incorporated by reference in the Seamless Customer Agreement that Contemi has executed with our client (“Client”).
1. Contact information
Contemi processes data under the direction of Clients and has no direct control or ownership of the personal information it receives or processes. Clients are responsible for complying with any regulations or laws that require providing notice, disclosure and/or obtaining consent prior to transferring the data to Contemi/Seamless for processing purposes.
If you have any questions, complaints or suggestions regarding data protection or this policy please do not hesitate to contact us by email at firstname.lastname@example.org.
2. Collection and use of your personal data
2.1 Collection of data by automated means (logs)
When accessing Seamless, your device automatically transmits certain data for technical reasons. Your IP address is not collected in the course of protocol.
In order to be able to use Seamless you will need to provide registration information such as username, email address, password, first name, surname, and telephone number.
This data is necessary in order to provide you with a user account and to maintain the account for you, so that you can use the applicable features and functionalities of Seamless. Furthermore, we may need those and additional data to support you and communicate with you. Even after the actual conclusion of the contract, contractual or regulatory obligations may exist to keep personal data of the contractual partner.
3. Transfer of data to third parties
In general, your personal data will only be passed on without your explicit prior consent where we have a legitimate interest in preventing abuse, prosecuting criminal offences and securing, asserting and enforcing legal claims. It is possible that we will need to disclose information about you when required by law, subpoena, or other legal process or if we have a good faith belief that disclosure is reasonably necessary to (1) investigate, prevent or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (2) enforce our agreements with you; (3) investigate and defend ourselves against any thirdparty claims or allegations; (4) protect the security or integrity of our services; or (5) exercise or protect the rights and safety of Contemi, our personnel or others.
We also process data in countries outside of the European Economic Area (EEA). In these cases, we base the data transfer on approved Standard Contractual Clauses (SCC) provided by the European Commission in combination with additional technical and/or organizational measures implemented by the data importer to protect personal data.
4. Your rights as data subject
In case your personal data is processed, you are the data subject within the meaning of relevant data protection laws and you have the rights outlined hereafter.
4.1 Right of confirmation and access (Information)
Each data subject shall have the right granted by the European legislator to obtain from the Controller the confirmation as to whether or not personal data concerning him or her are being processed.
In case such processing occurs, the data subject may request access to the following information:
– the purposes of the processing of personal data;
– the categories of personal data concerned in the processing;
– the recipients or categories of recipients to whom the personal data have been or will be disclosed;
– where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
– where the personal data are not collected from the data subject, any available information as to their source;
– the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
4.2 Right to rectification of inaccurate data
You have the right that Contemi has to immediately correct or complete any personal data concerning you if it is inaccurate or incomplete. We as the controller would have to execute your request without undue delay.
4.3 Right to restriction of processing
You have the right that Contemi has to restrict processing of your personal data subject to the following prerequisites:
– The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data.
– The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
– The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
– The data subject has objected to processing pursuant to Art. 21 (1) of the GDPR pending the verification whether the legitimate interests of the Controller override those of the data subject.
In case the processing of your personal data was subject to restriction, and notwithstanding their storage, such data shall only be processed with your consent or for the establishment, exercise, or defense of claims or for the procurement of the protection of rights of a natural or legal person or for purposes of an important public interest of the European Union or a member state.
In case the restriction of processing has been executed in accordance with the above, you shall be informed by the Controller prior to the cancellation of such restriction.
4.4 Right to erasure (“Right to be forgotten”)
a) Right to erasure
Each data subject shall have the right to request from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller shall have the obligation to erase personal data without undue delay where one of the following reasons applies, as long as the processing is not necessary:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent to which the processing is based according to Art. 6 (1) lit. a GDPR, or Art. 9 (2) lit. a GDPR, and where there is no other legal reason for the processing;
– the data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or – – the data subject objects to the processing pursuant to Art. 21 (2) GDPR;
– the personal data has been unlawfully processed;
– the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject to;
– the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.
b) Information to third parties
Where the Controller has made personal data public and is obliged to erase the personal data, the Controller, taking into account available technology and the cost of
implementation, shall take reasonable steps, including technical measures, to inform other Controllers processing the personal data that the data subject has requested erasure of any links to, or copy or replication of, those personal data, from these controllers.
