1. INTERPRETATION
1.1 DEFINITIONS
Automated Decision-Making (ADM): When a decision is made solely based on automated processing, including profiling, which has legal effects or significantly impacts an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met), but not Automated Processing.
Automated Processing: Any form of automated processing of Personal Data involving the use of Personal Data to evaluate specific personal aspects relating to an individual. This includes analysing or predicting aspects concerning the individual’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. Profiling is an example of Automated Processing.
Company name: Shingers Prestige
Company Personnel: All employees, workers, contractors, agency workers, consultants, directors, members, and others.
Consent: Agreement that must be freely given, specific, informed, and an unambiguous indication of the Data Subject’s wishes, signifying agreement to the Processing of Personal Data relating to them, either by a statement or by a clear positive action.
Data Controller: The person or organization that determines when, why, and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Company Personnel, prospective Company Personnel/Candidates, and Personal Data used by us in the operation of our business for our own legitimate commercial purposes.
Data Subject: A living, identified, or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): Tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
Data Protection Officer (DPO): The person required to be appointed in specific circumstances under the GDPR. Where a mandatory DPO has not been appointed, this term refers to a data protection manager or other voluntary appointment of a DPO or the Company data privacy team with responsibility for data protection compliance.
EEA: The 28 countries in the EU, including Iceland, Liechtenstein, and Norway.
Explicit Consent: Consent that requires a clear and specific statement, rather than just action.
General Data Protection Regulation (GDPR): The General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.
Personal Data: Any information that identifies a Data Subject or relates to a Data Subject and can be identified (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (e.g., name, email address, location, or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: Any act or omission that compromises the security, confidentiality, integrity, or availability of Personal Data or the physical, technical, administrative, or organizational safeguards that we or our third-party service providers put in place to protect it. The loss, unauthorized access, disclosure, or acquisition of Personal Data is considered a Personal Data Breach.
Privacy by Design: Implementing appropriate technical and organizational measures effectively to ensure compliance with the GDPR.
Privacy Notices (also referred to as Fair Processing Notices): Separate notices providing information to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to specific groups of individuals (e.g., employee privacy notices, candidates, or the website privacy policy) or stand-alone, one-time privacy statements covering Processing related to a specific purpose.
Processing or Process: Any activity involving the use of Personal Data, including obtaining, recording, holding, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms. This ensures that the person to whom the data relates cannot be identified without the use of additional information kept separately and securely.
Related Policies: Any Company policies, operating procedures, or processes related to this Privacy Standard designed to protect Personal Data.
Sensitive Personal Data: Information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offenses and convictions.
2. INTRODUCTION
This Privacy Standard outlines how Shingers Prestige handles the Personal Data of its customers, prospective customers, suppliers, employees, prospective employees, candidates, workers, and other third parties.
It applies to all Personal Data processed by us, regardless of the storage media or whether it pertains to past or present employees, candidates, workers, customers, clients, supplier contacts, shareholders, website users, or any other Data Subject.
This Privacy Standard is applicable to all our staff members, and it is essential for them to read, comprehend, and comply with its provisions when Processing Personal Data on our behalf. They will receive training on the requirements of this Privacy Standard. The purpose of this Privacy Standard is to ensure our compliance with applicable laws. Compliance with this Privacy Standard is mandatory. We may have Related Policies and Privacy Guidelines to assist in interpreting and adhering to this Privacy Standard. Failure to comply with this Privacy Standard may result in disciplinary action.
Prior authorization from the Data Protection Officer (DPO) is required before sharing this Privacy Standard with third parties, clients, or regulators.
3. SCOPE
We acknowledge that the proper and lawful handling of Personal Data is crucial for maintaining trust in our organization and enabling successful business operations. Safeguarding the confidentiality and integrity of Personal Data is a significant responsibility that we consistently prioritize. Failure to comply with the provisions of the GDPR may expose our company to potential fines of up to EUR 20 million (approximately £18 million) or 4% of our total worldwide annual turnover, whichever is higher, depending on the nature of the breach.
