Data Protection Policy

CG Power Solutions

SDC Trailers

Mylan

Largo Foods

Save up to 80% in maintenance costs and achieve 99% uptime in operations

1. Introduction and Scope


PMI Software Limited t/a PEMAC (the “Company”) necessarily collects, processes and stores  significant volumes of Personal Data from our employees, customers, suppliers, service  providers, employees or agents of our customers, suppliers and service providers and other  business contacts or members of the public. 

In accordance with the General Data Protection Regulation (“GDPR”) and the Data Protection Act  2018, PMI Software Limited is a Data Controller and, as such, acknowledges that it has  responsibilities for ensuring the privacy of Data Subjects and the protection of Personal Data  processed. The Company takes those responsibilities very seriously and, for that reason, has  introduced and will abide by this policy. This policy also applies to any and all subsidiaries of the  Company that may exist from time to time. 

This policy applies to all Personal Data collected, processed and stored by the Company (and to  any and all subsidiaries of the Company that may exist from time to time) in respect of all Data  Subjects.

2. Definitions


The following definitions shall have effect for the purposes of this policy: 

Personal Data means any information relating to an identified or identifiable natural person (a  Data Subject). An identifiable natural person is one who can be identified, directly or indirectly,  in particular by reference to an identifier such as a name, an identification number, location data,  an online identifier or to one or more factors specific to the physical, physiological, genetic,  mental, economic, cultural or social identity of that natural person. 

Data Subject is an individual whose Personal Data is processed. 

Processing means any operation or set of operations which is performed on personal data, by  manual or automated means, such as collection, recording, organisation, structuring, storage,  adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination  or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Special Categories of Data means any data which reveals racial or ethnic origin, political opinions,  religious or philosophical beliefs, trade union membership, genetic data, biometric data uniquely  identifying a natural person, data concerning health or data concerning a natural person’s sex life  or sexual orientation.

Data Controller means the natural or legal person, public authority, agency or other body which,  alone or jointly with others, determines the purposes and means of the processing of personal  data. For the purposes of this policy, the Company will normally be the Data Controller. 

Data Processor means a person, public authority, agency or other body who processes personal  data on behalf of the controller.

3. Data Protection Principles


The six principles of the GDPR require that personal data is: 

  • processed in a way that is lawful, fair and transparent; 
  • collected for specified, explicit and legitimate purposes and not further processed in a  manner that is incompatible with those purposes; 
  • adequate, relevant and is limited to what is necessary; 
  • accurate and kept up to date; 
  • kept in a form which permits identification of data subjects for no longer than is necessary  for the purposes for which the personal data are processed; and 
  • processed in a manner that ensures appropriate security of the data. 

Article 5(2) of the GDPR also obliges the Company to “be responsible for, and be able to demonstrate, compliance with the principles”. The Company endeavours at all times to comply  with these principles.

3.1 Personal Data must be Processed in a way that is Lawful, Fair and Transparent Article 6 of the GDPR sets grounds on which personal data processing is lawful. 

Much of the personal data processing by the Company is carried out because it is necessary to  effect to contracts with Data Subjects, because it is necessary for the compliance with the  Company’s legal obligations or because it is necessary for the performance of the legitimate  interests being pursued by the Company. 

In very limited circumstances, the Company may request the consent of the data subject to process their data. In such cases, consent will be sought at the time that the data is collected, and the data subject will be advised that they can withdraw their consent at any stage during  processing. 

The Company will be fully transparent in relation to how personal data collected is used. The  Company will provide the required information to data subjects when the personal data is collected. The Company will ensure that the information is provided in an intelligible form using  clear and plain language. 

3.2 Personal Data can only be Collected for Specific, Explicit and Legitimate Purposes 

The Company processes personal data only for the purposes for which it is collected. Any further  proposed processing of data will be the subject of an impact assessment to ascertain if it poses a risk to the rights and freedoms of the data subject. This assessment may take the form of a data  protection impact assessment. 

