1. Introduction 

Noventiq (its subsidiaries, including each Noventiq operating company - together, "Noventiq") is committed to ensure the protection of Personal Data of its Customers, Employees, Business Partners and any other individual.

The Data Protection Policy (hereinafter, the "Policy") shows how Noventiq process the personal data of clients, suppliers, employees and other categories of natural persons, namely describes the principles applicable to the personal data processing within Noventiq.

Noventiq's mission and objective is to observe privacy/data protection legal obligations and highest standards in all data processing instances, throughout the entire personal data life cycle.

The Policy is the document that provides a high-level guidance on Noventiq's actions relating to personal privacy and data protection and it is the statement of the management of Noventiq of the standards that need to be met.

2. Definitions

3. Scope

Noventiq processes personal data from several general purposes, which are listed in the record of personal data processing activities, under the form of a registry. This Policy applies to any Personal Data Processing that is done for or by Noventiq.

This Policy shall be complied with by all employees, contractors, consultants, including all personnel affiliated with third parties who may have access to any Noventiq resources.

4. Application of national law

The present Policy presents the principles applicable to personal data processing, which must be observed within Noventiq, without replacing the legislation on data protection applicable in all countries where Noventiq is established or does business in. The legislation prevails over this Policy, if it contains divergent provisions or additional conditions. In particular, any conditions regarding reporting and authorization existing in the legislation concerning data processing based in the national legislation must be observed.

5. Principles of data processing

Each personal data processing must observe the rights and freedoms of the data subject, in accordance with the principles stated below. These must be observed even when new data processing is initiated or when the existing ones are extended or diversified.

Personal data processing is fair and lawful, meaning Noventiq has a legitimate business purpose (and, where required, a legal basis) for processing personal data. Where Noventiq acts as a processor, it will generally rely on the controller to establish this legal basis.  

Personal data processing is limited to the minimum necessary, meaning Noventiq collects and retains the minimum amount of personal data necessary for the business purpose. Where Noventiq acts as a processor, it must also process personal data only as directed by the controller. 

Noventiq is transparent with data subjects how and why their personal data will be processed. Where Noventiq is a processor, this information is likely to be provided to the data subjects by the controller.  

Personal data is processed in accordance with the rights of data subjects (e.g. to access, erase or correct personal data). Where Noventiq acts as a controller, it must respect and observe any exercise of these rights, and where it is a processor it will be required to assist the controller in responding. 

Personal data is accurate, up-to-date and complete.  Where it acts as processor, Noventiq will assist the controller to ensure this.

Personal data is kept secure, meaning Noventiq applies appropriate security safeguards to personal data, including where processed by third parties. Where Noventiq acts as a processor, it will be required to implement its own appropriate safeguards and provide assistance to the controller in doing the same. 

Personal data is transferred internationally in accordance with applicable law.

Noventiq is accountable and can demonstrate compliance with its obligations under applicable data privacy laws.

6. Rights of the data subject

Together with the principles mentioned above, Noventiq keeps in mind and observes the rights of the data subject in all personal data processing according with the applicable law, which might include:

• Right to information and transparency - Noventiq ensures that the data subject is informed with regard to the personal data processing;
• Right to access - Noventiq observes the procedure in order to ensure the access of data subject s to information regarding their data processing.  
• Right to rectification - Regardless of the grounds for the processing, the data subject s have the right to request Noventiq to rectify or complete their data, as the case may be, on the basis of an additional statement.   
• Right to restrict the processing - The data subjects can request Noventiq to restrict the processing of the personal data concerning them.  
• Right to erasure ("right to be forgotten") - The data subjects have the right to request and obtain the erasure of personal data in some cases;
• Right to data portability - The data subjects have the right to request Noventiq to provide a copy of their personal data to the data subject or a Third Party in some cases.
• Right to oppose the processing/ Right to oppose the processing in direct marketing purposes: Noventiq shall not make decisions about data subjects based solely on automated processing.

7. Disclosure of personal data. Assignees. Transfer to Third-Party Countries

Type and purposes of personal data disclosures

Personal data shall only be disclosed if the party that receives it is personally liable for the data it has received or only if the party that receives them will use it in accordance with the instructions obtained from the party that discloses it.

Personal data can shall be disclosed for allowed purposes, mentioned in Noventiq's records, in view of the performance of Noventiq's activity, for observing legal obligations or if there is consent from the data subject.

Processors/Data importers

In situations in which the processing will be performed by another natural person or legal entity in the name of Noventiq, they will be an processor/data importer in the sense of the applicable law and must offer enough guarantees for the application of adequate technical and organizational measures for personal data protection, which it will process in the name of Noventiq and by observing the rights of the data subjects.

Transfer of data to a third-party country

There is a transfer to another country when the personal data is transmitted, visualized or accessed by persons who are in another country.

If the personal data collected and stored by Noventiq is transferred to a person situated in a different country than the one where Noventiq has its registered office, the person who received the data must guarantee a personal data protection level equivalent to the level ensured by Noventiq.

8. Contact points

9. Compliance

The Global Data Protection Officer is owner of this Policy. Noventiq is committed to ensuring that this Policy is observed by all employees, contractors, consultants, including all personnel affiliated with third parties who may have access to any Noventiq resources.    

Compliance with this Policy is verified by various means, including reports from available business tools, internal and external audits, self-assessment, and/or feedback to the policy owner(s). Noventiq monitors its compliance with this Policy on an ongoing basis. Any exceptions to this Policy requires the written approval of the Global Data Protection Officer.

Failure to comply with this Policy, including attempts to circumvent it may result in disciplinary actions, including termination, as allowed by local laws.

Violations of regulations designed to protect Personal Data may result in administrative sanctions, penalties, claims for compensation or injunctive relief, and/or other civil or criminal prosecution and remedies.

April 14th, 2023