PRIVACY POLICY – TRUST & TRANSPARENCY

1. What our policy covers

Your privacy and the integrity of your personal data are very important to PYCOGROUP, and so is being transparent about how we may receive, collect, use, and share information about you. This policy is intended to help you understand PYCOGROUP’s privacy practices.

This Privacy Policy covers the information we receive from you or collect about you when you use our Site or Services, or otherwise interact with us (for example, by attending our events), unless a different policy is displayed. "PYCOGROUP", "we" and "us" refer to Pyramid Consulting SA and any of our corporate affiliates. PYCOGROUP’s mission is to help its clients “build Digital teams and solutions”; in doing so we offer web and software development services as well as staffing and recruitment services, which we refer to as "Services" in this policy.

If you do not agree with this Privacy Policy, do not access or use our Site or Services or interact with any other aspect of our business.

Where we provide the Services under a contract with an organization or with you, that contract may further govern the information processed by PYCOGROUP.

2. What information we collect about you

We collect information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below.

Information you provide to us: We collect information about you when you input it into the Services or otherwise provide it directly to us.

Content you provide through our websites: The Services also include websites owned or operated by us. We collect other content that you submit to these websites, which include social media or social networking websites operated by us. For example, you may provide content to us when you apply to online job openings, spontaneously send us your résumé, use our contact form to make business or Services enquiries, provide feedback, or participate in any interactive features, surveys, contests, promotions, activities or events.

Device and Connection Information: We may collect information about your computer, phone, tablet, or other devices you use to access the Site. This device information includes your connection type and settings when you install, access, update, or use our Services. We may also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference to approximate your location in order to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services. Server and data center Service administrators can disable collection of this information via the administrator settings, or prevent this information from being shared with us by blocking transmission at the local network level.

Cookies and Other Tracking Technologies: PYCOGROUP and our third-party partners, such as Google Analytics, may use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. Use of our Site is subject to a cookie disclaimer and acceptance banner.

3. How we use information we receive and/or collect

Below are the specific purposes for which we use the information we receive or collect about you.

To communicate with you about the Services: We may use your contact information to communicate with you about our Services, to offer you a Services contract, or to enter into a partnership with PYCOGROUP relating to the Services.

To market, promote and drive engagement with the Services: We may use your contact information to send promotional communications that may be of specific interest to you, including by email and by displaying PYCOGROUP ads on other companies' websites and applications, as well as on platforms such as LinkedIn, Facebook and Google. These communications are aimed at driving engagement and may include information about new services, survey requests, newsletters, and events we think may be of interest to you. You can control whether you receive these communications as described below under "Opt out of communications."

To power our customer relationship management (CRM) database: Our CRM database may store personal data and information relating to individuals and/or companies with whom we already have a Services relationship or want to develop one. The information used for these purposes includes relevant business information, such as contact data, publicly available information (e.g. your public posts, information and publications on social media sites, where relevant for a business purpose), and your responses to targeted e-mails. If you wish to be excluded from our CRM databases, please contact us at DPO@pycogroup.com.

For safety and security: We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.

To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.

Special legal bases for collecting and processing information of EEA residents: If you are an individual residing in the European Economic Area (EEA), we may only collect and process information about you (i.e. “personal data” as defined in the General Data Protection Regulation 2016/679) where we have a legal basis for doing so and in strict compliance with applicable EU laws and regulations.

This means we may collect and use your information only where:


If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time. You also have the right to access personal information we may hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise these rights, please contact us at the following email address: DPO@pycogroup.com.

4. How does PYCOGROUP share information it receives and/or collects

We share information we receive and collect about you in the ways discussed below, including in connection with the Services, but we are not in the business of selling information about you to advertisers or other third parties.

Sharing with other Service users: When you accept to use the Services, we share certain information about you with other Service users. If another Services user needs to access information about you for us to perform the Services, they do so under the obligation to observe all policies and procedures designed to protect your information hereunder.

Links to Third-Party Sites: The Site may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third-party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

With your consent: We share information about you with third parties when you give us consent to do so.  For example, we may display personal testimonials of satisfied customers on our public websites. With your consent, we may post your name alongside the testimonial.

Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, or (d) protect PYCOGROUP, our customers or the public from harm or illegal activities.

Sharing with PYCOGROUP companies: We share information we receive or collect with affiliated companies. Affiliated companies are companies owned by PYCOGROUP. The protections of this privacy policy apply to the information we share in these circumstances.

Business Transfers: We may share or transfer information we collect under this privacy policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or a prominent notice on the Services if a transaction takes place, as well as any choices you may have regarding your information.

