01 Overview and Scope


ThisPolicy and supporting Procedures are designed to provide Primetric with a documentedand formalized process for protecting individuals’ privacy. Respect for theprivacy of personal and other information is fundamental to Primetric. This privacypolicy describes Primetric's collection of personally identifiable information(PII) from users of Primetric's Website("Website" or "Site"), Primetric's platform, andall related applications, widgets, software, tools, and other services providedby Primetric and on which a link to this Policy is displayed(collectively, together with the Website, our "Service"). This Policyalso describes Primetric's use and disclosure of such information. By using Primetric's Service, youconsent to the collection and use of personally identifiable information inaccordance with this policy.

In accordance withmandated organizational security requirements set forth and approved bymanagement, Primetric has established a formalPrivacy Policy and Procedures. This comprehensive Policy document isimplemented immediately, along with all relevant and applicable Procedures.

The Policy Owner owns thisPolicy and is responsible for reviewing the Policy on an annual basis andfollowing any major changes to Primetric’s sensitive data environment to ensurethat it continues to meet its organizational goals. The Policy Owner isresponsible for ensuring that the Privacy Procedure is reviewed and updated onan annual basis and following any major changes. Compliance with policies andprocedures will be regularly reviewed. The review will assess opportunities to improve and approach to managingchanges in the organization’s environment, business needs, and regulatoryrequirements. Results of management review will be taken into account whenreviewing policies and procedures. Management approval is required for anypolicy changes.

Policies and procedures will bemade available to those persons responsible for implementing thepolicy/procedure to which the documentation pertains.

Roles and Responsibilities

Data Protection Officer (DPO) (Chief Privacy Officer)

Responsibilities of the Data Protection Officer (DPO) (or Chief PrivacyOfficer) includeproviding overall direction, guidance, leadership, and support on methods andtools for the implementation of a privacy protection program. The Data Protection Officer is responsible for developing andimplementing privacy policies and procedures. The Data Protection Officer isthe designated point of contact for all privacy-related issues such asreceiving individual requests or privacy complaints. The Data ProtectionOfficer is also responsible for providing privacy-related guidance to the organizationand service providers regarding privacy specific responsibilities. The Data Protection Officer isthe designated contact for use by individuals regarding the processing of theirPII. The Data Protection Officer is responsible for developing, implementing,maintaining, and monitoring an organization-wide governance and privacy programto ensure compliance with applicable PII regulations. The Data ProtectionOfficer will take into consideration risks associated with processing factoringin the nature, scope, context, and purpose of processing when carrying out his/her duties. The Data Protection Officer may be responsible forother tasks as long as those tasks do not result in a conflict of interest. The Data Protection Officerwill conduct resource and investment planning to implement the management,operational, technical, and privacy requirements of the program.

The DPO works with the CTO and CISO to develop, perform, and document related security and privacy awareness training. The DPO must:

  • Be independent and report directly to the appropriate management levelof the organization in order to ensure effective management of privacy risks
  • Be involved in the management of all issues related to PII processing
  • Be an expert in data protection regulations and practices
  • Act as the contact point forsupervisory authorities
  • Inform top-level management andemployees of the organization of their obligations with respect to PIIprocessing
  • Provide advice in respect to privacy impact assessments conducted

Privacy Committee

Responsibilities include approving andmonitoring adherence to this policy, analyzing the organization’s environment,and complying with legal requirements. Additional responsibilities include:

  • Executing the privacy operations of the firm, including monitoring the system used to solicit, evaluate, and respond to individual privacy complaintsand problems
  • Evaluating implemented privacy controls
  • Assessing existing policies and procedures that address privacy areas
  • Working with appropriate departments to ensure compliance with privacy policies and procedures
  • Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s privacy objectives
  • Reporting to the Chief Privacy Officer on the effectiveness of the privacy controls/program in meeting applicable regulatory requirements and standards

Primetric must formally document and make privacy policies readily available to individuals, internal personnel, and third parties who need them. Management supports compliance with all privacy policies and relevant data protection regulations through a formal organizational structure and control. The organization will abide by regulatory requirements defining theresponsibilities for handling sensitive information including personallyidentifiable information and ensuring awareness with data protectionprinciples. Privacy policies will be documented to include security practicesfor privacy to include implementing technical security controls such as accesscontrols, authentication, and monitoring as well as organization measurescovered below to protect sensitive information.

The organization will appoint a dataprotection officer or privacy officer responsible for the organization’sprivacy protection program. The data protection officer or privacy officer willreport to the highest management level of the organization (such as the CEO).The organization will support the data protection officer in performingrequired tasks and provide necessary resources to carry out those tasks toinclude providing access to personal data or operations. The data protectionofficer is designated based on professional qualities to include expert knowledgeon privacy laws and ability to carry out required tasks. The organization willsupport the data protection officer in maintaining his/her expert knowledge.The organization will ensure the data protection officer’s independence relatedto any instructions regarding the exercise of the data protection officer’stasks and the data protection officer will be bound to confidentiality whenperforming those tasks according to applicable laws. The data protectionofficer will not be penalized for performing their duties.

Management will review and approveprivacy policy onan annual basis.

GDPR – Processor

Primetric, as a processor, isrequired to provide sufficient guarantees to implement appropriate technicaland organizational measures to ensure processing meets requirements of the GDPRand ensure the protection of individual rights.

Primetric, as a processor, will not engage another sub-processor withoutspecific written authorization of the controller. The controller will have theopportunity to object to any changes.

