Data protection declaration

Introduction

The General EU Data Protection Regulation ("GDPR") will enter into force throughout the European Union on 25 May 2018 and will make the most significant changes to data protection legislation in the last two decades. Based on the concept of "privacy by design" and adopting a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st century is leading to a wider use of technology, new definitions of what constitutes personal data and a significant increase in cross-border processing. The new regulation aims to standardise laws and data protection processing throughout the EU; give individuals more extensive and consistent rights to access and control their personal information.

Our commitment to you

Tattoo4days is committed to ensuring the security and protection of the personal information we process and to providing a consistent and coherent approach to data protection. We have always had a robust and effective data protection program in place, in compliance with applicable legislation and in compliance with data protection principles. However, we recognize our obligation to update and expand this program to meet the requirements of the GDPR.

Tattoo4days is dedicated to the protection of personal information under our control and to the development of an effective data protection regime, adapted to this objective and demonstrating an understanding and compliance with the new regulation. Our preparation and compliance objectives for the GDPR have been summarized in this statement and include the development and implementation of new roles, policies, procedures, controls and data protection measures to ensure maximum and ongoing compliance.

Tattoo4days already has a high level of data protection and security throughout our organization. However, our objective is to be fully compliant with the GDPR. So our preparation includes:

Information audit

Conduct a company-wide information audit to identify and evaluate the personal information we hold, where it comes from, how it is processed and who has access to it.

Policies and procedures

We also revise our data protection policies and procedures to comply with the requirements and standards of the GDPR and all relevant data protection laws.

Data protection and privacy

our main data protection policy and procedure document has been revised to meet GDPR standards and requirements. Accountability and governance measures are in place to ensure that we properly understand and communicate and demonstrate our obligations and responsibilities.

Retention and deletion of data

we have updated our retention policy and schedule to comply with the principles of "data minimization" and "storage limitation" and to keep, archive and destroy personal information in a compliant and ethical manner. We have put in place dedicated erasure procedures to meet the new "Right of Erasure" obligation and are aware of the application of this right and the rights of other data subjects; as well as all exemptions, response times and notification responsibilities.

Data Breaches

Our breach procedures ensure that we have protective measures and measures in place to identify, evaluate, investigate and report any breach of personal data as soon as possible. Our procedures are robust and have been communicated to all employees, which has made them aware of the reporting lines and steps to follow.

International data transfers and third party information

In the event that Tattoo4days stores or transfers personal information outside the EU, we have put in place robust procedures and safeguards to secure, encrypt and maintain data integrity. Our procedures include a continuous review of the procedures and laws of these countries; standard data protection clauses or codes of conduct approved for these countries. We carry out rigorous due diligence on all recipients of personal data to assess and verify that they have appropriate safeguards to protect the information, guarantee the rights of the data subjects and have effective legal remedies for the data subjects where appropriate.

Request for access to your data

We have revised our procedures to reflect the 30-day deadline for providing the requested information and to make this provision free of charge. Our new procedures detail how to verify the data subject, what steps to take to process an access request, what exemptions apply and a series of response templates to ensure that communications with data subjects are compliant, consistent and appropriate.

Legal basis for the data processing operation

we examine all processing activities to determine the legal basis for the processing and ensure that each basis is appropriate for the activity to which it relates. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the PIER and Schedule 1 of the draft Data Protection Act are met.

Privacy Notice / Policy - we review our privacy policy to ensure that all individuals whose personal information we process have been informed of why we need it, how it is used, and who has access to it and what measures are in place to protect their information.

Obtaining consent

We review our consent mechanisms to obtain personal data, ensure that individuals understand what they are providing, why and how we use it and provide clear and defined means for us to process their information. We have developed rigorous processes to record consent, ensuring that we can prove your acceptance, as well as date and time records; and an easy way to view and access your consent at any time.

Data Protection Impact Assessments (DPIAs) - where we process personal information considered high risk; We have developed rigorous evaluation procedures and models to conduct impact assessments in accordance with the requirements of Article 35 of the GDPR. We have implemented documentation processes that record each assessment, allow us to assess the risk posed by the processing activity and implement mitigation measures to reduce the risk posed to the individual(s) concerned. Use of third-party services - when we use a third party to process personal information on our behalf (e.g. PAYPAL, SOFORT, OGONE, MAILCHIMP), we have verified that the processing is in accordance with GDPR obligations. These measures include initial and ongoing reviews of the service provided, the need for the processing activity, the technical and organizational measures in place and compliance with the GDPR.

Sensitive data

When we obtain and process sensitive information, we do so in full compliance with the requirements of Article 9 and have encryption and protection on all such data. Sensitive data are not processed. Your consent for the processing is explicit and the right to modify or withdraw consent is clearly indicated.

Your rights as a user of our services

In addition to the policies and procedures mentioned above that ensure that individuals can exercise their data protection rights, we provide easily accessible information via our tattoo4days website.

Users of our services can therefore request:

Also, users have the right to object to any direct marketing by us and the right to file a complaint or seek legal redress and who to contact in such cases.

Information security and technical and organisational measures

Tattoo4days takes the privacy and security of individuals and their personal information very seriously and takes all measures and precautions to protect and secure the personal data we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction, including several levels of security measures:

SSL encryption, access controls, password policy, pseudonymization, data access restrictions, and intra-company data management practices.

Data protection declaration

Menu

Paramètres

Rechercher