.
- We will keep information relating to your job function and role, your address location, project information associated with our commercial dealings, delivery information, email exchanges or other project associated paperwork and communications.
- In relation to our websites, we will log your Internet protocol (IP) address so that it is recognised next time you visit and we will hold details of successful logins to our system, for audit and compliance purposes.
We will update the information we hold on you as and when you provide it to us during our communications with you. However, whenever possible, you should advise us if information we hold on you needs updating or is no longer accurate.
Information we collect about you when you use our Services or contact our team:
- When you visit any of our websites
- When you make an enquiry about our Services or open an account with us online, over the telephone, by post, email or via an approved commercial contract.
- When you have given a third party permission to share with us, your personal data.
- When you report a problem, make a query or issue a complaint about our Services.
- In the course of your relationship with us, you may occasionally speak with our employees (or persons acting on our behalf) by telephone. To ensure that we provide a quality service, your telephone calls may be recorded.
- During business-to-business correspondence over telephone, email, post or in person.
- When you visit any one of our PrincipleGlobal.com, PrincipleReach.com, PrincipleConnect.com or Principle-360.com websites.
The “lawful basis” we rely on to process your personal data
European Union Data Protection Law sets out the lawful basis that organisations, businesses and governments can rely on to collect and process personal data. Depending upon your geographical location and citizenship status, the application of the lawful basis may apply to you;
Consent
This means processing your personal data where you have explicitly given us permission to do so.
Performance of a Contract
This means processing your personal data in order to fulfil our contractual obligations with you.
Legal Obligations
This means processing your personal data where it is necessary for compliance with a legal or regulatory obligation to which we are subject.
Legitimate Interests
This means processing your personal data where we or a third party have a legitimate interest to do so. We make sure we consider and balance any potential impact on your rights before we process your personal data for our legitimate interests. Where our interests are overridden by a negative impact on your rights, we will not process your personal data.
How do we use your Personal Data?
We may process your personal data for the following purposes, depending on how you interact with us.
1. To complete the delivery of our services (“Services”)
Without your personal data, we would not be able to facilitate your requirements, provide you with a login to our management portals or provide you with relevant and pertinent information associated with your contracted commercial services.
2. To respond to your queries and complaints.
Without your personal data, we would not be able to effectively respond and handle queries or complaints. We may keep a record of our correspondence to demonstrate how we communicated with you throughout. We will do this on the basis of our legitimate interests and our legal obligations.
3. To comply with our legal and regulatory obligations
In order to meet our legal, regulatory and commercial requirements, we are required to carry out regular checks in order to prevent and detect security issues/breaches, ensure that your information is relevant and current. We are also required to send you communications known as ‘service messages’ in order to inform you about changes to the services we provide you. These service messages will not include any promotional content and cannot be unsubscribed from.
4. To analyse, test and improve our systems and databases
We may use your personal data to ensure that our systems are tested thoroughly. This ensures that the system can cope with comparable volumes of information, that a wide range of realistic scenarios are covered, and that the test will reflect all the possible combinations that occur in the real environment. Test systems are isolated from external networks to ensure that live systems are not compromised. In addition, to ensure data is not compromised, we carry out various risk assessments, and have implemented safeguards to ensure data security. We will do this on the basis of our legitimate interests. Data within the development and test platforms are appropriately anonymised.
5. To develop new and improved products and services, including conducting market research and product analysis
For this purpose, we will use cookies to personalise your current and next visits to our websites and to measure volumes and patterns of website usage. Full information can be found in our Cookie Policy. This includes information on how to adjust your browser settings to accept or reject cookies. Please note that our websites rely significantly on the correct execution of cookies and therefore reducing their effectiveness may cause operational incompatibilities and ability to execute the project platform correctly or completely. We will do this on the basis of our legitimate interests.
If you sign up to receive email Newsletters from us we will use the information you give us to provide the service(s) you have requested. We may occasionally contact website users and newsletter subscribers to help us evaluate and improve the services that we offer. If you receive the HTML-formatted email version of a communication or newsletter, your opening of the email is notified to us and saved. Your clicks on links in the email are sometimes also saved. These and the open statistics are used in aggregate form to give us an indication of the popularity of the content and to help us make decisions about future content and formatting.
6. For training and quality purposes
We are continually reviewing the quality of the services we provide in order to improve your experience with Principle. We will do this on the basis of our legitimate interests.
Who do we share your personal data with?
We may share your personal data with the following entities for the purposes described in this Policy:
1) Principle subsidiaries, overseas branches and affiliate companies
A complete and up-to-date list can be found in the “Definition and Glossary” section of this Policy.
2) Third party service providers
This includes:
- Companies who support and maintain our website, databases and other business systems; including group organisations.
- Companies who perform functions on our behalf in the areas of IT development, IT support, back office, compliance and finance.
3) Public authorities
This will only be in response to lawful requests made from public authorities in order to meet national security, public interest or law enforcement requirements. As we are an international organisation, this may include law enforcement agencies in locations outside of your physical location or territory.
4) Other third parties
Principle will not provide your personal details to third party organisations unless there is a legal basis upon which to do so and it does not contravene your legitimate personal rights and freedoms.
Please note our websites may, from time to time, contain links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, it is likely that these websites have their own privacy policies and you should be aware that we do not accept any responsibility for them. Please check these policies before you submit any personal data to these websites.
Sharing your personal data outside the European Economic Area
The personal data that we collect from you may be transferred to, and stored at, destinations both in and outside the European Economic Area (“EEA”).