All CEOs, Directors, Managers, Heads of Department, Supervisors, and Senior Personnel have the responsibility of ensuring that all our staff members comply with this Privacy Standard. They are required to implement appropriate practices, processes, controls, and training to ensure such compliance.
The DPO, Lisa Shinger (email address: info@shingersprestige.co.uk), is responsible for overseeing this Privacy Standard and, where applicable, developing Related Policies and Privacy Guidelines.
Please contact the DPO for any inquiries regarding the operation of this Privacy Standard, the GDPR, or if you have concerns about its implementation. Specifically, you must contact the DPO in the following circumstances:
- if you are uncertain about the lawful basis for Processing Personal Data, including the legitimate interests relied upon by the Company (refer to Section 5.1 below).
- if you believe that Consent is necessary and/or Explicit Consent needs to be obtained (refer to Section 5.2 below).
- if you believe that Privacy Notices or Fair Processing Notices need to be drafted or shared (refer to Section 5.3 below).
- if you are unsure about the retention period for the Personal Data being Processed (refer to Section 9 below).
- if you are unsure about the security measures or other measures necessary to protect Personal Data (refer to Section 10.1 below).
- in the event of a Personal Data Breach (refer to Section 10.2 below).
- if you are unsure about the legal basis for transferring Personal Data outside the European Economic Area (EEA) (refer to Section 11 below).
- if you require assistance regarding your rights or the rights invoked by a Data Subject (refer to Section 12).
- when you believe that a significant new Processing activity or a change in Processing is likely to require a Data Privacy Impact Assessment (DPIA) (refer to Section 13.4 below), or if Personal Data is to be used for purposes other than those for which it was collected.
- if you suspect that Automated Processing, including profiling or Automated Decision-Making, is taking place (refer to Section 13.5 below).
- if you need guidance or advice on complying with applicable laws regarding direct marketing activities or if you have concerns about any direct marketing activities in which the Company is involved (refer to Section 13.6 below); or
- if you require assistance with contracts or other aspects related to our sharing of Personal Data with third parties, including vendors (refer to Section 13.7 below).
4. PRINCIPLES OF PERSONAL DATA PROTECTION
At Shingers Prestige, we adhere to the principles outlined in the GDPR regarding the Processing of Personal Data. These principles require that Personal Data should be:
- Processed in a lawful, fair, and transparent manner (Lawfulness, Fairness, and Transparency).
- Collected only for specified, explicit, and legitimate purposes (Purpose Limitation).
- Adequate, relevant, and limited to what is necessary for the intended purposes of Processing (Data Minimisation).
- Accurate and, when necessary, kept up to date (Accuracy).
- Stored in a form that allows identification of Data Subjects only for as long as necessary for the intended purposes of Processing (Storage Limitation).
- Processed in a manner that ensures its security, using appropriate technical and organizational measures to protect against unauthorized or unlawful Processing, accidental loss, destruction, or damage (Security, Integrity, and Confidentiality).
- Not transferred to another country without adequate safeguards in place (Transfer Limitation).
- Made accessible to Data Subjects, who are entitled to exercise certain rights regarding their Personal Data (Data Subject’s Rights and Requests).
We are responsible for ensuring compliance with these data protection principles and must be able to demonstrate such compliance (Accountability).
5. LAWFULNESS, FAIRNESS, TRANSPARENCY
5.1 LAWFULNESS AND FAIRNESS
In relation to the Data Subject, Personal Data must be Processed in a lawful, fair, and transparent manner.
At Shingers Prestige, we collect, Process, and share Personal Data only in a fair and lawful manner, for specific purposes. The GDPR imposes restrictions on our actions concerning Personal Data, aiming to ensure that Processing is conducted fairly and without adverse effects on the Data Subject.
The GDPR permits Processing for specific purposes, some of which are outlined below:
- The Data Subject has given explicit Consent.
- Processing is necessary for the performance of a contract with the Data Subject or in anticipation of entering into a contract.
- To meet our legal obligations.
- To protect the vital interests of the Data Subject.
