Des-Case Privacy Policy

At Des-Case Corporation entities, (“Des-Case Group” or “Company”), a strong ethical culture is preserved worldwide with integrity, honesty, fair business practices, and full compliance with all applicable laws.

No policy can anticipate every situation that may arise. Accordingly, this Privacy Policy is intended to serve as a source of guiding principles to ensure that we operate with the highest levels of ethical conduct.

Table of Contents

Section I: Commitment to Data Privacy 3

Section II: Scope 3

Section III: Retention of GDPR Data 3

Section IV: Right of Transparency of Information 4

Section V: Right of Erasure & Right of Restriction of Processing 4

Section VI: Right to Object 5

Section VII: Right to Rectification 6

Section VIII: Right to Data Portability 6

Section IX: Personal Data Types (customer & employee) 6

Section X: Customer Consent 7

Section XI: Applicant and Employee Consent 9

Section XII: Routine Erasure & Blocking of Personal Data 10

Section XIII: GDPR Principles in Practice 10

Section XIV: Contact Information 11

1. Des-Case USA-Europe & RMF Systems Commitment to Data Privacy

   Des-Case Corporation and its Affiliates respects your privacy. Data protection is of high priority for its management and its affiliates. Directive 94/46/EC of the European Parliament and of the Council is called the General Data Protection Regulation (GDPR). The fundamental guiding principle of the GDPR is the protection of natural persons with regard to the processing of their personal data with respect of their fundamental rights and freedoms, regardless of nationality or residence, in particular their right to the protection of personal data (Preamble:1,2 GDPR). If there is any conflict between this Privacy Policy and the GDPR, the GDPR principles for natural citizens of the European Union (also EEA) shall govern respectively unless otherwise required by a local jurisdiction or provided for in a subsequent or different notice.

   By means of this data protection declaration, our Company would like to inform the General Public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, Data Subjects are informed by means of this data protection declaration of the rights to which they are entitled.

   The protection of personal data is a fundamental right. Our Company is committed to international compliance with data protection laws.

2. Scope

   This Privacy Policy applies to all customers and employees of the Des-Case Group.

   For the sake of clear definitions for this policy, personal data is considered any information relating to an identified natural person. An identifiable person is one who can be identified, directly or indirectly, by a reference to an identifier such as a name, an identification number, location, data, an online identifier or to one or more factors related to any social identifier (Article 4:1 GDPR).

3. Retention of GDPR Data

   The length of time for which GDPR personal data is held will vary depending upon the purposes for which the data is being used and relevant requirements related to legal compliance, applicable laws, rules and regulations.

   Personal data will be destroyed or erased from our systems when no longer required for the purposes set forth with collection of such data (Article 3:63 GDPR) unless applicable laws or regulations support and/or require retention of specific data.

4. Right of Transparency of Information

   The Data Subject shall be informed before his or her personal data is collected and recorded. He or she shall expressly consent to having this data received (Preamble:58 GDPR). The Company provides opportunities for consent wherever personal data is collected.

   Per the GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subject’s agreement to the processing of personal data relating to him or her, such as a written statement, including electronic means, or an oral statement (Preamble:32 GDPR). In our Company, ticking a box when visiting our website is one such example. The button used to do so on the web platform provides complete access to this Privacy Policy.

5. Right of Erasure & Right to Restriction of Processing

   Each customer Data Subject has the right to request of the Controller erasure of personal data (Article 17 GDPR) concerning him or her without undue delay.