Processing of the organization isgoverned by a contract binding the organization with regards to the controllerand setting out the subject-matter as well as duration of the processing, thenature/purpose of processing, type of personal data/categories of individuals,and obligations/rights of the controller. The contract will stipulate theorganization must:

  • Process personal data only asinstructed in writing from the controller including transfers of personal datato third countries or international organizations. The organization will informthe controller of legal requirements for processing unless prohibited by law onthe grounds of public interest
  • Ensure persons authorized to process personal data are committed toconfidentiality or are under appropriate statutory obligation ofconfidentiality
  • Take all measures required to ensure security of processing
  • Respect conditions for engaging another sub-processor
  • Assist the controller in their fulfillment of the controller’sobligation to respond to requests for individuals exercising their rightsconsidering the nature of processing and the appropriate technical andorganizational measures possible
  • Assist the controller in ensuring compliance with security ofprocessing, notification of data breaches to supervisory authority,communication of breaches to individuals, data protection impact assessment andprior consultation with the data protection officer
  • Delete or return personal data at the choice of the controller after theend of services unless required by law
  • Make information available to controller necessary to demonstrate compliancewith obligations and allow for/contribute to audits including inspectionsconducted by the controller
  • Immediately inform the controller, if in the organization’s opinion, aninstruction infringes on GDPR or other data protection provisions

Primetric, as a processor, and anyperson acting under the organization’s authority who has access to personaldata shall not process this data except as instructed by the controller or elserequired by law.

02 Authority to Process PersonallyIdentifiable Information

Processing Authority

Primetric may process sensitive information to include personally identifiableinformation (PII) as a part of its operations across the information lifecycle. Processing includes, but is not limited to, the creation, collection,use, processing, storage, maintenance, dissemination, disclosure, reception,transmission, and disposal of information. Processing also includes logging,generation, transformation, and analysis techniques like data mining.

Primetric will abide by relevant lawsestablishing its authority or limitations onprocessing certain types of personally identifiable information and willestablish related processing requirements according to contractual obligations.Primetric will consult with the DataProtection Officer and other legal counsel regarding the authority to processinformation across multiple jurisdictions. Primetricwill be governed by its privacy policies and procedures related toprocessing that consider all laws, contracts, and other privacy relatedrequirements.

Primetric will determine and document theauthority permitting the organization to process personally identifiableinformation and will restrict processing ofpersonally identifiable information not authorized. Privacy risks may still bepresent even though processing is performed on a legal basis. Privacy riskassessments will be performed to identify any associated privacy risks andsolutions to manage such risks will be determined. Where possible, Primetric will attach data tags containingauthorized processing to elements of personally identifiable information.

The organizationwill train employees on authorized processing of sensitive informationincluding personally identifiable information as well as monitor/audit the useof this information.

Individual Requests

Primetric must publish aprocess governing individual requests to access their records maintained by theorganization. The organization must permit individuals to exercise their rightsof access and allow for individuals to correct inaccurate information as may beapplicable. The organization will implement a process for individuals torequest access, provide proof of identity, and provide communications to anindividual about their personal information similar to how an individual'soriginal information was collected (such as through normal mail or email):

  • Within a reasonable time as prescribed by relevantregulations
  • At a reasonableand allowable cost, if any
  • In an appropriatemanner
  • In an understandable form

Primetric will respond to requests for access as provided by lawor as indicated within the organization's privacy notice. Where possible,responses will be provided as requested by the individual. The organization will ensure individual's rights to access can be exercised, except when:

  • The expense or burden for the organization isunreasonable or disproportionate to privacy risks
  • The sensitive information (personally identifiable information (PII)) can't be disclosed dueto legal or security restrictions
  • Other individual's privacy would be violated due to theaccess request

Primetric will restrict access to sensitive information (personally identifiable information(PII)) to only those to whom the information relates or to an authorizedindividual. The organization will authenticate a requestor's identity accordingto regulatory requirements. When authentication is required, the organizationwill determine the appropriate form of authentication unless prescribed byregulatory requirements. The organization will request only the minimum necessaryinformation to verify identities. Identification and authentication informationmust be secured and retained only as long as needed.

Primetric mustensure all requested information can be provided, but must factor in theprotection of rights, freedoms, and privacy of other individuals beforeproviding an individual with their sensitive information (personallyidentifiable information (PII)). The organization will provide sensitiveinformation (personally identifiable information (PII)) to an authorizedindividual securely.

Primetric mustdevelop and implement a process related to notifying individuals of the statusof their requests and any required processing such as through mail/email alongwith identifying the dates when the request was made and expectation of one therequest may be fulfilled. The organization may need additional time to retrieveinformation from archives but may still be required to communicate this delayto the requestor.

Primetric may denya request for access based on regulatory requirements; however, theorganization will provide the individual with the rationale behind the denialalong with the process to challenge the denial in a timely manner.

If the Primetric is acting as a processor for another controller, the organization will support the controller's obligation with respect to an individual's rights of access, correction, and deletion of their sensitive information (personally identifiable information (PII)) according to regulatory or contractual requirements.

Primetric will provide forthe right of an individual to obtain confirmation the organization processesthe individual’s personal data and if this is the case, the organization willprovide access to the personal data along with the following information:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients (or categories of recipients) to whom the personal data has been (or will be) disclosed especially those recipients in third countries (or international organizations)
  • The estimated period of time the personal data will be stored, where possible, or thecriteria used to determine the time period
  • The existences of the right to request rectification, erasure of personal data, restriction of processing of personal data concerning the individual, or object to processing
  • The right to lodgea complaint with a supervisory authority
  • Where the personal data is not collected from the individual, any available information as to thesource
  • The existence ofautomated decision-making (including profiling) and any meaningful information about the logic involved as well as any significant envisaged consequences ofthe individual for such processing
  • Where personaldata is transferred to a third country (or international organization), theindividual has the right to be informed of the appropriate safeguards relatedto the transfer

Primetric will provide acopy of the personal data undergoing processing. For any additional copiesrequested by the individual, Primetric may charge a reasonable fee based on administrativecosts. If the individual makes the request via electronic means, theinformation shall be provided in a commonly used electronic form, unlessotherwise requested by the individual. The right to obtain a copy of thepersonal data must not adversely affect the rights or freedoms of anotherindividual.


