1.1 In order to service our clients ACE HOLDINGS
LIMITED we needs to collect personal data
from our clients and/or potential clients, contact persons at suppliers and/or other
business partners. The ACE HOLDINGS LIMITED also processes personal data about employees for
the purpose of personnel administration.
In light of the above, ACE HOLDINGS LIMITED wants to ensure a high level of data protection
as privacy is a cornerstone in gaining and maintaining the trust of our clients and/or
potential clients, contact persons at suppliers and/or other business partners and thus,
ensuring ACE HOLDINGS LIMITED ’s future business. The same applies to the processing of
personal data about the employees.
Protection of personal data requires among other things that appropriate technical and organisational measures are implemented to demonstrate a high level of data protection. the ACE HOLDINGS LIMITED has adopted a number of internal and external data protection policies, which must be followed by employees of the ACE HOLDINGS LIMITED.
Additionally, the ACE HOLDINGS LIMITED will monitor, audit and document internal compliance with the data protection policies and applicable statutory data protection requirements, including the General Data Protection Regulation (“GDPR”).
The ACE HOLDINGS LIMITED will also take the necessary steps in order to enhance data protection compliance within the organisation. These steps include the assignment of responsibilities, raising awareness and training within data protection of staff involved in processing operations. Please note that this data protection guideline will be reviewed from time to time to take into account any new obligations. Retention of personal data will be governed by our most recent retention policy.
This data protection guideline, along with guidelines for processing of personal data, constitute the overall framework for processing of personal data within the ACE HOLDINGS LIMITED.
1.2 “Personal data” is any information which may be related to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, phone number, age, gender, etc. Such personal data can for instance concern an employee, a job applicant, client/potential client, supplier and other business partners.
1.3 Personal data can be categorized as ordinary
non-sensitive personal data or special categories of personal data (sensitive personal
data). Special categories of personal data are exhaustively outlined in the GDPR and include
personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, and the processing of genetic data,
bio-metric data for the purpose of uniquely identifying a natural person, data concerning
health or data concerning a natural person's sex life or sexual orientation. Ordinary
non-sensitive personal data include all information that is not categorized as special
categories of personal data (sensitive personal data). Such information can be name,
address, telephone number, employee id, information about education, etc. Certain ordinary
non-sensitive personal data may be considered confidential. This may, for instance, include
information on income and wealth, and information on internal family relationships/matters.
Confidential, ordinary non-sensitive data are normally subject to further security measures.
The category of personal data will have an impact on which legal basis the processing of such personal data can be based on. Special rules apply to the processing of data about criminal offences and CPR-numbers. The various legal bases are described below in clause 2.
1.4 Although information regarding companies/businesses is not as such personal data, please note that information relating to contact persons within such companies/businesses, e.g. name, title, work email, work phone number, etc. is considered personal data. However, personal data relating to a personally owned and run business are considered as personal data even if the personal data concern the business. Such personal data are considered as relating to an identified or identifiable natural person.
1.5 ACE HOLDINGS LIMITED collects and uses personal data for a variety of legitimate business purposes, including establishment and management of customer and supplier relationships, completion of purchase agreements, recruitment and management of all aspects of terms and conditions of employment, communication, fulfillment of legal obligations or requirements, performance of contracts, providing services to clients, etc. When carrying out such processing activities, the first step is to ensure that the general principles relating to the processing of personal data are complied with.
1.6 Pursuant to the general principles personal data shall always be:
1.7 The ACE HOLDINGS LIMITED shall be responsible for and be able to demonstrate compliance with the above (principle of accountability). This principle is one of the reasons that we have prepared this data protection guideline and why it is important that you read it thoroughly.
2. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
2.1 Besides complying with the general principles
relating to the processing of personal data, the processing of the personal data must also
be based on a legal basis. The legal basis will depend on, which category of personal data
is being processed.
The most predominant legal bases for processing ordinary non-sensitive personal data, such as, name, address, email, telephone number, credit card information, etc., within ACE HOLDINGS LIMITED are:
In certain cases, if none of the above legal bases can be applied, the ACE HOLDINGS LIMITED
will obtain the data subjects' consent to the processing.
