1.0      Overview

 

1.1       Here at CMS Systems Solutions Ltd (“CMS”) we take both our clients’ as well as our personnel privacy and personal information seriously. For this reason, this Privacy Policy was developed in order to demonstrate CMS’s commitment to both our clients’ as well as our personnel privacy.

 

1.2       This Privacy Policy explains what Personal Information is and how CMS collects, uses, holds, protects and processes this information during the course of providing our clients with a wide range of professional services.

 

This Privacy Policy also explains what Personal Information in relation to its personnel is and how CMS collect, uses, holds, protect and processes such information.

 

1.3       This Privacy Policy should be read in conjunction with CMS’s Terms of Use .

 

1.4       In addition to this Privacy Policy, CMS has also published a privacy policy related to the usage of its website, being the Website Privacy Policy.

 

1.5       As used herein, note that the following terms shall have the meanings as presented below:

 

-           “Data subject” is any person whose personal information is being collected, held or processed.

 

-           “Personal Information” or personal data of a data subject as defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) is ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

 

-           “Cloud Services” means computing resources provided by way of the Internet and may include the provision of storage, software, platform, computing services or other resources.

 

-           “Website” means www.cms-ss.com.

 

1.6       CMS is not required to appoint a specific Data Protection Officer since it is doesn’t meet the criteria presented in the GDPR.

 

However, CMS is aware and is regularly informed regarding the GDPR requirements and processes including its responsibilities and data subjects’ rights, and has in place procedures to ensure that CMS is compliant with the related requirements. 

 

2.0      Contact us

 

If you have any questions about this Privacy Policy, please contact us at:

 

Physical Address:

CMS Systems Solutions Ltd

22 Athinon Street,

Strovolos, Nicosia 2040

Cyprus

 

Postal Address:

P.O.Box 28029

Nicosia 2090

Cyprus

 

Telephone: +357 22817503

Fax: +357 22817516

E-mail: info@cms-ss.com.

 

3.0      Consent

 

3.1       CMS collects Personal Information directly from its clients and its personnel.

 

3.2       CMS uses and discloses Personal Information obtained from its clients only as described and up to the extent that each client has provided its consent for and as described in this Privacy Policy and CMS’s Terms of Use .

 

3.3       A client can withdraw its consent at any time by communicating this to info@cms-ss.com.

 

3.4       CMS uses and discloses Personal Information obtained from its personnel only as described in this Privacy Policy.

 

4.0       CMS’s ways of collecting Personal Information

 

CMS collects Personal Information through a variety of means as presented below:

 

4.1       Through a contract

 

• When a client becomes a contractual party to related agreements with CMS

 

• When a client completes an order form regarding a purchase of CMS products and/or services (including purchasing licence and licence renewal)

 

• When a client completes and returns the Client Communication Details Confirmation document to CMS

 

4.2       Through serving legitimate interests

 

• When a client contacts CMS for support on technical or other related issues and for the usage of the software products and services that it has obtained from CMS

 

During the provision of the support services to its clients, CMS collects Personal Information through the following means to be able to provide the support that each client needs in a case-by-case situation:

 

• When a client through a telephone communication requests CMS assistance on a matter regarding CMS’s products or services.

 

• When a client registers and uses the Cloud Services as offered by CaseWare Cloud Ltd, where the client may provide CMS with documents that it needs CMS’s assistance with.

 

Clients can choose not to provide Personal Information to CMS, but it may mean that CMS will be unable to provide them with support services to the extent that they may need it in a case-by-case situation.

 

• When a data subject registers and attends Trainings organised by CMS for the usage of CMS products and services

 

• When a user logs in the website to download the current version of various CMS products that he purchased

 

For more information regarding the privacy policy of the usage of CMS’s website please refer to the Website Privacy Policy.

 

4.3       Through obtaining consent from a data subject

 

• When a data subject gives its consent to CMS through other ways than the above, in order for CMS to use its Personal Information for specific purposes

 

In the event that the consent is provided in such a way, then the consent can be withdrawn by the data subject at any time.