- To pursue our legitimate interests, provided they do not override the interests, rights, and freedoms of the Data Subjects. The specific purposes for which we Process Personal Data based on legitimate interests are detailed below. We are confident that we have identified these interests, ensured the necessity of Processing, and balanced the interests, rights, and freedoms of individuals. We believe that we use an individual’s data in ways that they would reasonably expect, considering there are no less intrusive methods to achieve the same result.
- To perform specific tasks in the public interest as set out by law.
The legal grounds relied upon by Shingers Prestige for Processing Personal Data are as follows:
- Company Personnel Data: Contractual necessity, as we require Personal Data to fulfil our contractual obligations, and Legitimate Interests, as it is necessary for operating our business.
- Prospective Company Personnel: Contractual necessity, as we need to process Personal Data to evaluate whether to hire a candidate, and Legitimate Interests, as it is beneficial to our business and the candidate’s appointment.
- Clients and Customers: Contractual necessity, as we need to process Personal Data to fulfil our contractual obligations with clients/customers, make decisions regarding contract formation, including providing quotations, and Legitimate Interests, as it is necessary for operating our business.
- Suppliers: Contractual necessity, as we need to process Personal Data to fulfil our contractual obligations with suppliers, and Legitimate Interests, as it is necessary for operating our business.
- Business Contacts, Marketing Prospects, and Prospective Clients and Customers: Contractual necessity, as we need to process Personal Data to assess potential contractual relationships with this group of individuals, and Legitimate Interests, as it is necessary for operating our business. Marketing to potential clients and customers is also a Legitimate Interest.
5.1.1 SENSITIVE DATA
We only process Sensitive Personal Data relating to Company Personnel, Prospective Company Personnel, and Candidates. For the processing of Sensitive Personal Data, we must satisfy a specific condition under Article 9 of the GDPR. Shingers Prestige meets the requirements of condition B under Article 9(2), as Processing is necessary for carrying out employment-related obligations and exercising specific rights of the Data Controller or the Data Subject. We may also obtain specific Consent for such Processing.
5.2 CONSENT
As a Data Controller, we may only Process Personal Data based on one or more of the lawful bases specified in the GDPR, including Consent.
Consent is obtained when the Data Subject clearly indicates agreement, either through a statement or positive action, towards the Processing. Consent requires affirmative action, and silence, pre-ticked boxes, or inactivity cannot be considered valid Consent. If Consent is obtained through a document covering other matters, it must be clearly separated from those other matters.
Data Subjects should be able to easily withdraw their Consent at any time, and such withdrawals must be promptly respected. If we intend to Process Personal Data for a different and incompatible purpose that was not disclosed at the time of obtaining Consent, Consent may need to be refreshed.
Explicit Consent may be required for Processing Sensitive Personal Data, Automated Decision-Making, and cross-border data transfers, unless another legal basis for Processing applies. Usually, we rely on other legal bases as specified above and do not require Explicit Consent. When Explicit Consent is necessary, we will provide a Fair Processing Notice to capture such Explicit Consent.
We will maintain evidence of Consent and keep records to demonstrate compliance with Consent requirements.
5.3 TRANSPARENCY (NOTIFYING DATA SUBJECTS)
The GDPR mandates that Data Controllers provide detailed and specific information to Data Subjects, depending on whether the information is collected directly from the Data Subjects or from other sources. This information must be provided through appropriate Privacy Notices or Fair Processing Notices, which must be concise, transparent, intelligible, easily accessible, and presented in clear and plain language to ensure Data Subjects can understand them.
When collecting Personal Data directly from Data Subjects, including for human resources or employment purposes, we will provide all the required information, including the identity of the Data Controller and DPO, details on how and why we will use, Process, disclose, protect, and retain that Personal Data. This information will be provided through a Fair Processing Notice presented at the time of collecting the Personal Data.
If Personal Data is collected indirectly (e.g., from third parties or publicly available sources), we will provide the required information to the Data Subjects as soon as possible after receiving the data. We will also verify that the Personal Data was collected by the third party in compliance with the GDPR and on a basis that aligns with our proposed Processing of that Personal Data.
