GDPR & CCPA Compliance


We are fully GDPR and CCPA compliant to legally operate in Europe and California. We further extend many of these legal protections to consumers outside of the EU or California who would not otherwise be covered under these provisions. Our GDPR and CCPA compliance policies are below.

 

GDPR Compliance Policy Introduction

The EU General Data Protection Regulation (“GDPR”) came into effect across the European Union on 25 May 2018, instituting significant changes to data protection law. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age. The 21st century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new regulation aims to standardize data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.

 

Our Commitment

Compass Electronics Solutions is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. We recognize our obligation to protect personal data and maintain our privacy program to comply with the GDPR. Compass Electronics Solutions is dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the new Regulation. Our GDPR compliance has been summarized in this statement and includes the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.

 

How We are Prepared for the GDPR

Compass Electronics Solutions' data protection and security policies are in effect across our organization in accordance with our aim to be fully compliant with the GDPR.

  • Information Audits – company-wide information audits help to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
  • Policies & Procedures – reviewing data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
    • Data Protection – our main policy and procedure document for data protection has been crafted to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy by design and the rights of individuals.
    • Data Retention & Erasure – our retention policy and schedule ensure that we meet the ‘data minimization’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
    • Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all relevant employees.
    • International Data Transfers & Third-Party Disclosures – Compass Electronics Solutions has robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of all data. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
    • Subject Access Request (SAR) – Our SAR procedures accommodate the 30-day timeframe for providing the requested information and for making this provision free of charge. Our procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
  • Legal Basis for Processing – we review all processing activities to identify the legal basis for processing and ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
  • Privacy Notice/Policy – Our Privacy Notice(s) complies with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
  • Obtaining Consent – Our consent mechanisms for obtaining personal data ensure that individuals understand what they are providing, why and how we use it, and give clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records, and an easy to see and access way to withdraw consent at any time.
  • Direct Marketing – Our processes for direct marketing include clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
  • Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, involves large scale processing or includes special category/criminal conviction data, we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
  • Processor Agreements – where we use any third party to process personal information on our behalf (e.g. Payroll, Recruitment, Hosting, etc.), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we) meet and understand their/our GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organizational measures in place and compliance with the GDPR.
  • Special Categories Data – where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements and have high-level encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted.

 

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information, upon formal request, about an individual’s right to access any personal information that Compass Electronics Solutions processes about them and to request information about:

  • What personal data we hold about them.
  • The purposes of the processing.
  • The categories of personal data concerned.
  • The recipients to whom the personal data has/will be disclosed.
  • How long we intend to store their personal data for.
  • If we did not collect the data directly from them, information about the source.
  • The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this.
  • The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
  • The right to lodge a complaint or seek judicial remedy and who to contact in such instances.

 

Information Security & Technical and Organizational Measures

Compass Electronics Solutions takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures.

 

GDPR Roles and Employees

Compass Electronics Solutions has a data privacy team to develop and implement our roadmap for complying with the data protection Regulation. The team is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR readiness, identifying any gap areas and implementing the policies, procedures and measures.

Compass Electronics Solutions understands that continuous employee awareness and understanding is vital to continued compliance with the GDPR and has involved our employees in our preparation plans. We have implemented an employee training program specific to compliance, which will be provided to all employees and forms part of our induction and annual training program.

If you have any questions about our preparation for the GDPR, please contact us.

Sincerely,
Compass Electronics Solutions

 

CCPA Compliance Policy
Introduction

The California Consumer Privacy Act (CCPA) took effect on January 1st, 2020, extending new rights to Californians and expanding the responsibility of companies to be transparent when collecting consumer data. Compass Electronics Solutions' privacy policy already offers consumers the ability to exercise CCPA rights, regardless of California residency. This document details these rights, the data we collect and why, as well as your means to request access or deletion of this data from our systems.

Personal Information We Collect

We automatically collect and store only the following information about your visit: The Internet domain and IP address (a number that is automatically assigned to your computer whenever you are surfing the web) from which you access our website; the type of browser and operating system used to access our site; the date and time you access our site; the pages you visit; if you linked to our website from another website, and the address of that website.

No personally identifiable information is collected about visitors who simply browse this website or who download information from it. For these visitors, we only collect information on website usage for the purpose of improving said website.