3.3 Personal Data must be Adequate, Relevant and Limited to what is Necessary for Processing  (Data Minimisation) 

The Company will make every reasonable effort to ensure that any data collected and held is the  minimum amount required for the specified purpose. The Company will make every reasonable  effort to not collect personal data that is unnecessary. All personal data requests issued by the  Company will clearly state the business purpose for the collection of such data. 

3.4 Personal Data must be Accurate and Kept Up to Date 

The Company will ensure that, where possible, all personal data held is kept accurate and up to  date. Data subjects have the right to have inaccurate data held by the Company updated or  erased, as appropriate. 

3.5 Personal Data is Only Held for as Long as is Necessary 

The Company will make every reasonable effort to ensure that data is not retained for longer  than it is required and that it will be properly destroyed/deleted when it is no longer needed. 

3.6 Personal Data is Processed in a Manner that Ensures Appropriate Security of the Data 

The Company maintains high standards of technical, organisational, and physical security measures to ensure that personal data held and otherwise processed is as secure as is reasonably  practicable at all times. Security systems and measures will be reviewed as and when appropriate  and, when necessary, updated. Company employees will, where appropriate, be provided with training in relation to their responsibilities in respect of the protection of personal data.

4. GDPR – Rights of Data Subjects


Subject to the provisions of the Data Protection Act, 2018, and any associated regulations, the  GDPR enumerates the following rights of Data Subjects: 

  • a right to be informed/right of access; 
  • a right to rectification; 
  • a right to erasure; 
  • a right to restrict processing; 
  • a right to data portability; 
  • a right to object to processing; and
  • rights in relation to automated decision making and profiling.

4.1 Right to be Informed and Right of Access 

Data Subjects have the right to be informed by the Company about the collection and use of their  Personal Data. In addition, they have the right to access their Personal Data and other  supplementary information, as appropriate (subject to restrictions prescribed by law). 

The Company will respond to all such Data Subject access requests as required Article 12 of the  GDPR. Further information on making a Data Subject access requests can be found on the website of the Data Protection Commission at https://www.dataprotection.ie/en/dpc guidance/data-subject-access-requests-faq 

4.2 Right to Rectification 

Data Subjects have the right to have inaccurate Personal Data held by the Company rectified and to have incomplete Personal Data updated so that it is complete. 

On receipt of a request from a Data Subject for rectification of their Personal Data, the Company will take reasonable steps to ensure that the data held is accurate and will ensure that data is  rectified, where necessary. 

4.3 Right to Erasure 

Article 17 of the GDPR provides for the right of data subjects in certain circumstances to have  their Personal Data erased (‘right to be forgotten’). The right to erasure is not an absolute right  and does not apply in circumstances where the Company’s processing of personal data is  necessary, for example, for the establishment, exercise or defence of legal claims.

Where a Data Subject is of the opinion that elements of Personal Data held by the Company are incorrect, they may make a request in writing to have such data permanently erased. The  Company will review all such requests and, where appropriate, will erase the data in question. 

4.4 Right to Restriction of Processing 

A Data Subject has the right to obtain a restriction in relation to the processing of their Personal  Data where any one of the following applies: 

  • the Data Subject contests the accuracy of their data. The restriction will apply for a period  enabling the Company to verify the accuracy of the personal data; 
  • the processing is unlawful and the Data Subject does not wish to have the data erased, but  rather wishes to restrict its use; 
  • the Company no longer requires the data in question, but the Data Subject seeks its retention in order to establish, exercise or defend a legal claim; or 
  • the Data Subject has objected to the processing of their Personal Data by the Company.  The restriction will apply pending verification of whether the Company’s legitimate grounds  for processing overrides the Data Subject’s concerns. 

4.5 Right to Data Portability 

In cases where the Company has collected Personal Data from a Data Subject by consent or by reason of a contract, that Data Subject can request the Company to provide the Personal Data in  electronic format in order to provide it to another Data Controller. The Company will comply  with all such legitimate requests. 