The most predominant legal bases for processing special categories of personal data (if any) within the ACE HOLDINGS LIMITED are:
Below, follows a more detailed description of the legal bases.
2.2 Performance of a contract
2.2.1 It will be legitimate to collect and process personal data relevant to the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This applies to all contractual obligations and agreements signed with the ACE HOLDINGS LIMITED, including the pre-contractual phase irrespective of the success of the contract negotiation.
2.3 Compliance with a legal obligation
2.3.1 The ACE HOLDINGS LIMITED must comply with
various legal obligations and requirements, which are based on Union or Member State law.
Such legal obligations, to which the ACE HOLDINGS LIMITED is subject, may be sufficient as a
legitimate basis for the processing of personal data.
2.3.2 Such legal obligations include obligations to collect, register and/or make available certain types of information relating to employees, clients, etc. Such legal requirements will then form the legal basis for us to process the personal data, however, it is important to note whether the provisions allowing or requiring the ACE HOLDINGS LIMITED to process certain personal data also set out requirements in relation to storage, disclosure and deletion.
2.4 Legitimate interests
2.4.1 Personal data will only be processed where it is necessary for the purposes of the legitimate interests pursued by the ACE HOLDINGS LIMITED , and these interests or fundamental rights are not overridden by the interests of the data subject. the ACE HOLDINGS LIMITED will, when deciding to process personal data, ensure that the legitimate interests do not override the rights and freedoms of the individual and that the processing will not cause unwarranted harm. An example of a legitimate interest of the ACE HOLDINGS LIMITED is to process personal data on potential clients in order to expand the business and develop new business relations. The data subject must be given information on the specific legitimate interests pursued by the ACE HOLDINGS LIMITED if a processing is based on this legal basis, cf. clause 4.1 below.
2.5.1 If the collection, registration and further processing of personal data on clients, suppliers, other business relations and employees are based on such a person’s consent to the processing of personal data for one or more specific purposes, the ACE HOLDINGS LIMITED shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2.5.2 A consent shall be freely given, specific,
informed and unambiguous indication of the data subject's wishes.
The data subject must actively consent to the processing of personal data by a statement or by a clear affirmative action.
2.5.3 A request for consent shall be presented in a manner, which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
2.5.4 To process special categories of personal data (sensitive personal data) the consent shall also be explicit.
2.5.5 The data subject is entitled to withdraw his/her consent at any time and upon such withdrawal, we will stop collecting and/or processing personal data about that person unless we are obligated or entitled to do so based on another legal basis.
2.6 Obligations and exercising specific rights of the ACE HOLDINGS LIMITED or the data subject
2.6.1 This legal basis will in most cases only be relevant if the ACE HOLDINGS LIMITED processes health data about the employees to comply with the rules pursuant to employment law or collective agreements, e.g. reimbursement of sickness benefits, etc.
2.7 Legal claims
2.7.1 This legal basis will be relevant if it is necessary for the ACE HOLDINGS LIMITED to process personal data in order to establish, exercise or defend a legal claim towards a third party, for instance a client or an employee.
3. PROCESSING AND TRANSFER OF PERSONAL DATA
3.1 The ACE HOLDINGS LIMITED as Data Controller
3.1.1 The ACE HOLDINGS LIMITED is in most cases processing personal data as a data controller, as the ACE HOLDINGS LIMITED determines the purposes and means of the processing of personal data, e.g. when the processing relates to the ACE HOLDINGS LIMITED's clients, other business partners and employees.
3.2 Use of data processors
3.2.1 An external data processor is a company, which processes personal data on behalf of the ACE HOLDINGS LIMITED and in accordance with the ACE HOLDINGS LIMITED’s documented instructions, including for the ACE HOLDINGS LIMITED's purposes and by means set-out by the ACE HOLDINGS LIMITED, e.g. in relation to providers of HR systems, third party IT providers, etc. When the ACE HOLDINGS LIMITED outsources the processing of personal data to data processors, the ACE HOLDINGS LIMITED ensures that said company as a minimum implements the same degree of security measures for the protection of personal data protection as the ACE HOLDINGS LIMITED. If this cannot be guaranteed, the ACE HOLDINGS LIMITED will choose another data processor. The processing by a data processor is governed by a data processing agreement.
