(last updated 27 February 2020)
This document establishes guidelines and processes for the way in which PMIQ will manage data privacy and data protection of personal information.
This document covers the way in which PMIQ will collect, store and process personal information.
The PMIQ CEO is ultimately responsible for ensuring all aspects of data privacy and data protection are always adhered to. The administration of this policy can be delegated to another PMIQ employee with a clear responsibility and remit for data privacy and protection, but this does not negate the overall responsibility of the PMIQ CEO to ensure that this process is always adhered to.
4. Reference Documents
5. Abbreviations, Acronyms and Definitions
|CRM||Customer Relationship Management|
|GDPR||General Data Protection Regulation|
|Personal data||Any information relating to an identified or identifiable natural person, including information such as name, phone number, email, and postal address.|
|Data subject||The “data subject” is an individual to whom personal data relates. For PMIQ, our main category of data subjects is our course delegates. Trainers, invigilators, agents, and third-party contractors are also data subjects under GDPR.|
|Data processing||Data processing includes, but is not limited to, collection, recording, use, storage and transmission of data.|
|Data controller||A “data controller” is a person or company who decides what type of data should be collected, what purposes they are collected for and how this data will be processed. In our case, PMIQ is a Data Controller.|
|Data processor||A “data processor” is a person or company who processes personal data on behalf of a Data Controller, following the instructions of the Data Controller. For PMIQ, Zoho CRM is a Data Processor, and examination institutes (e.g. PeopleCert) are also Data Processors.|
6. General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) requires that we obtain explicit permission from data subjects to store their personal information and to send certain information to those individuals. Examples of information that we may send to individuals include:
- Articles, insights and upcoming events
- Special offers on our existing products
- New products that we offer as we bring those to market.
The following sections provide definitions for “personal data”, “data subject”, “data processing”, “data controller” and “data processor”.
6.1.1 The definition of personal data
Under General Data Protection Regulation (GDPR), “personal data” means any information relating to an identified or identifiable natural person. Among others, the following information is considered personal data:
- Name, address and unique identifying numbers (e.g. passport number)
- Demographics such as age, gender, income or sexual preference
- Behavioural data such as web searches, purchase history and more
Aggregated and anonymized data is often outside the scope of the GDPR. However, if data, even if anonymized, can somehow be tied back to an individual, then this information may be personal data.
6.1.2 The definition of data subject
A “data subject” is an individual to whom personal data relates. For PMIQ, our main category of data subjects is our course delegates. Trainers, invigilators, agents, and third-party contractors are also data subjects under GDPR.
6.1.3 The definition of data processing
Data processing includes, but is not limited to, collection, recording, use, storage and transmission of data.
6.1.4 The definition of a data controller and a data processor
- A “data controller” is a person or company who decides what type of data should be collected, what purposes they are collected for and how this data will be processed. In our case, PMIQ is a Data Controller.
- A “data processor” is a person or company who processes personal data on behalf of a Data Controller, following the instructions of the Data Controller. For PMIQ, Zoho CRM is a Data Processor, and examination institutes (e.g. PeopleCert) are also Data Processors.
The GDPR introduces important new responsibilities for both Data Controllers and Data Processors. The two parties will often have to work together (sometimes on strict deadlines) to accommodate the requests of data subjects and/or supervisory authorities.
6.2 The rights of data subjects
Data subjects decide how and when their data will be used, and the GDPR gives them an enhanced set of fundamental rights. These include:
- The right to access and modify their personal data.
- The right to deletion of personal data when it’s no longer necessary for their original purpose, including a ‘right to be forgotten’ for data that is outdated.
- The right to lodge a complaint.
- The right of portability to another service provider, which means that controllers may need to provide some or all personal data they have on a subject when requested, in a portable format.
Data subjects can exercise their rights at any time by contacting PMIQ using the contact details clearly displayed on our website.
6.3 Consent to collect and process personal data
PMIQ will ask for consent via a consent form when we start collecting and processing personal data. This consent will be clearly documented and tracked in our CRM system.
PMIQ takes its responsibilities with respect to GDPR very seriously and has taken (and continues to take) positive and proactive steps to ensure that we remain compliant. We have robust and secure systems and processes in place to ensure that this remains the case.
6.5 PMIQ’s responsibilities as a data controller
Personal data must be collected for specified, explicit and legitimate purposes, and not processed in a manner that is incompatible with those purposes. As data controller, we are responsible for the data we hold. This means that we need to take steps to protect it and be able to demonstrate such steps to data protection authorities as required.
6.5.1 Identifying the personal data we hold and where it resides
PMIQ will notify all leads and contacts via a consent form of the types of personal data we may hold to allow us to run our business and serve our customers. This may include:
- email address
- phone number
- postal/invoice address
This data will be securely stored and managed in our Zoho CRM database. We will ensure that the personal data stored is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
6.5.2 Informing data subjects
Data subjects will be informed of how PMIQ processes and stores their data. This will be done in writing, using clear, simple language that is easily accessible. This will be achieved by sending each data subject a consent form covering the following:
- Purpose of processing: We use the personal information of data subjects primarily to provide them with products and services, to better understand our customers’ needs and improve the products and services we offer, and for the day-to-day running of our business. We keep the personal information of data subjects confidential and will only share such information outside of PMIQ for the purposes of delivering our contractual obligations. This may include sharing with third parties such as examination institutes so that we can book examinations on your behalf.
- Categories of personal data concerned: The primary categories of personal information processed include data subject name, phone number, email address and postal address.