4.6 Right to Object to Processing 

Under Article 21 of the GDPR, Data Subjects have a right to object to the processing of their  personal data in specific circumstances. Where such an objection is received, the Company will  assess each case on its individual merits. 

4.7 Right not to be Subjected to Automated Decision-Making 

Data Subjects have the right not to be subjected to a decision based solely on automatic  processing, including profiling, that have a legal or similarly significant effect on them. The  Company will make every reasonable effort to ensure that no decision made in respect of a Data  Subject is based on automatic processing alone.

4.8 Complaints 

Data Subjects who may be concerned that their rights under the GDPR or the 2018 Act are not  being respected by the Company can contact the Company’s Data Privacy Manager (DPM). The  DPM will engage with the Data Subject in order to bring their complaint to a satisfactory  conclusion. The DPM can be contacted at gdpr@pemac.com 

Where a complaint to the DPM cannot be resolved, the Data Subject will be informed in writing  and will be further informed of their right to bring their complaint to the Data Protection  Commission.

5.0 Responsibilities of the Company


The Company is responsible for the following: 

5.1 Implementing and maintaining appropriate technical and organisational measures for  the protection of Personal Data 

The Company has implemented appropriate technical and organisational measures to ensure that all Personal Data held under its control is secure and is not at risk from unauthorised access, either internal or external. Measures for the protection of Personal Data are reviewed and  improved, where appropriate, from time to time. 

5.2 Maintaining a record of Data Processing activities 

The Company maintains a written record of all categories of processing activities for which it is responsible in accordance with GDPR Article 30. 

5.3 Data Processing Agreements with Personal Data recipients 

On an ongoing basis, the Company puts in place appropriate contracts with third party data  processors where Personal Data is shared. This includes security and other sub-contractors. The  agreements specify the purpose of sharing the data, the requirements for security of the data  and the requirements for termination of the agreement and the return/deletion of the data  shared. 

5.4 Data Protection by Design and Default 

In accordance with Article 25 of the GDPR, the Company implements technical and organisational  measures to give effect to the principles of the protection of Personal Data and to ensure that,  by default, only Personal Data necessary for each specific purpose of the processing are  processed.

Such measures include the implementation of security measures to secure the data.

5.5 Data Protection Impact Assessment (DPIA) 

Where the Company considers that proposed processing (in particular, processing that involves new technology), poses a high risk to the rights and freedoms of Data Subjects, the Company will  carry out a DPIA. 

The Company’s DPM will be consulted in relation to each DPIA completed. Where technical  and/or organisational measures proposed will not mitigate any high risks previously identified,  the Data Protection Commission will be consulted as appropriate. 

5.6 Transfer of Personal Data Outside of the European Union 

The Company will ensure that appropriate safeguards are in place prior to transferring any Personal Data outside of the European Union. 

5.7 Personal Data Breaches 

The GDPR defines a Personal Data breach as meaning “a breach of security leading to the  accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,  personal data transmitted, stored or otherwise processed”. 

Company employees are required to notify the Company’s DPM where they identify or suspect  that a data breach has occurred. In accordance with GDPR, the DPM will notify the Data Protection Commission within 72 hours from detection where a breach is likely to result in a risk to the  rights and freedoms of the Data Subject(s) involved. 

The DPM will also assess if the breach is likely to result in a high risk to the data subject(s)  involved. Where a high risk is identified, the DPM will arrange for the data subjects to be notified. 

5.8 Data Protection Governance 

Compliance with the GDPR is a key requirement for the Company. The Company will at all times  endeavour to oversee, monitor and ensure compliance with data protection legislation.

6.0 Data Protection Contacts


Data Privacy Manager
Stephen Davis
PMI Software Ltd. t/a PEMAC
Unit 7, 4075 Kingswood Road,
Citywest Business Campus,
Dublin 24, D24 XD28.
Ph: 01-4663888
Email: gdpr@pemac.com 

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Email: https://forms.dataprotection.ie/contact