Primetric permits individuals to determine whether it maintains personallyidentifiable information about them, and upon request, the individual mayobtain access to their personally identifiable information. Primetric will verify and authenticate theidentity of individuals who request access to their personally identifiableinformation before they are given access to the information.

Primetric will provide personallyidentifiable information to the individual in an understandable form, in areasonable timeframe, and at a reasonable cost.

Primetric may deny an individual access to or a request to change theirpersonally identifiable information based on regulatory requirements and willinform the individual of the denial along with the reason for the denial in atimely manner, unless prohibited by regulations.

Data Portability

Primetricwill provide theright of an individual to receive their personal data in a structured, commonlyused, and machine-readable format. The organization will provide for the rightto transmit an individual’s personal data to another organization withouthindrance where:

  • Processing is based on consentor on contract
  • The processing is carried out by automated means

Where technicallyfeasible, an individual exercising their right to data portability has theright to have their personal data transmitted directly from one organization toanother. This right doesn’t apply to processing necessary for the performanceof a task carried out in the public interest or in the exercise of officialauthority and shall not adversely affect the rights/freedoms of others.


Primetric will only disclose personallyidentifiable information to third parties if there is a legal basis and in amanner that complies with the law, in particular the GDPR

Primetric will track and log authorized andreported unauthorized disclosures.

Correction and Update

Primetric will permit individuals to update or correct personally identifiableinformation held by the organization and will provide such updates or correctedinformation to third parties that were previously provided with theindividual’s personally identifiable information. Taking into account thepurposes of the processing, the individual has the right to have incompletepersonal data completed, including by means of providing a supplementary statement.

Primetric may deny an individual access to or a request to change theirpersonally identifiable information based on regulatory requirements and willinform the individual of the denial along with the reason for the denial in atimely manner, unless prohibited by regulations.


Primetric will capture requests for deletion of personally identifiableinformation and information related to requests will be identified and flaggedfor destruction to meet the organization’s objectives related to privacy. Primetric will provide notification of suchdeleted information to third parties that were previously provided with theindividual’s personally identifiable information consistent with theorganization's objectives related to privacy.

Individuals have the right to obtain from the organization the erasureof their personal data without undue delay. Primetricis obligated to erase personal data without undue delay where one of thefollowing applies:

  • The personal data is no longernecessary in relation to the purposes for which the personal data was collectedand/or processed;
  • The individual withdrawals consent on which the processing is based andthere is no other legal ground for processing;
  • The individual objects to processing and there are no legitimategrounds for overriding the processing, or the individual objects to processingdata that has no compelling legitimate grounds for being processed;
  • The personal data has been unlawfully processed;
  • The personal data has to be erased for compliance with legalobligations; or
  • The personal data has been collected in relation to the offer ofinformation society services.

Where Primetric has made thepersonal data public and is obligated to erase the personal data, theorganization will take reasonable steps (e.g., considering available technologyand cost of implementation), including technical measures, to inform otherorganizations processing the personal data that the individual has requestedthe erasure of their personal data.

Primetric may deny the request of erasure if processing of personal data isnecessary for the following reasons:

  • For exercising the right offreedom of expression and information
  • For compliance with legal obligations
  • For reasons of public interest in the area of public health
  • For archiving purposes in the public interest, scientific or historicalresearch purposes, or statistical purposes in so far as the right to erasure islikely to render impossible (or seriously impair) the achievement of theobjectives of the processing
  • For the establishment, exercise, or defense of legal claims


Primetricwill provide forthe right of an individual to restrict processing of their personal data whereone of the following applies:

  • The accuracy of the personaldata is contested by the individual for a period of time enabling theorganization to verify the accuracy of the personal data.
  • The processing is unlawful and the individual opposes the erasure ofthe personal data and requests the restriction of its use instead.
  • The organization no longer needs the personal data for the purposes ofthe processing, but is required by the individual for the establishment, exercise,or defense of legal claims.
  • The individual has objected to processing on legitimate grounds pendingthe verification whether the legitimate grounds of the organization overridethose of the individual.

Where processing hasbeen restricted, except for storage, the organization will only processpersonal data as follows:

  • With the individual’s consent
  • For the establishment, exercise, or defense of legal claims
  • For the protection of the rights of another individual or legal person
  • For reasons of important public interests

Primetric will inform the individual who has obtained restrictions of processingbefore the restrictions of processing have been lifted.


Primetric will provide the right ofthe individual to object to processing of their personal data, includingprocessing based on profiling. Primetric will no longer processpersonal data unless the organization can demonstrate compelling legitimategrounds for the processing overriding the interests, rights/freedoms of theindividual, or for the establishment, exercise, or defense of legal claims.

Where personal data is processed for direct marketingpurposes, the individual has the right to object at any time to processing oftheir personal data for such marketing, including profiling to the extent it isrelated to such direct marketing. The personal data shall no longer beprocessed for marketing purposes based on an individual’s objection.

The right to object will be brought to the individual’sattention at the time of first communication with the individual and will bepresented in a clear and separate form from any other information.

