This statement discloses the information practices for Arrive Systems websites, including what type of information is gathered and tracked, how the information is used, and with whom the information is shared. t sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.
We have implemented these practices for the Arrive Systems website (www.arrivesys.com). We have instructed our web-masters to include information on these privacy practices wherever personal information is collected on an Arrive Systems website.We regret that if there are one or more points in the subsequent statements with which you are not satisfied with or disagree on, your only recourse is to leave our website immediately.
We take seriously the protection of your privacy and confidentiality. We understand that all visitors to our website are entitled to know that their personal data will not be used for any purpose unintended by them, and will not accidentally fall into the hands of a third party.
We undertake to preserve the confidentiality of all information you provide to us, and hope that you reciprocate.
Our policy complies with UK law accordingly implemented, including that required by the EU General Data Protection Regulation (GDPR). Please see GDPR in Section 8 below for more detailed information.
The law requires us to tell you about your rights and our obligations to you in regards to the processing and control of your personal data. We do this now, by requesting that you read the information provided at www.knowyourprivacyrights.org
Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website.
2. About Personal Information that we may collect
In general, you can visit Arrive Systems on the Web without telling us who you are and without revealing any information about yourself. There are times, however, when we or our partners may need information from you.
You may choose to give us personal information, such as your name and address or e-mail ID that may be needed, for example, to correspond with you, to process an order or to provide you with a subscription to our newsletters or other publication, grant access to our partner and training portals, or provide technical support. It is our intent to let you know how we will use such information before we collect it from you on the Internet. We provide this information through a privacy link, which is presented wherever personal information is collected. If you tell us that you do not want us to use this information as basis for further contact with you, we will respect your wishes.
3. Information security and quality
We intend to protect the quality and integrity of your personally identifiable information. Arrive Systems’ business processes will be designed and applied to appropriately safeguard your personal information, having regard to the sensitivity and use of that information. We are implementing appropriate technical and organizational measures, such as giving unsubscribe options in our digital publications for example, to help us keep your information secure, accurate, current, and complete and to provide you with options for personal data sharing.
We will make a sincere effort to respond in a timely manner to your requests to correct inaccuracies in your personal information. To correct inaccuracies in your personal information please return the message containing the inaccuracies to the sender such as firstname.lastname@example.org with details of the correction requested.
If you don’t want your personal information disclosed to others, or if you would like to be removed from any of Arrive Systems’subscription lists, please click the unsubscribe button that are included in all Arrive digital mailers or email email@example.com if you are unable to do so. Arrive Systems will not sell or rent your personal information to any other organization without your explicit permission.
4. Online advertising
Arrive Systems’ has certain companies help us deliver our marketing,promotions and other online communications. These companies may collect and use information about customers to help us better understand the offers, promotions, and types of advertising that are most appealing to our customers. The information they collect is aggregated so it is not identifiable to a specific individual.
5. Privacy technology
Technology will increasingly help you to have more control over your personal information. It will also help organizations to manage their privacy practices and policies. As an information technology provider, Arrive Systems’ actively supports the development of privacy technologies to help achieve these goals, and to help create greater trust and confidence in the way personal information is handled. Products and services are available which can help give you privacy protection while navigating the Web. It is in your best interest to make use of these 3rd party products, however Arrive Systems’has no control over how the personal information data is collected or used and therefore is not liable to any issues that may arise from the use of such products.Please note that Arrive Systems’ has not formally evaluated all of these 3rd party products or tools.
6. Cookies, web analytics and other technologies.
We sometimes collect anonymous information from visits to our sites to help us provide better customer service through page tracking codes embedded in pages within our sites. For example, we keep track of the domains and locations from where people visit and we also measure visitor activity on Arrive Systems web sites, but we do so in ways that keep the information anonymous. This anonymous information is sometimes known as ‘clickstream data.’ Arrive Systems or its analytic vendors may use this data to analyze trends and statistics and to help us provide better customer service. Also, when we collect personal data from you in connection with a transaction we may extract some information about that transaction in an anonymous format and combine it with other anonymous information such as clickstream data. This anonymous information is used and analyzed only at an aggregate level to help us understand trends and patterns. None of this information is reviewed at an individual level. If you do not want your transaction details used in this manner, you can either disable your cookies or opt-out at the order or request page.
7. Business relationships
The Arrive Systems sites contain links to other Web sites. Arrive Systems is not responsible for the privacy practices or the content of such Web sites.
8. About the European General Data Protection Regulation (GDPR)
Arrive Systems understands the value and importance of effectively leveraging data to solve modern business problems, but also respects the need to protect data and to comply with data protection rules, especially when it comes to personal data and the rights of individual data subjects. Thus, Arrive Systems welcomes GDPR as an important update to the global view on privacy, data protection, and cybersecurity.