   The Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies if processing is not necessary:

   1. Customer Data Subject requests erasure of personal data as his or her fundamental right unless deemed a non-compliant action based on applicable laws, rules or regulations.
   2. Customer Data Subject requests erasure of personal data as his or her fundamental right with the understanding that the lack of basic customer data may result in the Company’s inability to effectively transact with the customer.
   3. Personal data are no longer necessary in relation to the purposes for which they were collected, and/or otherwise processed, and/or have exceeded relevant retention requirements.
   4. The Data Subject withdraws consent to which the processing is based according to point Article 6:1a of the GDPR, or Article 9:2a of the GDPR, and where there is no other legal ground for the processing.
   5. Data Subject objects to the processing pursuant to Article 21:1 of the GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21:2 of the GDPR.
   6. Personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
   7. Personal data have been collected in relation to the offer of information society services referred to in Article 8:1 of the GDPR.

6. Right to Object

   The Data Subject may, related to differing purposes and use, object to the processing of his or her data at any time. This objection must occur no later than the time of first communication with the Data Subject. As per the language of the GDPR, the “right to object” shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information (Article 21 GDPR). This Privacy Policy helps to serve as notification to the Data Subject.

   Regarding employment or contractual work inside/outside of the EEA, objection of the processing may result in the Company’s inability to employ or work contractually with a Data Subject as certain documents and forms may be required due to the sensitive nature of such relationships (e.g. intellectual property or NDA’s). Regardless, it is the Data Subject’s right to object to the processing of his or her personal data.

   If the Company processes personal data for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. In such cases, the Company will no longer process the personal data for these purposes. In addition, the Data Subject has the right to object to processing of personal data concerning him or her by the Company for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out for reasons legally legislated in for the sake of public interest.

   In order to exercise the right to object, the Data Subject may contact any employee of the Des-Case Group. In addition, the Data Subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications. Each Data Subject shall have the right granted by the European legislator for those natural citizens in the EEA not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision: (1.) is not necessary for entering into, or the performance of, a contract between the Data Subject and a data controller, or (2.) is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or (3.) is not based on the Data Subject’s explicit consent. If the decision is necessary for entering into, or the performance of, a contract between the Data Subject and a data controller, or is based on the Data Subject’s explicit consent, the Company shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.

   Ultimately, the Data Subject may exercise his or her rights concerning automated individual decision-making to withdraw data protection consent at any time.

7. Right to Rectification

   The Data Subject shall have the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her (GDPR Article 16).

8. Right to Data Portability

   Each Data Subject shall have the rights granted by his or her respective governing legal entity to receive personal data concerning him or her. In the EU, EEA and other jurisdictions with similar legal requirements, all Data Subjects have the right to request and receive their personal data in a structured, commonly used and machine-readable format given it does not affect the rights and freedoms of others (Article 20:4 GDPR). In other countries and jurisdictions, personal data related to employment may receive different treatment based on applicable laws, rule, and regulations.

   In exercising his or her right to data portability (Article 20:1 GDPR), the Data Subject shall have the right to have the personal data transmitted from one controller to another where technically feasible, legally required, and allowable without impeding upon the rights and freedoms of others. In order to assert the right to data portability, the Data Subject may at any time contact RMF Systems.

9. Personal Data Types (customer & employee)

   Any processing of personal data with the Des-Case Group must be lawful and fair (Article 3:39 GDPR). It must be transparent to natural persons that personal data concerning them are collected, used, consulted or processed, with the scope of such processing aligned with the Data Subjects’ rights.

   The Company considers the lawful and correct treatment of personal data as a vital component of its operations. The personal data of both employees and customers is handled ethically and responsibly with a high level of confidentiality and security. Not an all-inclusive list, the following key principles concerning Personal Data (Article 3 GDPR) are adhered at the Des-Case Group:

   1. Personal data is only processed with consent of the Data Subject
   2. Policies on personal data are transparent and clearly communicated
   3. Only relevant personal data is collected and limited to what is necessary
   4. All third-party contracts involving personal data must contain clauses requiring respective third parties to comply with GDPR where applicable
   5. Personal data is subject to confidentiality and secured with appropriate organizational and technical measures to prevent unauthorized access or illegal processing or distribution