The right to erasure does not apply where the processing is necessary:
• for the exercise of the right of freedom of speech and information;
• for the fulfilment of a mandatory legal obligation that is mandatory, according to European or the respective member state’s law the Controller is subject to, or is
necessary for the performance of a task carried out in the public interest or in execution of official authority given to the Controller;
• for reasons of public interest in regard to public safety and health pursuant to Art. 9 Abs. 2 lit. h and i as well as Art. 9 (3) GDPR;
• for archives in the public interest, scientific, historical or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the granted right mentioned in a) above
would likely make the achievement of such purposes impossible or seriously endangered; • or for establishing, exercising or defending legal claims.
4.5 Right of information
In case you have claimed the right of rectification, erasure or restriction of the processing towards the Controller, the Controller is obliged to inform all recipients of personal data belonging to you such rectification, erasure or restriction accordingly, unless such information seems to be impossible or only possible by needing inappropriate efforts.
You are entitled to claim to be informed by the Controller about such recipients.
4.6 Right to data portability
You shall have the right to receive the personal data concerning you, which was provided to us as the Controller, in a structured, commonly used and machine-readable format. You shall also have the right to transmit this data to another Controller without hindrance from the Controller to which the personal data has been provided, as long as the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or of Art. 9 (2) lit. a GDPR, or on a contract pursuant to Art. 6 (1) lit. b GDPR, and the processing is carried out by automated means.
Furthermore, in exercising your right to data portability, the data subject shall have the right to have personal data transmitted directly from one Controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
The right to data portability only applies as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
4.7 Right to object
Each data subject shall have the right to object, based on his or her particular situation, at any time, to processing of personal data concerning him or her, which is based of Art. 6 (1) lit. e, or f GDPR. This also applies to profiling based on these provisions.
Contemi shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
If Contemi processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing.
If the data subject objects to Contemi to the processing for direct marketing purposes, Contemi will no longer process the personal data for these purposes.
In order to exercise the right to object, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
4.8 Right to withdraw data protection consent
You as data subject shall have the right to withdraw your consent to processing of your personal data at any time. Irrespective of such withdrawal of the consent, the legitimation of the processing of personal data until the withdrawal shall remain unaffected.
4.9 Automated individual decision-making, including profiling
Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision
– is not is necessary for entering into, or the performance of, a contract between the data subject and a Controller, or
– is not authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
– is not based on the data subject’s explicit consent.
In view of the cases 1 to 3 above, the Controller shall procure suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. This means that the Controller is at least required to procure the right to obtain human intervention on the part of the Controller, to express his or her point of view and contest the decision.
4.10 Right to file complaints with the regulatory authority
Notwithstanding any other administrative and judicial procedures, you shall have the right to file a complaint with a competent regulatory authority, in particular in the member state where you are situated, you have your place of work or where the alleged breach has occurred; if you believe that the processing of your personal data is a breach of the regulations set forth in the GDPR.
The regulatory authority, that has been approached by you, shall inform you about the status of the results of an investigation on an ongoing basis as well as about the possibility of a judicial procedure.
5 Personal Data Protection Act (PDPA):
Singapore Personal Data Protection Act 2012 (PDPA) establishes a general data protection regime, comprising data protection obligations and Contemi ensures its respect:
• Consent obligation: Contemi only uses the personal Data of Data Subject who consented to share it (Article 13 PDPA)
• Purpose Limitation Obligation: Contemi collects, uses or discloses personal data about a Data Subject only for purposes that a reasonable person would consider appropriate in the circumstances. (Article 18 PDPA)
• Access and Correction Obligation: The Data Subject may request to Contemi the access and the correction of its personal Data (Article 21 PDPA)
• Protection Obligation : Contemi has implemented security measures to protect the personal data of its customers (article 24 PDPA)
• Retention Limitation Obligation : The data subject can request Contemi to delete personal data related to him as soon as possible when these are no longer necessary for the purposes for which they were indexed, (Article 25 PDPA)
• Transfer Limitation obligation : Contemi undertakes, if there is a transfer of data from a subject living in Singapore, that this will be done while respecting the protection measure imposed by the PDPA (Article 26 PDPA)
7. Legal basis for the processing
We obtain consent for a specific processing purpose.
8. Period for which personal data will be stored
The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfilment of the contract for services or the initiation of a contract