- Recipients of personal data: PMIQ (as data controller), Zoho CRM (as data processor) and PMIQ (as sub-data processor for examination institutes for the purposes of examination administration).
- Period of processing: PMIQ will not keep personal information for longer than necessary, which is usually up to a maximum of six years after your relationship with PMIQ ends, unless we are required to keep it longer (for example for contractual or legal reasons).
- Information about the data controller and data processor: The “data controller” (the person or company who is collecting the consent from you) is PMIQ Limited. The “data processor” (where your data is processed) is Zoho CRM which is a third-party application used by PMIQ as part of our end-to-end business systems and processes.
6.5.3 Managing how personal data is used and accessed
Personal data will be kept up-to-date and data subjects can ask PMIQ to correct or update the information that we hold on them at any time by informing us using the contact details on our website. Data subjects can also request a copy of the data that we hold. PMIQ will not store personal data for any longer than is necessary, taking account of the purpose for which the personal data are processed. All associated records and documentation will be stored in our CRM database.
6.5.4 Security controls
PMIQ will ensure that appropriate security controls are put in place and subsequently maintained to prevent, detect and respond to unlawful processing, accidental loss, destruction or damage, data breaches and vulnerabilities. Measures of protection deployed may include the encryption of the data collected, the use of passwords for accessing our systems, the use of GDPR certified platforms and services, and any necessary training of our employees on data handling best practices. PMIQ will report breaches of data security to the relevant authorities, where possible within 72 hours. The data processor we have selected as part of our management system (Zoho CRM) has stringent security and data protection controls in place to ensure that personal information always remains suitably protected.
6.6 PMIQ’s responsibilities as a data processor for examination institutes
6.6.1 Authorized use
As a data processor/sub-data processor for examination institutes, PMIQ is not permitted to process personal data other than for the following purposes (or as otherwise authorized by the examination institute):
- Exam administration: registration of candidates, administration of exams and communication of results.
- Certification: handing out of certificates to successful candidates.
- Auditing: participation in audits performed by PeopleCert, a test owner or any other authority legally authorized to do so.
- Legal compliance: processing required by law, judicial decision or government request.
6.6.2 Procedures & obligations
- PMIQ is strictly prohibited from using personal data obtained from examination institutes for marketing purposes, unless specific consent to this effect is given by the data subject.
- PMIQ shall not transfer personal data to third-party processor(s) whether established in the European Economic Area (EEA) or in third countries, unless such transfer is expressly approved by the candidate and by the examination institute.
- PMIQ shall apply appropriate technical and organizational security measures to safeguard personal data from unauthorized use, access, disclosure, alteration or destruction, and such security measures shall be at least as comprehensive as those applied to PMIQ’s own data. Security measures may include the encryption of data, the use of passwords when accessing PMIQ’s database, the use of GDPR certified platforms and services, and the tutoring of employees who have access to and process personal data.
- PMIQ must notify the examination institute immediately (within 24 hours) if a breach of the security of personal data occurs.
- PMIQ shall notify the examination institute as soon as possible (and always within 48 hours) if:
(a) PMIQ receives a request from a candidate (or other individual) for the exercise of their rights under GDPR, and shall respond to such request as directed by the examination institute,
(b) PMIQ receives a request to provide access to personal data to a government authority or other third party (and, to the extent permitted by law, PMIQ shall respond to such request as directed by the examination institute), or
(c) PMIQ is (permanently or temporarily) incapable of complying with any of the obligations set out by the examination institute with respect to GDPR compliance. In this case the examination institute will, at its sole discretion, decide either to suspend the services or terminate its agreement with PMIQ.
- Upon termination or expiry of the agreement between PMIQ and the examination institute, PMIQ shall immediately return all personal data and the copies thereof to the examination institute, or shall, at the examination institute’s request, promptly destroy all personal data and shall certify to the examination institute that it has been completed.
You should also be aware that when you visit our website, we may collect certain information that does not identify you personally, but provides us with “usage data,” such as the number of visitors we receive or what pages are visited most often. This data helps us to analyze and improve the usefulness of the information we provide via the website.
Like most commercial website owners, we may use what is known as “cookie” technology. A “cookie” is an element of data that a website can send to your browser when you link to that website. It is not a computer program and has no ability to read data residing on your computer or instruct it to perform any step or function. By assigning a unique data element to each visitor, the website is able to recognize repeat users, track usage patterns and better serve you when you return to that site. The cookie does not extract other personal information about you, such as your name or address. When you visit our website, you will have the option to accept or decline cookies, ensuring that you always stay in control of this activity.
We use a combination of both session and persistent cookies. Session cookies keep track of your current visit and how you navigate the site; persistent cookies enable our website to recognise you as a repeat visitor when you return. The session cookies will be deleted from your computer when you close your browser. Persistent cookies will be removed on a pre-determined expiry date, or when deleted by you.
Most web browsers allow user privacy settings to block either all cookies, or third-party cookies. Blocking cookies will, however, have a negative impact upon the usability of many websites, including this one. Please visit www.aboutcookies.org for comprehensive information on how to change your cookie settings in a wide variety of different web browsers.
8. Linking to other sites
From time to time, the PMIQ website may provide links to other websites, not owned or controlled by PMIQ, that we think might be useful or of interest to you. We cannot, however, be responsible for the privacy practices used by other website owners or the content or accuracy of those other websites. Links to various non-PMIQ websites do not constitute or imply endorsement by PMIQ of these websites, any products or services described on these sites, or of any other material contained in them.
9. Changes to this policy
10. Contacting us