If you participate in a survey, sign up for a newsletter, volunteer information for a download, purchase something or send an e-mail, your e-mail address, name, account information and the contents of the e-mail and information volunteered in response to the survey or newsletter will be collected. Submitting voluntary information constitutes your consent to the use of the information for the stated purpose. Visitors who request services available through this website may be required to furnish additional information which may be required by law or which is necessary to provide the service requested.

We use the personal information we collect about you on our site to provide you with the services you request and to process the transactions you authorize. The personal information we collect serves to facilitate the performance of our business operations, including providing you the requested products and services, responding to consumer inquiries (price quotes, capabilities questions, etc.), providing personalized support, and processing transactions. We may use the information about your use of our website to improve the site itself and its functionality. We do not sell any of the information we collect for any purpose. If you purchase merchandise, we collect the personal information that you are prompted to enter when completing user registrations, financial transactions, and other forms. This personal information may include your:

  • Identifiers: Name, signature, postal address, email address, account name, employer, etc.
  • Commercial Information: Records of products/services purchased/provided.
  • Usage: Information on your behavior and usage of our website, collected for the purpose of improving said website.
  • Geolocation Data: your approximate physical/geographic location for the purposes of connecting you to our nearest/most relevant location.

We collect personal information from the following sources:

  • Our website.
  • Fillable forms consumers may choose to fill out, volunteering personal information.
  • Business partners when they choose to share information with us.
  • Publicly available databases.
  • Social network information when you use a social network to interact with our social pages.

We will only disclose your information without notice under the following conditions:

  1. To obey orders of the law or comply with legal process served on us.
  2. To protect and defend the rights of property of Compass Electronics Solutions and its websites.
  3. To act in urgent circumstances to protect Compass Electronics Solutions websites, its employees or the public.
  4. When you have an open account with us, information could be shared with credit agencies.

Personal information may be disclosed to trusted service providers for the purposes of hosting, maintaining, processing transactions, and distributing marketing communications. We only disclose identifiers and commercial information as necessary to provide you with the requested products/services.

You may access or update the personal information you provided at any time by sending a request by email or by postal mail to the contact information listed below.

Personal Information We Collect

Compass Electronics Solutions is committed to adhering to consumer privacy rights. Under the CCPA, Californians are entitled to the following rights.

  • Right of Access:
    • Contact us at any time to request access to any and all of your personal data we have collected.
    • We will provide the necessary information within the required 45-day window, often much sooner.
    • Upon receiving your request, we will disclose:
      • The categories of personal information we collected about you.
      • The categories of sources for the personal information we collected about you.
      • Our business or commercial purpose for collecting said personal information.
      • The specific pieces of personal information about you.
  • Right to Deletion:
    • Contact us at any time to request that we delete any and all of your personal data we have collected.
    • We will delete the requested information upon your request.
    • Personal information is exempted from the right to deletion when it is necessary for us to:
      • Provide you agreed upon goods or services.
      • Detect or resolve issues with security or functionality.
      • Comply with the law.
      • Conduct research on public interest.
      • Safeguard the right to free speech.
      • Carry out any actions for internal purposes that the consumer might reasonably expect.
  • Right to Non-Discrimination:
    • Consumers who exercise their rights under the CCPA will not be discriminated against in any way, shape or form.
    • We will not:
      • Deny goods and services.
      • Charge different prices, whether through denial of benefits or imposed penalties.
      • Provide a different level of quality.

Consumers also have the right to refuse sale of their personal information. At Compass Electronics Solutions we do not sell any of the information we collect for any purpose.

Exercising Your Rights

You may request access to, or deletion of, your data as described above by:

  • Phone: 952-941-8071
  • Email: marketing@compasses.com
  • Submitting a request through our contact us form.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.

Your request must:

  • Provide specific enough information to reasonably verify that you are the person (or authorized representative of the person) whom we collected personal information about.
  • Be sufficiently detailed to allow us to properly understand, evaluate, and respond accordingly to your request.

To protect consumer data, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request, and confirm the personal information pertains to you or your representative.

Personal information provided in the request will be used only for the purpose of verifying your identity to fulfill your request and will not be otherwise recorded or used.