1.5 As used herein, the following terms shall have the meanings presented below:
- “Data subject” is any person whose personal information is being collected, held or processed.
- “Personal Information” or personal data of a data subject as defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) is ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
- “Cloud Services” means computing resources provided by way of the Internet and may include the provision of storage, software, platform, computing services or other resources.
- “Website” means www.cms-ss.com.
1.6 CMS is not required to appoint a specific Data Protection Officer since it doesn’t meet the criteria presented in the GDPR.
However, CMS is aware and is regularly informed regarding the GDPR requirements and processes including its responsibilities and data subjects’ rights, and has in place procedures to ensure that CMS is compliant with the related requirements.
CMS Systems Solutions Ltd
22 Athinon Street,
Strovolos, Nicosia 2040
Telephone: +357 22817503
Fax: +357 22817516
3.1 CMS collects Personal Information directly from its clients and its personnel.
3.3 A client can withdraw its consent at any time by communicating this to firstname.lastname@example.org.
CMS collects Personal Information through a variety of means as presented below:
4.1 Through a contract
4.2 Through serving legitimate interests
During the provision of the support services to its clients, CMS collects Personal Information through the following means to be able to provide the support that each client needs in a case-by-case situation:
Clients can choose not to provide Personal Information to CMS, but it may mean that CMS will be unable to provide them with support services to the extent that they may need it in a case-by-case situation.
4.3 Through obtaining consent from a data subject
In the event that the consent is provided in such a way, then the consent can be withdrawn by the data subject at any time.
4.4 Through employment process
5.1 Through contracts
5.2 Through the purposes of serving legitimate interests
5.3 Through obtaining consent from a data subject
5.4 Through employment contract and other employment related documents
CMS processes, collects, uses and discloses information including Personal Information for a variety of purposes as presented below:
6.1 For the performance of a contract
6.2 For the purposes of serving legitimate interests
6.3 For the reasons that each data subject has provided its consent for
6.4 For personnel and prospect employees related matters
6.5 To comply with CMS’s legal obligations, resolve disputes, and enforce agreements
CMS will retain and use Personal Information as obtained from its clients and its personnel, as necessary to comply with the above.
During this process, the data subject should register to the Cloud Services and could provide CMS with documents that it needs CMS’s assistance with.
During this process, CMS obtains the client’s e-mail address.
CMS should not be considered liable in the case where a client provides CMS with documents through any other means including e-mail. Since the Internet is not in itself a secure environment, it is CMS’s opinion that the Cloud Services offered by CaseWare Cloud Ltd provide a more secure environment than other means including e-mail communications.
8.1 Client Personal Information
CMS shall keep the Personal Information regarding each data subject for as long as the data subject has a business relationship or represents a legal entity that has business relationship with CMS.
In the event where the business relationship between the client and CMS ceases, then CMS as a general rule shall retain the Personal Information obtained for at least two years following the termination date, taking into account any additional legal requirements that may exist.
8.2 Personnel and prospect employees Personal Information
CMS shall keep the Personal Information regarding each employee for the whole length of their employment with CMS.
In the event where the employment is terminated then CMS as a general rule shall retain the Personal Information obtained for at least two years following the termination date, taking into account any additional legal requirements that may exist.
In the event where the prospect employee doesn’t enter into an employment contract with CMS then CMS as a general rule shall retain the Personal Information obtained for at least two years following the date that it obtained the Personal Information.
9.1 CMS uses an internal CRM System to store the following full licensing and contact details for all of its contracted customers, the primary contacts within customer businesses, users who contact the support services and users that have provided their consent to be notified about marketing and other related information as presented above.
The information regarding the primary contacts within each customer business is being reviewed and updated accordingly by each client during the renewal notification process.
In addition, CMS stores information regarding the support queries that each user has requested assistance for during the provision of support services.
9.2 CMS stores and transfers its clients’ Personal Information within the European Economic Area in compliance with the GDPR or equivalent regulations and standards.
9.3 CMS during the provision of the support services, may be required in rare cases to transfer information, data or documentation, to its respective suppliers through CaseWare International Inc. systems, in order to be able to fully assist its clients. In such cases the documentation/information that its clients provide CMS with, will be transferred outside the EU. The parties that will obtain the information in these cases have in place standards similar to the EU data protection standards.
