Harmonic Group Data Protection Policy
|1.1||Data Controller - means any natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.|
|1.2||Data Processor - means a natural or legal person who processes Personal Data on behalf of the Data Controller.|
|1.3||Data Subject - means an individual who is the subject of Personal Data.|
|1.4||EEA - means the European Economic Area, the current members at the date hereof being the European Union Member States, Iceland, Liechtenstein and Norway.|
|1.5||Personal Data - means any information relating to a Data Subject, who can be identified, directly or indirectly.|
|1.6||Processing - performing any operation or set of operations on the Personal Data, whether or not by automatic means, including collecting, recording, organising, storing, amending, using, retrieving, disclosing, erasing or destroying it. The rules around the processing of Personal Data apply whether the activity takes place in the European Union ("EU") or not, where the processing activities are related to:
|3.1||Personal Data Shall Be:
|3.2||Fair and Transparent Processing
Fairly obtained Personal Data requires that Harmonic, at the time the Personal Data is collected, make the Data Subject aware of the following:
Harmonic will ensure that all information and communications relating to the processing of Personal Data will be clear, concise, transparent, intelligible, easily accessible and easy to understand using clear and plain language. Harmonic will ensure that these transparency requirements are adhered to at all stages of the collection and processing of Personal Data.
Pursuant to Article 6, Harmonic can process Personal Data lawfully to the extent that at least one of the following applies:
Harmonic will only collect and process Personal Data for purposes that are specific, explicit and legitimate. Harmonic will process data for the following purposes:
The Personal Data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is being processed.
|3.6||Keep It Accurate and Up-To-Date
Harmonic will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. Harmonic will take all reasonable steps to amend inaccurate or out-of-date Personal Data without delay.
Harmonic will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Subject to compliance with local retention laws, Harmonic will take all reasonable steps to erase all Personal Data which is no longer required. Harmonic will be clear when informing the Data Subject about the length of time for which Personal Data will be kept and the reason why the information is being retained. Harmonic is aware of any required statutory retention periods where an obligation exists to retain a Data Subject's Personal Data for fixed periods and ensures that Personal Data is retained in line with such statutory requirement(s) and that the Data Subject is aware of this retention period.
|3.8||Kept Safe and Secure
Processing will be conducted in a manner that ensures appropriate security and confidentiality of the Personal Data. Harmonic takes all commercially reasonable steps to secure the Personal Data from unauthorised access by third parties, alteration, disclosure, accidental loss, destruction or any form of computer corruption. Harmonic has implemented the following information security measures:
|3.9||Access Provided to a Data Subject on Request
Under the Data Protection Legislation, the Data Subject shall have the right to obtain from Harmonic access to any Personal Data concerning him or her. However, this right is limited to certain circumstances (please see Section 4).
|3.10||Transferring Personal Data to a Country Outside the EEA
Aside from an adequacy decision, which allows the free flow of Personal Data from the EU without Harmonic having to implement any additional safeguards or being subject to further conditions, the Data Protection Legislation allows a transfer if the Data Controller or Data Processor has provided appropriate safeguards.
These safeguards may be provided for by:
In the normal course of business (for back-up or servicing purposes) it may be necessary for Harmonic to transfer Personal Data for processing to the following: (i) certain third parties whose involvement is necessary to carry out all or part of Harmonic's duties and obligations contemplated under the Business Contract and in accordance with Harmonic’s internal procedures. Examples of such third parties would be in the case of the Personal Data of an employee/independent contractor transferred by Harmonic to a payroll services provider; (ii) an agent, delegate, subcontractor or other representative of Harmonic (which may or may not be an affiliate of Harmonic) appointed by Harmonic pursuant to authority contained in the Business Contract. Any such entity in (i) or (ii) shall be a "Permitted Processor". As part of normal business dealings between Harmonic and the Permitted Processor, Harmonic will transmit Personal Data to such Permitted Processor. Certain Permitted Processors may be located outside the EEA and so Personal Data may be stored on servers outside the EEA. Any transmission of data by Harmonic outside the EEA shall be in accordance with the conditions of the Data Protection Legislation. Subject to applicable provisions of the Data Protection Legislation, the Personal Data shall not be shared by Harmonic with third parties other than Permitted Processors.