3.3 Data processing agreements
3.3.1 Prior to transfer of personal data to the data processor, the ACE HOLDINGS LIMITED shall assess whether the data processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects. After the assessment is carried out and it is determined that the data processor meets such requirements, the ACE HOLDINGS LIMITED shall enter into a written data processing agreement with the data processor. The data processing agreement ensures that the ACE HOLDINGS LIMITED controls the processing of personal data, which takes place outside the ACE HOLDINGS LIMITED for which the ACE HOLDINGS LIMITED is the data controller and thereby responsible.
3.3.2 If the data processor/sub-data processor is located outside the EU/EEA, the conditions of clause 3.4.2 below will apply
3.4 Disclosure of personal data to other independent data controllers
3.4.1 Before disclosing personal data to others, i.e. other independent data controllers, it is the responsibility of the ACE HOLDINGS LIMITED to ensure that the general principles relating to the processing of personal data are complied with. Further, it is the ACE HOLDINGS LIMITED's responsibility to ensure that the disclosure of the personal data is based on a legal basis.
3.4.2 If the third-party recipient is located outside the EU/EEA in a third country that does not ensure an adequate level of personal data protection, the transfer can only be completed if the ACE HOLDINGS LIMITED is providing appropriate safeguards. This will be done by entering into a transfer agreement between the ACE HOLDINGS LIMITED and the third party. The transfer agreement shall be based on the EU Standard Contractual Clauses.
4. RIGHTS OF THE DATA SUBJECT
Subject to various terms and conditions and exceptions, the data subjects have the following rights:
4.1 Duty of information when the personal data are obtained from the data subject
4.1.1 When the ACE HOLDINGS LIMITED processes, including collects and registers personal data about data subjects, the ACE HOLDINGS LIMITED is obligated to inform such persons about the following:
4.1.2 The ACE HOLDINGS LIMITED has prepared a privacy notice that contains a more detailed description of the above-mentioned information obligation.
4.1.3 If the personal data are not obtained from the data subject, he/she must also be informed about the source from which the personal data originate, an if applicable, whether it came from publicly accessible sources.
4.2 Right to access
4.2.1 Any person whose personal data the ACE HOLDINGS LIMITED is processing, including but not limited to, the ACE HOLDINGS LIMITED employees, job applicants, external suppliers, clients, potential clients, contact persons employed at business partners, etc. has the right to obtain from the ACE HOLDINGS LIMITED confirmation as to whether or not personal data concerning him/her are being processed, and if that is the case, request access to the personal data which the ACE HOLDINGS LIMITED processes about him/her in addition with the information outlined in clause 4.1.1 above.
4.3 Right to rectification
4.3.1 The data subject shall have the right to obtain from the ACE HOLDINGS LIMITED without undue delay the rectification of inaccurate personal data concerning him or her.
4.4 Right to erasure (right to be forgotten)
4.4.1 The data subject shall have the right to obtain from the ACE HOLDINGS LIMITED the erasure of personal data concerning him or her and the ACE HOLDINGS LIMITED shall have the obligation to erase personal data without undue delay, unless it is required by law to retain any information for a prescribed period of time, for example, by financial regulators or tax authorities.
4.5 Right to restriction of processing
4.5.1 The data subject shall have the right to obtain from the ACE HOLDINGS LIMITED restriction of processing, if applicable.
4.6 Right to data portability
4.6.1 The data subject shall have the right to receive the personal data registered in a structured and commonly used and machine-readable format.
4.7 Right to objection
4.7.1 The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on a balancing of interests, including profiling.
4.8 Any requests received from a data subject to exercise the rights in this clause will be answered as soon as reasonably possible, and no later than 30 days from receipt. Requests shall be forwarded without delay to the ACE HOLDINGS LIMITED’s Service Center. The Service Center will be supported by the the ACE HOLDINGS LIMITED’s Data Protection Officer to process the request to meet the reply deadline.