In the context of information society service use, theindividual may exercise their right to object by automated means usingtechnical specifications.

Where personal datais processed for scientific historical research purposes or statisticalpurposes, the individual has the right to object to processing their personaldata unless the processing is necessary for the performance of a task carriedout in the public interest.

Automation (Automated Decisions)

The organization will enforce the authorizedprocessing of personally identifiable information using automated mechanismaugmenting verification that only authorized processing is occurring.

The organization upholds the right of individuals to not be subject toa decision having legal effects or similarly significant effects on anindividual based solely on automated processing including profiling. Theorganization will implement suitable measures to safeguard the individual’srights/freedoms and legitimate interest by providing the right to obtain humanintervention on the part of the organization, to express the individual’s pointof view, and to contest the decision. Note: The decision may not apply ifnecessary as part of a contract between the organization and the individual,authorized by law, or is based on the individual’s explicit consent.

03 Personally Identifiable Information(PII) Processing Purposes

Primetric will identify and document thepurposes for processing personally identifiable information. This enablesindividuals to make informed decisions and manage their privacy interests. Thepurpose of processing will be described in the public privacy notices andrelated privacy procedures. Primetric willrestrict processing of personally identifiable information to only that whichis compatible with the identified purposes. Primetricwill monitor for changes in processing and consult with the DataProtection Officer or other legal counsel to ensure any new processing is stillcompatible with the original purpose. If information that was previouslycollected is to be used for purposes not previously identified in the privacynotice, Primetric will document the newpurpose, notify the individual, and obtain implicit or explicit consent priorto such new use or purpose.

Primetric will monitor changes inprocessing personally identifiable information and implement mechanisms to ensurethat any changes are made in accordance with defined requirements.

Where possible, the organizationwill attach data tags containing purposes to elements of personallyidentifiable information for defined processing purposes.

The organization will trackprocessing purposes of personally identifiable information using automatedmechanisms.

The organization will ensure that contracts in place to process PIIaddress the organization’s role in providing any assistance to its customersrelated to their obligations with processing, taking into account the nature ofprocessing and information available to the organization. Primetric will only process PII on behalf of acustomer for the purposes expressed in documented instructions by the customer.


Primetric will limit the collection of personally identifiable information towhat is necessary to meet the organization’s objectives. The methods ofcollecting PII will be reviewed by management prior to implementation toconfirm PII is obtained fairly and without intimidation or deception as well aslawful, in adherence to all relevant rules of law.

Primetric will inform individuals if the organization develops or acquiresadditional information about them for its use.

Use and Disclosure

Primetric usespersonally identifiable information only as is authorized and only at theminimum necessary level required by the organization to meet service levelobligations, contractual obligations, or regulatory requirements.


Primetric willretain PII only as long as required or according to the organization’sretention schedule as may be required by regulatory or contractual obligations.


Primetric must define and approvewhere sensitive information (including PII) will be stored. Sensitiveinformation will be kept to a minimum as may be required for business or legalpurposes and retained only as long as needed according to the data retentionschedule.

Primetric must implementtechnical measures to protect the confidentiality and integrity of sensitiveinformation at rest or stored in approved locations according toregulations.  This sensitive informationwill be rendered unusable, unreadable, or indecipherable in any electronic formit is stored by using any of these techniques:

  • Enforcing mandatoryfull disk encryption on laptops or other mobile devices where supported

Note: If disk encryption is utilized, logical access must bemanaged independently of the operating system and any decryption keys must notbe tied to user accounts.

  • Encrypting virtual disks
  • Encrypting disk volumes
  • Encrypting specific files or folders

Primetric willutilize strong encryption technology such as the use of one-way hashes,truncation, or other strong cryptography with key management. Approvedencryption algorithms include those meeting FIPS 140-2 standards such as Advanced EncryptionStandard AES utilizes a minimum of 128-bit key length, Triple Data EncryptionAlgorithm (or Triple DES). The organization will document the rationale andapproval of the CISO for any cases where encryption is not reasonable orappropriate.


GDPR governs the protection ofnatural persons (or individuals) with regard to the processing of theirpersonal data as well as rules related to the free movement of personal data.GDPR protects the fundamental rights and freedoms of individuals and theirrights to protect their personal data. Free movement of personal data withinthe European Union (EU) will not be restricted nor prohibited for reasonsconnected with the protection of individuals regarding the processing of theirpersonal data.

GDPR applies to the processing of personal data (wholly or partially) byautomated means to processing other than automated means of personal dataforming (or intended to form) a filing system. GDPR doesn’t apply toindividuals in the course of purely personal or household activities or by competentauthorities for the purposes of preventing, investigating, detecting, orprosecuting criminal offenses or execution of criminal penalties includingsafeguards against the prevention of threats to public safety.

GDPR applies to processing of personal data in the context of activitiesof an organization established in the EU, regardless if the processing takesplace in the EU or not. GDPR also applies to processing of personal data ofdata subjects who are in the EU by an organization not established in the EUwhere the processing relates to offering of goods (or services) irrespective ofpayment to such data subjects in the EU or monitoring the behavior as far astheir behavior takes place within the EU.

This policy incorporates the definitions of terms as set forth in GDPRArticle 4 related to compliance with GDPR.

