Privacy Policy

Last updated: 9/29/2025

01 Overview and Scope

This Policy and supporting Procedures are designed to provide Primetric with a documented and formalized process for protecting individuals’ privacy. Respect for the privacy of personal and other information is fundamental to Primetric.

This privacy policy describes Primetric's collection of personally identifiable information (PII) in its capacity as a Data Controller for its own business operations (e.g., support, billing, and communications). For data processed through the Primetric platform on behalf of customers, Primetric acts as a Data Processor, and the customer remains the Data Controller under applicable data protection laws, including the GDPR.

This Policy also describes Primetric's use and disclosure of such information. By using Primetric's Service, you consent to the collection and use of personally identifiable information in accordance with this policy.

Primetric sp. z o.o. is a wholly owned subsidiary of BigTime Software Inc., a Delaware corporation. However, Primetric operates as an independent legal entity and provides services to customers located in the European Union. BigTime Software Inc. does not access or process customer data unless separately designated as a Subprocessor and disclosed to the customer.

In accordance with mandated organizational security requirements set forth and approved by management, Primetric has established a formal Privacy Policy and Procedures. This comprehensive Policy document is implemented immediately, along with all relevant and applicable Procedures.

The Policy Owner owns this Policy and is responsible for reviewing the Policy on an annual basis and following any major changes to Primetric’s sensitive data environment to ensure that it continues to meet its organizational goals. The Policy Owner is responsible for ensuring that the Privacy Procedure is reviewed and updated on an annual basis and following any major changes. Compliance with policies and procedures will be regularly reviewed. The review will assess opportunities for improvement and the approach to managing changes in the organization’s environment, business needs, and regulatory requirements. Results of management review will be taken into account when reviewing policies and procedures. Management approval is required for any policy changes.

Policies and procedures will be made available to those persons responsible for implementing the policy/procedure to which the documentation pertains.

Roles and Responsibilities

Data Protection Officer (DPO) (Chief Privacy Officer)

Responsibilities of the Data Protection Officer (DPO) (or Chief Privacy Officer) include providing overall direction, guidance, leadership, and support on methods and tools for the implementation of a privacy protection program. The Data Protection Officer is responsible for developing and implementing privacy policies and procedures. The Data Protection Officer is the designated point of contact for all privacy-related issues, such as receiving individual requests or privacy complaints. The Data Protection Officer is also responsible for providing privacy-related guidance to the organization and service providers regarding their privacy-specific responsibilities. The Data Protection Officer is the designated contact for individuals regarding the processing of their PII. The Data Protection Officer is responsible for developing, implementing, maintaining, and monitoring an organization-wide governance and privacy program to ensure compliance with applicable PII regulations. The Data Protection Officer will take into consideration the risks associated with processing, factoring in the nature, scope, context, and purpose of processing, when carrying out his/her duties. The Data Protection Officer may be responsible for other tasks as long as those tasks do not result in a conflict of interest. The Data Protection Officer will conduct resource and investment planning to implement the management, operational, technical, and privacy requirements of the program.

The DPO works with the CTO and CISO to develop, perform, and document related security and privacy awareness training. The DPO must:

  • Be independent and report directly to the appropriate management level of the organization in order to ensure effective management of privacy risks
  • Be involved in the management of all issues related to PII processing
  • Be an expert in data protection regulations and practices
  • Act as the contact point for supervisory authorities
  • Inform top-level management and employees of the organization of their obligations with respect to PII processing
  • Provide advice in respect to privacy impact assessments conducted

Where Primetric acts as a Data Processor on behalf of its customers, the DPO shall ensure that the processing is conducted only under documented instructions of the Data Controller, as defined in the customer’s Data Processing Agreement. The DPO shall also ensure separation of processing roles for any data processed by Primetric in its own capacity as a Data Controller.

Privacy Committee

Responsibilities include approving and monitoring adherence to this policy, analyzing the organization’s environment, and ensuring compliance with legal requirements. Additional responsibilities include:

  • Executing the privacy operations of the firm, including monitoring the system used to solicit, evaluate, and respond to individual privacy complaints and problems
  • Evaluating implemented privacy controls
  • Assessing existing policies and procedures that address privacy areas
  • Working with appropriate departments to ensure compliance with privacy policies and procedures
  • Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s privacy objectives
  • Reporting to the Chief Privacy Officer on the effectiveness of the privacy controls/program in meeting applicable regulatory requirements and standards

Primetric must formally document and make privacy policies readily available to individuals, internal personnel, and third parties who need them. Management supports compliance with all privacy policies and relevant data protection regulations through a formal organizational structure and controls. The organization will abide by regulatory requirements defining the responsibilities for handling sensitive information, including personally identifiable information, and will ensure awareness of data protection principles. Privacy policies will document security practices for privacy, including technical security controls such as access control, authentication, and monitoring, as well as the organizational measures covered below, to protect sensitive information.

The organization will appoint a data protection officer or privacy officer responsible for the organization’s privacy protection program. The data protection officer or privacy officer will report to the highest management level of the organization (such as the CEO). The organization will support the data protection officer in performing required tasks and provide the necessary resources to carry out those tasks, including access to personal data and processing operations. The data protection officer is designated based on professional qualities, including expert knowledge of privacy laws and the ability to carry out the required tasks. The organization will support the data protection officer in maintaining his/her expert knowledge. The organization will ensure the data protection officer’s independence from any instructions regarding the exercise of the data protection officer’s tasks, and the data protection officer will be bound to confidentiality when performing those tasks according to applicable laws. The data protection officer will not be penalized for performing their duties.

Management will review and approve privacy policy on an annual basis.

GDPR – Processor

Primetric, as a processor, is required to provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets requirements of the GDPR and ensure the protection of individual rights. As of the Effective Date of this Policy, all customer data processed by Primetric is stored and processed exclusively within the European Economic Area. If transfers of personal data to third countries become necessary in the future, they shall be made only in accordance with Chapter V of the GDPR using legally recognized mechanisms, such as Standard Contractual Clauses.

Primetric, as a processor, will not engage another sub-processor without specific written authorization of the controller. The controller will have the opportunity to object to any changes.

Processing of the organization is governed by a contract binding the organization with regards to the controller and setting out the subject-matter as well as duration of the processing, the nature/purpose of processing, type of personal data/categories of individuals, and obligations/rights of the controller. The contract will stipulate the organization must:

  • Process personal data only on documented instructions from the controller, including with regard to transfers of personal data to third countries or international organizations. Where processing is required by law, the organization will inform the controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest
  • Ensure persons authorized to process personal data are committed to confidentiality or are under appropriate statutory obligation of confidentiality
  • Take all measures required to ensure security of processing
  • Respect conditions for engaging another sub-processor
  • Assist the controller in fulfilling the controller’s obligation to respond to requests from individuals exercising their rights, taking into account the nature of the processing and, insofar as possible, through appropriate technical and organizational measures
  • Assist the controller in ensuring compliance with security of processing, notification of personal data breaches to the supervisory authority, communication of breaches to individuals, data protection impact assessments, and prior consultation with the supervisory authority
  • Delete or return personal data at the choice of the controller after the end of services unless required by law
  • Make information available to controller necessary to demonstrate compliance with obligations and allow for/contribute to audits including inspections conducted by the controller
  • Immediately inform the controller if, in the organization’s opinion, an instruction infringes the GDPR or other data protection provisions

Primetric, as a processor, and any person acting under the organization’s authority who has access to personal data shall not process this data except as instructed by the controller or else required by law.

02 Authority to Process Personally Identifiable Information

Processing Authority

Primetric may process sensitive information to include personally identifiable information (PII) as a part of its operations across the information lifecycle. Processing includes, but is not limited to, the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, reception, transmission, and disposal of information. Processing also includes logging, generation, transformation, and analysis techniques like data mining.

Primetric will abide by relevant laws establishing its authority or limitations on processing certain types of personally identifiable information and will establish related processing requirements according to contractual obligations. Primetric will consult with the Data Protection Officer and other legal counsel regarding the authority to process information across multiple jurisdictions. Primetric will be governed by its privacy policies and procedures related to processing, which consider all laws, contracts, and other privacy-related requirements.

Primetric will determine and document the authority permitting the organization to process personally identifiable information and will restrict processing of personally identifiable information not authorized. Privacy risks may still be present even though processing is performed on a legal basis. Privacy risk assessments will be performed to identify any associated privacy risks and solutions to manage such risks will be determined. Where possible, Primetric will attach data tags containing authorized processing to elements of personally identifiable information.

The organization will train employees on authorized processing of sensitive information including personally identifiable information as well as monitor/audit the use of this information.

Individual Requests

Where Primetric acts as a Data Processor, it will assist the Data Controller in facilitating individual rights requests (e.g., access, correction, erasure) as required by GDPR Article 28. Individuals should contact the Data Controller to exercise these rights in relation to Customer Data processed by Primetric on their behalf.

Primetric must publish a process governing individual requests to access their records maintained by the organization. The organization must permit individuals to exercise their rights of access and allow individuals to correct inaccurate information as may be applicable. The organization will implement a process for individuals to request access, provide proof of identity, and receive communications about their personal information in a manner consistent with how the individual's original information was collected (such as through normal mail or email):

  • Within a reasonable time as prescribed by relevant regulations
  • At a reasonable and allowable cost, if any
  • In an appropriate manner
  • In an understandable form

Primetric will respond to requests for access as provided by law and as indicated in the organization's privacy notice. Where possible, responses will be provided in the form requested by the individual. The organization will ensure that an individual's right of access can be exercised, except when:

  • The expense or burden for the organization is unreasonable or disproportionate to privacy risks
  • The sensitive information (personally identifiable information (PII)) can't be disclosed due to legal or security restrictions
  • Other individual's privacy would be violated due to the access request

Primetric will restrict access to sensitive information (personally identifiable information (PII)) to only those to whom the information relates or to an authorized individual. The organization will authenticate a requestor's identity according to regulatory requirements. When authentication is required, the organization will determine the appropriate form of authentication unless prescribed by regulatory requirements. The organization will request only the minimum information necessary to verify identities. Identification and authentication information must be secured and retained only as long as needed.

Primetric must ensure all requested information can be provided, but must factor in the protection of rights, freedoms, and privacy of other individuals before providing an individual with their sensitive information (personally identifiable information (PII)). The organization will provide sensitive information (personally identifiable information (PII)) to an authorized individual securely.

Primetric must develop and implement a process for notifying individuals of the status of their requests and any required processing, such as through mail or email, identifying the date the request was made and the expected date by which the request will be fulfilled. The organization may need additional time to retrieve information from archives, but it will still communicate this delay to the requestor.

Primetric may deny a request for access based on regulatory requirements; however, the organization will provide the individual with the rationale behind the denial along with the process to challenge the denial in a timely manner.

Where Primetric is acting as a processor for another controller, the organization will support the controller's obligations with respect to an individual's rights of access, correction, and deletion of their sensitive information (personally identifiable information (PII)) according to regulatory or contractual requirements.

Primetric will provide for the right of an individual to obtain confirmation the organization processes the individual’s personal data and if this is the case, the organization will provide access to the personal data along with the following information:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients (or categories of recipients) to whom the personal data has been (or will be) disclosed especially those recipients in third countries (or international organizations)
  • The estimated period of time the personal data will be stored, where possible, or the criteria used to determine the time period
  • The existence of the right to request rectification or erasure of personal data, restriction of processing of personal data concerning the individual, or to object to processing
  • The right to lodge a complaint with a supervisory authority
  • Where the personal data is not collected from the individual, any available information as to the source
  • The existence of automated decision-making (including profiling), meaningful information about the logic involved, and the significance and envisaged consequences of such processing for the individual
  • Where personal data is transferred to a third country (or international organization), the individual has the right to be informed of the appropriate safeguards related to the transfer

Primetric will provide a copy of the personal data undergoing processing. For any additional copies requested by the individual, Primetric may charge a reasonable fee based on administrative costs. If the individual makes the request via electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested by the individual. The right to obtain a copy of the personal data must not adversely affect the rights or freedoms of another individual.

Access

Primetric permits individuals to determine whether it maintains personally identifiable information about them, and upon request, the individual may obtain access to their personally identifiable information. Primetric will verify and authenticate the identity of individuals who request access to their personally identifiable information before they are given access to the information.

Primetric will provide personally identifiable information to the individual in an understandable form, in a reasonable timeframe, and at a reasonable cost.

Primetric may deny an individual access to or a request to change their personally identifiable information based on regulatory requirements and will inform the individual of the denial along with the reason for the denial in a timely manner, unless prohibited by regulations.

Data Portability

Primetric will provide the right of an individual to receive their personal data in a structured, commonly used, and machine-readable format. The organization will provide for the right to transmit an individual’s personal data to another organization without hindrance where:

  • Processing is based on consent or on contract
  • The processing is carried out by automated means

Where technically feasible, an individual exercising their right to data portability has the right to have their personal data transmitted directly from one organization to another. This right doesn’t apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority and shall not adversely affect the rights/freedoms of others.

Disclosure

Primetric will only disclose personally identifiable information to third parties if there is a legal basis and in a manner that complies with the law, in particular the GDPR.

Primetric will track and log authorized and reported unauthorized disclosures.

Correction and Update

Primetric will permit individuals to update or correct personally identifiable information held by the organization and will provide such updates or corrected information to third parties that were previously provided with the individual's personally identifiable information. Taking into account the purposes of the processing, the individual has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Primetric may deny an individual access to or a request to change their personally identifiable information based on regulatory requirements and will inform the individual of the denial along with the reason for the denial in a timely manner, unless prohibited by regulations.

Deletion

Primetric will capture requests for deletion of personally identifiable information and information related to requests will be identified and flagged for destruction to meet the organization’s objectives related to privacy. Primetric will provide notification of such deleted information to third parties that were previously provided with the individual's personally identifiable information consistent with the organization's objectives related to privacy.

Individuals have the right to obtain from the organization the erasure of their personal data without undue delay. Primetric is obligated to erase personal data without undue delay where one of the following applies:

  • The personal data is no longer necessary in relation to the purposes for which the personal data was collected and/or processed;
  • The individual withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • The individual objects to the processing and there are no overriding legitimate grounds for the processing, or the individual objects to processing for direct marketing purposes;
  • The personal data has been unlawfully processed;
  • The personal data has to be erased for compliance with legal obligations; or
  • The personal data has been collected from a child in relation to the offer of information society services.

Where Primetric has made the personal data public and is obligated to erase the personal data, the organization will take reasonable steps (e.g., considering available technology and cost of implementation), including technical measures, to inform other organizations processing the personal data that the individual has requested the erasure of their personal data.

Primetric may deny the request of erasure if processing of personal data is necessary for the following reasons:

  • For exercising the right of freedom of expression and information
  • For compliance with legal obligations
  • For reasons of public interest in the area of public health
  • For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right to erasure is likely to render impossible (or seriously impair) the achievement of the objectives of the processing
  • For the establishment, exercise, or defense of legal claims

Restriction

Primetric will provide for the right of an individual to restrict processing of their personal data where one of the following applies:

  • The accuracy of the personal data is contested by the individual for a period of time enabling the organization to verify the accuracy of the personal data.
  • The processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of its use instead.
  • The organization no longer needs the personal data for the purposes of the processing, but the individual requires it for the establishment, exercise, or defense of legal claims.
  • The individual has objected to processing on legitimate grounds pending the verification whether the legitimate grounds of the organization override those of the individual.

Where processing has been restricted, except for storage, the organization will only process personal data as follows:

  • With the individual’s consent
  • For the establishment, exercise, or defense of legal claims
  • For the protection of the rights of another individual or legal person
  • For reasons of important public interests

Primetric will inform an individual who has obtained a restriction of processing before that restriction is lifted.

Objections

Primetric will provide the right of the individual to object to processing of their personal data, including processing based on profiling. Primetric will no longer process personal data unless the organization can demonstrate compelling legitimate grounds for the processing overriding the interests, rights/freedoms of the individual, or for the establishment, exercise, or defense of legal claims.

Where personal data is processed for direct marketing purposes, the individual has the right to object at any time to processing of their personal data for such marketing, including profiling to the extent it is related to such direct marketing. Once the individual objects, the personal data shall no longer be processed for marketing purposes.

The right to object will be brought to the individual's attention at the time of first communication with the individual and will be presented in a clear and separate form from any other information.

In the context of information society service use, the individual may exercise their right to object by automated means using technical specifications.

Where personal data is processed for scientific or historical research purposes or statistical purposes, the individual has the right to object to processing of their personal data unless the processing is necessary for the performance of a task carried out in the public interest.

Automation (Automated Decisions)

The organization will enforce the authorized processing of personally identifiable information using automated mechanisms that verify only authorized processing is occurring.

The organization upholds the right of individuals not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them. The organization will implement suitable measures to safeguard the individual's rights, freedoms, and legitimate interests, including the right to obtain human intervention on the part of the organization, to express the individual’s point of view, and to contest the decision. Note: This right does not apply where the decision is necessary for a contract between the organization and the individual, is authorized by law, or is based on the individual’s explicit consent.

03 Personally Identifiable Information (PII) Processing Purposes

Primetric will identify and document the purposes for processing personally identifiable information. This enables individuals to make informed decisions and manage their privacy interests. The purposes of processing will be described in the public privacy notices and related privacy procedures. Primetric will restrict processing of personally identifiable information to only that which is compatible with the identified purposes. Primetric will monitor for changes in processing and consult with the Data Protection Officer or other legal counsel to ensure any new processing is still compatible with the original purpose. If information that was previously collected is to be used for purposes not previously identified in the privacy notice, Primetric will document the new purpose, notify the individual, and obtain implicit or explicit consent prior to such new use or purpose.

Primetric will monitor changes in processing personally identifiable information and implement mechanisms to ensure that any changes are made in accordance with defined requirements.

Where possible, the organization will attach data tags containing purposes to elements of personally identifiable information for defined processing purposes.

The organization will track processing purposes of personally identifiable information using automated mechanisms.

The organization will ensure that contracts in place to process PII address the organization’s role in providing any assistance to its customers related to their obligations with respect to processing, taking into account the nature of the processing and the information available to the organization. Primetric will only process PII on behalf of a customer for the purposes expressed in documented instructions by the customer.

Collection

Primetric will limit the collection of personally identifiable information to what is necessary to meet the organization’s objectives. The methods of collecting PII will be reviewed by management prior to implementation to confirm that PII is obtained fairly, without intimidation or deception, and lawfully, in adherence to all relevant rules of law.

Primetric will inform individuals if the organization develops or acquires additional information about them for its use.

Use and Disclosure

Primetric uses personally identifiable information only as is authorized and only at the minimum necessary level required by the organization to meet service level obligations, contractual obligations, or regulatory requirements.

Retention

Primetric will retain PII only as long as required or according to the organization's retention schedule as may be required by regulatory or contractual obligations.

Safeguards

Primetric must define and approve where sensitive information (including PII) will be stored. Sensitive information will be kept to a minimum as may be required for business or legal purposes and retained only as long as needed according to the data retention schedule.

Primetric must implement technical measures to protect the confidentiality and integrity of sensitive information at rest or stored in approved locations according to regulations. Sensitive information, in any electronic format in which it is stored, will be rendered unusable, unreadable, or indecipherable by using any of these techniques:

  • Enforcing mandatory full disk encryption on laptops or other mobile devices where supported
  • Encrypting virtual disks
  • Encrypting disk volumes
  • Encrypting specific files or folders

Note: If disk encryption is utilized, logical access must be managed independently of native operating system authentication and access control mechanisms, and decryption keys must not be tied to user accounts.

Primetric will utilize strong cryptographic techniques such as one-way hashes, truncation, or strong encryption with associated key-management processes and procedures. Approved encryption algorithms include those approved for use in FIPS 140-2 validated modules, such as the Advanced Encryption Standard (AES) with a minimum 128-bit key length and the Triple Data Encryption Algorithm (Triple DES). Note: NIST SP 800-131A Rev. 2 deprecates Triple DES and disallows it for encrypting new data after 2023, so AES is the expected choice for new deployments. The organization will document the rationale and approval of the CISO for any cases where encryption is not reasonable or appropriate.
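The following is an added example, not code from Primetric or this policy, showing how the three techniques named above look in practice: AES-GCM encryption of a single PII field with a key-length check against the 128-bit floor, a keyed one-way hash for pseudonymization, and truncation. Go's standard library is used so it runs with no dependencies. The record ID, e-mail address and card-number-shaped string are constructed sample data; the keys are generated at start-up only to keep the example self-contained and stand in for keys that would come from a key management service or hardware-backed store rather than any user account, as the note on disk encryption requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// The policy's floor for AES keys is 128 bits (16 bytes); this example uses AES-256.
const minAESKeyBytes = 16

// EncryptField protects one PII value at rest with AES-GCM (authenticated
// encryption). The random nonce is prepended to the ciphertext. aad (here the
// record ID) is authenticated but not encrypted, so a ciphertext copied into a
// different record refuses to decrypt there.
func EncryptField(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) < minAESKeyBytes {
		return nil, errors.New("key shorter than the policy minimum of 128 bits")
	}
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField; it fails closed on any change to the
// nonce, ciphertext or aad.
func DecryptField(key, aad, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Pseudonymize is the policy's "one-way hash": a keyed HMAC-SHA256, so records
// can still be joined on an identifier without storing it. The key is what makes
// it one-way in practice; an unkeyed hash of a low-entropy value such as an
// e-mail address is reversed by a dictionary lookup.
func Pseudonymize(hmacKey []byte, value string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// Truncate is the policy's "truncation": keep only the last keepLast characters
// (e.g. the last four digits of an account number) and discard the rest. A value
// too short to truncate safely yields nothing.
func Truncate(value string, keepLast int) string {
	r := []rune(value)
	if keepLast >= len(r) {
		return ""
	}
	return string(r[len(r)-keepLast:])
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed sample: fresh keys here stand in for keys held in a key
	// management service or hardware-backed store, never in a user account.
	key, hmacKey := mustRandom(32), mustRandom(32)
	recordID, email := []byte("customer:42"), "jane.doe@example.com"

	ct, err := EncryptField(key, recordID, []byte(email))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(key, recordID, ct)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	_, err = DecryptField(key, []byte("customer:43"), ct)
	fmt.Printf("same ciphertext under another record ID: err=%v\n", err)
	fmt.Println("pseudonym:", Pseudonymize(hmacKey, email))
	fmt.Println("truncated:", Truncate("4111111111111111", 4))
}
```

Binding the record ID as associated data is the detail most often missed: without it, a ciphertext can be moved between rows and still decrypt, which defeats the "access only to those to whom the information relates" requirement at the storage layer. The key-length check is the only part of the policy's algorithm list that can be enforced in code; the choice of AES over Triple DES is made by the cipher constructor itself.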

GDPR

GDPR governs the protection of natural persons (or individuals) with regard to the processing of their personal data as well as rules related to the free movement of personal data. GDPR protects the fundamental rights and freedoms of individuals and their rights to protect their personal data. Free movement of personal data within the European Union (EU) will not be restricted nor prohibited for reasons connected with the protection of individuals regarding the processing of their personal data.

GDPR applies to the processing of personal data wholly or partly by automated means, and to processing other than by automated means of personal data which forms (or is intended to form) part of a filing system. GDPR does not apply to processing by individuals in the course of purely personal or household activities, or by competent authorities for the purposes of preventing, investigating, detecting, or prosecuting criminal offenses or executing criminal penalties, including safeguarding against and preventing threats to public security.

GDPR applies to the processing of personal data in the context of the activities of an organization established in the EU, regardless of whether the processing takes place in the EU or not. GDPR also applies to the processing of personal data of data subjects who are in the EU by an organization not established in the EU, where the processing relates to the offering of goods or services to such data subjects in the EU (irrespective of payment) or to monitoring their behavior as far as that behavior takes place within the EU.

This policy incorporates the definitions of terms as set forth in GDPR Article 4 related to compliance with GDPR.

Personal data must be:

  • Lawfulness, Fairness, and Transparency: Processed in a lawful, fair, and transparent manner in relation to the individual
  • Purpose Limitation: Collected for a specified, explicit, and legitimate purpose and not processed further in a manner not compatible with those purposes. Note: processing for the purpose of archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible with the initial purpose
  • Data Minimization: Adequate, relevant, and limited to what is necessary in relation to the purpose of the processing
  • Accuracy: Accurate and kept up to date, with every reasonable step taken to ensure that inaccurate data, having regard to the purpose of the processing, are erased or rectified without delay
  • Storage Limitation: Kept for only as long as necessary for the purpose for which it was collected. Note: personal data may be stored longer if it is being processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of individuals
  • Integrity and Confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures
  • Accountability: The organization is responsible for, and must be able to demonstrate, compliance with the GDPR.

Lawfulness

Processing is required to be lawful, and at least one of the following must apply:

  • Individual gives consent to processing for one or more specific purposes
  • Processing is necessary to perform a contractual obligation for the individual who is a party to the contract or to take steps at the request of an individual to enter into a contract
  • Processing is necessary to comply with a legal obligation
  • Necessary to protect the vital interests of the individual or another individual
  • Necessary to carry out a task in the public interest or exercise any official authority of the organization
  • Processing for a legitimate interest except where the interest is overridden by fundamental rights/freedoms of an individual requiring protection of the personal data (such as the case for children’s personal data)

If processing doesn’t require identification of the individual, the organization is not obligated to maintain, acquire, or process additional information to identify the individual. The organization will be required to verify the identity of the individual only as required by law for purposes of the individual to exercise their individual privacy rights.

04 Consent

Individuals participate in making decisions about processing through their consent. From an organizational perspective, some of the risk of processing personally identifiable information is transferred to the individual when the individual is given consent over the processing of their information. Consent may also be required by law. When relying on consent as the basis for processing, Primetric will consider whether it is reasonable to expect the individual to understand and accept the privacy risks they are authorizing. The organization will consider all controls that effectively mitigate privacy risks, as well as any demographic or contextual factors influencing the understanding and behavior of individuals with respect to processing.

Primetric informs individuals about the choices available to them with respect to the collection, use, and disclosure of their personally identifiable information. Primetric must require implicit or explicit consent to collect, use, and disclose personally identifiable information or provide and obtain consent from an individual (or authorized representative) where processing introduces new use/disclosure as required by law.

Primetric will obtain and document implicit or explicit consent from individuals at or before the time personally identifiable information is collected (or soon thereafter). As required by law, Primetric must obtain consent prior to emailing, faxing, communicating, or otherwise disclosing personally identifiable information to external parties. The organization will confirm and implement the preferences expressed by the individual in their consent. Primetric must provide a way for an individual to modify their consent and must act upon this modification or cease processing in a timely manner. Primetric obtains consent before personally identifiable information is transferred to or from an individual's computer or other similar device.

Primetric will abide by legal requirements over consent and obtain informed and transparent consent. The organization will utilize alternative solutions to obtain consent prior to processing if the normal means of consent isn’t available. The organization must maintain records of consent.

Primetric must confirm the identity of an individual or authorized representative submitting consent to processing. Information related to identity verification will be kept to the minimum necessary and retained only as long as required. The identity verification information will be disposed of securely when no longer needed. The organization will identify potential authorization privacy risks.

Primetric will consider appropriate mechanisms to obtain consent, such as the type of consent (e.g., opt-in or opt-out), how to authenticate or identify individuals, and how to obtain consent through electronic means. The organization will consider usability factors to help individuals understand risks related to consent, including the use of plain language while avoiding technical jargon.

Primetric will implement tools or mechanisms for individuals to consent to the processing of their personally identifiable information prior to its collection, facilitating individuals’ informed decision-making. Where possible, the organization will provide mechanisms to allow individuals to tailor processing permissions to selected elements of personally identifiable information. The organization will present consent mechanisms to individuals at the time of processing. The organization will implement a mechanism for individuals to revoke consent to processing.

Primetric must provide an individual the opportunity to exercise their right to choice prior to the processing of their sensitive information (personally identifiable information (PII)). An individual may withdraw their consent by giving reasonable notice to the organization, as may be applicable by law. The organization may permit an individual to exercise their right to object to processing on reasonable grounds. Primetric may refuse to comply with a request where the law allows, but the organization will provide the individual with detailed reasons for denying the legitimacy of the objection.

Primetric may, where possible, permit an individual to object to specific aspects of processing rather than the entirety of processing. Primetric will acknowledge an individual's objection within the legal time frame or as specified in the organization's privacy policy.

Primetric will not condition services on an individual providing sensitive information (personally identifiable information (PII)) that is not relevant to the services being offered.

Primetric must confirm the identity of an individual or authorized representative submitting an objection. Information related to identity verification will be kept to the minimum necessary and retained only as long as required. The identity verification information will be disposed of securely when no longer needed.

Primetric must make other necessary entities aware of any submitted objections and require these entities to abide by applicable valid objections.

Primetric will not use PII processed under a contract for purposes of marketing or advertising without prior consent obtained from the appropriate individual. Primetric will not make the provision of consent a condition of receiving services.

GDPR – Consent

Primetric must be able to demonstrate that an individual provided consent to the processing. If the individual’s consent is given in a written declaration concerning other matters, the request for consent must be presented in a manner clearly distinguishable from the other matters. The consent must be intelligible and in an easily accessible form, using clear and plain language. The individual retains the right to withdraw consent at any time. Withdrawing consent must be as easy as giving it.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

As it relates to providing information society services directly to a child, the child must be at least sixteen (16) years old to lawfully process their personal data. Where the child is less than sixteen (16) years of age, parental authorization must be obtained to process the child’s personal data.

05 Privacy Notice (Transparency)

Primetric will process personal information in a lawful, fair, and transparent manner in relation to the individual.

Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as the choices individuals might have with respect to that processing and the other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as the elements to include in privacy notices and the required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.

Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.

Primetric must make the organization's latest privacy policy publicly available on the organization’s website.

Primetric must provide a clear and accessible privacy notice to individuals in plain language outlining the organization's practices and policies regarding sensitive information (personally identifiable information (PII)), in the form and at the time required by law, upon first interacting with the organization and subsequently upon changes in the notice. The privacy notice should be easily understood by individuals not familiar with information technologies, legal jargon, or the Internet. The organization will provide notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing, the purpose for which the personally identifiable information is to be processed, and specific information related to the organization's regulatory or contractual obligations.

Primetric must disclose to individuals the choices and means available for limiting processing of, accessing, correcting, and removing the individual's sensitive information (personally identifiable information (PII)).

Primetric will update the privacy notice to reflect any changes in the organization's privacy policies, practices, or activities before, or as soon as possible after, the change. Notice must be provided to individuals before or at the time of collection of sensitive information (personally identifiable information (PII)), as far as practicable.

Primetric must clearly describe the purpose of any close nexus between general authorization and specific collection of sensitive information (personally identifiable information (PII)) within the organization's privacy compliance documentation when statutory language is too broad. Primetric may provide real-time or layered notices when collecting sensitive information (personally identifiable information (PII)).

Primetric will present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or annually if or when the notice changes.

Primetric must provide notice to individuals regarding:

● Privacy related activities including, but not limited to, collection, use, sharing, safeguarding, maintenance, and disposal of sensitive information (personally identifiable information (PII))

● Authority to collect sensitive information (personally identifiable information (PII))

● The sensitive information (personally identifiable information (PII)) collected, purpose of collection, safeguards in place to protect sensitive information (personally identifiable information (PII))

● Individual's choice regarding how the organization uses their sensitive information (personally identifiable information (PII)) and any consequences an individual may have if exercising this choice

● Right to object to processing

● Fees associated with access as may be permitted by law

● Retention of sensitive information (personally identifiable information (PII))

● Right to access and how to access sensitive information (personally identifiable information (PII)) for the purpose of corrections, where appropriate

● Whether the organization shares sensitive information (personally identifiable information (PII)) with other entities and for what purpose it is shared

● Whether the organization sells or forwards data to be processed by data analytics organizations, and details of any risks posed by this processing

● Contact information for the organization's privacy official to communicate any feedback, complaints, questions, or other relevant topics related to the organization's privacy practices.

Primetric maintains an up-to-date list of authorized subprocessors, available upon request. Customers will be notified of any intended changes to subprocessors in accordance with their Data Processing Agreement.

Primetric does not use customer personal data for independent analytics, marketing, or profiling purposes unless explicitly authorized by the Data Controller. Customer personal data is not sold or shared with third-party data analytics or advertising networks.

Primetric will inform third parties with whom it shares PII of any modification, withdrawal or objections pertaining to the shared PII, and implement appropriate policies, procedures and/or mechanisms to do so.

Primetric will inform customers if, in its opinion, processing instructions infringe on applicable laws.

Primetric will notify customers of any legally binding requests for disclosure of PII. The organization will disclose any use of subcontractors to process PII to the customer before using the subcontractor.

GDPR – Privacy Notice

Primetric will provide information and any communications related to processing of personal data to the individual in a concise, transparent, intelligible, and easily accessible form using clear and plain language (especially in cases of children, where applicable). Primetric will provide this information in writing or electronic form. If the identity of an individual is proven by other means, the information requested by the individual may be provided orally.

Primetric will facilitate the exercise of individual rights and will not refuse to act on a request of an individual to exercise their rights, unless the organization demonstrates it is not in a position to identify the individual.

Primetric will provide information on actions taken on an individual’s request without undue delay and in any event within one (1) month of receipt of the request. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. Any delay should be communicated to the requestor within one month, explaining the reasons for the delay and the additional time required. If the individual makes a request electronically, the information will be provided by electronic means, unless otherwise requested by the individual.

If Primetric does not take action on an individual's request, the organization will inform the individual within one (1) month of receipt of the request of the reasons for not taking action and of how to lodge a complaint with a supervisory authority and seek a judicial remedy.

Primetric will provide communications and any actions taken to the individual free of charge. Where requests from an individual are manifestly unfounded or excessive (in particular because of their repetitive character), the organization may:

● Charge a reasonable fee taking into account the administrative costs of providing the information or communication, or of taking the action requested; or

● Refuse to act on the request.

○ Note: The organization bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

Primetric will request additional information as necessary to confirm the identity of an individual when the organization has reasonable doubts concerning the identity of the individual.

The information provided to individuals may be provided in combination with standardized icons in order to give, in an easily visible, intelligible, and clearly legible manner, a meaningful overview of the intended processing. Where icons are presented electronically, they should be machine-readable.

Primetric will, at the time when personal data is collected from the individual, provide the individual with the following information:

● The identity and the contact details of the organization and the organization’s representative, where applicable

● The contact details of the data protection officers, where applicable

● The purposes of the processing for which the personal data are intended as well as the legal basis for the processing

● Where the processing is based on legitimate interests, the legitimate interests pursued by the organization or by a third party

● The recipients or categories of recipients of the personal data, if any

● Where applicable, the fact the organization intends to transfer personal data to a third country (or international organization) and the existence or absence of an adequacy decision, reference to the appropriate or suitable safeguards as well as the means by which to obtain a copy of them (or where they have been made available)

In addition, Primetric will provide an individual at the time of collection the following further information necessary to ensure fair/transparent processing:

● The period of time for which the personal data will be stored or, if it is not possible to provide a period of time, the criteria used to determine that period

● The existence of the right to request from the organization: access to, rectification, erasure, or restriction of processing, or objection to processing, as well as the right to data portability

● When processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

● The right to lodge a complaint with a supervisory authority

● Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and the possible consequences of failure to provide such data

● The existence of automated decision-making (including profiling) and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual

Where Primetric intends to further process personal data for a purpose other than that for which the personal data was collected, the organization will provide the data subject prior to that further processing with information on that other purpose as well as any relevant further information as required.

Primetric does not need to provide this information again insofar as the individual already has it.

When personal data has not been obtained from the individual, Primetric will provide the individual with the following information:

● The identity and the contact details of the organization and the organization’s representative, where applicable

● The contact details of the data protection officers, where applicable

● The purposes of the processing for which the personal data are intended as well as the legal basis for the processing

● The categories of personal data concerned

● The recipients or categories of recipients of the personal data, if any

● Where applicable, the fact the organization intends to transfer personal data to a third country (or international organization) and the existence or absence of an adequacy decision, reference to the appropriate or suitable safeguards as well as the means by which to obtain a copy of them (or where they have been made available)

In addition, Primetric will provide an individual at the time of collection the following further information necessary to ensure fair/transparent processing:

● The period of time for which the personal data will be stored or, if it is not possible to provide a period of time, the criteria used to determine that period

● When the processing is based on legitimate interests, the legitimate interests pursued by the organization or by a third party

● The existence of the right to request from the organization: access to, rectification, erasure, or restriction of processing, or objection to processing, as well as the right to data portability

● When processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

● The right to lodge a complaint with a supervisory authority

● From which source the personal data originated and, if applicable, whether it came from publicly accessible sources

● The existence of automated decision-making (including profiling) and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual

Primetric will provide this information:

● Within a reasonable period of time after obtaining the personal data, but at the latest within one (1) month, having regard to the specific circumstances in which the personal data is processed

● If the personal data is to be used for communication with the individual, at the time of the first communication to that individual

● If a disclosure to another recipient is envisaged, when the personal data is first disclosed

If Primetric intends to further process the personal data for a purpose other than for which the personal data was collected, Primetric will provide the individual, prior to the processing, with the information on that other purpose as well as any relevant further information as required.

Primetric does not need to provide this information to the individual if:

● The individual already has the information

● The provision of the information proves impossible or would involve disproportionate effort, such as for archiving, scientific/historical research, or statistical purposes

● Obtaining or disclosing the data is provided for by law and appropriate measures to protect the individual’s legitimate interests are implemented

● Where personal data must remain confidential subject to an obligation of professional secrecy regulated by law

Primetric will communicate any rectification or erasure of personal data, along with any restriction of processing, to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. Primetric will inform the individual about those recipients if the individual requests it.

06 Specific Categories of Personally Identifiable Information

Specific categories of personally identifiable information may have special conditions or protections the organization may be required to comply with by law. Requirements may also come as a result of the privacy risk assessment where the organization determines a particular category of sensitive information is of elevated privacy risks. Primetric may need to consult with the Data Protection Officer or legal counsel regarding any necessary protections. Primetric will apply special conditions for specific categories of personally identifiable information as required by law.

Primetric must create and publish guidelines on the use and disclosure of sensitive information (including personally identifiable information (PII)). The organization will only use or disclose sensitive information (personally identifiable information (PII)) as authorized in the organization's Privacy Notice or by law. For any new use or disclosure, the organization must assess the use/disclosure to ensure it is authorized or determine whether it requires a new consent (or updated notice).

Primetric will provide access to and restrict disclosure of sensitive information (including personally identifiable information (PII)) to only those required to perform their duties (i.e., “need to know” and “minimum necessary” principles will be applied).

Primetric will only use/disclose sensitive information (personally identifiable information (PII)) for which consent was given. The organization will only use sensitive information (personally identifiable information (PII)) if the use is compatible with the original purpose for which it was collected.

For new uses of personally identifiable information (PII), the organization must formally evaluate to ensure the organization has authority to use the personally identifiable information (PII).

GDPR – Specific Categories of PII

Primetric is prohibited from processing the following personal data:

● Data revealing racial or ethnic origin

● Political opinions

● Religious or philosophical beliefs

● Trade union membership

● Genetic data

● Biometric data for the purpose of uniquely identifying a natural person

● Data concerning health

● Data concerning an individual’s sex life or sexual orientation

Except where:

● The individual has provided explicit consent for the processing, unless the law provides otherwise

● Processing is necessary for the purpose of carrying out obligations or exercising specific rights in the field of employment, social security, or social protection law, or under collective agreements providing appropriate safeguards for the fundamental rights/interests of individuals

● Processing is necessary to protect vital interests

● Processing is carried out in the course of legitimate activities by a foundation, association, or any other not-for-profit body and relates to the individual's membership in the body

● Processing relates to personal data manifestly made public by the individual

● Processing is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity

● Processing is necessary for reasons of substantial public interest

● Processing is necessary for the purposes of preventive/occupational medicine, assessment of the working capacity of an employee, medical diagnosis, provision of health/social care/treatment, or management of health/social care pursuant to contract with a health professional

● Processing is necessary for reasons of public interest in the area of public health, such as protecting against cross-border health threats or ensuring the quality/safety of healthcare products or medical devices

● Processing is necessary for the purpose of archiving in the public interest, scientific or historical research, or statistical purposes

Processing of personal data related to criminal convictions or offenses must only be carried out under official authority for processing authorized by law and with appropriate safeguards for the rights/freedoms of individuals.

Local jurisdictions may restrict by legislative measures the scope of the obligations and rights of individuals and organizations when such restrictions respect the essence of the fundamental rights/freedoms of individuals and are necessary and proportionate measures in a democratic society in order to safeguard:

● National security

● Defense

● Public security

● Prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

● Other important objectives of general public interest, in particular an important economic or financial interest, including monetary, budgetary and taxation matters, public health and social security

● Protection of judicial independence and judicial proceedings

● Prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions

● Monitoring, inspection, or regulatory functions connected, even occasionally, to the exercise of official authority

● Protection of the individual or the rights/freedoms of others

● Enforcement of civil law claims

The above legislative measures shall contain specific provisions at least, where relevant, as to:

● The purposes of the processing or categories of processing

● The categories of personal data

● The scope of the restrictions introduced

● The safeguards to prevent abuse or unlawful access or transfer

● The specification of the controller or categories of controllers

● The storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing

● The risks to the rights/freedoms of individuals

● The right of individuals to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction

Primetric will process personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes only with appropriate safeguards for the rights/freedoms of the individual. The organization will ensure technical and organizational measures are in place for these safeguards, including ensuring respect for the principle of data minimization. Safeguard measures may include pseudonymization, provided the purpose can be fulfilled using this method. Where purposes can be fulfilled by further processing which does not permit, or no longer permits, the identification of the individual, those purposes shall be fulfilled in that manner.

Related Documents

● Privacy Procedures

● Security and Privacy Attributes section of the Access Control Policy

● Security Awareness and Privacy Training Policy

● Control Assessments and Third-Party Agreements sections of the Assessment, Authorization and Monitoring Policy

● Incident Response Plan section of the Incident Response Policy

● Information Security Program Management Policy, including Security Safeguards (Confidentiality), Privacy Program Leadership Role, Accounting of Disclosures, Personally Identifiable Information Quality Management, and Complaint Management

● Privacy Impact Assessments section of the Risk Assessment Policy

● Security and Privacy Engineering Principles section of the System Development Life Cycle (SDLC)

● Data Handling, Retention, and Disposal and the De-Identification sections of the System Integrity Policy