Pennasoft BV has made it its job to protect individuals, their personal data and their privacy, and value their demands. Pennasoft is committed to preserving personal data and being transparent about how it collects data, uses it and discloses personal data.
We use personal data that relates to three key categories of individuals (or “data subjects”):
- People who use our website – www.pennaware.com
- Our customers, suppliers and people we work with (this includes employees of our customers and service providers); and
- People with personal data relating to them this is available on the Dark Web and other public internet sources that we collect information from for Threat Intelligence.
For the purpose of the General Data Protection Regulation (GDPR), the Data Controller is Pennasoft BV, Da Vincilaan 1, Zaventem 1930 Belgium.
INFORMATION WE COLLECT AND USE:
People who use Our Site
Personal data and purpose:
We will collect any personal data you provided us via the webforms on Our Site.
We will also automatically collect the following anonymised information, which cannot be traced back to you and will only be used for the purposes of improving our website and understanding how users interact with it:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
- Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from Our Site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks), methods used to browse away from the page.
Our legal ground for using the personal data we collect relating to people who visit Our Site is that doing so is necessary for the legitimate interests of our business. We will not use personal data for the purposes of our legitimate interests where an individual’s interests and rights override our business interests.
We only store personal data collected via Our Site while it is needed for our business purposes up to a maximum of 24 months. We will only keep personal data collected via Our Site for longer where necessary to comply with our legal obligations or to safeguard are legal rights.
Our customers and people we work with
We use personal data relating to our customers and people we work with for the purposes of administering, developing and promoting our business. In that view, we collect personal data relating to our customers, the employees of our customers and other individuals we work with. This personal data includes:
- Name, address, contact details;
- Position and company;
- Professional social media (for example, LinkedIn and Twitter);
- Order history and payment details;
- Records of contact and correspondence.
We receive this information directly from individuals or from their companies or the companies we work with.
If you are an individual who has a contract with us, our primary ground for using personal data relating to you will be for the performance of the contract. If you do not provide the personal data, we need to perform the contract, we may not be able to provide services to you.
We may also use personal data relating to you for the legitimate interests of our business or the legitimate interests of a third party such as our customers in order to develop and promote our business. We will not use personal data for the purposes of our legitimate interests where your interests and rights override the legitimate interests we have identified.
If you are an individual who we work with but do not have a direct contract with (for example, employees of our customers or services providers), our legal ground for processing your personal data relating is the legitimate interests of our business or the legitimate interests of a third party such as our customers so that we can perform our contracts by contacting you. We will not use personal data for the purposes of our legitimate interests where your interests and rights override the legitimate interests we have identified.
We will generally store personal data that is related to our customers or other people we work with for a maximum of 36 months after termination of the contract or from our last relevant contact date. We will only keep personal data relating to customers or other people we work with for longer where necessary to comply with our legal obligations or to safeguard our legal rights.
As part of our products that we provide our customers through our platform, we have a modular cyber threat intelligence solution called Threat Intelligence. Our customers are given access to a copy of previous information security breaches relating to their data.
To identify breaches, Threat Intelligence collects a limited range of information from surface, Deep and Dark Web sources including Tor sites and social and text repository sites like Pastebin.
Threat Intelligence is primarily seeking to identify breached information relating to our customers such as:
- Usernames and obusticated passwords.
Threat Intelligence does routinely collect data that includes personal data. This personal data includes personal data relating to the staff of our customers and any other personal data that is included in the public sources Threat Intelligence monitors.
Threat Intelligence can be accessed by our customers to review personal data relating to them that has previously been breached in a consolidated view in the platform. Our customers can then access this personal data or other information and decide how to use it.
Our legal ground for using the personal data collected by Threat Intelligence is that doing so is necessary for the legitimate interests of our business or the legitimate interests of a third party such as our customers. We will not use personal data for the purposes of our legitimate interests where your interests and rights override the legitimate interests we have identified.
Where a public body uses Threat Intelligence as a customer, the legal ground may be for the performance of a task carried out in the public interest or official authority.
Retention: All personal data collected by Threat Intelligence is stored for as long as it’s still publicly available and for a further 36 months (maximum) before deletion.
Where you request personal data relating to you to be removed from our system, please note it may take up to 28 days for this process to be completed.
Separately from the legitimate interests of our business and the performance of contracts we have with individuals, we will also use personal information when we are required to do so by law. Where that is the case, our legal ground is that the use of personal data is necessary to comply with a legal obligation.
DISCLOSURE OF PERSONAL DATA:
To help administer, develop and promote our business, we share personal data with and receive personal data from the following types of service provider:
- Payment processors.
- Advertising partners.
- Analytics service providers.
- IT providers.
- Email database management.
- Consumer relationship management.
- Professional services (for example, accountants and lawyers).
We have contracts in place with these service providers that strictly govern how they may use the personal data we share with them.
We do not sell, trade, or otherwise transfer to outside parties your personal data. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential or where the data is already accessible in the public domain. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
We will share personal data with potential buyers, group companies, investors and/or business partners where necessary for a reorganization, restructuring, merger, sale or transfer of assets involving Pennasoft and/or the Service.
Where Threat Intelligence identifies information relating to one of our customers, that customer is able to access that information. Customers are strictly limited to only searching for personal data that relates to them and their business domain(s).
WHERE WE STORE PERSONAL DATA:
We store personal data within the European Economic Area. However, the personal data held may be transferred to service providers or others based outside the EEA. Where we transfer personal data outside of the EEA, we implement safeguards such as standard contractual clauses approved by the European Commission.
You have the right to:
- Information about how we use personal data (which is what this policy is for);
- Access to personal data;
- Object to direct marketing and the use of personal data based on the grounds of legitimate interest;
- Erasure of personal data;
- Portability of personal data;
- Withdraw consent where our use of personal data is based on consent;
- Rectification of personal data;
- Restriction of personal data; and
- Complain to the competent data protection authority.
Please be aware that these rights are not absolute and there may be some situations in which they cannot be exercised, or they are not relevant. You can find out more detail about these rights on the website of the Belgian Data Protection Authority www.gegevensbeschermingsautoriteit.be or the UK Information Commissioner’s Office – www.ico.org.uk.
Should we send you information and you no longer wish to be contacted please unsubscribe or contact us by email (firstname.lastname@example.org). Your request will be processed within 28 days. If you are a customer, your preferences can also be managed directly via your account.
OTHER SITES REFERENCED ON WWW.PENNAWARE.COM:
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Children’s Online Privacy Protection Act Compliance
We are in compliance with the requirements of COPPA (Children’s Online Privacy Protection Act), we do not collect any information from anyone under 13 years of age. Our website, products and services are all directed to people who are at least 13 years old or older.
MSSPs and Resellers Using Our Platform
By post: Pennasoft BV, Da Vincilaan 1, Zaventem 1930 Belgium
By email: email@example.com
How to contact the appropriate authority
Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory manner, you may contact the Belgian Data Protection Authority (GBA). You can find the contact details on their website.