The purpose of this Data Privacy Policy is to outline how Arcsen (formerly Coberg) collects, processes, stores, and protects personal data to ensure compliance with applicable data protection laws and regulations. This policy is designed to safeguard the privacy and security of personal data across all regions where Arcsen operates.
1. Scope
This policy applies to:
- All Arcsen employees, contractors, consultants, and third parties who have access to personal data.
- All types of personal data collected, processed, and stored by Arcsen, including data collected through websites, client interactions, and internal business processes.
- All Arcsen operations globally, including offices, subsidiaries, and affiliates.
2. Data Privacy Principles
Arcsen adheres to the following core principles to ensure data privacy:
- Lawfulness, Fairness, and Transparency: Data is collected and processed in a manner that is lawful, fair, and transparent to individuals.
- Purpose Limitation: Data is collected for specified, legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data Minimization: Only personal data necessary for the intended purpose is collected and processed.
- Accuracy: Personal data is accurate, complete, and kept up to date.
- Storage Limitation: Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected.
- Integrity and Confidentiality: Personal data is processed securely to protect against unauthorized access, disclosure, alteration, or destruction.
- Accountability: Arcsen is accountable for complying with data protection principles and must be able to demonstrate compliance.
3. Data Collection
3.1 Types of Data Collected
Arcsen collects various categories of personal data, including:
- Identification Data: Name, job title, employee ID, and government identification numbers.
- Contact Data: Email address, phone number, physical address, and emergency contact details.
- Professional Data: Employment history, qualifications, professional certifications, performance reviews, and payroll information.
- Technical Data: IP addresses, browser types, operating system details, and usage data collected through cookies and other tracking technologies.
- Client Data: Business information, client contact details, project data, and any information shared during consulting engagements.
- Sensitive Data: Where applicable, data related to health, religion, or other sensitive categories, handled with special care.
3.2 Data Collection Methods
Personal data is collected through:
- Direct Interactions: Information provided directly by individuals via job applications, contracts, client communications, and surveys.
- Automated Technologies: Data collected via cookies, web beacons, and similar technologies used on Arcsen’s websites and digital platforms.
- Third Parties: Data received from partners, vendors, and other third parties in connection with business operations and client engagements.
4.3 Data Collection Purposes
Personal data is collected for:
- Employment Management: Recruitment, onboarding, training, performance evaluation, and payroll management.
- Client Engagement: Providing consulting services, managing client relationships, and fulfilling contractual obligations.
- Business Operations: Operational management, internal communications, project management, and business strategy development.
- Compliance: Adherence to legal, regulatory, and contractual obligations, including financial reporting and auditing.
- Marketing and Business Development: Informing individuals about Arcsen’s services, events, and promotional offers (with consent where applicable).
5. Data Use
5.1 Purpose Limitation
Personal data will be used only for the purposes for which it was collected, which are communicated to individuals at the time of collection. Any use of personal data beyond the original purpose will require additional consent.
5.2 Data Sharing and Disclosure
Personal data may be shared with:
- Arcsen Affiliates and Subsidiaries: To facilitate global business operations and provide consistent services across regions.
- Third-Party Service Providers: Vendors and partners who perform services on Arcsen’s behalf, including IT support, payroll processing, and data analysis, subject to stringent data protection agreements.
- Regulatory Authorities: As required to comply with legal or regulatory obligations, including data protection authorities and law enforcement agencies.
- Business Transfers: In the event of mergers, acquisitions, or asset sales, personal data may be transferred as part of the transaction, subject to confidentiality agreements.
5.3 Data Transfer
- International Transfers: Personal data may be transferred across borders to Arcsen’s affiliates, partners, or service providers located in different countries. Transfers will be conducted in compliance with applicable international data protection laws.
- Transfer Mechanisms: Arcsen uses mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to ensure adequate protection for international data transfers.
6. Data Security
6.1 Security Measures
Arcsen implements comprehensive security measures to protect personal data, including:
- Access Controls: Restricting access to personal data based on role, necessity, and authorization levels.
