PRIVACY POLICY (LONG VERSION)
Rosita Bonita is committed to the protection of your rights and the privacy of the data that you provide to us.
This Privacy Statement informs you of our privacy practices and of the choices you can make about the way information about you is collected, how that information is used by Rosita Bonita, and how Rosita Bonita communicates with you. In implementing any changes to our procedures we apply a privacy-first policy: we consider the impact on data privacy and review these policies accordingly. The policies in this statement are reviewed annually and were last reviewed in May 2018.
The General Data Protection Regulation (GDPR) provides the following rights for individuals who are data subjects: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. These are explained in detail in the 120 page ICO guide at https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf.
On request, preferably by email to firstname.lastname@example.org, Rosita Bonita will provide you with the personal data that it holds about you so that you can rectify any incorrect details, have erased any information that it holds on the basis of your consent, and restrict any future processing except where it has a legitimate right under contract. We ask you to notify us whenever your details change so that our records can be kept up to date. To prevent fraud, we reserve the right to request evidence of identity before making changes.
Rosita Bonita uses data for legitimate purposes to communicate with you in respect of the services that Rosita Bonita is contracted to provide and manage our relationship with you, including collecting monies due to us, and to resolve any complaints.
Rosita Bonita uses data with your explicit consent for electronic marketing purposes.
Rosita Bonita allows you to select specific items and methods for consent, and retains a record of your consent and the basis on which it was obtained.
Rosita Bonita does not send unsolicited messages except with specific informed consent which has not been withdrawn, or under the soft opt-in to an existing (not prospective) customer or client who has not withdrawn consent.
Rosita Bonita collects and records personal data which may include your name, address, telephone number and email address.
Rosita Bonita has no need to store a full payment card Primary Account Number (PAN). Any record of a card number kept to identify the card is restricted to the first 6 and the last 4 digits of the PAN, and the CVV/CVC (the 3-digit security code on the back of the card) is never stored.
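The truncation rule above (first 6 and last 4 digits retained, security code never stored) is the form of PAN storage that PCI DSS permits without the cardholder-data protections a full PAN requires. The following is an added example, written for this page and not code from Rosita Bonita, of how a system can enforce that rule at the point of storage and check that a full PAN has not leaked into free text such as log lines. The card numbers are the well-known industry test numbers, not real accounts; the field names `pan`, `cvv` and `expiry` are assumed for the example.

```python
import re

# Constructed sample inputs: standard payment-industry test numbers, not real cards.
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29"}
SENSITIVE_FIELDS = ("cvv", "cvc", "cvv2", "cvc2")  # never to be stored


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the storable form: first 6 + last 4 digits, the rest masked with 'X'.

    Card PANs are 13 to 19 digits; anything else, or a failed Luhn check,
    is rejected rather than stored in a half-masked form.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def sanitise_card_record(record: dict) -> dict:
    """Build the only version of a card record that may be written to storage.

    Drops the security code fields entirely and replaces the PAN with its
    truncated form, so the full number never reaches the database.
    """
    stored = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_FIELDS}
    stored["pan"] = truncate_pan(record["pan"])
    return stored


def contains_full_pan(text: str) -> bool:
    """Detect a full PAN in free text (log lines, support notes, exports).

    Looks for 13 to 19 digit runs, allowing spaces or hyphens between groups,
    and confirms with Luhn to cut false positives from order numbers and
    timestamps. A truncated PAN (with X's in the middle) does not match.
    """
    for m in re.finditer(r"(?:\d[ -]?){13,19}", text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


if __name__ == "__main__":
    safe = sanitise_card_record(SAMPLE_RECORD)
    print(safe)                                            # {'expiry': '12/29', 'pan': '411111XXXXXX1111'}
    print(contains_full_pan("charged card 4111-1111-1111-1111 ok"))  # True
    print(contains_full_pan(f"charged card {safe['pan']} ok"))        # False
```

Note that first 6 plus last 4 hides only the middle digits (6 of 16 on a typical card), which is exactly what the standard allows for truncated storage; it is not a substitute for encryption if the full PAN must ever be kept, and the detection scan is the check that it has not been.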
Rosita Bonita does not and will not share, sell, rent, or lease your personal data to others except as required by law, or under a contract for the provision of services where the provider has a legitimate requirement for that information solely to provide that service and contracts not to use it for any other purpose. Rosita Bonita will share your personal information to: (i) respond to duly authorized information requests of police and governmental authorities; (ii) comply with any law, regulation, subpoena, or court order; (iii) investigate and help prevent security threats, fraud or other malicious activity; (iv) enforce/protect the rights and properties of Rosita Bonita when allowed and in line with the requirements of applicable law.
To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, Rosita Bonita uses reasonable and appropriate physical, technical, and administrative procedures to safeguard the information we collect and process. Rosita Bonita retains data only as required or permitted by law and while it has a legitimate business purpose or consent. The personal information you provide to Rosita Bonita is stored on computer systems in permitted locations in controlled facilities which have limited access. When we transmit or transport confidential information, including over the internet, we protect it through the use of encryption, such as the Transport Layer Security (TLS) protocol (the successor to SSL). Rosita Bonita does not connect computers holding files with personal data to an unsecured WiFi network.
Rosita Bonita will not include personal data in the body of an email, but emails can include an encrypted attachment containing personal data, with the password communicated separately, either by email or by some other means.
Rosita Bonita will consider whether it is appropriate to reveal the email addresses of other recipients, but will also consider whether the use of bcc is more appropriate.
Rosita Bonita requires the use of strong passwords, preferably of at least 12 characters, which are not dictionary words and cannot easily be recovered by a brute force or dictionary attack. Passwords and computer access must never be shared. Vendor-supplied default passwords must be changed before any equipment or processing facility is used.
Rosita Bonita implements automatically updating antivirus and firewall software, and a daily encrypted backup to a secure off-site location.
Rosita Bonita uses session cookies to record your login to the secure parts of its website. These session cookies expire when you close your browser.
Rosita Bonita sets and reads persistent cookies on your computer through your browser in order to understand and improve your use of its website.
‘GDPR’ General Data Protection Regulation
‘Data subject’ is a living individual to whom personal data relates.
‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
‘Sensitive personal data’ refers to the “special categories of personal data”, which specifically include genetic data, and biometric data where processed to uniquely identify an individual.
‘Information society service’ (ISS) is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
‘Permitted locations’ are countries within the EU and other locations with an adequate level of protection. The United States of America as a whole is not a permitted location, but some US data storage providers are compliant.
‘PECR’ Privacy and Electronic Communications (EC Directive) Regulations 2003
‘Electronic communication’ is any communication over a phone system or internet connection, but excluding generally available information such as the content of web pages or broadcast programming.
‘Unsolicited message’ is any message that has not been specifically requested.
‘Soft opt-in’ is an existing (not prospective) customer or client who has not withdrawn consent.