6. PURPOSE LIMITATION
Personal data should only be collected for specified, explicit, and legitimate purposes. It should not be further processed in any way that is incompatible with those purposes.
At Shingers Prestige, we will not use personal data for new, different, or incompatible purposes unless we have informed the data subject of the new purposes and obtained necessary consent, if required.
7. DATA MINIMISATION
Personal data should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
At Shingers Prestige, we will only process personal data when it is necessary for performing our duties.
We will not process personal data for any reasons unrelated to our job duties. We will collect only the personal data that is required for our job duties and avoid collecting excessive data. We will ensure that any personal data collected is adequate and relevant for the intended purposes.
Once personal data is no longer needed for the specified purposes, we will either delete or anonymise it.
8. ACCURACY
Personal data should be accurate and kept up to date when necessary. It should be corrected or deleted without delay if found to be inaccurate.
At Shingers Prestige, we will ensure that the personal data we use and hold is accurate, complete, up to date, and relevant to the purpose for which it was collected. We will check the accuracy of personal data at the point of collection and regularly thereafter. If we identify any inaccuracies or outdated information, we will take reasonable steps to correct or delete such data.
9. STORAGE LIMITATION
Personal data should not be kept in an identifiable form for longer than necessary for the purposes for which it is processed.
At Shingers Prestige, we will not retain personal data in a form that allows the identification of the data subject for a longer period than needed for the legitimate business purpose or purposes for which it was originally collected. This includes fulfilling any legal, accounting, or reporting requirements.
We will maintain retention policies and procedures to ensure that personal data is deleted after a reasonable time unless there is a legal requirement to retain it.
We will also ensure that third parties involved delete such data where applicable.
Data subjects will be informed of the storage period and how it is determined through relevant privacy notices or fair processing notices provided by the company.
10. SECURITY, INTEGRITY, AND CONFIDENTIALITY
10.1 PROTECTING PERSONAL DATA
Personal data must be safeguarded using appropriate technical and organizational measures to prevent unauthorized or unlawful processing, as well as accidental loss, destruction, or damage.
At Shingers Prestige, we will develop, implement, and maintain security measures suitable for our size, scope, and business operations. We will assess the effectiveness of these safeguards regularly to ensure the security of personal data we process. It is our responsibility to protect the personal data we hold. We will employ reasonable and suitable security measures to prevent unlawful processing and accidental loss or damage of personal data. Special attention will be given to protecting sensitive personal data from unauthorized access, use, or disclosure.
We will establish policies to maintain data security throughout the lifecycle of personal data, from collection to destruction. When transferring personal data to third-party service providers, we will ensure they adhere to our required policies, procedures, and adequate security measures as requested. We will maintain data security by upholding the confidentiality, integrity, and availability of personal data as follows:
- Confidentiality: Only authorized personnel with a legitimate need will have access to the personal data.
- Integrity: Personal data will be accurate and suitable for the intended purposes of processing.
- Availability: Authorized users will be able to access personal data when needed for legitimate purposes.
We will maintain and comply with an Information Technology policy and will not attempt to bypass the administrative, physical, and technical safeguards we have implemented and maintained in accordance with the GDPR and relevant standards to protect personal data.
10.2 REPORTING A PERSONAL DATA BREACH
The GDPR mandates that data controllers notify the relevant regulator and, in certain cases, the data subject about any personal data breaches.
At Shingers Prestige, we have established a procedure to address suspected personal data breaches and will fulfil our legal obligations to notify affected data subjects or the applicable regulator.
If you become aware of or suspect a personal data breach, please refrain from investigating independently and immediately contact the designated person or team responsible for personal data breaches, which is the Data Protection Officer (DPO). It is essential to preserve all evidence related to the potential breach.
11. TRANSFER LIMITATION
The GDPR imposes restrictions on the transfer of data to countries outside the EEA to ensure that individuals’ data protection rights under the GDPR are not compromised. At Shingers Prestige, when you transmit, send, view, or access Personal Data originating from one country in another country, you are transferring it across borders.