 

4.4       Through employment process

 

• When a prospect employee provides its curriculum vitae and application form that includes Personal Information to CMS for a potential employment

 

• When a data subject enters into an employment contract with CMS

 

5.0       Personal information that CMS collects

 

5.1       Through contracts

 

• Contact details of the data subject that enters into an agreement of any form representing the client. These include full name, address, telephone and e-mail.

 

• Additionally, CMS may require some other form of Personal Information which will be communicated directly to the data subject upon request

 

5.2       Through the purposes of serving legitimate interests

 

• Full name and contact details of the data subjects including e-mail address and telephone number.

 

• Additionally, CMS may require some other form of Personal Information which will be communicated directly to the data subject upon request.

 

5.3       Through obtaining consent from a data subject

 

• Full name and contact details of the data subjects including e-mail address and telephone number.

 

5.4       Through employment contract and other employment related documents

 

• Full name and contact details of the employee including personal address, personal e-mail address, personal mobile telephone and home telephone.

 

• Details of the bank that the data subject prefers to obtain its salary through including its IBAN number and bank account number.

 

• Other personal details of the employee including TIC, Social Insurance and ID number.

 

• In the case that the employee was previously employed somewhere else during the year, documentation from its previous employer is obtained that states all the details of the salary that the data subject obtained during the year.

 

6.0       Usage of the Personal Information by CMS

 

CMS processes, collects, uses and discloses information including Personal Information for a variety of purposes as presented below:

 

6.1       For the performance of a contract

 

• CMS processes Personal Information based on the contracts and other agreements it has with each client depending on the requirements for each product and/or service.

 

• CMS based on these requirements, could use the Personal information to provide the data subjects with the following:
• Invoices and statement
• Notifications for updates
• Website access to download product updates

 

6.2       For the purposes of serving legitimate interests

 

• To verify existing client’s identity in order to be able to provide its assistance based on the products and/or services that the client has purchased.

 

• To monitor for internal business management purposes, to improve the service support provision and to facilitate future conversations with clients, by keeping track of the tasks that it has provided its support for (support queries) and the respective users that requested the assistance.

 

• To monitor activity usages of the website in order to improve and manage the services that it provides.

 

For more information regarding the privacy policy of the usage of CMS’s website please refer to the Website Privacy Policy.

 

• CMS shall not use the Personal Information of any data subject in any other way that those included in this Privacy Policy and the Terms of Use and shall keep confidential all information as disclosed.

 

• To assist the client with a document of any kind that may or may not include Personal Information about others (including any Personal Information of the customers of the client or third parties), if asked to do so.

 

CMS shall not use the Personal Information about others in any way and shall keep confidential all information as disclosed. This shall be read in line with the Terms of Use .

 

Following the above, the client should take all necessary steps to obtain all necessary consents to disclose such Personal Information to CMS, and to allow CMS to process such Personal Information in accordance with this Privacy Policy.

 

• To issue personal Training attendance certificates and update our training records. We use that information only if asked by the data subject, such as re-issue a Training attendance certificate and to provide a more complete support service.

 

6.3       For the reasons that each data subject has provided its consent for

 

• During this process, CMS’s primary usage of the Personal Information of the data subjects could be for the provision of marketing and other related information including but not limited to:
• Announcements for new development or new products
• Newsletters
• Other marketing information
• Events notification
• Notification for Trainings
• Notification regarding related webinars
• Other useful information that CMS believes is relevant for them

 

• CMS will only provide the above information to data subjects that have given their consent to be notified for these purposes.

 

6.4       For personnel and prospect employees related matters

 

• During the employment of each data subject, CMS uses the Personal Information to calculate and pay its employees’ wages and salaries, social insurance and related taxes.

 

• During the employment process, CMS uses the information obtained through the prospect employee’s curriculum vitae, application form and personal interviews to decide regarding the potential employment of the prospect data subject and how it will continue through the employment process.

 

• If the employment with CMS is terminated, then CMS uses the personal information obtained for archive and historical purposes.

 

• If the prospect employee doesn’t enter into an employment contract with CMS, then CMS uses the personal information obtained for archive purposes.

 

• Both CMS and its employees shall not use the Personal Information of any employee or previous employee or prospect employee in any other way that those included in this Privacy Policy and shall keep confidential all information as disclosed.

