Privacy and Data Protection Policy

I. INTRODUCTION

The scope of this Privacy Policy is bounded by the implemented Information Security Management System (ISMS) and the Privacy Information Management System (PIMS) at VERMEG.

VERMEG’s Privacy Policy applies to the processing by VERMEG, as Processor, of personal information of VERMEG’s clients. In processing VERMEG’s clients’ personal information, the organization is subject to a variety of privacy legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.

Please note that this privacy policy may be updated periodically to adhere to legal obligations or align with evolving business demands. The latest version can always be accessed on VERMEG’s website.

II. DEFINITIONS

The most fundamental definitions with respect to this policy and also referring to the GDPR are as follows:

Personal data is defined as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

With reference to this privacy policy and to VERMEG’s PIMS (Privacy Information Management System) scope, the end-users of VERMEG’s clients are considered “Data Subjects”;

‘Processing’ means:

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means:

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

With reference to this privacy policy, and to VERMEG’s PIMS (Privacy Information Management System) scope, VERMEG’s clients are considered the “Controllers”;

‘Processor’ means:

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

With reference to this privacy policy, and to VERMEG’s PIMS (Privacy Information Management System) scope, VERMEG is considered the “Processor”;

‘Sub-Processor’ means:

A third-party data processor, engaged by a Data Processor, who processes personal data from a Data Controller;

With reference to this privacy policy, and to VERMEG’s PIMS (Privacy Information Management System) scope, VERMEG’s third-party service providers are considered the “Sub-Processors”.

III. SCOPE OF VERMEG’S PRIVACY POLICY

The scope of this Privacy Policy is bounded by the implemented Information Security Management System (ISMS) and the Privacy Information Management System (PIMS) at VERMEG.

VERMEG’s Privacy Policy applies to the processing by VERMEG, as Data Processor, of personal information of VERMEG’s clients.

This Privacy Policy also applies to third-party service providers acting as Sub-Processors: VERMEG employs other companies and individuals to perform functions on its behalf, specifically MSPs (Managed System Providers).

IV. SUBCONTRACTOR ENGAGEMENT

In order to use a Sub-Processor (e.g. CSP), VERMEG, “the Data Processor”, needs to have the Controllers’ written permission. The terms regarding the usage of a Sub-Processor can be regulated between VERMEG’s clients, “the Data Controllers”, and VERMEG, “the Data Processor”, in their data processing agreement. If the Controller has approved the usage of a Sub-Processor, VERMEG will establish a contract with the Sub-Processor that meets the requirements of a DPA (Data Processing Agreement). It is also vital to note that VERMEG is committed to being liable to the Controller regarding the Sub-Processors’ compliance.

VERMEG’s subcontractors are contractually obligated to adhere to the same standards of privacy and security in accordance with this privacy policy, and VERMEG regularly monitors their compliance to ensure clients’ information is always kept safe. Additionally, VERMEG requires all subcontractors acting as Sub-Processors to send an immediate notification without undue delay if there is any suspected or actual breach of security that may affect the Controller’s personal information.

V. WHO IS RESPONSIBLE FOR MANAGING AND PROTECTING VERMEG’S CLIENTS’ PERSONAL INFORMATION?

VERMEG’s legal entities, which are based in different locations, process, as Data Processors, the clients’ personal information described in this Privacy Policy.

See the list of VERMEG’s locations.

VI. VERMEG’S APPROACH TO SECURE PERSONAL INFORMATION

VERMEG places a strong focus on ensuring the security and privacy of information. The effectiveness of VERMEG’s security controls is verified through a range of compliance programs. Click here for further information regarding VERMEG’s compliance programs.

VERMEG uses a range of physical, electronic and managerial measures to keep clients’ Personal Information secure, accurate and up to date. These measures include:

  • education and training to relevant staff so they are aware of the privacy obligations when handling Personal Information;
  • administrative and technical controls to restrict access to Personal Information on a ‘need to know’ basis;
  • technological security measures, including firewalls, secured servers, encryption and anti-virus software; and
  • physical security measures, such as staff security passes to access our premises.

VII. PRIVACY BY DESIGN

VERMEG has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues.

Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.

VIII. CONTRACTS INVOLVING THE PROCESSING OF PERSONAL DATA

VERMEG will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the applicable local legislation.

The processing of any personal data is always managed through agreements, contracts or DPAs (Data Processing Agreements), which include any privacy requirements with the client.

As mentioned in said contracts, agreements, and DPAs, VERMEG will ensure that all of its clients’ instructions are respected.

IX. INTERNATIONAL TRANSFER OF PERSONAL DATA

Any international transfers of personal data will be carefully reviewed prior to the transfer taking place to ensure that:

  1. they fall within the limits imposed by the GDPR or by any other relevant applicable data protection laws and that
  2. the relevant appropriate safeguards are put in place (e.g. adequacy decision of the European Commission, EU Standard Contractual Data Protection Clauses adopted by the European Commission).

X. BREACH NOTIFICATION

It is VERMEG’s duty to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data.

In case of a personal data breach, VERMEG, the ‘Processor’ with reference to this Privacy Policy and to VERMEG’s PIMS (Privacy Information Management System) scope, will take all the required actions as agreed in the contract with the client, “the Controller”.

XI. RIGHTS OF THE CONTROLLER

VERMEG’s clients, who act as data Controllers, have privacy rights (such as deletion request, update request and/or transfer request) that are governed by the terms specified in the contracts or agreements established between them and VERMEG.

XII. DATA PROTECTION OFFICER

VERMEG has appointed a Global Data Protection Officer.

For any questions, inquiries, suggestions or comments, please contact the VERMEG DPO at dpo@VERMEG.com.