Personal Data may only be transferred outside the EEA if one of the following conditions is met:
- The European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the rights and freedoms of the Data Subjects.
- Appropriate safeguards are in place, such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism. You can obtain a copy of these safeguards from the Data Protection Officer (DPO).
- The Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks.
- The transfer is necessary for one of the other reasons specified in the GDPR, including the performance of a contract between us and the Data Subject, reasons of public interest, the establishment, exercise, or defence of legal claims, or the protection of the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving consent. In some limited cases, transfers may also be based on our legitimate interest.
12. DATA SUBJECT’S RIGHTS AND REQUESTS
Data Subjects have rights regarding how we handle their Personal Data. These rights include the following:
- The right to withdraw consent to processing at any time.
- The right to receive certain information about the Data Controller’s processing activities.
- The right to request access to their Personal Data that we hold.
- The right to prevent the use of their Personal Data for direct marketing purposes.
- The right to ask us to erase Personal Data if it is no longer necessary for the purposes for which it was collected or processed, or to rectify inaccurate data or complete incomplete data.
- The right to restrict processing in specific circumstances.
- The right to challenge processing that has been justified based on our legitimate interests or the public interest.
- The right to request a copy of an agreement under which Personal Data is transferred outside of the EEA.
- The right to object to decisions based solely on automated processing, including profiling (ADM).
- The right to prevent processing likely to cause damage or distress to the Data Subject or anyone else.
- The right to be notified of a Personal Data Breach likely to result in a high risk to their rights and freedoms.
- The right to make a complaint to the supervisory authority.
- In limited circumstances, the right to receive or request the transfer of their Personal Data to a third party in a structured, commonly used, and machine-readable format.
We will verify the identity of individuals making requests under any of the rights listed above. We will not allow third parties to persuade us to disclose Personal Data without proper authorization.
Any Data Subject request we receive will be immediately forwarded to the Data Protection Officer (DPO), and we will comply with the company’s Data Subject response process.
13. ACCOUNTABILITY
13.1 The Data Controller will implement appropriate technical and organisational measures effectively to ensure compliance with data protection principles. The Data Controller, Shingers Prestige, is responsible for demonstrating and ensuring compliance with the data protection principles.
Adequate resources and controls must be in place to ensure GDPR compliance and maintain documented records, including:
- Appointing a suitably qualified Data Protection Officer (DPO) and an executive accountable for data privacy.
- Implementing Privacy by Design when processing Personal Data and conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities affecting Data Subjects’ rights and freedoms.
- Integrating data protection into internal documents, such as the Privacy Standard, Related Policies, Privacy Notices, or Fair Processing Notices.
- Regularly training Shingers Prestige personnel on the GDPR, the Privacy Standard, Related Policies, and data protection matters, including Data Subject rights, Consent, legal basis, DPIAs, and Personal Data Breaches. Attendance at training sessions by Shingers Prestige personnel should be recorded.
- Regularly testing privacy measures, conducting periodic reviews and audits to assess compliance, and using the results of testing to demonstrate continuous improvement efforts.
13.2 RECORD KEEPING
Under the GDPR, it is mandatory to maintain full and accurate records of all data processing activities. Shingers Prestige will keep precise corporate records that reflect its processing activities. These records will include, at minimum, the following information:
- Name and contact details of the Data Controller and the DPO.
- Clear descriptions of the types of Personal Data, Data Subject categories, processing activities, processing purposes, third-party recipients of Personal Data, Personal Data storage locations, Personal Data transfers, retention periods for Personal Data, and descriptions of security measures in place.
To create such records, data maps will be created, which should include the aforementioned details along with appropriate data flows.
13.3 TRAINING AND AUDIT
It is essential to ensure that all Shingers Prestige personnel have received adequate training to comply with data privacy laws. Regular testing of systems and processes should also be conducted to assess compliance.
All personnel must undergo mandatory data privacy-related training.