 

6.5       To comply with CMS’s legal obligations, resolve disputes, and enforce agreements

 

CMS will retain and use Personal Information as obtained from its clients and its personnel, as necessary to comply with the above.

 

7.0       CaseWare Cloud

 

CMS during the provision of the support services to its clients, and in line with the Terms of Use, could provide its services remotely using the Cloud Services as offered by CaseWare Cloud Ltd.

 

During this process, the data subject should register to the Cloud Services and could provide CMS with documents that it needs CMS’s assistance with.

 

During this process, CMS obtains the client’s e-mail address.

 

CMS should not be considered liable in the case where a client provides CMS with documents through any other means including e-mail. Since the Internet is not in itself a secure environment, it is CMS’s opinion that the Cloud Services offered by CaseWare Cloud Ltd provide a more secured environment than other means including e-mail communications.

 

For more information about CaseWare Cloud Ltd Cloud Services please refer to “CaseWare Cloud Privacy Policy” .

 

CMS shall not use the Personal Information about others in any way, and shall keep confidential all information as disclosed. This shall be read in line with the Terms of Use .

 

Following the above, the client should take all necessary steps to obtain all necessary consents to disclose such Personal Information to CMS, and to allow CMS to process such Personal Information in accordance with the Terms of Use as well as this Privacy Policy.

 

8.0       Retention period

 

8.1       Client Personal Information

 

CMS shall keep the Personal Information regarding each data subject for as long as the data subject has a business relationship or represents a legal entity that has business relationship with CMS.

 

In the event where the business relationship between the client and CMS ceases, then CMS as a general rule shall retain the Personal Information obtained for at least two years following the termination date, taking into account any additional legal requirements that may exist.

 

8.2       Personnel and prospect employees Personal Information

 

CMS shall keep the Personal Information regarding each employee for the whole length of their employment with CMS.

 

In the event where the employment is terminated then CMS as a general rule shall retain the Personal Information obtained for at least two years following the termination date, taking into account any additional legal requirements that may exist.

 

In the event where the prospect employee doesn’t enter into an employment contract with CMS then CMS as a general rule shall retain the Personal Information obtained for at least two years following the date that it obtained the Personal Information.

 

9.0       Where Information including Personal Information is Stored

 

9.1       CMS uses an internal CRM System to store the following full licensing and contact details for all of its contracted customers, the primary contacts within customer businesses, users who contact the support services and users that have provided their consent to be notified about marketing and other relation information as presented above.

 

The information regarding the primary contacts within each customer business is being reviewed and updated accordingly by each client during the renewal notification process.

 

In addition, CMS stores information regarding the support queries that each user has requested assistance for during the provision of support services.

 

9.2       CMS stores and transfer its clients Personal Information within the European Economic Area in compliance to GDPR or equivalent regulations and standards.

 

9.3       CMS during the provision of the support services, may be required in rare cases to transfer information, data or documentation, to its respective suppliers through CaseWare International Inc. systems, in order to be able to fully assist its clients. In such cases the documentation/information that its clients provide CMS with, will be transferred outside the EU. The parties that will obtain the information in these cases have in place standards similar to the EU data protection standards.

 

In such cases, CMS will request written permission from its clients prior of transferring the documentation/information.

 

9.4       CMS uses third party data hosting providers (Hostgator) to host its website. For  information about Hostgator’s Terms of Service please refer to “Hostgator’s Terms of Service”.

 

9.5       CMS uses the Cloud Services as offered by CaseWare Cloud Ltd, which uses third party hosting providers (Amazon Web Services) to host its Cloud Services and Subscriber Data on servers that are located within the EU region.

 

For more information about CaseWare Cloud Ltd Cloud Services please refer to “CaseWare Cloud Privacy Policy” .

 

10.0     Safeguards

 

10.1     CMS has in place secured internal servers and is committed to protecting the security of the information including Personal Information as disclosed to it and takes all reasonable precautions to protect it from unauthorized access, modification and disclosure.

 

10.2     However, CMS cannot give an absolute assurance that Personal Information will be secure at all times, since the Internet is not in itself a secure environment.

