Responsibility
At Nimonik, the Chief Executive Officer (CEO), Jonathan Brun, holds the highest authority within the organization and is responsible for ensuring compliance with, and implementation of, the applicable laws and regulations governing data protection and the protection of personal information. Jonathan Brun, CEO, is in charge of the protection of personal information. However, Jonathan Brun may also delegate this responsibility, in whole or in part, to other members of the organization, such as the Operations Manager or the Risk Manager, to ensure effective management and compliance.
Privacy
We respect your privacy. We will not misuse, sell, or exploit any information provided to us. All of the information you provide to us is for the express purpose of billing or rendering the Nimonik services. Of the information you supply, we will retain only what is needed to offer you access to relevant information in your industrial sector, legal jurisdiction, and areas of interest. We may also collect information relevant to invoicing and billing. Any information provided to us will not be shared with any other company or third party.
Nimonik staff and contractors will not access your corporate information unless given explicit permission by an authorized person at your organization. This permission may be granted to help train or debug your account. The access granted by you to Nimonik may be revoked at any time.
We protect the security of your personal information during transmission by using Secure Sockets Layer (SSL) software, which encrypts the information you transmit.
GDPR European Union Compliance
Our Privacy Policy is designed to be in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”).
Data Protection Laws means the EU Data Protection Laws and the laws of other states and territories that create and regulate substantially similar concepts and legal principles as are contained in the EU Data Protection Laws in relation to the processing of personal data and sensitive personal data.
EU Data Protection Laws means, up to and including 24 May 2018, any legislation in force from time to time which implements the EU Directive 95/46/EC and relevant national implementations of the same and, with effect on and from 25 May 2018, means the GDPR and any relevant national implementations of the same.
Personal data, sensitive personal data, consent, controller, processor, data subject and processing mean those concepts, roles and activities as defined in the applicable EU Data Protection Laws; on and from 25 May 2018, sensitive personal data means those classes of personal data that are described in Article 9 of the European General Data Protection Regulation 2016/679 or, where relevant, equivalent concepts, roles and activities as described in other Data Protection Laws.
We are the controller in respect of personal data and sensitive personal data, such as account registration details, that we collect directly from users of the Services (End Users), which we use for the purposes of our business.
You are the controller and we are the processor in respect of any other personal data and sensitive personal data (including within Your Modifications) that is uploaded by End Users including data, templates, information, content, code, video, images or other material of any type (Materials), or which is provided by the End Users you have established in your account.
On and from 25 May 2018, to the extent that the Services and/or Non-Charge Services comprise the processing of personal data or sensitive personal data where we are the processor and you are the controller and the processing of personal data or sensitive personal data is subject to the GDPR:
- you will comply with the requirements of the GDPR as the same apply to you as controller of the personal data or sensitive personal data; and
- the provisions of this Privacy Policy shall apply.
We will present our Privacy Policy to you and to others who may download Materials where we are a controller. To the extent that we do not have direct contact with End Users or the relevant data subjects, for example, where personal data or sensitive personal data is uploaded relating to your employees or customers, and where we are a processor and not a controller, it is your responsibility to ensure that in accordance with Article 13 of the GDPR:
Data Processing
Nimonik shall:
- Process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or the national law of an EU member state to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate organisational and technical measures as required pursuant to Article 32 (security of processing) of the EU General Data Protection Regulation 2016/679. The measures that we consider appropriate are more fully described in Nimonik’s IT Security document and internal ISO 27001 documentation. This document outlines:
  - Our architecture and infrastructure through which Services are provided;
  - Security controls employed by us and our service providers in protecting personal and/or sensitive personal data; and
  - Security controls employed by our support channels which handle personal data or sensitive personal data.
- Respect the conditions for engaging another processor referred to in paragraphs 2 and 4 of Article 28 (processor) of the EU General Data Protection Regulation 2016/679;
- Taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the EU General Data Protection Regulation 2016/679;
- Assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the EU General Data Protection Regulation 2016/679 taking into account the nature of the processing and the information available to the processor;
- At the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless EU law or the national law of an EU member state or another applicable law, including any Australian state or Commonwealth law to which the processor is subject, requires storage of the personal data;
- Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 (processor) of the EU General Data Protection Regulation 2016/679 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (in each case at the controller’s cost).
Mobile Application Permissions
In order to allow users to attach supporting media to audit questions, the Nimonik mobile app requires access to the following:
- Camera
- Audio recording
- External storage
The processing of this data conforms to the same standards as listed above.
Responsible Person: Steven Herry, Operations Lead
For questions and concerns, or to report a suspected incident, please reach out to security@nimonik.com.