In certain circumstances Harmonic and/or Permitted Processors may be legally obliged to share Personal Data and other financial information with respect to the Business Contract with their local regulatory or governmental authorities (including but not limited to tax authorities) or courts (each an "Authority") and the local receiving Authority may, in turn, exchange this information (through automatic reporting, information exchange or otherwise in accordance with applicable laws and regulations) with foreign Authorities including Authorities located outside the EEA.
|4.1||Right to Access
The Data Subject shall have the right to obtain confirmation from Harmonic as to whether or not Personal Data concerning them is being processed.
Where Harmonic is processing their Personal Data the Data Subject will have the right to access such Personal Data and the following information:
The right to obtain a copy of the Personal Data undergoing processing will not adversely affect the rights and freedoms of others.
Harmonic will not charge a fee for complying with the Data Subject’s access request unless it can be demonstrated that the cost will be excessive, in which case the fee must be reasonable.
The information must be provided without delay and within one month, but where requests are complex Harmonic will be able to extend the deadline for providing the information to three months. However, Harmonic must still respond to the request within a month, explaining why the extension is necessary.
A request to Harmonic may be made in electronic format as well as by written request.
|4.2||Right to be Forgotten
The Data Subject shall have the right for Personal Data to be erased without undue delay in certain contexts including, but not limited to, where the Personal Data has been processed unlawfully or where the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise.
Given the specific nature for which Harmonic uses the Personal Data it collects, this is not likely to be applicable to the Data Subjects of Harmonic.
|4.3||Right to the Restriction of Processing
Data Subjects have the right to require that Harmonic restrict processing of Personal Data in certain circumstances, including, but not limited to, where the Personal Data is inaccurate, the Personal Data is no longer required in light of the purposes of the processing or the Data Subject has exercised their right to object (pending verification of any legitimate grounds of Harmonic which override those of the Data Subject).
Where processing has been restricted, such Personal Data shall, with the exception of storage, only be processed with the Data Subject's consent. Harmonic will inform the Data Subject before the restriction of processing is lifted.
|4.4||Right to Object
The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of Personal Data concerning them where the processing is based on the legitimate interests pursued by Harmonic.
Harmonic shall no longer process the Personal Data unless Harmonic demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Data Subjects shall have the right to object to the processing of Personal Data for direct marketing purposes at any time. Where the Data Subject objects to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.
|5.1||The Data Controller and the Data Processor and, where applicable, their representatives, shall cooperate, on request, with the relevant supervisory authority in the performance of its tasks.
|5.2||In the case of Harmonic Group the Lead Supervisory Authority is the Commission Nationale pour la protection de données – CNPD in Luxembourg (the "Lead Supervisory Authority").
|6.1||Harmonic should maintain records of all its processing activities. This requires that Harmonic determine what Personal Data it holds, where it came from and who it shares it with. This should all be documented, which will assist in complying with the legislation's "accountability principle".
|6.2||Harmonic will retain Personal Data for a period of up to seven years following the point from when the Data Subject’s Business Relationship with Harmonic has ceased, subject to applicable retention laws. Harmonic and its duly authorised agents/delegates will refrain from collecting any further Personal Data and after expiry of the retention period (subject to applicable retention laws) shall take appropriate steps to dispose of any records containing the Data Subject’s Personal Data, to the extent this is operationally feasible and proportionate.
|7.1||If Harmonic detects and records a data breach it shall notify the Lead Supervisory Authority without delay, and in any case not later than 72 hours, unless the breach is unlikely to result in a risk to the rights of the Data Subject. The notification form is available on the Lead Supervisory Authority’s website and is accessible via this link: https://cnpd.public.lu/fr/actualites/national/2018/02/formulaire-violation-donnees.html
|7.2||Each Data Processor shall notify Harmonic without undue delay after becoming aware of a Personal Data breach.
|7.3||The Data Subject must also be notified if the data breach is likely to result in a high risk to their rights and freedoms. The notification shall describe in clear and plain language the nature of the breach, the name of the contact point where more information can be obtained, the likely consequences and measures taken to mitigate or address the breach.