What is the GDPR? The General Data Protection Regulation (GDPR), is an updated European privacy and data protection law that re-emphasizes , reinforces, codifies and unifies existing data privacy laws across all European Union member countries. GDPR also adds new rules that are designed to expand legal and privacy rights protections for EU citizens.
Why does the GDPR matter? Penalties for non-compliance with the provisions of the GDPR regarding collecting and using personal data are potentially devastating.
Who does the GDPR affect? The GDPR is applicable to any business collecting personal data from a citizen of the EU.
What are key provisions of the GDPR? Personal data is defined as any information related to a natural person that can be used to directly or indirectly identify that person.
Where to learn more about the GDPR? A complete version of the EU General Data Protection Regulation, formatted for easy reading, is available here.
Key provisions of GDPR
The GDPR defines personal data as any information related to a natural person (data subject) that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address.
Under such a broad definition, enterprises must take documented steps to limit access to all personal data to only authorized and credentialed employees with job roles that specifically require access to that data. Security breaches from lack enforcement of security protocols will be met with stiff fines and financial penalties under the GDPR.
The GDPR also establishes specific rights with regard to data subjects. To comply with the GDPR, these codified rights must be acknowledged and implemented by all companies collecting personal data on EU citizens.
The GDPR specifically prohibits the use of long, convoluted terms and condition statements, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, and without any ambiguity of meaning. Furthermore, it must be as easy to withdraw consent as it is to give it.
Compliance with the GDPR requires companies to notify all data subjects that a security breach has occurred within 72 hours of first discovering it. The method of this notification will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
Right to access
The GDPR requires companies to provide, at the data subject's request, confirmation as to whether personal data pertaining to them is being processed, where it is being processed, and for what purpose. Companies must also be able to provide, free of charge, a copy of the personal data being processed in an electronic format.
Right to be forgotten
Under the GDPR, companies will erase all personal data when asked to do so by the data subject. At that point, the company will cease further dissemination of the data, and halt all processing. Valid conditions for erasure include situations where the data is no longer relevant, or the original purpose has been satisfied, or merely a data subject's subsequent withdrawal of consent.
The GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a commonly used and machine-readable format. Under this provision, the data subject also has the right to request the company transmit the data to another processor, free of charge.
Privacy by Design
Compliant companies must follow Privacy by Design principles and implement appropriate technical and organizational measures in an effective way to meet the requirements of the GDPR and protect the rights of data subjects. In practical terms, this provision means that companies will process only the data absolutely necessary for the completion of its business and limit access to personal data to only those employees needing the information to complete the process consented to by the data subject.
Data Protection Officers
Large enterprises wishing to comply with the GDPR will maintain thorough and comprehensive records pertaining to the collection, processing, and storage of personal data. In addition, these enterprises will designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access and other security breaches. If an enterprise meets the criteria, a designated DPO is a requirement, not an option.
Unfortunately for enterprises the world over, the specific criteria for when an enterprise is required to designate a DPO is still in flux. A general rule of thumb to follow, based on the EU Commission's writings on the topic, is that a DPO is required for any enterprise with over 250 employees or for any enterprise processing the personal data of over 5,000 data subjects in any 12-month period.
Penalties for noncompliance with the GDPR
Penalties for failing to comply with the provisions of the GDPR can be severe and carry significant risk of liability for any company. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. The maximum penalty will be imposed on organizations failing to acquire sufficient customer consent to process data or for violating the Privacy by Design concept.
Other violations are assessed on a tiered basis depending on the infraction. For example, a company can be fined 2% for not having its records in order, not notifying the supervising authority and the data subject about a security breach in a timely manner, or for not conducting a required impact assessment of a security breach.
Arrive Systems is committed to GDPR readiness
Arrive Systems is acutely aware of GDPR and its implications both for Arrive Systems and for our customers. There are many new requirements to work through to achieve compliance readiness by May 25, 2018, and implementation work at Arrive Systems remains ongoing. It includes:
Accounting for and managing third-party risk
Arrive Systems’ GDPR team is reviewing and updating Arrive Systems’ existing vendor and third party risk programs to account for GDPR implications when hiring third parties.
Privacy and security by design/default
The Arrive Systems GDPR team are proactively engaging in Arrive Systems’ software development processes to further enhance “Privacy by Design” and “Privacy by Default” activities to improve the process and ensure GDPR-ready development programs.
9. Notification of Changes
This privacy statement was last updated on May 23, 2018. A notice will be posted on our web site news page for 30 days whenever this privacy statement is changed.