FCC Compliance: Data (Privacy) Protection Procedure
Our Data (Privacy) Protection procedure addresses 10 privacy principles.
These 10 privacy principles are essential to the proper protection and management of FAIM Applicants' personal and sensitive information. They are based on the internationally recognized fair information practices that underlie many privacy laws and regulations in jurisdictions around the world, and on recognized good privacy practices.
We will, through appropriate management and strict application of criteria and controls:
• Fully observe the conditions regarding the fair collection and use of information.
• Meet our legal obligations to specify the purposes for which information is used.
• Collect and process only appropriate information, and only to the extent needed to fulfil our operational needs or to comply with legal requirements.
1. Management:
We ensure that we have a Data Protection Officer with specific responsibility for ensuring compliance with this Data Protection Procedure and with applicable data protection law.
We ensure that everyone processing personal information understands that they are contractually responsible for following good data protection practice, in line with internal procedures and legal requirements.
We collect, process and transfer personal information about FAIM Applicants through computerized and paper-based data processing systems.
We have established routine processing functions (such as processing FAIM Compliance Procedure applications and FAIM Compliance Procedure audit reporting).
We ensure that all processing and transfers of personal information are subject to reasonable confidentiality and privacy safeguards.
2. Notice:
We provide notice about our privacy policies and procedures at the time of the FAIM Application; our notice is also available on the FIDI website under the FAIM section. We are committed to respecting FAIM Applicants by handling all personal information collected in connection with their FAIM Compliance Procedure in accordance with applicable law as well as our own Privacy Policies.
We only process personal information in order to support FAIM Applicants through their respective Compliance Procedure. For example, we identify key contacts to communicate with during the FAIM application.
We may process sensitive information if it is needed for business objectives (statistics) or if it is required to comply with applicable law. For example, we process audit reports related to FAIM Applicants' audit performance, but we may also need to process sensitive company financial information where our external FAIM auditor requires it to assess a First Time Applicant's FAIM Compliance Procedure.
In general, personal and/or sensitive information will not be collected, processed or transferred unless adequate privacy protection mechanisms are in place.
3. Choice and consent:
By applying for FAIM Certification you give your explicit consent with respect to the collection, use, and disclosure of personal information as described in this notice. Explicit consent here means you were clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal information.
4. Collection:
We shall obtain and process personal data fairly and in accordance with statutory and other legal obligations. We collect personal information for the sole purpose of supporting FAIM Applicants before, during and after their FAIM Compliance Procedure.
5. Use, retention, and disposal:
We limit the use of personal information to the sole purpose of executing your FAIM Compliance Procedure, for which you have given your explicit consent as described under Choice and consent.
We retain personal information only for as long as necessary to fulfil the stated purposes or as required by law or regulation, and thereafter dispose of it appropriately. For example, we will retain your personal information for as long as you are affiliated to FIDI and therefore subject to a FAIM Compliance Procedure.
6. Access:
You may access and update your personal information, within reason, by contacting the FCC.
This notice provides basic information about our processing of your personal information and your privacy rights. Should you have additional questions, you may contact the FCC's Data Protection Officer at the following contact details:
7. Disclosure to third parties:
We shall use and disclose your personal data only in circumstances that are necessary for the purposes for which we collected the data. For example, we will disclose your personal information only to our independent FAIM auditor and to other FIDI departments, and only for the purposes listed above or in the event of an emergency. We will never sell your personal information to third parties.
8. Security for privacy:
We protect personal data against unauthorised access (both physical and logical) in line with our internal IT policy and procedures. We shall take appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, personal data and against its accidental loss or destruction. Personal data will only be accessible to authorised staff.
9. Quality:
We maintain personal information that is as accurate, complete and relevant as reasonably possible, and only for the purposes identified in this notice.
We obtain your personal data from the FAIM Application Form and corresponding e-mails.
Please note that responsibility for the accuracy of your personal information is shared: please let us know of any changes to your personal information.
10. Monitoring and enforcement:
We monitor compliance with our privacy policies and procedures and have procedures to address privacy related complaints and disputes. All FCC staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them. If you believe that your personal information is not handled in accordance with the applicable law or our privacy policies, you may submit a complaint to the FCC's Data Protection Officer who will investigate the complaint.
This Data Protection Policy will be reviewed regularly in light of any legislative or other relevant developments.
Glossary of Terms
Privacy: The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.
Personal information: (sometimes referred to as personally identifiable information) information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual.
Individuals, for this purpose, include prospective, current, and former customers, employees, and others with whom the entity has a relationship. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows:
- Home or e-mail address
- Date of Birth
- Identification number (for example, a Social Security or Social Insurance Number)
- Physical characteristics
- Consumer purchase history
Sensitive information: Some personal information is considered sensitive. Some laws and regulations define the following to be sensitive personal information:
- Information on medical or health conditions
- Financial information
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual preferences
- Information related to offenses or criminal convictions
Non-personal information: information about or related to people that cannot be associated with specific individuals. This includes statistical or summarized personal information for which the identity of the individual is unknown or the linkage to the individual has been removed. In such cases, the individual's identity cannot be determined from the information that remains because the information is de-identified or anonymized. Non-personal information ordinarily is not subject to privacy protection because it cannot be linked to an individual. However, some organizations may still have obligations over non-personal information due to other regulations and agreements.
Privacy or Confidentiality?
Unlike personal information, which is often defined by law or regulation, no single definition of confidential information exists that is widely recognized. In the course of communicating and transacting business, partners often exchange information or data that one or the other party requires be maintained on a “need to know” basis. Examples of the kinds of information that may be subject to a confidentiality requirement include the following:
- Transaction details
- Engineering drawings
- Business plans
- Banking information about businesses
- Inventory availability
- Bid or ask prices
- Price lists
- Legal documents
- Revenue by client and industry
Also, unlike personal information, rights of access to confidential information to ensure its accuracy and completeness are not clearly defined. As a result, interpretations of what is considered to be confidential information can vary significantly from organization to organization and, in most cases, are driven by contractual arrangements.
Data Protection Officer:
The person responsible for ensuring that the FAIM Coordination Centre (FCC) follows its data protection policy and complies with local legislation.
Consent: a freely given, specific and informed agreement by an individual / FAIM Applicant to the processing of personal information about her/him. Explicit consent is needed for processing sensitive data.
Processing: collecting, amending, handling, storing or disclosing personal information.