 

11.0     Breach of personal data

 

11.1     As per GDPR a personal data breach means “A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

 

11.2     For the purposes of this Privacy Policy, a breach of the data security policy occurs when an identified weakness in the system or policies indicates a breach of data, information security policy or failure of safeguards.

 

11.3     In the event that any actual or suspected data security breach took place, the steps that should be followed depend on the severity, nature and extent of the breach as well as the type of breach (if it was an internal personnel breach or external party breach). In all cases the Management Team that deals with such matters should be notified immediately.

 

11.4     All details concerning the security data breach or incident should be recorded in writing in due course by the designated individual within the related Management Team. The details that should be recorded should include the timing, the nature, source and extent of the breach, details of any data loss and damages that were resulted from the breach, any future risks that may result from the breach and future steps to ensure that this doesn’t happen again, details of who discovered the incident and their steps, assessment of the necessity to inform the data subject and subsequent actions to be followed.

 

In line with the above assessment, an investigation of the incident needs to take place to establish the facts and decide regarding the subsequent actions to be followed. During this investigation the full facts of the data breach should be examined in order for the risks, issues and root causes to be identified and the appropriate recommendations to address these issues to be of an appropriate nature. During this investigation the responsible person should interview people involved, inspect the any equipment and location involved and examine any physical evidence and documentation that is available.

 

11.5     In the event that an internal personnel breach took place meaning that a member of CMS staff undertook a breach of data security policy, then the procedures that CMS should follow are according to the internal standard disciplinary procedures that CMS has in place.

 

11.6     In the event that an external or third-party breach took place meaning that the breach was caused by a CMS external agent, representative or any other third-party, then CMS should notify the Management Team that deals with such matters should immediately.

 

11.7     In all cases, CMS shall notify accordingly the relevant data subject if such breach of security took place to its data, if it considers it necessary depending on the nature and extent of the breach. In the case that CMS considers it necessary to inform the data subject, then it shall disclose to it the nature and extent of the breach and the respective threat.

 

Further, it shall give all necessary assistance to the relevant data subject to prevent or stop such a breach or threatened breach and eliminate further related risks.

 

12.0     Accuracy

 

It is the client’s and personnel responsibility to ensure that the Personal Information it provides to CMS is as accurate, truthful, complete, reliable, and up-to-date as necessary for the purposes for which it is going to be used.

 

In addition, it should ensure that it does not infringe the rights of others.

 

13.0     Rights of the data subject

 

• Right of confirmation

Each data subject has the right to obtain from the controller the confirmation as to whether or not its Personal Information are being processed by CMS.

 

• Right of access

Each data subject has the right to access the Personal Information that CMS holds about it, and CMS can provide the information, upon request, within the timeframe as presented in the GDPR.

 

• Right to rectification

Each data subject shall have the right to obtain from CMS the rectification of inaccurate Personal Information that concerns it.

 

• Right to erasure (to be forgotten)

Each data subject has the right to change or delete the Personal Information about it that CMS holds by communicating with CMS, as long as the processing is not necessary. CMS will delete the records within the timeframe as presented in the GDPR.

 

• Right of restriction of processing

Each data subject shall have the right to obtain from CMS restriction of processing the Personal Information that concerns it.

 

• Right to data portability

Each data subject shall have the right to receive the personal data concerning it, which was provided to a controller, and to transmit these data to another controller.

 

• Right to object

Each data subject shall have the right to object, on grounds relating to its particular situation, at any time, to processing of personal data concerning it, which is based on point (e) or (f) of Article 6(1) of the GDPR.

Each data subject has the right to change its preferences for being communicated by CMS for particular purposes.

 

• Automated individual decision-making, including profiling

Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling.

 

• Right to withdraw data protection consent

Each data subject has the right to withdraw its consent at any time by communicating this to CMS.

 

14.0     Changes to this Privacy Policy

 

CMS reserves the right to change this Privacy Policy at any time, and any amended Privacy Policy will be posted immediately on the website.

 

CMS’s clients will be deemed to have accepted the terms of any amended Privacy Policy following their continued use of the website after any amendments.

 

CMS’s personnel will be deemed to have accepted the terms of any amended Privacy Policy as long as they are employment with CMS.