GDPR: Personal Data Protection Policy

The TrackingTime Personal Data Protection Policy, based on the European General Data Protection Regulation (GDPR).

Written by Diego Wyllie
Updated over a week ago

Version History

| VERSION | NOTES | DATE |
|---|---|---|
| 01 | New Document | 02.05.2018 |
| 02 | Modifications to comply with latest regulatory changes. | 13.12.2022 |

1. INTRODUCTION

1.1. Object

TRACKING TIME, LLC (TRACKING TIME or the Company, or the Data Controller) attaches great importance to the processing of personal data as a key element in its activity.

For this reason, TRACKING TIME has decided to define, approve and implement the present Personal Data Protection Policy that includes the regulatory requirements according to the particular characteristics of TRACKING TIME in the processing of personal data in accordance with its activity and depending on its structure and available resources.

This document is intended to be a stable framework, but due to the continuous evolution and intrinsic changes of information systems and the complexity of the regulations, this Policy must be completed or developed by other documents.

Likewise, with the acceptance of the present policy, the data retention and deletion policy and the Data Protection Protocol are also accepted.

1.2. Principles

The principles relating to the processing of personal data are as follows:

- Principle of lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and transparently in relation to the data subject.

- Purpose limitation principle: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

- Data minimisation principle: personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

- Data accuracy principle: personal data must be accurate and, where necessary, kept up to date.

- Principle of limitation of the storage period: data should be kept for no longer than is necessary for the purposes of the processing.

- Principle of integrity and confidentiality: personal data must be processed in such a way as to ensure adequate data security.

- Principle of proactive responsibility: manifested, inter alia, in extreme diligence in the choice of the data processing provider and in the implementation, prior to the start of processing, of appropriate technical and organisational measures (obligation of privacy by design) and allowing that, by default, only data necessary for each of the specific purposes are processed (obligation of privacy by default).

1.3. Regulatory Framework

The specific related legislation is mainly the following:

| Legislation | Reference |
|---|---|
| GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. | Article 78; Article 24.2 (Responsibility of the data controller) |
| LOPD Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights | Full text |

1.4. Legitimation for processing

The legal basis depends on the Services you use and how you use them. This means that we collect and use your information only when:

  • we need it to provide the Services to you, including to operate the Services, provide customer support and personalized features and protect the security of the Services;

  • it meets a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;

  • we need to do so to satisfy the terms of our agreement with you;

  • you consent to us doing so for a specific purpose; or

  • we need to process your data to comply with a legal obligation.

If you have consented to us using your information for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we use your information because we or a third party (for example, your employer) have a legitimate interest in doing so, you have the right to object to that use, although, in some cases, this may mean stopping your use of the Services.

2. SCOPE

The scope of application of this Policy is limited exclusively to TRACKING TIME, on an individual basis.

2.1. Legitimation of your data

In order for you to enjoy the services we offer you at TRACKING TIME, we will use some information about you that has been provided exclusively by yourself. You can see this in detail below:

We collect information about you when you provide it to us, when you use our Services and when other sources provide it to us, as described below.

  • Account and Profile Data: We collect information from you when you register for an account, create or modify your profile, set your preferences, register or make purchases through the Services. For example, you provide your contact information and, in some cases, billing information when you register for the Services. You also have the option to add a profile picture and other details to your profile information to be displayed on our Services.


  • Services: We keep a record of your preferences when you select settings within the Services.


  • Data you provide through our products: The Services include the TRACKING TIME applications you use, where we collect and store the content you post, send, receive and share. This content includes any information about you and that you choose to include (the name of your tasks, projects, clients or services and the working times associated with those entities and you...).


  • Data you provide through our websites: The Services also include websites owned or operated by us such as trackingtime.co. We collect other content that you submit to these websites and data relating to your use of social media in connection with the Services, for example, when you "like" or "share" something displayed through the Services using a widget provided by Facebook. This also includes data you provide to us when you give us feedback or when you participate in any interactive features (such as the ability to post comments), surveys, promotions or activities.


  • Data you provide through our support channels: The Services also include our customer support, where you may choose to submit information about a problem you are experiencing with the Services. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our support representatives directly, or otherwise contact our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation and screenshots or information that may be helpful in resolving the problem. In some cases, it may be useful for us to access your account. In such cases, we will ask for your permission beforehand.

