Data Protection Policy

1. Update and approval

This Internal Privacy Policy shall be updated annually, or if deemed necessary, whenever there is a formal requirement to do so. The update shall be in line with any change in the privacy environment, other regulatory changes in the market(s) where InnovA operates or any other internal changes within InnovA. Any change(s) to this Privacy Policy are subject to the approval of InnovA’s President and CEO.

2. Introduction and InnovA’s main objectives

This Privacy Policy on Data Privacy, hereinafter referred to as the “Privacy Policy” or the “Policy” has been adopted by the President and CEO of InnovA.

The aim of this policy is to outline the basic contours of the measures adopted by InnovA in processing and handling personal data. Moreover, by concluding this document InnovA intends to ensure that the processing of personal data that is processed by its employees and contractors entrusted with such processing, is performed in accordance with the applicable law to which InnovA and its Customer(s) are subject to.

Since InnovA is in the process of enlarging its business operations in other countries than the United States, InnovA aims to align its processes and procedures to key global principles of data privacy, in particular in the United States, Canada, the European Union and the UK.

Therefore, this Policy provides for the necessary framework conditions to ensure an adequate level of protection aligned with the provisions of the applicable law to which InnovA is subject to and in particular to Regulation:

  • (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC, hereinafter referred to as the “Regulation” or “GDPR”; and
  • The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, referred to as the “UK GDPR”.
    A list with definitions of certain terms used by the GDPR is available in Chapter 4 below. The GDPR can also be consulted online at the following address: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

This Policy is applicable when InnovA processes the personal data both as a data controller and as a data processor (i.e. when InnovA processes personal data on behalf of its Customers). These roles are further described in Chapter X.

This Policy will further describe:

  • the purpose for processing of personal data by InnovA;
  • the scope of responsibilities for InnovA as an organisation and its employees or contractors;
  • the types and categories of personal data that is processed by InnovA;
  • how the personal data shall be kept safe and secure at all times;
  • what are the rights of data subjects under the applicable law and how InnovA shall react when data subjects exercise those rights;
  • what are the risks for non-compliance.

By this Policy, InnovA aims to:

  1. ensure that the personal data is processed in accordance with the legitimate purposes for which they were collected;
  2. ensure that all personal data is adequately protected against cyberattacks/threats or any other malicious attacks, so as the personal data security is assured;
  3. create an awareness campaign related to the personal data protection requirements, in such a way that it is integrated within the daily operations the Staff performs, ensuring that the relevant Staff is properly informed on the procedures they must follow for personal data collection, legitimate processing, disclosure, transfer, retention, archiving and destruction;
  4. ensure that all InnovA’s Staff understand the importance of practices related to personal data protection, as well as their responsibilities related to maintaining the personal data security, being aware of all contractual, statutory and regulatory implications the incidents that could affect the personal data, respectively personal data security breaches, could trigger;
  5. ensure that all users, employees, and business partners collecting, storing and processing personal data on behalf and for the Company meet and implement adequate personal data protection and security measures. The personal data shall not be disclosed in any way, accidentally or otherwise, to any unauthorized local person or to any third party.

Any breach or failure to comply with this Policy may lead to disciplinary actions or any other appropriate actions.

InnovA intends to make continuous efforts in emphasising the importance of data privacy throughout the entire data lifecycle. InnovA is aware that the legal environment related to data privacy will continue to extend and develop over time. Therefore, a privacy program cannot be the exclusive job of a dedicated person or privacy team, but rather the responsibility of the entire organisation. Thus, InnovA, including its employees and the external consultants must be aware of how they contribute to the overall privacy program. Therefore, all employees of InnovA and the external consultants engaged by the latter for certain services must understand and employ fundamental practices required to protect the personal data – from secure methods of collecting, storing and transmitting personal data through secure methods of destruction. The latter are further described in the Personal Data Retention Policy.

Moreover, InnovA will perform regular audits in order to ensure that this Policy and Applicable Law are complied with.

It is important to highlight that other Policies applied by InnovA will align to this Privacy Policy and are made available at the end of this document in Chapter 23.

3.   Purpose and scope

This Policy is implemented and shall be strictly complied with by InnovA’s employees (permanent or temporary) and external consultants or contractors employed by InnovA or any other relevant third parties that have access to the information held or maintained by InnovA, further referred to as “Staff” or “You”, whenever the latter process personal data during and while carrying out their job duties as InnovA processes, collects and stores personal data on a continous basis.

Therefore, InnovA’s employees, externals consultants or contractors must read, understand and comply with this policy when processing personal data as compliance with this policy is mandatory.

InnovA considers that compliance by its employees, externals consultants or contractors with the Applicable Law, in particular related to data privacy, is of outmost importance.

This document provides an overview on the minimum personal data protection requirements and further specifies more detailed information, if necessary.