10. Consent – Customer

    
    As a customer, there are three sets of business processes for which the GDPR may impact your personal data. The first set of processes are related to use of the Company website at
    
    www.descase.com

11. The second set of business processes are to all transactional activities in the buying or selling of products, services, or subscriptions with Des-Case and its affiliates.
12. First and foremost, when visiting the Company website, two action items are requested (1.) acceptance of website cookies, and (2.) review of this Privacy Policy. As an important note, since internet-based data transmissions are not guaranteed to be protocol-free of security gaps, absolute protection of data transmitted via the internet is not guaranteed. For this reason, every Data Subject is free to transfer personal data to us through alternative means.Per the GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, unambiguous indication of the Data Subject’s agreement to the processing of personal data relating to him or her. This includes ticking a statement when visiting a website (Preamble:32 GDPR). The following website activities take place to help the organization both better serve website customers and ensure website effectiveness:

    1. Cookies

       Session cookies is one method for which the Des-Case Group collects information. Cookies are text files stored in a computer system via an internet browser. A “cookie” is a unique numeric code used to identify with a user’s computer to optimize future visits and enhance Company web pages. More specifically, the Company website uses persistent cookies in conjunction with a third party technology partner to analyze search engine usage and web traffic patterns. Users may set preferences regarding the storage of cookies within

       their individual web browsers, which can also be used to remove stored cookies. If you choose to limit cookies, some website functionality may be limited.

    2. Google Analytics

       
       Our website uses Google Analytics, a web analytics service of Google Inc. In similar fashion to session cookies, Google Analytics uses cookie text files to analyze how the website is being used. More specifically, Google uses the data stored on these cookies to compile reports on website activities with the intention of providing analytics that best service the needs of the website visitors. For more information, please visit:
       www.google.com/policies/privacy/partners/
       Users can opt-out of the collection and use of information by blocking third party cookies and other tracking mechanisms via web browser settings or operating systems settings.

    3. Server Logs

       All web servers collect very basic visitor information to monitor site usage and performance.

    4. Social Media

       Our website uses social media features, such as the Tweet share button. These features may collect your IP address and the specific page visited on the Company website. A cookie may be need to be enabled for this functionality.

       Since social media features are hosted by third parties, user interactions with these third parties are governed by the organization providing the service.

    5. Contact Us

       Should a website visitor wish to contact the organization via the website, the Des-Case Group will store the personal data required to enable the interaction. This personal information will be used consistent with the intended purposes of engagement.

    6. Website Promotions, Company Blogs, Subscription to Newsletters

       On Company websites, users may be given the opportunity to subscribe to newsletters. The input mask used for this purpose determines what personal data are transmitted, as well as when the newsletter is ordered from the controller. The Company may choose to inform its customers and business partners regularly by means of a newsletter and related products and services offers. The Company’s newsletter may only be received by the Data Subject if: (1.) the Data Subject has a valid email address and (2.) the Data Subject

       registers for the electronic delivery of the newsletter. A confirmation email may be sent to the email address registered by a Data Subject upon sign-up commencement with an opt-in procedure that includes the option to review the Company Privacy Policy. During website registration for any Company web platform-based service, IP addresses are stored on the computer system assigned by the internet service provider (ISP) as well as the date and time of the registration. Personal data collected as part of a registration for the newsletter will only be used for purposes described upon registration. There will be no transfer of personal data collected by the Company to third parties. The subscription to our newsletters, blogs, etc. may be terminated by the Data

       Subject at any time. The consent to the storage of personal data, which the Data Subject has given for shipping the newsletter, may be revoked at any time. For the purpose of revocation of consent, a corresponding link is found in each newsletter for said purposes. It is also possible to unsubscribe from the newsletter at any time directly on the Company websites or via communication with the controller.