Personal data must be:

  • Lawfulness, Fairness, andTransparency: Processed in a lawful, fair, andtransparent manner in relation to the individual
  • Purpose Limitation: Collected for a specified,explicit, and legitimate purpose and not processed further in a manner notcompatible with those purposes. Note: processing for the purpose of archivingin the public interest, science or historical research, or statistical purposeis not considered incompatible with the initial purpose
  • Data Minimization: Adequate, relevant, and delimitedto only what is necessary related to the purpose of the processing
  • Accuracy: Accurate and kept up to date as well astake every reasonable step to ensure any inaccuracies, in regard to the purposebeing processes, are erased or rectified without delay
  • Storage Limitation: Kept for only as long as necessaryfor the purpose it was collected. Note: personal data may be stored longer ifit is being processed solely for archiving in the public interest, science orhistorical research, or statistical purposes subject to the implementation ofappropriate technical and organizational measures to safeguard rights andfreedoms of individuals
  • Integrity and Confidentiality: Processingpersonal data in a manner to ensure appropriate security of the personal dataincluding protection against unauthorized or unlawful processing as well asprotection against accidental loss, destruction, or damage using appropriatetechnical or organizational measures
  • Accountability: Be responsible for and demonstratecompliance with the GDPR.


Processing is required to be lawful and at least of thefollowing must apply:

  • Individual gives consent toprocessing for one or more specific purposes
  • Processing is necessary to perform a contractual obligation for theindividual who is a party to the contract or to take steps at the request of anindividual to enter into a contract
  • Meet compliance with legal obligations
  • Necessary to protect the vital interests of the individual or anotherindividual
  • Necessary to carry out a task in the public interest or exercise any officialauthority of the organization
  • Processing for a legitimate interest except where the interest isoverridden by fundamental rights/freedoms of an individual requiring protectionof the personal data (such as the case for children’s personal data)

If processing doesn’t requireidentification of the individual, the organization is not obligated tomaintain, acquire, or process additional information to identify theindividual. The organization will be required to verify the identity of theindividual only as required by law for purposes of the individual to exercisetheir individual privacy rights.

04 Consent

Individuals participate inmaking decisions about processing through their consent. From an organizationalperspective, risks of processing personally identifiable information aretransferred to an individual by providing the individual with consent over theprocessing of their information. Consent may also be required by laws. Primetric will consider reasonable expectations toaccept and understand privacy risks from an individual’s authorization whenselecting consent to process information. The organization will consider allcontrols to effectively mitigate privacy risks and also consider anydemographic or contextual factors influencing the understanding/behavior ofindividuals with respect to processing.

Primetric informs individuals about thechoices available to them with respect to the collection, use, and disclosureof their personally identifiable information. Primetricmust require implicit or explicit consent to collect, use, and disclosepersonally identifiable information or provide and obtain consent from anindividual (or authorized representative) where processing introduces newuse/disclosure as required by law.

Primetric will obtain and documentimplicit or explicit consent from individuals at or before the time personallyidentifiable information is collected (or soon thereafter). As required by law,Primetric must obtain consent prior toemailing, faxing, communicating, or otherwise disclosing personallyidentifiable information to external parties. The individual will confirm andimplement the individual’s preferences expressed in their consent. Primetric must provide a way for an individual tomodify their consent and act upon this modification or cease processing in atimely manner. Primetric obtains consentbefore personally identifiable information is transferred to or from anindividual’s computer or other similar device.

Primetric will abide by legal requirementsover consent and obtain informed and transparent consent. The organization willutilize alternative solutions to obtain consent prior to processing if thenormal means of consent isn’t available. The organization must maintain recordsof consent.

Primetricmust confirm the identity of an individual orauthorized representative submitting consent to processing. Information relatedto identity verification will be kept to the minimum necessary and retainedonly as long as required. The identity verification information will bedisposed of securely when no longer needed. The organization will identify potential authorizationprivacy risks.

Primetric will consider appropriatemechanisms to obtain consent such as type of consent (e.g., opt-in or opt-out),how to authenticate or identify individuals, and how to obtain consent throughelectronic means. The organization will consider usability factors to helpindividuals understand risks related to consent and include the use of plainlanguage while avoiding technical jargon.

Primetric will implement tools ormechanisms for individuals to consent to the processing of their personallyidentifiable information prior to its collection facilitating individuals’informed decision-making. Where possible, the organization will providemechanisms to allow individuals to tailor processing permissions to selectedelements of personally identifiable information. The organization will presentconsent mechanisms to individuals at the time of processing. The organizationwill implement a mechanism for individuals to revoke consent to processing.

Primetric must provide an individual theopportunity to exercise their rights to choice prior to processing of theirsensitive information (personally identifiable information (PII)). An individualmay withdraw their consent by giving reasonable notice to the organization asmay be applicable by law. The organization may provide an individual withreasonable grounds to permit them to exercise their rights to object toprocessing. Primetric may refuse to comply with a request according to law, but theorganization will provide the individual with detailed reasons for denying thelegitimacy of the objection.

Primetric may, where possible, permit an individualto object to specific aspects of processing rather than the entirety ofprocessing. Primetric will acknowledge an individual's objection within the legal time frameor as specified in the organization's privacy policy.

Primetric will not condition services on anindividual declining to provide their sensitive information (personallyidentifiable information (PII)) not being relevant to the services beingoffered.

Primetric must confirm the identity of anindividual or authorized representative submitting an objection. Informationrelated to identity verification will be kept to the minimum necessary andretained only as long as required. The identity verification information willbe disposed of securely when no longer needed.

Primetricmust make othernecessary entities aware of any submitted objections and require these entitiesto abide by applicable valid objections.

Primetricwill not use PIIprocessed under a contract for purposes of marketing or advertising withoutprior consent obtained from the appropriate individual. Primetric is restricted from making the providingof consent a condition to receive services.