5. DATA PROTECTION BY DESIGN AND DATA PROTECTION BY DEFAULT
5.1 New products, services, technical solutions, etc. must be designed so they meet the principles of data protection by design and data protection by default settings why Saxo Bank has implemented the following guiding principles within its organisation:
1. Privacy as the Default Setting
Ensure that personal data are automatically protected in any given IT system or business practice.
2. Privacy Embedded into Design
Covering business process-, software design and development. Privacy is an essential component of the core functionality and our services, held up without diminishing the functionality.
3. End-to-End Security — Full Life-cycle Protection
Ensure that personal data are automatically protected in any given IT system or business practice, using appropriate encryption and authentication until the data is deleted.
4. Respect for clients Privacy — Keep it Client-Centric
The users own their data. The consumer has the right to make corrections, including the
right to be forgotten.
that inform and support how the ACE HOLDINGS LIMITED fulfils its responsibility to ensure clients’ privacy rights.
5.1.1 Data protection by design means that when designing new products or services, key considerations to data protection must be shown.
5.1.2 Data protection by default requires that relevant data minimisation techniques are implemented.
6. RECORDS OF PROCESSING ACTIVITIES
6.1 The ACE HOLDINGS LIMITED shall as data controller maintain records of processing activities under the ACE HOLDINGS LIMITED’s responsibility. The records shall contain the following information:
6.1.1 The ACE HOLDINGS LIMITED shall make the records of processing activities available to relevant data protection authorities upon request. the ACE HOLDINGS LIMITED has prepared several of such records.
7. DELETION OF PERSONAL DATA
7.1 Personal data shall be deleted when the ACE HOLDINGS LIMITED no longer has a legitimate purpose for the continuous storage or other processing of the personal data, or when it is no longer required to store the personal data in accordance with applicable legal requirements.
7.2 Detailed retention periods with respect to various categories of personal data are specified in the ACE HOLDINGS LIMITED’s Data Retention and Information Sharing policy.
8. SECURITY OF PROCCESSING (RISK ASSESSMENTS)
8.1 The ACE HOLDINGS LIMITED shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
8.2 In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. the ACE HOLDINGS LIMITED has prepared written risk assessments with regards to the processing activities.
9. DATA PROTECTION IMPACT ASSESSMENT
9.1 If the ACE HOLDINGS LIMITED processes personal data that is likely to result in a high risk for the persons whose personal data is being processed, a Data Protection Impact Assessment (“DPIA”) shall be carried out.
9.1.1 A DPIA implies that the ACE HOLDINGS LIMITED will, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection requirements.
9.2 The technical and organisational measures shall be reviewed and updated where necessary and no later than every 6 months.
9.2.1 Adherence to approved codes of conduct or approved certification mechanisms may be used as an element by which to demonstrate compliance with the appropriate technical and organisational measures according to this clause.
10.1 Pursuant to the GDPR, profiling is defined as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements".Pursuant to the GDPR, profiling is defined as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements".
10.2 “Profiling” in the context of this data protection guideline is the use of an automated process to analyse personal data in order to assess or predict aspects of a person’s behaviour. the ACE HOLDINGS LIMITED may use profiling in the following circumstances:
11. NATIONAL REQUIREMENTS
11.1 The ACE HOLDINGS LIMITED shall comply with GDPR for its internal process and procedures.
11.2 If national legislation requires a higher level of protection for personal data than the GDPR, such stricter requirements are to be complied with. If the ACE HOLDINGS LIMITED’s policies/guidelines are stricter than the local legislation, our policies/guidelines must be complied with if applicable to the services provided or processing being done.
12.1 If you have any questions regarding the content of this data protection guideline or wish to submit a complaint regarding the ACE HOLDINGS LIMITED's processing activities, please contact the ACE HOLDINGS LIMITED at email@example.com.