    7. Tracking Pixels

       Newsletters, blog pages, and email blasts may contain tracking pixels. A tracking pixel is a miniature graphic embedded in such emails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, the Company is able to learn when/if emails are opened by a Data Subject. Such personal data collected as tracking pixels are stored and analyzed by the controller in order for the Company to optimize the production of content that best serves our customers. These personal data will not be passed on to third parties. Data Subjects are at any time entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. After a revocation, these personal data will be deleted by the controller. The Company automatically regards a withdrawal from the receipt of the newsletter as a revocation.

    8. CRM, Marketing Campaigns, and Other Related Sales and Marketing Activities

       In order to comply with the GDPR’s data protection provisions regarding sales and marketing activities in our Companies, explicit consent is the practice for which Data Subject information is gathered. The online declaration of consent form includes the following fields:

       • Purpose of use
       • Specific communication channel
       • Contact data fields
       • The Des-Case Group’s GDPR Principles in Practice overview (see XIII)
       • Right to withdraw reminder
       • Consent checkbox

    With some activities, the simple opt-in process is replaced by the double-opt-in process in which the interested party is required to confirm his or her original consent. For such cases, email correspondence is typically used for confirmation.

    The third set of business processes are related to the use and licenses of the Learning Management System which is hosted by a third party provider. Very basic user information and site usage and performance are tracked.

13. Consent – Applicant and Employee

    In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicant’s personal data can be processed. If the candidate is rejected, his or her personal data must be deleted in observance of the required retention period, unless the candidate has agreed to remain on file for future selection process.

    We generally obtain consent from the Data Subject on required personal data for employment and contractual work. In addition, many Company benefits and state reporting requirements (i.e. remuneration, taxation, pensions, etc.) are inextricably tied to the use of Data Subject personal data. Declarations of consent will be required whenever applicable to such processes.

    The Des-Case Group will only process personal data in employment engagements that are both relevant and legal in relationship to the respective employee or contractor natural resident laws, rules and regulations. Ultimately, data processing must always relate to the purpose of the employment agreement or contract of employment (Article 88 GDPR).

    Based on local laws, rules and regulations, employment records will be kept in accordance with both allowable Company retention policies and state legal requirements. No Data Subject employment personal data will be kept without purpose and plan for eventual erasure.

14. Routine Erasure and Blocking of Personal Data

    The data controller shall process and store the personal data of the Data Subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the EU or other legislators in laws or regulations to which the controller is subject to. If the storage purpose is no longer required or applicable, or if a storage period prescribed by the EEA legislator or another competent legislator expires, personal data are routinely blocked or erased in accordance with legal requirements (Article 17 GDPR).

15. GDPR Principles in Practice

    As a final statement of our Company’s commitment to your privacy, the following (not an all-inclusive list) includes fundamental GDPR principles that embody our commitments to Data Subjects:

    1. Personal data shall be processed lawfully, fairly, and in a transparent manner.
    2. Less is more. Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
    3. Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate is erased or rectified without delay.
    4. Personal data shall be kept in a form which permits identification of the data subject for no longer than it is necessary for the purposes for which it is processed. Thereafter, the personal data shall be blocked or erased without delay.
    5. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing.
    6. Should a data breach occur with probability of resulting in high risk to the rights and freedoms a Data Subject, the controller shall communicate the personal data breach to the Data Subject without undue delay.
    7. The controller is responsible for compliance and accountability and must be able to demonstrate compliance.

16. Contact Information USA

If you have any question concerning this notice, please contact Kamiran Ibrahim (Information Technology Manager and Data Protection Controller for the US) at 00 1 (615) 672-8800 or via email at

[email protected]

or in writing at Des-Case Corporation, 675 N. Main Street, Goodlettsville, TN 37072.

European Economic Area

If you have any questions concerning this notice, please contact Leon Stoof (Regional Controller and Data Protection Controller) at +31 (0) 182-24-48-88 or via email at

[email protected]

or in writing to RMF Systems BV, Coenecoop 99, 2741 PH Waddinxveen, The Netherlands.

Please configure the Privacy Tools page in the admin interface.