Where processed outside the EEA, we will take appropriate steps to ensure your personal data still receives a level of protection that is consistent with European data protection standards. For example, we will only share your personal data outside the EEA if we have an EU approved model clauses agreement in place or if the third party receiving your personal data has signed up to an EU approved data sharing mechanism such as the EU-US Privacy Shield scheme.
How do we protect your personal data?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Personal data is protected by a defence in depth security programme that is aligned to best practice found in International Organisation for Standardisation and National Institute of Standards Technology (NIST) documentation. Protections may include, but are not limited to, mature access control (with strict procedures around privileged access), network segmentation, standard security appliances (firewalls, IPS, AV), secure configuration and system hardening, weekly vulnerability assessments and periodic penetration tests, documented processes and procedures, DLP protection, rogue detection, and monthly rolling patch management and vulnerability remediation. We don’t provide payment card services within our site framework. We also secure access to all transactional areas of our websites and applications using ‘https’.
We provide our employees with training and detailed information about our data handling practices through internal company policies such as our Data Protection Policy. All employees have to certify that they have read and understood the contents of our Data Protection Policy where is reviewed and updated on an annual basis. As well as our data protection policy, which governs how we process data throughout the Principle group of companies, we have a separate suite of internal policies which govern areas such as information security and information classification.
How long will we keep your personal data?
Whenever we collect or process your personal data, we will only keep it for the purpose for which it was collected and in accordance with our legal and regulatory obligations. In most cases, our retention period for your personal data will come to an end six years after the end of your relationship with us.
Inactive Accounts
If you have not used your account for more than 3 months, it will be flagged as inactive and we’ll contact you to ask whether you want to keep it open. After 2 years of inactivity, or as indicated by the end of our commercial agreement with your project and/or organisation, we will close and deactivate your account.
Closed Accounts
If you inform us you longer wish to have a PrincipleReach.com, PrincipleConnect.com or Principle-360.com account, we will close and deactivate your account.
At the end of the retention period, your personal data will either be anonymised (so that it can only be used in a non-identifiable way for statistical analysis, business planning), made inaccessible or unintelligible (for system integrity purposes) deleted completely or where indicated in your commercial agreement with you, returned to you.
Your Data Protection Rights
You have a number of rights under Data Protection Law which, in certain circumstances, you may be able to exercise in relation to the personal data we process about you. These rights may or may not be legally applicable to your depending upon your geographical location or citizenship status, this includes:
Right to Access: You have a right to receive a copy of the personal data we hold about you. This is commonly known as a Data Subject Access Request.
Right to Data Portability: You have a right to receive certain information you have provided to us in a ‘machine-readable’ format and/or request that we transmit it to a third party.
Right to Erasure: You have a right to request that we erase your personal data. However, we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right to Object: In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data (which we will notify you of).
Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority. Further details can be found in the “Contact Us” section of this Policy.
Right to Rectification: Where your personal data is inaccurate, out-of-date or incomplete, you have the right to request an amendment to it.
Right to Withdraw Consent: Where you have given us your consent to process your personal data, you have the right to change your mind at any time and withdraw that consent.
If you wish to exercise any of these rights, please get in touch by using the details in the “Contact” section below. Please note we will ask you to verify your identity before proceeding with any request you make.
Contact
You can direct any questions or complaints about the use or disclosure of your personal data to us at:
Data Controller
Email: DataController@principleglobal.com
Telephone: +44 (0)1484 430 003
Post: Principle House, Tandem Industrial Estate, Huddersfield, United Kingdom, HD5 0AL
If you feel that your personal data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data you may have the right to lodge a complaint with the United Kingdom’s Information Commissioner’s Office. These rights may be subject to your geographical location or citizenship status; particularly if you are a not a European citizen.
You can contact the UK Information Commissioners Office by calling +44 (0)303 123 1113 or visiting www.ico.org.uk.
If you are based outside the United Kingdom, you may have rights to lodge your complaint with the relevant data protection authority in your country of residence or citizenship.
For other matters, please contact your Account Executive or your usual point of contact.
Glossary and Definitions
Data Protection Law
This means the EU General Data Protection Regulation 2016/679 (as amended and replaced from time to time), the EU Privacy and Electronic Communications Directive 2002/58/EC (as amended by Directive 2009/136/EC and as amended from time to time) and any national implementing legislations (as amended and replaced from time to time).
European Economic Area
The means the countries of the European Union and members countries of the European Trade Association. A complete list of applicable countries can be found at: https://www.gov.uk/eu-eea
Principle Group
This means Principle Global Ltd, Principle Holdings Ltd, Principle Systems Ltd, Principle USA Inc, Principle Mexico SA de CV, Principle Link (UK) Ltd, Principle Spira Ltd, Principle Italy Spa, Principle France SARL, Principle Global (Shanghai) Trading Co., Principle India (Private) Ltd, Principle Australia (franchise), Principle Russia (franchise), Principle South Africa (franchise), Principle Brazil (franchise), Principle Japan (franchise), Principle Services SA de CV, Principle GMBH. For full details including company registration numbers and addresses please contact us on DataController@principleglobal.com
Personal Data
This means information that can be used to directly or indirectly identify a living person.
Process, Processing, Processed
This means operation or set of operations which are performed on data. This includes collecting, viewing, recording, organising, structuring, storing, using and destroying.
Referring Partner
This means an entity who has referred an individual or company to a Principle Group establishment in order to engage in our services.
Services
This means our PrincipleReach.com, PrincipleConnect.com and/or Principle-360.com website, platform, application or project management services.
Changes
We reserve the right to amend this Policy from time to time in order to be consistent with Data Protection Law requirements. Where we do make significant changes to this Policy, we will take appropriate steps to bring those changes to your attention.