PWNT gathers and uses certain information from visitors to the PWNT website. The PWNT Leadership Team attaches great importance to data privacy and is committed to complying with all applicable data protection regulations.1 This policy has been drafted to provide persons visiting www.PWNT.com with information about why and how PWNT processes personal data and what rights and duties they have with respect to personal data.
- explain why personal data is collected in the form of Cookies and other means
- show what PWNT does with personal data and who it is shared with
- collect & retain personal data which includes the following: Full name; NRIC, FIN or passport number; photograph or video image of an individual; Mobile telephone number; Personal email address; residential address; and residential telephone number
- provide information and updates of relevant and substantial developments in the course of business of PWNT
- demonstrate what measures PWNT takes to protect personal data
- inform individuals of their rights and obligations with respect to personal data
- set out the procedure for how any data breaches will be dealt with
The following definitions apply to this policy:
- personal data: means information that relates to a living person and which can identify them either directly or indirectly
- processing: means any operation performed on personal data, including collection, organizing, storing, using, making available, erasing and destroying
PWNT adheres to the following principles regarding the processing of personal data:
- data are processed lawfully, meaning consent has been given or the processing is necessary for the performance of a contract, to comply with a legal obligation, to protect a vital interest of an individual, to perform a task in the public interest, or for legitimate interests pursued by PWNT (unless these are overridden by the fundamental rights of an individual)
- the processing of data is carried out with fairness and transparency regarding where, why and how personal data are processed
- personal data are only processed for specified, explicit and legitimate purposes and not further processed in an incompatible manner
- the processing is adequate, relevant and limited to what is necessary
- every reasonable step is taken to ensure the personal data are kept accurate and up-to-date
- personal data are not kept longer than is necessary
- appropriate security measures are used to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage
PWNT processes personal data for a number of different purposes. For practical reasons, some data may also be transferred to third parties (for ie. our appointed marketing & public relation firms & partners) for processing on PWNT’s behalf. The legitimate purposes for processing personal data on the PWNT website is for Business development of marketing purposes. Each of these categories and the specific data processed are described below. If the personal data is required for statutory or contractual purposes, the individual concerned will be informed of this as well as the consequences of not providing the data.
Due to PWNT’s role as a technology provider, it is important for commercial purposes that trade secrets and other confidential information are sufficiently protected. PWNT uses a firewall to protect the digital environment. For the appropriate function of this firewall, PWNT processes IP addresses.
PWNT ensures that measures are in place to protect personal data in its possession or under its control. These measures are designed to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. Protection arrangements can take various forms, including administrative measures, physical measures, technical measures or a combination of these.
a) Administrative Measures
Examples of administrative measures PWNT has in place to protect personal data include:
- restricting access to personal data on a need-to-know basis
- requiring staff and others performing work for PWNT to be bound by confidentiality obligations
- implementing robust policies and procedures for the protection of personal data
- signing data processing agreements with third-parties who process personal data that include safeguards for protecting such data
- making staff aware of the importance of protecting personal data
- ensuring only the necessary amount of personal data is held for the purpose required
b) Physical Measures
Examples of physical measures PWNT has in place to protect personal data include:
- clearly marking as confidential all documents that include personal data
- properly erasing personal data or disposing of personal data documents that are no longer needed
- using the appropriate level of security when physically transmitting personal data
c) Technical Measures
- Examples of technical measures PWNT has in place to protect personal data include:
ensuring computer networks are secure
- adopting appropriate access controls e.g. implementing stronger authentication measures where appropriate
- encrypting personal data when necessary to prevent unauthorised access
- installing appropriate computer security software and using suitable security settings
- disposing of personal data in IT devices that are to be recycled, sold or disposed of
- using the correct level of email security settings when sending and/or receiving emails
- updating computer security and IT equipment regularly
- ensuring that IT service providers are able to provide the requisite standard of IT security
The general rule is that personal data will only be kept by PWNT for as long as necessary for the purpose of processing. However, it may be necessary to retain some data for longer in order to meet legal or regulatory requirements. The retention periods for certain categories of personal data processed by PWNT are as follows:
- Any individual & business contacts and correspondences regarding enquiries, information, promotions are retained for 5 years for the purpose of informing PWNT stakeholders who are typically water industry stakeholders and taking into account the characteristics of the water industry in regards to technology development, in the course of business of PWNT
PWNT recognizes that individuals have certain rights in the personal data being processed about them. The following rights may be exercised by contacting PWNT, who should also be contacted if further information is required about these rights:
a) Right of Access
Individuals have the right to access their personal data that is being processed. This includes the right to obtain a copy of the personal data and information about the processing.
b) Right of Rectification
This right allows individuals to have inaccurate personal data rectified without undue delay.
c) Right to Erasure
Also known as the “right to be forgotten”, this gives individuals the right to have their data erased under certain circumstances. These circumstances include if the data is no longer necessary, consent is withdrawn, the processing is unlawful or there is a legal obligation to erase the data.
d) Right to Restriction of Processing
An individual has the right to restrict the processing of their information under a number of circumstances, including for a time when the accuracy of the personal data is contested, when processing is unlawful but the individual does not want it to be erased, when the data is no longer needed for processing but the individual requires the data in connection with legal claims and for a period when the right to object is exercised (see below).
e) Right to Data Portability
This gives the right for individuals to obtain and reuse personal data for their own purposes across different services. The right only applies to information an individual has provided for processing.
f) Right to Object
Individuals have the right to object to the processing of their personal data in certain circumstances. This right to object applies in particular to the processing of data for the purposes of direct advertising.
g) Right to Withdraw Consent
Where the processing is based on consent, the individual who provided the consent has the right to withdraw such consent at any time.
h) Right to Lodge a Complaint
Individuals have a right to lodge a complaint with the relevant government supervisory authority regarding issues related to data protection.
Data security breaches are increasingly common occurrences whether caused through human error or via malicious intent. A breach can come in many forms, including loss or theft of hard copy or equipment where data are stored, equipment failure or damage, sending data to an incorrect recipient, inappropriate sharing or dissemination of data, non-secure disposal of data or hacking, malware or data corruption.
PWNT will ensure that where it is aware personal data has been misdirected, lost, hacked or stolen, inappropriately accessed or damaged, the incident will be properly dealt with and rectified according applicable law. PWNT is responsible for overseeing management of the breach, establishing the severity of the breach and taking the necessary action.
Where a breach is likely to result in a risk to the freedoms and rights of an individual, PWNT will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In instances, when the databreach causes a in high risks for the datasubjects, the datasubject will be informed without undue delay. All incidents of breaches of personal data security will be recorded, reviewed and evaluated. Any lessons learned will be acted upon and improvements made where necessary.