4.   Definitions and abbreviations

‘personal data’ under the GDPR means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“personal information” under the CCPA is personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. The statutory definition includes a list of specific categories of personal information. Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sector specific legislation from its coverage scope.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘main establishment’ means: (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority;
‘cross-border processing’ means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
‘international organization’ means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
‘Assets’ mean any tangible or intangible assets held by InnovA which InnovA’s Customer(s) is responsible for.
‘Business Unit’ means division, facility or department of the Company organized as such in the Company’s Organizational Chart (e.g. Marketing, HR, Accounting, Compliance, IT, etc.).
‘Staff’ all Company’s employees, contractors, subcontractors and agents having access to facilities, networks, media and/or confidential or proprietary information.
“Services” means the work as specified in an agreement, contract or activity schedule concluded between InnovA and its Customer(s); for example in the Software as a Service Agreement used by InnovA.
“Applicable Law” means the law or any other legal instruments to which InnovA is subject to, which may include the legislation referred to in Chapter 5.
“Platform” means the Software as a Service solution provided to InnovA’s Customer(s).

5.   Applicable Law

It is expected that the following will be applicable to InnovA’s processing activities.

The list hereunder is non-exhaustive as other legislations may pe applicable depending on the scope of InnovA’s processing.

  • Regulation no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (EU General Data Protection Regulation/GDPR);
  • Convention for the Protection of Human Rights and Fundamental Freedoms ratified at Rome on 4 November 1950;
  • Charter of Fundamental Rights of the European Union;
  • California Consumer Privacy Act of 2018 (CCPA);
  • The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA);
  • The UK’s Data Protection Act 2018.

6. Who is responsible for the day to day application of this policy?

InnovA’s VP of Technology is responsible for the overall responsibility of the day-to-day management and implementation of this policy.

If there are questions about:

  • This policy;
  • Regarding the processing of the personal data; or
  • Requests that you had received from data subjects who want to exercise any of their rights under the applicable data protection regulation;
  • Requests that you had received from a Customer regarding the processing of personal data;

You may contact:

Paul Rabalais
Vice President Technology
InnovA LLC
1315 Rancher’s Legacy Trail
Suite 120
Fort Worth, TX 76126

7. Roles and responsibilities

 7.1. Controller

InnovA will process personal data in furtherance of its business legitimate interests in order to provide its Services. More specifically, InnovA may process personal data to:

  • To provide, update, maintain and protect its Services, website, platform and business;
  • To communicate with the registered users on the platform by responding to their requests, comments or questions or any other customer support related issue;
  • Customer relationship purposes;
  • As required by the Applicable Law, legal process or regulation;
  • To develop and provide search, learning and productivity tools and additional features;
  • In other words, InnovA may send service, technical and other administrative emails, messages, and other types of communications. InnovA may also contact the users on the platform to inform them about changes in their services, Services offerings, and important services-related notices, such as security and fraud notices);
  • To investigate and help prevent security issues and abuse.

7.2. Processor

InnovA is the responsible entity for the management and operation of the SaaS platform.

At the time of writing this document, InnovA is a processor for the SaaS application that is provided to the Customers and processes personal data in accordance with the instructions received from the latter for:

  • Service enhancement;
  • Account management;
  • Logistics;
  • Administrative matters; and
  • Billing

7.3. InnovA’s DPO

InnovA’s nominated DPO is:

Paul Rabalais
Vice President Technology
InnovA LLC
1315 Rancher’s Legacy Trail
Suite 120
Fort Worth, TX 76126

The DPO shall actively follow-up on the compliance with the Applicable Law.

The DPO shall also advise the organisation’s management on data protection matters and shall be responsible for coordinating the governance within the privacy field together with the contact persons of individual business areas and support functions, which are further detailed below.

In addition, the DPO shall have the following tasks:

  • to inform and advise InnovA’s Staff, who carries out processing on behalf of InnovA, on their obligations pursuant to the Applicable Law;
  • to monitor compliance with the Applicable Law to which InnovA is subject to as a result of its processing of personal data, and with the policies of InnovA’s Customers for the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits;
  • to provide advice where requested as regards the data privacy assessments or data protection impact assessment and monitor its performance;
  • to cooperate with the relevant supervisory authority(ies);
  • to act as the contact point for the relevant supervisory authority(ies) on issues relating to processing, and to consult, where appropriate, with regard to any other matter.

Other relevant contact persons within InnovA

A contact person shall be appointed for each technical or business unit and group support function, i.e. legal, IT and HR.

The contact persons are the point of contact for the DPO and the Staff in matters relating to the individual business unit or support function.