In such cases, CMS will request written permission from its clients prior to transferring the documentation/information.
9.4 CMS uses third party data hosting providers (Hostgator) to host its website. For information about Hostgator’s Terms of Service please refer to “Hostgator’s Terms of Service”.
9.5 CMS uses the Cloud Services as offered by CaseWare Cloud Ltd, which uses third party hosting providers (Amazon Web Services) to host its Cloud Services and Subscriber Data on servers that are located within the EU region.
10.1 CMS has in place secured internal servers and is committed to protecting the security of the information including Personal Information as disclosed to it and takes all reasonable precautions to protect it from unauthorized access, modification and disclosure.
10.2 However, CMS cannot give an absolute assurance that Personal Information will be secure at all times, since the Internet is not in itself a secure environment.
11.1 As per GDPR a personal data breach means “A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
11.3 In the event that any actual or suspected data security breach took place, the steps that should be followed depend on the severity, nature and extent of the breach as well as the type of breach (if it was an internal personnel breach or external party breach). In all cases the Management Team that deals with such matters should be notified immediately.
11.4 All details concerning the security data breach or incident should be recorded in writing in due course by the designated individual within the related Management Team. The details that should be recorded include the timing, the nature, source and extent of the breach, details of any data loss and damages that resulted from the breach, any future risks that may result from the breach and future steps to ensure that this doesn’t happen again, details of who discovered the incident and their steps, an assessment of the necessity to inform the data subject, and subsequent actions to be followed.
In line with the above assessment, an investigation of the incident needs to take place to establish the facts and decide regarding the subsequent actions to be followed. During this investigation the full facts of the data breach should be examined in order for the risks, issues and root causes to be identified and the appropriate recommendations to address these issues to be of an appropriate nature. During this investigation the responsible person should interview the people involved, inspect any equipment and location involved and examine any physical evidence and documentation that is available.
11.5 In the event that an internal personnel breach took place meaning that a member of CMS staff undertook a breach of data security policy, then the procedures that CMS should follow are according to the internal standard disciplinary procedures that CMS has in place.
11.6 In the event that an external or third-party breach took place, meaning that the breach was caused by a CMS external agent, representative or any other third party, then CMS should notify the Management Team that deals with such matters immediately.
11.7 In all cases, CMS shall notify accordingly the relevant data subject if such breach of security took place to its data, if it considers it necessary depending on the nature and extent of the breach. In the case that CMS considers it necessary to inform the data subject, then it shall disclose to it the nature and extent of the breach and the respective threat.
Further, it shall give all necessary assistance to the relevant data subject to prevent or stop such a breach or threatened breach and eliminate further related risks.
It is the client’s and personnel’s responsibility to ensure that the Personal Information they provide to CMS is as accurate, truthful, complete, reliable, and up-to-date as necessary for the purposes for which it is going to be used.
In addition, it should ensure that it does not infringe the rights of others.
Each data subject has the right to obtain from the controller confirmation as to whether or not its Personal Information is being processed by CMS.
Each data subject has the right to access the Personal Information that CMS holds about it, and CMS can provide the information, upon request, within the timeframe as presented in the GDPR.
Each data subject shall have the right to obtain from CMS the rectification of inaccurate Personal Information that concerns it.
Each data subject has the right to change or delete the Personal Information about it that CMS holds by communicating with CMS, as long as the processing is not necessary. CMS will delete the records within the timeframe as presented in the GDPR.
Each data subject shall have the right to obtain from CMS restriction of processing the Personal Information that concerns it.
Each data subject shall have the right to receive the personal data concerning it, which was provided to a controller, and to transmit these data to another controller.
Each data subject shall have the right to object, on grounds relating to its particular situation, at any time, to processing of personal data concerning it, which is based on point (e) or (f) of Article 6(1) of the GDPR.
Each data subject has the right to change its preferences for being contacted by CMS for particular purposes.
Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling.
Each data subject has the right to withdraw its consent at any time by communicating this to CMS.