  • Payment Details: We collect certain payment and billing information when you sign up for the Payment Services. For example, we ask you to designate a billing representative, including name and email address, when you sign up for a payment plan. We use this information to send you invoices and payment receipts. However, we never collect or store your credit card information. Your credit card details, such as card number, expiry date or security code, are securely processed by Stripe Inc., our payment provider. For more information about the compliance and security of your payment data, please visit Stripe's website (https://stripe.com/).

Information we automatically collect when you use the Services

We collect information about you when you use our Services, including when you browse our websites and perform certain actions within the Services.

  • Use of the Services: We use third party services to track certain information about you when you visit and interact with any of our Services. The third parties that provide these services are listed in the Data Protection Protocol. This information includes, for example, the features you use; the links you click; the dates you log in to your account; and how you interact with the Services.


  • Device and connection information: We collect information about your computer, phone, tablet or other devices that you use to access the Services. This device information includes connection type and settings when you install, access, update or use our Services. We also collect information through your device about your operating system, browser type, IP address, referring/exit page URLs, device identifiers and crash data. We use your IP address and/or country preference to approximate your location and provide you with a better Service experience. The amount of this information we collect depends on the type and configuration of the device you use to access the Services.


  • Cookies and other tracking technologies: TRACKING TIME and our third-party vendors, such as our analytics providers, use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide analytics, functionality and to recognize you across different Services and devices. These third party providers are listed in the Data Protection Protocol. Please refer to their privacy policies for more information about their use of cookies and other tracking technologies they use.

Information we receive from other sources

We receive information about you from other users of the Services and from third party services. We may combine this information with information you provide to us and information we collect about you.

  • Other users of Services: Other users of our Services, including your employer, may provide information about you when they submit data through the Services. For example, someone else may assign you a task that could include personal information about you or your work. We may also receive your email address from other users of the Service or your employer when they provide it to invite you to the Services. Similarly, an administrator may provide your contact information when they designate you as a billing contact on their company account.


  • Other services you link to your account: We receive information about you when you or your administrator integrate or link a third party service with our Services. For example, if you create an account or sign in to the Services with your Google credentials, we receive your name and email address, as permitted by your Google profile settings, to authenticate you. You or your administrator may also integrate our Services with other services you use. For example, you may use the TRACKING TIME button for Chrome to track time on various third-party services. In this case, we automatically collect data from the integrated service, such as task and project names.

We use the term "Personal Data" to refer to all of the above information and any other information we hold about you.

2.2. Processing of Personal Data

We will use your Personal Data for the following purposes.

  • To provide the Services and personalize your experience: We use information about you to provide the Services to you, including processing transactions with you, authenticating you when you log in, providing customer service, and operating and maintaining the Services. For example, we use the name and profile picture you provide in your account to identify you to other users of the Service within your organization.


  • For research and development: We are always trying to make our Services better, faster, safer and more useful to our customers. We use the collective knowledge of how people use our Services and the feedback they provide directly to us to troubleshoot problems and identify trends, usage, activity patterns and areas for improvement in the Services. For example, when we launch a new feature, we track how often it is used and by whom.


  • To communicate with you about the Services: We use your contact information to send you transactional communications by email and within the Services, including confirming your payments, reminding you when subscriptions are due, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts and administrative messages. We send you email and in-app notifications when you or others interact with you on the Services, for example, when you are assigned a task. We also provide personalized communications based on your activity and interactions with us. For example, certain actions you take on the Services may automatically trigger an email or in-app message. We also send you messages as you join our team to help you become more proficient in using our products. These communications are part of the Services and you can always unsubscribe from them. In addition, you can always change your notification settings according to your preferences to avoid receiving certain types of notifications. To learn more about how you can customize your notification preferences and how to unsubscribe, please see this article.


  • To market, promote and drive engagement with the Services: We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email. These communications are intended to drive engagement, including selling the Services to you, and to maximize what you get from the Services, including information about new features, survey requests and newsletters that we think may be of interest to you. We also communicate with you about new product offerings, updates and promotions.


  • Customer support: We use your data to resolve technical issues you encounter, to respond to your support requests, to analyze crash information and to repair and improve the Services.