On the date of the adoption of this policy, the following contact person(s) are nominated as follows:

IT

Paul Rabalais
Vice President Technology
InnovA LLC
1315 Rancher’s Legacy Trail
Suite 120
Fort Worth, TX 76126

Legal

Michael Babb
General Counsel
InnovA LLC
777 Main Street
Suite 3900
Fort Worth, TX 76102

HR

Jeff Olmstead
President
InnovA LLC
777 Main Street
Suite 3900
Fort Worth, TX 76102

8. What personal data is processed by InnovA?

InnvoA processes various types of personal data that are included in the activities that are carried out on a daily basis. This can relate to:  identification data of natural persons, contact and address data, accounting related data, business related information and information on service/product development, marketing, information on Customers, consultancy, partnerships or contracts.

It is important that the Staff is aware of the wide range of personal data the company processes in order to be able to determine the applicable data protection rules to the relevant data and applicable risk management method.

This policy defines the personal data processed by InnovA within and during its business activity, the confidential information capacity being applicable to this category.

Personal data include any information related to such identified or identifiable natural person (e.g. Customers of InnovA or users on the platform), such as, but not limited to:

  • Name and First Name;
  • E-mail address;
  • Phone number;
  • Account ID:
  • Delivery address;
  • Billing address;
  • Company address;
  • IP address;
  • Outstanding balance;
  • Deposit balance;
  • Buying limit;
  • Buying power;
  • Invoices;
  • Bank account;
  • Online pre-auction bids;
  • Active auction offers;
  • Auctions won/purchased;
  • Auctions lost;
  • Information provided within the relevant legal Documents (Provision of services contract – Customer and InnovA or any other legal documents or auction related legal documents).

8. Main personal data processing operations performed within the activities carried out by the Company and purpose for processing

8.1. Processing operations

  • The main processing operations / sets of operations consist of:
  • collecting or recording and structuring personal data;
  • storing the personal data;
  • extracting personal data;
  • accessing and consulting personal data;
  • correcting or altering the personal data
  • disclosing to third parties by transmission or dissemination;
  • blocking, erasing or destructing personal data.

8.2. The purpose of personal data processing

The personal data of Customers/potentialcustomers/ legal representatives, registered users on InnovA’s platform or their legal representatives can be collected and used during the performance of InnovA’s services for:

  • concluding and performing the contracts, including service contracts, tracking billing and payments and product invoicing,
  • fulfilling a legal obligation, such as issuing fiscal invoices or receipts and
  • carrying out a user profile for receiving customized offers or communications,
  • processing operations carried out by InnovA’s contractors for various processing activities,
  • Enhancement of its Services;
  • Account management for users on InnovA’s platform;
  • Develop and provide search, learning and productivity tools and additional features;
  • Sending service, technical and other administrative emails, messages, and other types of communications to users on the platform.
  • contacting the users on the platform to inform them about changes in InnoA’s Services, Services offerings, and important services-related notices, such as security and fraud notices
  • To investigate and help prevent security issues and abuse.

9. Use of personal data

Irrespective of the category of personal data, the personal data must be used only for the purpose for which it was collected and for the period serving the purpose for which it was collected from the data subject (either InnovA’s Customers, non-customers, users on InnovA’s platform or InnovA’s Staff) and, respectively, for the necessary period for complying with a legal obligation or for achieving a legitimate interest of InnovA.

For example, when a personal data processing is performed with the customer’s express and specific consent, such as the case when a data subject agrees to InnovA’s processing personal data for marketing purposes, the purposes for which the data shall be processed shall be described in the consent expressed by the data subject.

For the same aim to ensure the legitimacy of the personal data processing by InnovA, in case the data subject withdraws their consent related to processing their data for marketing purposes or for other legitimate purposes for which the prior consent of the data is necessary, the Company ensures that the personal data are erased in accordance with the regulations in force.

10. Lawfulness of processing

It is important to understand that each processing activity performed by InnovA requires a legal basis. Therefore, InnovA will only collect, process and share personal data fairly and lawfully and for specified purposes. Thus, InnovA will only process personal data when it is necessary:

  • for the performance of a contract with its Customers;
  • for the performance of a contract to which the data subject is subject to, or to fulfil a request from the data subject;
  • To comply with a legal or regulatory obligation;
  • Whenever the processing is needed for the fulfilment of a legitimate interest of InnovA or the third party to whom the data is disclosed, provided that such interest does not damage the interest or the fundamental rights and freedoms of the data subject.

11. Data protection principles

InnovA adheres to the principles relating to the Processing of Personal Data as set out in the GDPR which require personal data to be:

11.1. Processed lawfully, fairly and in a transparent manner

Personal data shall be processed correctly and lawfully. Personal data shall only be processed if the data processing takes place within the limits of the applicable law. Personal data shall only be obtained for one or more specific purposes and shall not be processed in a way that does not comply with the respective purposes. Processing for purposes further identified is only allowed in instances where consent is not required, upon a prior notice sent to the data subjects.