GDPR – Consent

Primetric must demonstrate an individual providedconsent for their processing. If the individual’s consent is provided in awritten consent concerning other matters, the consent must be presented in amanner clearly distinguishable from other matters. The consent must beintelligible and in an easy accessible form using clear and plain language. Theindividual retains the right to withdraw consent at any time. Withdrawal mustbe as easy as to give consent.

When assessingwhether consent is freely given, utmost account shall be taken of whether,inter alia, the performance of a contract, including the provision of aservice, is conditional on consent to the processing of personal data that isnot necessary for the performance of that contract.

As it relates toproviding information society services directly to a child, the child must beat least sixteen (16) years old to lawfully process their personal data. Wherethe child is less than sixteen (16) years of age, parental authorization mustbe obtained to process the child’s personal data.

05 Privacy Notice (Transparency)

Primetric will process personal information in a lawful, fair, and transparentmanner in relation to the individual.

Privacy notices help inform individuals about how their personallyidentifiable information is being processed by the system or organization.Organizations use privacy notices to inform individuals about how, under whatauthority, and for what purpose their personally identifiable information isprocessed, as well as other information such as choices individuals might havewith respect to that processing and other parties with whom information isshared. Laws, executive orders, directives, regulations, or policies mayrequire that privacy notices include specific elements or be provided inspecific formats. Federal agency personnel consult with the senior agency officialfor privacy and legal counsel regarding when and where to provide privacynotices, as well as elements to include in privacy notices and requiredformats. In circumstances where laws or government-wide policies do not requireprivacy notices, organizational policies and determinations may require privacynotices and may serve as a source of the elements to include in privacynotices.

Privacy risk assessments identify the privacy risks associated with theprocessing of personally identifiable information and may help organizationsdetermine appropriate elements to include in a privacy notice to manage suchrisks. To help individuals understand how their information is being processed,organizations write materials in plain language and avoid technical jargon.

Primetric must make the organization’slatest privacy policy publicly available on the organization’s website.

Primetric must provide a clear and accessible privacy notice to individuals inplain-language outlining the organization's practices and policies regardingsensitive information (personally identifiable information (PII)) in a form andtime required by law upon first interacting with the organization andsubsequently upon changes in the notice. The privacy notice should be easilyunderstood by individuals not familiar with information technologies, legaljargon, or the Internet. The organization will provide notice to individualsabout processing of personally identifiable information that identifies theauthority that authorizes the processing of personally identifiableinformation, purpose for which personally identifiable information is to beprocessed, and includes specific information related to the organization’sregulatory or contractual obligations.

Primetric must disclose to the individuals thechoices and means for purposes of limiting processing, accessing, correcting,and removing the individual's sensitive information (personally identifiableinformation (PII)).

Primetric will make updates to the privacy notice reflecting any changes in theorganization's privacy policies, practices, or activities before or as soon aspossible after the change. Notice must be provided to individuals before or atthe time of collection of sensitive information (personally identifiableinformation (PII)) as practical.

Primetric must clearly describe the purpose of anyclose nexus between general authorization and specific collection of sensitiveinformation (personally identifiable information (PII)) within theorganization's privacy compliance documentation when statutory language is toobroad. Primetric may provide real-time or layered notices when collecting sensitiveinformation (personally identifiable information (PII)).

Primetric will present notice ofpersonally identifiable information processing to individuals at a time andlocation where the individual provides personally identifiable information orin conjunction with a data action, or annually if or when the notice changes.

Primetric must provide notice to individuals regarding:

●     Privacy related activities including, butnot limited to, collection, use, sharing, safeguarding, maintenance, anddisposal of sensitive information (personally identifiable information (PII))

●     Authority to collect sensitiveinformation (personally identifiable information (PII))

●     The sensitive information (personallyidentifiable information (PII)) collected, purpose of collection, andsafeguards in place to protect sensitive information (personally identifiableinformation (PII))

●     Individual's choice regarding how theorganization uses their sensitive information (personally identifiableinformation (PII)) and any consequences an individual may have if exercisingthis choice

●     Right to object to processing

●     Fees associated with access as may bepermitted by law

●     Retention of sensitive information(personally identifiable information (PII))

●     Right to access and how to accesssensitive information (personally identifiable information (PII)) for thepurpose of corrections, where appropriate

●     Whether the organization shares sensitiveinformation (personally identifiable information (PII)) with other entities andfor what purpose it is shared

●     Whether the organization sells orforwards data to be processed by data analytics organizations and details toany risks posed to this processing

●     Contact information for theorganization's privacy official to communicate any feedback, complaints,questions, or other relevant topics related to the organization's privacypractices.

Primetric will inform third parties with whomit shares PII of any modification, withdrawal or objections pertaining to theshared PII, and implement appropriate policies, procedures and/or mechanisms todo so.

Primetric will inform customers if, in its opinion, processing instructionsinfringe on applicable laws.

Primetric will notify customers of anylegally binding requests for disclosure of PII. The organization will discloseany use of subcontractors to process PII to the customer before using thesubcontractor.

GDPR – Privacy Notice

Primetric will provide information and anycommunications related to processing of personal data to the individual in aconcise, transparent, intelligible, and easily accessible form using clear andplain language (especially in cases of children, where applicable). Primetric will provide this information in writing or electronic form. If theidentity of an individual is proven by other means, the information requestedby the individual may be provided orally.

Primetric will facilitate the exercise of individual rights and will not refuse toact on a request of an individual to exercise their rights, unless theorganization demonstrates it is not in a position to identify the individual.

Primetric will provide information on actions taken on an individual’s request withoutundue delay and in any event within one (1) month of receipt of the request.This period of time may be extended by two (2) more months where necessary,taking into account the complexity and number of requests. Any delays should becommunicated to the requestor within one month explaining the reasons for thedelay and the additional time extension required. If the individual makes arequest electronically, the information will be provided by electronic means,unless otherwise requested by the individual.