  • For safety and security: We use information about you and your use of the Service to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.


  • To protect our legitimate business interests and statutory rights: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we may use information about you in connection with legal claims, compliance, regulatory and audit functions.


  • With your consent: We use information about you when you have given us your consent to do so for a specific purpose not mentioned above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.

2.3. Transfer of data

We share the information we collect about you in the ways discussed below, but we do not sell information about you to advertisers or other third parties.

Sharing with other users of the Services

When you use the Services, we share certain information about you with other users of the Service within your team or organization.

  • For collaboration: You can create content, such as tasks, to-dos and comments, which may contain information about you, and grant permission to others to view, edit and copy that content. Some of the collaborative features of the Services display some or all of your profile information to other users of the Service when you share or interact with specific content. For example, when you comment on a task, we display your profile picture and name alongside your comments so that other users with access to the task know who made the comment. Please note that any data posted on the Services, including information about you, your company or your employees, is not publicly viewable and is only available to active users of your organization's account who have previously been granted access by an account administrator.


  • Managed accounts and administrators: If you register or access the Services using an organization account owned by your employer or another organization or using an email address with a domain owned by your employer or another organization, and that organization wishes to establish an account or site, certain information about you, including your name, profile picture, contact information, content and past use of your account, may become accessible to that organization's administrator and other users of the Service who share the same TRACKING TIME account.

Sharing with third parties

We share information with third parties who help us operate, provide, improve, integrate, customize, support and market our Services.

  • Service providers: We work with third party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analytics and other services for us, which may require them to process, access or use information about you. These service providers are listed in the Data Protection Protocol. Some of these service providers use "cookies" or other tracking devices on our site, which are software programs or other systems that collect information about your use of our Services. If a service provider needs to access information about you to perform services on our behalf, it does so under strict instructions from us, including policies and procedures designed to protect your information.


  • Third-party applications: You, your administrator or other users of the Service may choose to add new functionality by integrating third party applications into the Services. In doing so, the third party applications may have access to your account and information about you, such as your name and email address, as well as any content you choose to use in connection with those applications. For example, if you or your account administrator use Zapier to integrate TRACKING TIME with other online services, your account information will be shared with the services you choose.


  • Links to third party sites: The Services may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.


  • Third party widgets: Some of our applications and websites may contain social media widgets and features, such as Twitter's "tweet" button. These widgets and features collect your IP address, the page you are visiting on the Services, and may set a cookie to enable the feature to function properly. Social media widgets and features are either hosted by a third party or hosted directly on our Services. Your interactions with these features are governed by the privacy policy of the company providing them. If you do not know which company provides a particular widget, please contact us so that we can provide you with the information you need.


  • With your consent: We share information about you with third parties when you give us your consent to do so. For example, we often display personal testimonials from satisfied customers on our public websites. With your consent, we may publish your name alongside the testimonial.

  • International transfers: TRACKING TIME is based outside the EEA, as are many of our external service providers, so the processing of your personal data will involve a transfer of your personal data outside the EEA but the processing of the data is in accordance with the GDPR. The location in which our external service providers process your personal data is shown in the Data Protection Protocol.

    Please contact us if you would like more information about the specific mechanism we use when transferring your personal data outside the EEA.

  • Corporate transactions: If TRACKING TIME or substantially all of its assets are acquired by a third party, personal data held by TRACKING TIME about its customers will be one of the transferred assets.

2.4. How we store and protect the information we collect

We use data hosting service providers in the United States, which are listed in the Data Protection Protocol, to host the information we collect, and we use technical measures to secure your data. For more information about where we store your information, please contact us.

Although we implement security measures designed to protect your information, no security system is impenetrable and, due to the inherent nature of the Internet, we cannot guarantee that data, during transmission over the Internet or while stored on our systems or in our care, will be absolutely safe from intrusion by third parties. All security measures are further developed in the Data Protection Protocol.

2.5. Retention period of your personal data

The length of time we keep the information we collect about you depends on the type of information, as described in more detail below. After that time, we will either delete or anonymise your information or, if this is not possible (for example, because the information has been stored in backup files), we will securely store your information and isolate it from further use until such time as deletion is possible. Please refer to the Data Retention and Deletion Policy.