The data subject shall be notified in advance with regard to the personal data to be processed, the purpose of processing and its legal grounds, the identity of the controller and their processors, the legitimate interest pursued by the controller by the personal data processing, if appropriate, any recipients or recipient categories for such data, if appropriate, InnovA’s intent to transfer the personal data to another third party, if the provision of all data requested is mandatory and the consequences of the refusal to provide such data, the terms for which such personal data shall be stored or, if not possible, the criteria used to determine such period, the existence of an automated decision process including the creation of profiles as well as, at least for such cases, information concerning the logic used, the foreseeable consequences and importance of such a processing to the data subject, the rights of the data subject provided under the laws in the data protection, as well as the conditions under which they may be exercised, as well as in relation to any other information specific to the processing purpose itself.

11.2. Purpose limitation

Personal data must only be collected and processed to accomplish specified, explicit and legitimate purposes and not process personal data beyond such purposes unless the further processing is considered compatible with the purposes for which the personal data was originally collected.

InnovA shall first identify the purposes for which personal data will be processed. Reference is made to Chapter 8.2 above. InnovA shall process the personal data under the limits provided by the foregoing purposes. Processing personal data for secondary purposes are lawful only when it is considered compatible with the original purpose for which personal data was processed. If, however, the secondary or further data processing does not relate to these purposes, controllers must assess whether the further processing is compatible with the purposes for which the personal data was originally collected. When assessing the compatibility, InnovA may consider the following:

  • Any link between those purposes and the purposes of the intended further processing;
  • The context in which the personal data has been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use;
  •  The nature of the personal data;
  • The consequences of the intended further processing for data subjects;
  • The existence of appropriate safeguards in both the original and intended further processing operations

If secondary purpose turns out not to be compatible with the first one, InnovA must inform the data subject in order to obtain consent or satisfy another applicable legal basis.

11.3. Data minimisation

InnovA shall only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed.

The practical implementation of this principle requires applying two concepts:

  • necessity and
  • proportionality to the personal data processing.

Necessity – Is the personal data that is collected suitable and reasonable to accomplish the specific purposes?

Proportionality – InnovA must assess the amount of data to be collected. Data that is collected shall not be excessive. The idea to save and collect all possible information shall be avoided.

11.4. Accurate and where necessary kept up to date

InnovA shall take reasonable measures to ensure that the personal data is accurate and kept up to date.

During the collection process, inaccuracy of personal data may occur if the authenticity of the information is not properly verified. Controllers must evaluate how reliable the source from which they collect the information is and take additional care when a potential inaccuracy may have adverse implications for the data subject.

Users on InnovA’s platform should be provided with the technical means to update personal data concerning them.

11.5. Not kept in a form which permits identification of data subjects for longer than necessary for the purposes for which the data is processed;

Personal data must not be kept for longer than necessary for the purposes for which the personal data is processed. In other words, once the information is no longer needed, personal data must be securely deleted.

Further reference is made to the paper prepared by PrivacyTrust on storage limitation.

11.6. Processed in a manner that ensures security, using appropriate technical and organisational measures to protect against unlawful or unauthorised processing and against accidental loss, destruction or damage

Personal data must be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

InnovA shall ensure that personal data is properly protected and preserved throughout the entire data life cycle. It is recommended to use Pseudonymisation and encryption techniques.

12. Instructions to InnovA’s Staff

12.1. When data subjects exercise their rights

Individuals nowadays are offered a wide range of rights enforceable against organisations that process their personal data. Therefore, organisations are obliged to facilitate the exercise of data subject rights.

Transparency in the communication with the data subjects is of paramount importance. The information communicated by InnovA must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

12.2. Identity confirmation

InnovA’s Staff must use all reasonable efforts to verify the identity of the data subjects when the latter makes use of their rights, which are described under Chapter 13. You should not request additional personal data that is not necessary if the identification was already clarified. You should also not request fees when such requests are submitted by data subjects.

In case of a request from the data subject, the employees responsible for the reply should acknowledge that they had received the request and confirm / clarify what has been requested from the data subject. All such requests shall be properly documented.

12.3. Time to respond

With reference to the time to respond, the deadline for the reply must not exceed one month or 30 calendar days, especially if the EU / UK GDPR is the governing law. This period starts from the date of the request. In exceptional cases, this period can be extended to two (2) further months if the case is complex. Should this extension be needed, the data subject must be informed within the first month as soon as possible. More information on the data subject’s rights is available in Chapter 13.

12.4. Refusal to respond

If requests turn out to be manifestly unfounded or excessive, You can either request a “reasonable fee” to deal with the request or refuse to deal with the request at all. In either case, such decision must be justified and thoroughly document the facts that lead to the respective assessment. Moreover, the data subject must be informed of the refusal of InnovA to treat their request further. The data subject must also be informed about their right to lodge a complaint before the relevant data protection authority. If the GDPR is applicable, a list of the EU data protection authorities is available hereunder:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

12.5. Means of communication

It is also important to keep consistency with the means of communication that were issued by the data subjects when they had issued their request. For example, if a request was submitted by e-mail, it is important to also provide your reply via e-mail.