They should regularly review the systems and processes under their control to ensure compliance with the Privacy Standard and verify that adequate governance controls and resources are in place for the proper use and protection of Personal Data.
13.4 PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Privacy by Design measures must be implemented when processing Personal Data at Shingers Prestige. This involves implementing appropriate technical and organisational measures, such as pseudonymisation, to ensure compliance with data privacy principles.
Privacy by Design measures should be assessed for implementation in all programs, systems, or processes that involve the processing of Personal Data. This assessment should consider factors such as the state of the art, cost of implementation, nature, scope, context, and purposes of the processing, as well as the risks posed to the rights and freedoms of Data Subjects.
Data controllers must also conduct DPIAs for high-risk processing activities. Shingers Prestige will conduct a DPIA, in consultation with the DPO, before implementing major system or business change programs that involve the processing of Personal Data. These include activities such as the use of new or changing technologies, automated processing (including profiling and ADM), large-scale processing of Sensitive Data, and large-scale systematic monitoring of publicly accessible areas. A DPIA must include a description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of risks to individuals, and a demonstration of risk mitigation measures and compliance.
13.5 AUTOMATED PROCESSING (INCLUDING PROFILING) AND AUTOMATED DECISION-MAKING
In general, Automated Decision-Making (ADM) is prohibited when it has a significant legal or similar effect on an individual unless one of the following conditions is met:
- (a) the Data Subject has explicitly consented,
- (b) the processing is authorized by law, or
- (c) the processing is necessary for the performance of a contract or entering into a contract.
If certain types of Sensitive Data are being processed, grounds (b) or (c) will not be allowed. However, processing of such Sensitive Data may be permissible if it is necessary (unless less intrusive means can be used) for substantial public interest, such as fraud prevention.
When a decision is based solely on Automated Processing (including profiling), Data Subjects must be informed of their right to object at the first communication with them. This right to object should be presented clearly and separately from other information. Suitable measures must be in place to protect the rights, freedoms, and legitimate interests of the Data Subject.
Shingers Prestige will inform Data Subjects of the logic involved in decision-making or profiling, the significance and expected consequences, and provide the right to request human intervention, express their point of view, or challenge the decision.
A DPIA must be conducted before any Automated Processing (including profiling) or ADM activities are undertaken.
13.6 DIRECT MARKETING
Shingers Prestige is subject to rules and privacy laws when conducting marketing activities to its customers.
For electronic direct marketing, such as emails, texts, or automated calls, prior consent from the Data Subject may be required. The “soft opt-in” exception allows organizations to send marketing communications to existing clients, customers, and contacts if their contact details were obtained during business dealings, the marketing is for similar products or services, and the opportunity to opt out was provided at the time of collecting the details and in every subsequent message.
The right to object to direct marketing will be explicitly offered to Data Subjects in a clear and distinguishable manner.
Shingers Prestige will promptly honour a Data Subject’s objection to direct marketing. If a customer opts out at any time, their details will be suppressed as soon as possible, retaining only enough information to respect their marketing preferences in the future.
13.7 SHARING PERSONAL DATA
Sharing Personal Data with third parties is generally restricted unless specific safeguards and contractual arrangements are in place.
Shingers Prestige will only share the Personal Data it holds with employees, agents, or representatives within its group (including subsidiaries and its ultimate holding company and its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
Personal Data will be shared with third parties, such as service providers, only if:
- They have a legitimate need to know the information to provide contracted services.
- Sharing the Personal Data complies with the provided Privacy Notice and, if required, the Data Subject’s Consent has been obtained.
- The third party has agreed to comply with the necessary data security standards, policies, procedures, and has implemented adequate security measures.
- The transfer complies with any applicable cross-border transfer restrictions.
- A written contract containing GDPR-approved third-party clauses has been executed.
14. CHANGES TO THIS PRIVACY STANDARD
Shingers Prestige reserves the right to amend this Privacy Standard at any time without prior notice.
Please note that this Privacy Standard does not supersede any relevant national data privacy laws and regulations in the countries where Shingers Prestige operates.