- Encryption: Encrypting personal data both in transit and at rest using industry-standard encryption algorithms (e.g., AES-256).
- Network Security: Utilizing firewalls, intrusion detection and prevention systems (IDPS), and secure network configurations to protect against cyber threats.
- Physical Security: Securing physical access to facilities and systems where personal data is stored, including access controls, surveillance, and security personnel.
- Employee Training: Providing regular training on data protection and security best practices to all employees.
6.2 Incident Management
In the event of a data breach or security incident:
- Incident Detection: Continuously monitor systems for signs of potential breaches or vulnerabilities.
- Notification: Notify affected individuals and relevant authorities promptly, in accordance with applicable laws and regulations.
- Response and Containment: Implement response procedures to contain and mitigate the impact of the incident, including isolating affected systems and conducting forensic investigations.
- Post-Incident Review: Conduct a thorough review to identify the root cause, assess the impact, and implement measures to prevent future occurrences.
7. Data Subject Rights
Individuals have the following rights regarding their personal data:
7.1 Right to Access
Individuals can request access to their personal data held by Arcsen, including information about the data collected, the purposes of processing, and any third parties with whom the data has been shared.
7.2 Right to Rectification
Individuals can request correction or updating of inaccurate or incomplete personal data held by Arcsen.
7.3 Right to Erasure
Individuals can request the deletion of personal data when it is no longer necessary for the purposes for which it was collected, or if they withdraw consent on which the processing is based.
7.4 Right to Restriction of Processing
Individuals can request restriction of processing under certain conditions, such as when the accuracy of the data is contested or when processing is unlawful but they do not want it deleted.
7.5 Right to Data Portability
Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller.
7.6 Right to Object
Individuals can object to the processing of their personal data based on legitimate interests, or for direct marketing purposes.
7.7 Rights Related to Automated Decision-Making
Individuals have the right to challenge automated decisions that have a significant impact on them, if such decisions are not based on explicit consent or contractual necessity.
Requests to exercise these rights can be submitted to the Data Protection Officer (DPO) or designated privacy contact at [DPO Contact Information]. Arcsen will respond to such requests in a timely manner, in accordance with applicable laws.
8. Data Retention
8.1 Retention Periods
Personal data will be retained for the duration necessary to fulfill the purposes for which it was collected, as specified in the relevant data retention schedules. Retention periods will be determined based on:
- Legal Requirements: Compliance with legal, regulatory, and contractual obligations.
- Business Needs: The data’s relevance and necessity for ongoing business operations and legal obligations.
- Data Type: Different types of data may have different retention requirements.
8.2 Secure Disposal
When personal data is no longer needed, it will be securely disposed of using methods appropriate to its format:
- Electronic Data: Data will be securely deleted using data wiping or degaussing techniques to prevent unauthorized recovery.
- Physical Records: Paper documents will be shredded or otherwise destroyed in a manner that ensures complete and irreversible destruction.
9. Compliance with International Data Protection Laws
9.1 General Data Protection Regulation (GDPR)
Arcsen complies with the GDPR for personal data collected from individuals in the European Union (EU). This includes:
- Data Protection Impact Assessments (DPIAs): Conducting DPIAs for processing activities that may impact data subjects’ rights and freedoms.
- Data Protection Officer (DPO): Appointing a DPO to oversee GDPR compliance and act as a contact point for data subjects and regulatory authorities.
9.2 California Consumer Privacy Act (CCPA)
Arcsen complies with the CCPA for personal data collected from individuals in California. This includes:
- Consumer Rights: Providing California residents with the right to access, delete, and opt out of the sale of their personal data.
- Privacy Notices: Including CCPA-compliant privacy notices in communications and privacy policies.
9.3 Other Applicable Laws
Arcsen complies with other relevant data protection laws applicable to its operations, including national data protection laws and regulations in jurisdictions where