The templates for replying to requests of data subjects are available here. If in doubt, please refer your concerns to the appropriate contact person.

12.6. General instructions

You shall comply with the general instructions displayed hereunder when processing personal data within the employment capacity:

  • Acknowledge the principles described above in Chapter 11 on how personal data may be processed and take it into account when You process personal data.
  • The following person/division within InnovA can reply to such requests. All requests should be submitted to them if received by another member of the Staff.
    • Paul Rabalais
  • Acknowledge that “processing” of personal data is every operation or set of operations performed on personal data, either automatically or manually, e.g. collecting, storing, reading, generating, changing or deleting personal data.
  • Always limit the collection and processing of personal data in order not to collect personal data that are “nice to have” but only what You “need to have” for the specific purpose.
  • Limit or exclude the processing of special categories of personal data, such as information on revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • Maintain the information security for the personal data that You use or are responsible for, e.g. by using complex passwords or locking Your computer when left unattended.
  • Make sure that the persons whose data You process have been informed about the contemplated processing. Contact the Contact Person if in doubt.
  • Make sure that there is a legal basis to process personal data in the manner You intend. Contact the appropriate contact person or DPO if in doubt.
  • Make sure that the personal data that you process is correct and up to date.
  • Erase personal data that You have stored on your computer which is no longer necessary to process, taking into account the purpose for which it was initially collected.
  • Only share personal data pertaining to You or other individuals to colleagues which are authorised and in need to have it.

The person(s) responsible with procurement and engagement of contractors or new customers, shall ensure data processing agreements (and / or international data transfer agreements) are in place.

If You are involved in the procurement of IT systems/services where personal data will be processed, keep in mind to include, amongst others, requirements on the system/service that will make it possible to restrict access, protect or erase the personal data. Also ensure that You are informed of any sub-contractor of the service provider that will process the personal data and where the personal data will be processed. Pay particular attention to privacy requirements when procuring or using cloud services.

InnovA’s Staff shall regularly participate in data privacy and information security training.

13. Data subject’s rights in the EU

InnovA’s Staff must be aware of the data subject’s rights of persons in the EU, which can exercise it and can submit a number of requests to InnovA as described hereunder. Individuals in the UK will have the same rights as the UK GDPR mirrors the EU GDPR. InnovA shall apply the same data subject rights to persons outside of the UK / EU, unless otherwise provided in this Policy.

Upon receipt of a request, InnovA’s Staff shall verify whether InnovA acts as a controller / processor. If InnovA is not a controller, but merely a processor, you should inform the data subject and refer them to the actual controller.

13.1. Right to be informed about the personal data collection and information;

If the personal data was collected directly from the data subject, the latter has the right to be informed about:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the DPO, where applicable;
  • the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
  • where the processing is based on point (f) of Article 6.1 of the GDPR, the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49.1 GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on point (a) of Article 6(1) or point (a) of Article 9.2 GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, referred to in Article 22.1 and 22.4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • If InnovA intends to further process the personal data for a purpose other than that for which the personal data were collected, we shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.

If the personal data was not collected directly from the data subject, the latter must be informed about:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 GDPR, or the second subparagraph of Article 49(1) GDPR, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • where the processing is based on point (f) of Article 6(1) GDPR, the legitimate interests pursued by the controller or by a third party;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  • the right to lodge a complaint with a supervisory authority;
  • from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

13.2. Right of access

Data subjects have the right to obtain confirmation as to whether or not personal data concerning to him / her are being processed and, where that is the case, access to the personal data and the following information:

  • The purpose of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular, recipients in third countries (i.e. non-EEA countries) or international organisations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • The right to lodge a complaint with the supervisory authority;
  • Where the personal data wasn’t collected from the data subject, any available information as to their source;
  • The existence of automated-decision making tools.

Data subjects can request a copy of all the personal data that InnovA is processing related to them in a machine-readable format at any time. However, if an access request by an individual includes information about others, their rights must also be adequately protected and balanced with the foregoing request. In certain situations, the personal data may be redacted before its disclosure. If that would turn out to be impossible or apparently unreasonable, the consent of the other involved persons should be required before the access request is finally granted.

Such a request may also be requested by a third-party on behalf of the concerned data subject, e.g. accountant, lawyer or any other person. Should this happen, personal data can only be disclosed once it has been sufficiently ensured that the third party making the request is entitled to do it. While it is the third party’s responsibility to provide evidence on this entitlement, as a part of the process, the nature of the request as a proxy request and retain proof of the entitlement, whether it is a written authority to make the request or a more general power of attorney.

13.3. Right to withdraw consent for processing

It is important to understand that consent may be withdrawn at any time by the data subject when the data processing is based on the consent of the data subject.