5. How does PYCOGROUP store and secure information it receives and/or collects

Information storage and security: We use data hosting service providers in the United States, France, Vietnam, and Singapore, to host the information we receive and/or collect, and we use technical measures to secure your data (data encryption, data segregation, physical security processes, etc.).

While we implement safeguards designed to protect your information, no security system is impenetrable, and in the event of a breach involving your information we will apply the following Data Breach Policy (Hyperlink).

In our customer relationship management (CRM) database: Our CRM database may store personal data and information relating to individuals and/or companies with whom we already have a Services relationship or want to develop one. If you wish to be deleted from our CRM databases, please contact us at DPO@pycogroup.com.

How long we keep information: How long we keep information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information.

Promotional information: If you have elected to receive informational emails from us, we retain information about your promotional preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened or answered an email from us. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

6. How can you access and control your information?

You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.

Your Choices: You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. Below, we describe the tools and processes for making these requests. If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.

Request that we stop using your information: In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we do not have the appropriate rights to do so. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place. You can also opt out of our use of your information for marketing purposes by contacting us, as provided below.

Opt out of communications: You may opt out of receiving promotional communications from us by (i) using the unsubscribe link within our emails, or (ii) replying to any of our emails to request it, where the email does not contain a direct unsubscribe link.

Data portability: Data portability is the ability to obtain some of your information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Depending on the context, this applies to some of your information, but not to all of your information. Should you request it, we will provide you with an electronic file of your basic personal information.

Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on your prior consent.

Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we have handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.

Changes: We may update this Privacy Policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Contact us: For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at DPO@pycogroup.com or by post to:

PYCOGROUP
Avenue Louise 523
1050 Brussels,
Belgium.

PERSONAL DATA BREACH NOTIFICATION POLICY

Businesses and other institutions collect and generate vast amounts of data about the individuals with whom they come into contact. Many organisations hold records relating to millions of individuals. Some of this data is highly confidential, and the theft or unauthorised disclosure of even non-confidential data can cause real damage. Security incidents involving personal data are reported in the media every day.

One response of European law to these issues is to be found in Articles 34 and 35 of the General Data Protection Regulation (GDPR), which are concerned with the question of when a personal data breach must be reported. They set out in considerable detail the circumstances in which reports should be made to:


The handling of data breaches and compliance with reporting obligations can be greatly assisted by a data breach notification policy. Although the use of such a policy is not a specific and express requirement of the GDPR, the guidance from the regulatory authorities indicates that the existence of such a policy may help an organisation in the event of a breach and regulatory investigation. Of course, a sound policy properly applied should reduce the practical risks associated with a data breach.

In this post, I explore some of the issues you will face when writing or reviewing a data breach notification policy.

GDPR jargon

Before turning to the GDPR rules, a quick note on terminology. If you're familiar with the key definitions in the GDPR, please feel free to skip this section.

The key definitions in the GDPR in the context of data breaches are as follows:


If your business processes personal data, whether as a controller or processor or both, you should consider creating a data breach policy.

Scope of policy

The first question to decide is the scope of the policy.

Is it intended to cover ancillary matters such as the prevention of data breaches and the process for ongoing improvements to systems to reduce the risk? Or is the focus purely on notifications?

If the policy will only cover notifications, consider whether prevention and improvements should be covered elsewhere in your organisation's policy documents.

What data?

The GDPR relates only to personal data. Personal data may or may not be confidential, and confidential information may or may not be personal.

Accordingly, a policy which focuses exclusively on compliance may neglect the risks arising out of the unauthorised disclosure of non-personal confidential information.

Given that the issues are so closely related, it is common to cover both personal and non-personal data breaches in a single policy document.

Reconciling goals

A data breach notification policy needs to reconcile various goals, including goals relating to compliance, risk management, practicality and flexibility.


In some cases the goals may conflict. For example, there are cases where guaranteed legal compliance under the GDPR conflicts with practicality.

Statutory reporting obligations

Conformity with the statutory reporting obligations in the GDPR and in other applicable legislation is often the starting point for drafting a policy. As noted above, the GDPR sets out specific reporting obligations for controllers to supervisory authorities, processors to controllers, and controllers to data subjects. The specific obligations include specifications of the information to be reported and the time periods for reporting.

The use of standard reporting forms as part of your policy can help ensure that all the requisite information is supplied.

Discretionary reports to data subjects

There are situations where, although there is no legal obligation to notify data subjects of a breach, it may nonetheless be a good idea. Consider including a process for determining whether to make such discretionary notifications in your policy.

Contractual reporting obligations: to controllers

While the GDPR itself does not specify a period within which personal data breaches discovered by a data processor must be reported to the relevant controller, guidance from the regulatory authorities suggests that the clock for the 72-hour period within which a controller must report to its supervisory authority can start ticking when a processor is fixed with notice of the breach.

