Privacy Notice with respect to Vodafone Innovus S.A IoT business solutions
The objective of this Privacy Notice is to explain how your personal data are collected, used, shared and protected while using the IoT business solution (hereinafter “Service”) of your choice.
The Customer is the Data Controller with respect to your personal information, as the data processed by the Service are provided by the Customer. The Customer, as the Data Controller, undertakes the obligation to inform and/ or obtain the consent of data subjects according to the applicable legislation.
How we collect information about you
For the provision of each Service, Vodafone Innovus, acting as a Data Processor, may collect and process the following types of personal information:
Data necessary for your access to the Service, such as: username, email address.
Data submitted by the authorized users of the Service (“end users”).
Data collected through the use of the Service.
How we use your personal information
Vodafone Innovus processes your personal information in the context of the Service provided, as it has been requested by the Customer and as per the personal data processing terms agreed between Vodafone Innovus and the Customer.
Who we share information about you with
Depending on the nature of each Service provided, we may share your personal information with third companies, for the development, support and provision of the Service. These third companies shall act as sub-processors and undertake the execution of a specific project following our instructions regarding the processing of personal information. In these cases, Vodafone Innovus remains liable to the Customer for any act or omission performed during the processing of your personal data.
Some of the aforementioned companies may be located outside of the European Economic Area (EEA), in which case we will need to transfer your personal data to countries outside the EEA. In this case, we will ensure the existence of a legal basis for such a transfer and that your personal information is adequately protected as required by applicable law. Apart from the above recipients, Vodafone Innovus shall not disclose your personal information to third parties, except in cases where such a disclosure is required by applicable legislation.
How long we keep information about you
The retention periods of personal data depend on the Customer’s data processing terms and its choices, the type of personal data, the purposes of collection and processing as well as the applicable legislation.
How we protect your personal information
Vodafone Innovus is committed to protecting your personal information. We implement a series of strong security and privacy measures for the protection of your personal information from unauthorized access, use, loss, disclosure or destruction. For example, we encrypt your personal information when it is transmitted, and we store it in a controlled environment with limited access. Our dedicated security and privacy teams conduct assessments on our products, services and operations to ensure our privacy and security policies are implemented. Our suppliers and others who process personal information on our behalf are expected to comply with our high standards. Employees of Vodafone Innovus and approved third parties who need access to personal information are subject to internal policies, strict confidentiality obligations and training. We monitor the implementation of these internal policies. Failure to comply with our policies may lead to investigation and possible disciplinary action. Vodafone Innovus complies with applicable data protection laws, including applicable data breach notification laws.
Rights of the end users of each Service
In general, according to the personal data protection legislation, end users of each Service have and may exercise the following rights:
- the right of access;
- the right to rectification of inaccurate or incomplete personal data;
as well as and provided that the legal requirements are met,
- the right to erasure;
- the right to restriction of the processing;
- the right to object; and
- the right to lodge a complaint with the competent supervisory authority.
Vodafone Innovus shall assist the Data Controller (Customer), insofar as possible, in fulfilling its obligation to respond to data subjects’ requests regarding the exercise of their rights.
Compliance Program of Vodafone Group with the General Data Protection Regulation (GDPR)
On the specific actions we take in order to comply with GDPR requirements, protecting our customers’ privacy has always been critical to us, so ensuring we are compliant with the GDPR will be an evolution of what we do already. Vodafone has a Group GDPR implementation programme designed to make sure we are compliant with the new legislation at both global and local level.
The Compliance Program of the Vodafone Group was launched in July 2016, based on existing procedures and includes a thorough check of services and products to ensure compliance with the Regulation. This program also includes the retraining of all personnel on privacy issues to ensure that both Vodafone employees and their immediate partners are aware of their obligations regarding the management and protection of personal data.
The main actions of the Vodafone Group to comply with the requirements of the GDPR include, but are not limited to:
- Actions for the sole purpose of serving all customer requests related to their rights as they result from the Regulation.
- Initiatives to transparently inform Vodafone customers about the processing of their personal data on all products and services of the organization.
- Creation of Records of Processing Activities, processes and systems, which are constantly updated.
- Identification and assessment of high-risk processing activities of personal data throughout the organization so as to implement appropriate measures that will meet the requirements of the GDPR.
- Security and Privacy by Design and Assurance applies to the development, launch and in-life changes of all Vodafone products, services and operations in order to identify and respond to privacy risks that may arise.
- Conduction of a privacy training programme so as to raise the awareness of both Vodafone employees and contractors in order to understand the impact of the GDPR on their day-to-day tasks.
Updating policies where it is deemed necessary including, but not limited to:
- Standards and processes related to the Vodafone Information Security Standard
- Procedures for managing disclosures and personal data breach events.