The consent must be withdrawn:

  • Completely;
  • In a timely manner;
  • Free of costs for the data subject that had withdrawn the consent;
  • In the same form that the request was made, unless the data subject would request it otherwise. Should this be the case, the responsible person should document this action.
  • The withdrawal can be performed through the following mechanisms:
  • Opt-out links in mailings or electronic communications;
  • Opt-out process explanation and steps on website and in all written communications;
  • Ability to opt-out verbally, in writing or by email.

13.4. Request to move their data to a different organisation in a machine-readable format

Data subjects have the right to receive the personal data that is processed by InnovA in a structured, commonly used and machine-readable format.

InnovA should facilitate this transfer to another organization where the data subject wants to have the personal data transferred to or send it directly to the data subject.

Should this request take place, please consult … for further guidance/assistance.

13.5. Right to rectification

Data subjects have the right to request rectification of any inaccurate personal data that is processed by InnovA. Data subjects have the right to provide additional personal data that is necessary to complete any missing information.

This should be done without unreasonable delay.

13.6. Right to erasure

Data subjects have the right to request the erasure of the personal data in full / partially that is processed by InnovA. This right is applicable under the GDPR only if the request meets one of six specific conditions as described under Article 17 of the GDPR:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) GDPR, or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
  • the personal data has been unlawfully processed;
  • the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

You can however deny this request if the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

13.7. Right to object to, or limit to restrict, the use of data

The data subject shall have the right to obtain the restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

A data subject who has obtained restriction of processing pursuant to the paragraph above shall be informed by the controller before the restriction of processing is lifted.

13.8. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  • the processing is based on consent on a contract to which the data subject is party to; and (the processing is carried out by automated means.
  • In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  • The exercise of this right shall be without prejudice to the right to be forgotten. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When processing such request, InnovA’s Staff must be aware that the right to data portability of an individual shall not adversely affect the rights and freedoms of others.

13.9. Right to object to automated individual decision-making

Data subjects have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interests of the controller, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

13.10. Information about the data recipients

Data subjects are also entitled to request information about the identities of recipients to whom InnovA has disclosed or intends to disclose the personal data.

If the data subject has subsequently exercised the right of rectification, erasure or blocking, InnovA shall make all reasonable efforts to notify all those third-parties of the data subject’s exercise of the foregoing rights. If this action would involve a disproportionate effort, InnovA is exempt from this obligation. However, this disproportionate effort will have to be proven by InnovA.

If you have doubts on assessing whether disproportionate efforts are necessary, you should clarify this with the DPO or the responsible privacy person / department.

13.11. Right to filling complaints

Data subjects have the right to file complaints with their relevant data protection authority in their country in relation to InnovA’s processing of their personal data. When data subjects exercise their rights, InnovA should also inform the latter about the possibility to submit an official complaint to the relevant authority.

The responsible Staff must also be aware that according to agreement where InnovA is part of, InnovA must inform its Customer(s) without unreasonable delay about any complaint or request in particular, requests for access, rectification, erasure, restriction, portability, blocking or deletion of Customer Personal Data received directly from data subjects of Customer(s). InnovA will not substantively respond to any such request without Customer’s prior written authorization.

InnovA shall also inform the Customer if an official complaint is submitted against InnovA and/or the Customer.

a.    CCPA

A consumer complaint under the CCPA can be submitted here: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

b.    EU

For data subjects in the European Union, the appropriate data protection authorities are listed here: https://edpb.europa.eu/about-edpb/board/members_en.

c.     UK

For data subjects in the United Kingdom, the appropriate data protection authority is the Information Commissioner’s Office and a complaint can be issued here: https://ico.org.uk/make-a-complaint/

13.12. Third party data processors

InnovA has outsourced a number of processing activities to third-parties processors as described hereunder:

Subprocessor Subject matter Nature Duration of processing
Microsoft Azure Cloud storage Collection, structuring, storage, access, correction, adaptation, alteration, dissemination, erasure, restriction, destruction Linked to the purpose of the Services provided by InnovA and to the duration of the Agreement.
Twilio Communication Collection, structuring, storage, access, adaptation correction, alteration, dissemination, erasure Linked to the purpose of the Services provided by InnovA and to the duration of the Agreement.
SendGrid E-mail delivery service Collection, structuring, adaptation, storage, access, correction, alteration, dissemination, erasure Linked to the purpose of the Services provided by InnovA and to the duration of the Agreement.
DocuSign Electronic Signature and Agreement Cloud Collection, structuring, storage, access, dissemination, erasure Linked to the purpose of the Services provided by InnovA and to the duration of the Agreement.
Smartystreets Address verification Collection, structuring, storage, access, correction, alteration, dissemination, erasure Linked to the purpose of the Services provided by InnovA and to the duration of the Agreement.
Avalara Tax compliance software Collection, structuring, storage, access, correction, alteration, dissemination, erasure Linked to the purpose of the Services provided by InnovA and to the duration of the Agreement.

It is important to keep this list updated as this is information is necessary when EU Standard Contractual Clauses are signed between InnovA and its Customer(s). This is usually mentioned in Annex 1 of the foregoing document.