If Primetric does not take action on anindividual’s request, the organization will inform the individual within one(1) month of receipt of the request for the reason the organization will nottake actions and how to lodge a complaint with a supervisory authority in aneffort to seek judicial remedy.

Primetric will provide communications andany actions taken to the individual free of charge. Where requests from anindividual are manifestly unfounded or excessive (due to repetitive actions),the organization may:

●    Charge a reasonable fee takinginto account the administrative costs of providing the information,communication, or taking the action requested; or

●     Refuse to act on the request.

○     Note: The organization bears the burden of demonstrating the manifestlyunfounded or excessive character of the request.

Primetric will request additionalinformation as necessary to confirm the identity of an individual when theorganization has reasonable doubts concerning the identity of the individual.

The information provided to individuals may be provided in combinationwith standardized icons in order to give in an easily visible, intelligible,and clearly legible manner a meaningful overview of the intended processing.Where icons are presented electronically, they should be machine-readable.

Primetric, at the time when personal datais collected from the individual, provide the individual with the followinginformation:

●    The identity and the contactdetails of the organization and the organization’s representative, whereapplicable

●     The contact details of the data protection officers, where applicable

●     The purposes of the processing for which the personal data are intendedas well as the legal basis for the processing

●     Where the processing is based on legitimate interests, the legitimateinterests pursued by the organization or by a third party

●     The recipients or categories of recipients of the personal data, if any

●     Where applicable, the fact the organization intends to transfer personaldata to a third country (or international organization) and the existence orabsence of an adequacy decision, reference to the appropriate or suitablesafeguards as well as the means by which to obtain a copy of them (or wherethey have been made available)

In addition, Primetric will provide an individual at thetime of collection the following further information necessary to ensurefair/transparent processing:

●    The period of time for which thepersonal data will be stored or the criteria used to determine that period, ifit is not possible to provide a period of time

●     The existences of the right to request from the organization: access to,rectification, erasure, restriction, or objection to processing as well as theright to data portability

●     When processing is based on consent, the existences of the right towithdraw consent at any time, without affecting the lawfulness of processingbased on consent before its withdrawal

●     The right to lodge a complaint with a supervisory authority

●     Whether the provisions of personal data is a statutory or contractualrequirement, or a requirement necessary to enter into a contract as well aswhether the individual is obliged to provide the personal data and the possibleconsequences of failure to provide such data

●     The existence of automated decision-making (including profiling) and atleast in those cases, meaningful information about the logic involved, as wellas the significance and the envisaged consequences of such processing for theindividual

Where Primetric intends to further process personal data for a purpose other than thatfor which the personal data was collected, the organization will provide thedata subject prior to that further processing with information on that otherpurpose as well as any relevant further information as required.

Primetric doesn’t have to repeat providing information to the individual insofaras the individual already has the information.

When personal data has not beenobtained from the individual, Primetric will provide the individual withthe following information:

●    The identity and the contact detailsof the organization and the organization’s representative, where applicable

●     The contact details of the data protection officers, where applicable

●     The purposes of the processing for which the personal data are intendedas well as the legal basis for the processing

●     The categories of personal data concerned

●     The recipients or categories of recipients of the personal data, if any

●     Where applicable, the fact the organization intends to transfer personaldata to a third country (or international organization) and the existence orabsence of an adequacy decision, reference to the appropriate or suitablesafeguards as well as the means by which to obtain a copy of them (or wherethey have been made available)

In addition, Primetric will provide an individual at the time of collectionthe following further information necessary to ensure fair/transparentprocessing:

●    The period of time for which thepersonal data will be stored or the criteria used to determine that period, ifit is not possible to provide a period of time

●     When the processing is based on legitimate interests, the legitimateinterests pursued by the organization or by a third party

●     The existences of the right to request from the organization: access to,rectification, erasure, restriction, or objection to processing as well as theright to data portability

●     When processing is based on consent, the existences of the right towithdraw consent at any time, without affecting the lawfulness of processingbased on consent before its withdrawal

●     The right to lodge a complaint with a supervisory authority

●     From which source the personal data originated, and if applicable,whether it came from publicly accessible sources

●     The existence of automated decision-making (including profiling) and atleast in those cases, meaningful information about the logic involved, as wellas the significance and the envisaged consequences of such processing for theindividual

Primetricwill provide this information:

●    Within a reasonable period of timeafter obtaining the personal data, but within one (1) month, having regard tothe specific circumstances in which the personal data was processed

●     If the personal data is to be used for communication with theindividual, at the time of the first communication to that individual

●     If a disclosure to another recipient is envisaged, when the personaldata is first disclosed

If Primetric intends to further process the personal data for a purpose other thanfor which the personal data was collected, Primetric will provide the individual, prior to theprocessing, with the information on that other purpose as well as any relevantfurther information as required.

Primetric doesn’t have to repeat providinginformation to the individual if:

●    The individual already has theinformation

●     The provision of the information provides impossible or involvedisproportionate effort such as for archiving, scientific/historical, orstatistical purpose

●     Obtaining or disclosing is provided by law and appropriate measures toprotect the individual’s legitimate interests are implemented

●     Where personal data must remain confidential subject to an obligation ofprofessional secrecy regulated by law

Primetric  will communicate any rectification or erasureof personal data along with any restrictions of processing to each recipient towhom the personal data has been disclosed, unless this proves impossible orinvolves disproportionate effort. Primetric will inform the individual aboutthose recipients if the individual requests it.