- Standardization of a series of procedures to ensure that Vodafone’s suppliers comply with all the requirements of the GDPR. It is noted that any processing of personal data by suppliers is always in accordance with the signed Data Processing Agreement between Vodafone and the supplier, which specifies the security requirements that the supplier must comply with.
- Vodafone Group and Vodafone Greece continue their actions so that all the necessary tools and processes are in place in May 2018 that will not only ensure but also prove their full compliance with the requirements of the new Regulation.
For more information, please contact email@example.com
This section is about what cookies are, how we use them and how you can manage them.
What are cookies?
Cookies are small files that are stored on your device when you visit a website. The cookies mean that the website will remember you and how you’ve used the site every time you come back. If you want to know more about cookies, head to aboutcookies.org or allaboutcookies.org (please note: these links open a new window or browser tab).
We’ve put our cookies into the following categories, to make it easier for you to understand why we need them:
Strictly necessary – these are used to help make our website work efficiently
Performance – these are used to analyse the way our website works and how we can improve it
We sometimes use persistent cookies as well as ‘session-based’ cookies. A ‘persistent’ cookie will remain for a period of time set for that cookie. A ‘session-based’ cookie is allocated only for the duration of your visit to our website and automatically expires when you close down your browser.
First-party cookies originate from the same domain as the website you’re currently visiting (in this case, vodafoneinnovus.com). See our list of first-party cookies (shown later on in this cookies policy). Third-party cookies Third-party cookies originate from a domain that’s different to the website being visited. For example, when you visit our website, we may link to another company’s website – like our Facebook or Twitter account, or a video from our YouTube page.
We don’t control how they use their cookies, so we suggest you check their website to see how they’re using them and how you can manage them.
Affiliates of the Vodafone Group with a different domain name may also place cookies on our website, to show you adverts or pages of other Vodafone Group companies that may be of interest to you. Details of these affiliates – and how to opt out – are included in our list of third parties (shown later on in this cookies policy) that may put cookies on our website.
Frequently Asked Questions regarding GDPR
What is GDPR?
GDPR is a European Data Protection Regulation which introduced a new legal framework across the EU. Whilst the principles of GDPR are similar to the European laws which it replaced, GDPR introduced stronger privacy rights for individuals about how organizations handle their personal data. Most importantly, GDPR introduced a new principle of accountability which requires organizations to be able to demonstrate how they are complying with the regulation and data protection principles.
When does GDPR apply?
The GDPR was approved and adopted by the EU Parliament in April 2016. The Regulation came into force on 25th May 2018.
What is personal data?
Personal data refers to any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, for example by reference to an identification number, or to an online, network or device identifier, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. It is thus a very broad concept.
What are the main principles of the GDPR?
The Regulation determines that:
The processing of personal data must be fair, transparent and based on lawful purposes.
Personal data should only be collected for specified, clear and lawful purposes.
Personal data should be sufficient, relevant to the purpose of the processing and limited to what is necessary.
The personal data kept must be accurate and up to date.
Personal data should be kept for the period of time that is deemed absolutely necessary, and not for longer.
Appropriate measures must be taken for the security of personal data.
You may make a request to the data controller to exercise the following rights over your personal information:
Right to rectification: you have the right to have the information that are kept about you corrected if it is not accurate. If the information about you needs updating, or you think it may be inaccurate, you can ask the data controller to update it for you.
Right to access: if you want a copy of your personal information that are processed by the data controller, you may request a copy of your personal information.
Right to object: you have the right to object to the processing of your personal information where the data controller relies on his legitimate interest to do so for example, for analytics and profiling use cases where you are identified personally. Your objection will be balanced against the data controller’s specific legitimate interest for processing.
Right to erasure: in certain circumstances you have the right to request that the data controllers erases the personal information the data controller processes about you.
Right to restriction of processing: if you feel the personal information the data controllers processes about you is inaccurate or believe the data controllers shouldn’t be processing your personal information, you may have the right to request the restriction of such processing.
Right to data portability: in certain circumstances you will have the right to take the personal information you have provided to the data controller with you.
Right to withdraw at any time the consent you have given to the data controller, without such withdrawal affecting the lawfulness of personal data processing having already taken place before its withdrawal.
What is a Data Controller?
Data Controller means the legal entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
What is a Data Processor?
Data Processor means the legal entity which processes personal data on behalf of the controller.
What is a DPA?
A data processing agreement, or DPA, is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider). It regulates any personal data processing conducted for business purposes. A DPA may also be called a GDPR data processing agreement.
Does the GDPR apply to Vodafone Innovus?
Yes. For this reason, Vodafone Innovus has designed and implemented a comprehensive Regulatory Compliance Program at Group level with the sole purpose of ensuring compliance both locally and globally.
Where can I find general information on Vodafone Innovus’ compliance with the GDPR?
We share your concern about personal data. For any information, you can contact us at: firstname.lastname@example.org or by our Customer Service at 13830.