14. Data subject rights under CCPA

InnovA’s Staff must be aware that the California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the In addition to the Chapter above, InnovA’s Staff must be aware that the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  •  The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

It is important to know that under the CCPA, if the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

14.1.   The right to know

The CCPA requires businesses to give consumers certain information in a “notice at collection.” A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information.

Under the “right to know” data subjects may request that businesses disclose what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Businesses must provide this information for the 12-month period preceding the request submitted by the data subject. Businesses must provide this information free of charge.

InnovA must respond to this request within 45 calendar days. You can extend that deadline by another 45 days (90 days total) if the data subject is notified accordingly.

There are some exceptions to the right to know. Common reasons why businesses may refuse to disclose personal information include:

  • The business cannot verify the request;
  • The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period;
  • Businesses cannot disclose certain sensitive information, such associal security number, financial account number, or account passwords. However, the business must communicate if they’re collecting that type of information.
  • Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims.
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

If InnovA is considered a service provider, it may deny the request and refer the data subject to the responsible entity, i.e. the controller.

See Civil Code section 1798.145 for more exceptions.

Businesses must verify that the person making a request to delete is the consumer about whom the business has personal information. Businesses may need to ask for additional information for verification purposes. If the business asks for personal information to verify the identity, it can only use that information for this verification purpose.

14.2. Right to request deletion of personal information

Data subjects may request that businesses delete personal information they collected and to tell their service providers to do the same. However, there are many exceptions that allow businesses to keep the personal information.

Businesses must respond to this request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if the data subject is notified accordingly.

There are exceptions to the right to delete. Common reasons why businesses may keep your personal information include:

  • The business cannot verify your request;
  • To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes;
  • For certain business security practices;
  • For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided;
  • To comply with legal obligations, exercise legal claims or rights, or defend legal claims;
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA;

See Civil Code sections 1798.105(d) and 1798.145 for more exceptions.

If InnovA is considered a service provider, it may deny the request and refer the data subject to the responsible entity, i.e. the controller.

Businesses must verify that the person making a request to delete is the consumer about whom the business has personal information. Businesses may need to ask for additional information for verification purposes. If the business asks for personal information to verify the identity, it can only use that information for this verification purpose.

14.3. Right to non-discrimination

Businesses cannot deny goods or services, charge data subjects a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.

However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.

Businesses can also offer you promotions, discounts, and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.

14.4. The right to opt-out of the sale of their personal information

Businesses that sell personal information are subject to the CCPA’s requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request.

Data subjects may request that businesses stop selling their personal information (“opt-out”). With some exceptions, businesses cannot sell the personal information after they receive the opt-out request unless the data subject later provide authorization allowing them to do so again.

Businesses must wait at least 12 months before asking you to opt back in to the sale of personal information.

There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling personal information include:

  • If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

See Civil Code section 1798.145 for more exceptions.

While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify the identity, it can only use that information for this verification purpose.

15. Data protection by design and by default

This Policy dictates that data protection and privacy of data subjects concerned are embedded throughout the entire lifecycle of the data processing. Therefore, the processing performed by InnovA is based on the following principles:

  • InnovA is proactive and not reactive as it anticipates and prevents possible data breach incidents;
  • The protection of the personal data is built into the system by default and there is no need for further actions;
  • InnovA provides end-to-end security during the entire lifecycle of the processing;
  • Visibility and transparency of the processing activities;
  • Respect for the data subject’s privacy.

The processing principles mentioned under Chapter 11 are in close connection to the requirement of data privacy by design and by default:

  • Lawfulness, fairness and transparency of processing in relation to the data subject;
  • Purpose limitation: collecting and processing for the specified purpose only;
  • Purpose limitation: collecting and processing of personal data for the specified purpose only;
  • Data minimisation: relevance and limit only to what is necessary;
  • Accuracy: completed and up-to-date data;
  • Storage limitation: personal data is only kept as long as needed to conduct the specified processing;
  • Integrity and confidentiality: security;
  • Accountability: responsibility and demonstration of compliance.

The principles enumerated under this Chapter must be taken on board during each new processing activity / innovative step performed by InnovA.

16. Record keeping

If InnovA is subject to the EU / UK GDPR, InnovA shall maintain a record of processing activities under its responsibility according to Article 30 of the GDPR. That record shall be supervised by the DPO and contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data has been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) GDPR.
      • An EU / UK Data Protection Authority may have the right to request InnovA to disclose such a record of processing. Should anyone receive such request, you must inform the responsible person accordingly.

      It is important to understand that not all data processed by InnovA will be personal data. However, it is important to know what non-personal data the InnovA is processing. Non-personal data may turn out personal data when new processing activities are implemented.

      A record of the InnovA’s processing activities is available here.