06 Specific Categories of PersonallyIdentifiable Information

Specific categories ofpersonally identifiable information may have special conditions or protectionsthe organization may be required to comply with by law. Requirements may alsocome as a result of the privacy risk assessment where the organizationdetermined a particular category of sensitive information is of elevatedprivacy risks. Primetric may need to consultwith the Data Protection Officer or legal counsel regarding any necessaryprotections. Primetric will apply specialconditions for specific categories of personally identifiable information asrequired by law.

Primetric  must create and publish use and disclosure ofsensitive information (including personally identifiable information (PII))guidelines. The organization will only use or disclose sensitive information(personally identifiable information (PII)) as authorized in the organization'sPrivacy Notice or by law. For any new use and disclosure instances, theorganization must assess the use/disclosure to ensure it is authorized orrequires a new consent (or updated notice).


Primetric willprovide access to and restrict disclosure of sensitive information (includingpersonally identifiable information (PII)) to only those required to performtheir duties (i.e., “need to know” and “minimum necessary” principles will beapplied).

Primetricwill only use/disclose sensitive information(personally identifiable information (PII)) for which consent was given. Theorganization will only use sensitive information (personally identifiableinformation (PII)) if it is compatible with the original purpose it wascollected.

For new uses of personallyidentifiable information (PII), the organization must formally evaluate toensure the organization has authority to use the personally identifiableinformation (PII).

GDPR – Specific Categories of PII

Primetricis prohibited fromprocessing the following personal data:

●     Data revealing racial or ethnicorigin

●    Political opinions

●    Religious or philosophical beliefs

●    Trade union membership

●    Genetic data

●    Biometric data for the purpose of uniquely identifying a natural person

●    Data concerning health

●    Data concerning an individual’s sex life or sexual orientation


●     Individual provided explicitconsent for processing

●    Except by law

●    Processing is necessary for the purpose of carrying out obligationsexercising specific rights in the field of employment, social security, andsocial protection law or collective agreements providing appropriate safeguardsfor the fundamental rights/interests of individuals

●    Processing necessary to protect vital interests

●    Processing carried out for legitimate activities by foundation,association, or any other not-for-profit body relating to individual’smembership in the body

●    Processing made public by the individual

●    Processing for defense of legal claims or whenever courts are acting intheir judicial capacity

●    Processing necessary for substantial public interest

●    Processing is necessary for the purposes of preventive/occupationalmedicine, assessment of the working capacity of employee, medical diagnosis,provision of health/social care/treatment, or management of health/social carepursuant to contact with a health professional

●    Processing for reasons of public interest in area of public health toprotect against cross-border health threats or ensure quality/safety ofhealthcare products or medical devices

●    Processing for the purpose of archiving in the public interest,scientific or historical research, or statistical purposes

Processing of personal data related to criminal convictions foroffenses must only be carried out under official authority for processingauthorized by law and with appropriate safeguards for the rights/freedoms ofindividuals.

Local jurisdictions may restrict by legislative measures the scope ofobligations and rights to individuals and organizations when such restrictionsrespect the essence of the fundamental rights/freedoms of individuals as wellas being necessary/proportionate measures to a democratic society in order tosafeguard:

●     National security

●    Defense

●    Public security

●    Prevention, investigation, detection, or prosecution of criminaloffenses or the execution of criminal penalties, including the safeguardingagainst and the prevention of threats to public security

●    Other important objectives of general public interest, in particular animportant economic or financial interest, including monetary, budgetary andtaxation matters, public health and social security

●    Protection of judicial independence and judicial proceedings

●    Prevention, investigation, detection, and prosecution of breaches ofethics for regulated professions

●    Monitoring, inspection, or regulatory function connected, evenoccasionally, to the exercise of official authority

●    Protection of the individual or the rights/freedoms of others

●    Enforcement of civil law claims

The above legislativemeasures shall contain specific provisions at least, where relevant, as to:

●     The purposes of the processingor categories of processing

●    The categories of personal data

●    The scope of the restrictions introduced

●    The safeguards to prevent abuse or unlawful access to transfer

●    The specification of the controller or categories of controllers

●    The storage periods and the applicable safeguards taking into accountthe nature, scope and purposes of the processing or categories of processing

●    The risks to the rights/freedoms of individuals;

●    The right of individuals to be informed about the restriction unlessthat may be prejudicial to the purpose of the restriction

Primetricwill process personal data for archiving purposes in thepublic interest, scientific or historical research purposes, or statisticalpurposes utilizing appropriate safeguards for the rights/freedoms of theindividual. The organization will ensure technical and organization measuresare in place for these safeguards to include ensuring respect for the principleof data minimization. Safeguard measures may include pseudonymization providedthe purpose can be fulfilled utilizing this method. Where purposes can befulfilled by further processing which does not permit or no longer permits theidentification of the individual, those purposes shall be fulfilled in thatmanner.

Related Documents

●       Privacy Procedures

●       Security and Privacy Attributes section of the Access Control Policy

●       Security Awareness and Privacy Training Policy

●       Control Assessments and Third-Party Agreements sections of theAssessment, Authorization and Monitoring Policy

●       Incident Response Plan section of the Incident Response Policy

●       Information Security Program Management Policy to include SecuritySafeguards (Confidentiality), Privacy Program Leadership Role, Accounting ofDisclosures, Personally Identifiable Information Quality Management, andComplaint Management

●       Privacy Impact Assessments section of the Risk Assessment Policy

●       Security and Privacy Engineering Principles section of the SystemDevelopment Life Cycle (SDLC)

●       Data Handling, Retention, and Disposal and the De-Identificationsections of the System Integrity Policy