If this is right, then it is sensible for controller-processor contracts to specify a processor-to-controller notification period of less than 72 hours. 24 hours is typical in the data processing agreements I have seen.

There are two ways in which this affects the drafting of a data breach notification policy. First, the policy should specify a period which reflects the contracts that the processor signs up to.

Second, the processor should take care to ensure that the contracts it signs up to reflect the requirements of the policy. Standard contracts will help here.

Contractual reporting obligations: under NDAs

Some non-disclosure agreements and confidentiality clauses will provide that the recipient of confidential information must notify the discloser in the event of an unauthorised disclosure of the confidential information.

Again: insofar as your data breach notification policy is designed to cover confidential information, you should ensure that the policy reflects the contracts that the business has signed up to, and that future contracts reflect the terms of the policy. Standard contracts will help with this latter point.

Using templates

Using a good template should take much of the pain out of the drafting process. A wide range of different template policies are available to purchase on the web. See for example the personal data breach notification policy on our Docular website.

Personal data breach notification policy contents

  1. Introduction: purpose of personal data breach notification policy; approach to personal data breaches.

  2. Definitions: definitions (appointed person, data breach).

  3. Detection of personal data breaches: technological measures to detect personal data breaches; organisational measures to detect personal data breaches; regular review of measures to detect personal data breaches.

  4. Responding to personal data breaches: personnel to notify appointed person upon personal data breach; role of appointed person regarding personal data breaches; cooperation with appointed person; appointed person to determine role of company where personal data breach; steps to be taken when responding to a personal data breach; company to keep record of response to personal data breach.

  5. Notification to supervisory authority: section applies where company is data controller; obligation to notify supervisory authority of personal data breach; procedure for notification of personal data breach to supervisory authority; exception to obligation to notify supervisory authority of personal data breach; additional information to be provided to supervisory authority; changes in facts relating to personal data breach to be notified to supervisory authority.

  6. Notification to data controller: section applies where company is data processor; obligation to notify data controller of personal data breach; procedure for notification of personal data breach to data controller; additional information to be provided to data controller.

  7. Notification to data subjects: section applies where company is data controller; data subject notifications in consultation with supervisory authority; obligation to notify data subjects of personal data breach; procedure for notification of personal data breach to data subjects; exception to obligation to notify data subjects of personal data breach; discretionary notification of personal data breach to data subjects.

  8. Other notifications: notification of personal data breach to other persons.

  9. Reviewing and updating this policy: persons responsible for reviewing and updating policy; annual review of policy; ad hoc review of policy; matters to be considered during review of policy.

Schedule 1 (Notification of personal data breach to supervisory authority)

  1. Introduction: identification of person giving personal data breach notification.

  2. Description of personal data breach: prompt for general description of personal data breach.

  3. Categories of data subject affected: prompt for categories of data subject affected.

  4. Number of data subjects affected: prompt for number of data subjects affected.

  5. Categories of personal data concerned: prompt for categories of personal data concerned.

  6. Number of records concerned: prompt for number of records concerned.

  7. Likely consequences of breach: prompt for likely consequences of personal data breach.

  8. Measures taken to address breach: prompt for measures taken to address breach.

  9. Has breach been notified to data subjects?: details of whether data breach notified to data subjects.

  10. Late report of breach: prompt for reasons for late report by controller of personal data breach.

  11. Contact details: contact details for personal data breach.

Schedule 2 (Notification of personal data breach to data controller)

  1. Introduction: identification of person giving personal data breach notification.

  2. Description of personal data breach: prompt for general description of personal data breach.

  3. Categories of data subject affected: prompt for categories of data subject affected.

  4. Number of data subjects affected: prompt for number of data subjects affected.

  5. Categories of personal data concerned: prompt for categories of personal data concerned.

  6. Number of records concerned: prompt for number of records concerned.

  7. Likely consequences of breach: prompt for likely consequences of personal data breach.

  8. Measures taken to address breach: prompt for measures taken to address breach.

  9. Contact details: contact details for personal data breach.

Schedule 3 (Notification of personal data breach to data subject)

  1. Introduction: identification of person giving personal data breach notification.

  2. Description of personal data breach: prompt for general description of personal data breach.

  3. Categories of personal data concerned: prompt for categories of personal data concerned.

  4. Likely consequences of breach: prompt for likely consequences of personal data breach.

  5. Measures taken to address breach: prompt for measures taken to address breach.

  6. Steps to mitigate breach: prompt for steps data subject may take to mitigate personal data breach.

  7. Contact details: contact details for personal data breach.