      17. Audit

      Audits are an ongoing process of evaluating the effectiveness of controls throughout the organisation’s operations, systems and processes. Generally concerned with process and technical improvements, audits can be used to identify the risks posed by vulnerabilities and weaknesses and provide opportunities to strengthen the organisation. Elements of the audit process in respect of privacy may happen simultaneously or in separate components depending on organisational requirements.

      There are three types of audits:

      • First party (internal) – organised once a year. InnovA will organise an annual internal audit, including of the suitability of the measures that are put in place to keep data secure.
      • Second party (supplier); organised on an occasional basis, but at least once a year.
      • Third party (independent) – organised once in two years.

      The results of the above-mentioned audits will be reported to:

      Paul Rabalais
      Vice President
      Wilks Brothers IT
      1315 Rancher’s Legacy Trail
      Suite 120
      Fort Worth, TX 76126 

      18. Data retention

      Personal data must be deleted as from the moment that the purpose for which it was collected is no longer needed. In case the personal data is stored electronically, this will be performed by overwriting or degaussing it.

      Please check the dedicated policy on this issue, which is available here.…..

      19. Data security

      Data security of the personal data exchanged and processed by InnovA is a high priority. InnovA will make sure that the foregoing personal data is kept secure from both internal and external threats.

      The information stored by InnovA and its sub-processors is stored in accordance with the Applicable Law in secure locations and servers as follows:

      • Strict physical, technical and organisational measures are enforced to counter the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data.
      • Only designated persons and a limited amount of InnovA’s personnel and external IT consultants have access to the personal data. InnovA’s personnel receive occasional trainings on how to observe data security in their work. Where personal data needs to be disclosed to subcontractors, the latter are requested to process and safeguard the data in a manner consistent with applicable laws and this Privacy Policy.
      • Despite of continuous efforts to protect the personal data, it should be acknowledged that due to the fast development of the IT development sector, in particular, in the security and privacy sector of the Internet, there are limitations which are beyond control;
      • The security, stability of the IT systems, and privacy of the information processed cannot be guaranteed; and
      • Any such information and data may be read or interfered with a third-party, despite of the continuous efforts to avoid that.

      20. Passwords

      InnovA’s Staff having access and process personal data, must:

      1. Use complex passwords (numbers, letters, and / or symbols) or long passphrases;
      2. Include a mix of upper and lower-case letters;
      3. Include special characters, such as !, £, %, $, %;
      4. Not include names, birthdays, usual phrases you use or places;
      5. No obvious substitutions (such as 0 for o);
      6. Include misspelled words, so that they are not in the dictionary;
      7. Have unique passwords which are not used for multiple accounts;
      8. Change Your password every six months.

21. Access restrictions

21. DPIAs

It is important to understand that when InnovA collects, stores or uses personal data of data subjects, those individuals are exposed to risks. Such risks can vary from personal data being poached and later on released on the Internet where ill-intentioned people may use the former to impersonate the data subject.

Not all legislations define the concept of a risk. There is nevertheless a definition of risk that has been utilised in the data protection community and proposed for the application of the GDPR as follows: “privacy risks equals the probability that a data processing activity result in an impact, threat to or loss of (in varying degrees of threat to, or loss of, a valued outcome that cannot be mitigated through the implementation of effective controls and / or that is unreasonable in relation to the intended benefits).

A data privacy impact assessment (DPIA) will define a process that is planned to identify those risks that derive from this processing and to minimise it as much as possible. A DPIA will have to be concluded in certain cases, especially when an organisation:

  • uses new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
  • uses automated processing including profiling;
  • uses large scale processing of sensitive (special category) data; and
  • processes data on a large scale;
  • plans to match or combine data sets (e.g. originating from two or more data processing operations performed for different purposes and / or by different data controllers in a way that would exceed the reasonable expectations of the data subjects concerned).
  • when the processing itself will prevent the data subjects from exercising a right or using a service or a contract.
  • A non-exhaustive list of minimum characteristics that a DPIA should include is available hereunder:
  • a description of the processing activities, including its purpose and legitimate interest(s) being pursued;
  • the necessity of the processing activities, including the analysis of the proportionality and the risks that it poses to the data subjects involved; and
  • the measures that the organisation has addressed towards these risks.

InnovA will have to perform a DPIA if one of the above-mentioned cases will apply. The responsible persons for the conclusion of the DPIA are:

Paul Rabalais
Vice President
Wilks Brothers IT
1315 Rancher’s Legacy Trail
Suite 120
Fort Worth, TX 76126

A sample DPIA template is provided in Annex 1 of this Policy.

23. Related policies within InnovA’s sphere

  1. Policy on data storage;
  2. Data mapping;
  3. Personal data retention policy;
  4. Data subject access request policy and procedure;
  5. Records of processing.

24. Changes to this policy

InnovA recognises that transparency is an ongoing responsibility so this Policy will be kept under regular review.

InnovA encourages You to periodically review it to be informed of how InnovA is protecting your information / other personal data processed by InnovA.