Account information

We retain your account information for as long as your account is active and for 9 months thereafter should you choose to reactivate the Services. When we retain information for Service improvement and development, we only use the information to discover collective insights about your use of our Services, not to specifically analyze personal characteristics about you.

If your account is deactivated or disabled, some of your information and the content you have provided will remain to allow your team members or other users to make full use of the Services. For example, we continue to display messages you sent to users who received them and we continue to display content you provided.

Managed Accounts

If the Services are made available to you through an organization (for example, your employer), we retain your information for as long as your account administrator requires. For more information, see "Managed accounts and administrators" above.

Marketing information

If you have opted-in to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened an email from us or stopped using your TRACKING TIME account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information is created.

3. PROCEDURE FOR MANAGING THE RIGHTS OF DATA SUBJECTS

Current data protection legislation regulates both the rights that the data subject may exercise and the procedure for exercising them before the Data Controller or, where appropriate, the Data Processor.

Any employee who becomes aware of the exercise by a data subject of any of his or her rights regarding the protection of personal data must immediately notify the Security Officer by email at gdpr@trackingtime.com who, after receiving the advice of the Data Protection Officer, will respond in accordance with the provisions of this document.

General issues on the exercise of rights

  • The rights may be exercised directly by the data subject or through a legal or voluntary representative.


  • Data subjects may exercise their rights free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive nature (more than once within a period of six months, without legitimate grounds), the controller may (a) charge a reasonable fee in relation to the administrative costs incurred in providing the information or communication or carrying out the requested action, or (b) refuse to act on the request. The controller shall bear the burden of demonstrating that the request is manifestly unfounded or excessive.


  • The controller must have informed data subjects in advance of the means available to them to exercise their rights. The means must be easily accessible to the data subject. The exercise of the right may not be refused on the sole ground that the data subject opts for another means.


  • The data processor may respond on behalf of the controller to requests from data subjects to exercise their rights if this is provided for in the contract or legal act binding them.


  • Proof of compliance with the duty to respond to the data subject's request to exercise his or her rights shall lie with the data controller.

The rights that the data subject may exercise are as follows:

Right of access: is the right of the data subject to obtain from the Controller confirmation as to whether or not personal data relating to him or her are being processed, and in the event that processing is confirmed, to be provided with access to the data and to the information available to him or her, such as (a) the purposes; (b) the categories of data; (c) the recipients, in particular recipients in third parties or international organizations and appropriate safeguards concerning the transfer; (e) the existence of the right to request rectification, erasure, restriction or objection; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data have not been obtained from the data subject, any available information on their origin; (h) the existence of automated decisions.

Right of rectification: the data subject shall have the right to obtain from the controller without undue delay the rectification of personal data relating to him or her which are inaccurate. Having regard to the purposes for which the data have been processed, the data subject shall have the right to have the personal data supplemented where they are incomplete, in particular by providing an additional statement.

If the inaccurate data have previously been communicated to a third party, the transferee of the data must be notified of the rectification, who must in turn carry out the same rectification.

Right to erasure: this refers to the right of the data subject to obtain from the Controller, without undue delay, the erasure of personal data concerning him/her, in the cases provided for by law (the personal data are no longer necessary in relation to the purposes for which they were collected, the data subject withdraws consent, the data subject objects to the processing, the personal data have been processed unlawfully, ...).

Right of objection: the data subject may object at any time, on grounds relating to his or her particular situation, to the processing of personal data relating to him or her for the purposes of pursuing a public interest or legitimate interest, including profiling on the basis of such provisions.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data relating to him or her, which shall no longer be processed for those purposes.

Right to limitation of processing: this is the right to obtain from the Data Controller the limitation of the processing of personal data, when any of the following conditions are met:

  • the data subject contests the accuracy of the personal data, within a period of time which allows the controller to verify the accuracy of the personal data;


  • the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use;


  • the controller no longer needs the personal data for the purposes of the processing but the data subject needs them for the establishment, exercise or defense of claims;

  • the data subject has objected to the processing for the purposes of complying with a public interest or for the fulfillment of a legitimate interest, while it is being verified whether the legitimate grounds of the controller override those of the data subject.

Right to data portability: consists of the right to receive the personal data concerning him/her, which he/she has provided to a Data Controller, in a structured, commonly used and machine-readable format and to transmit it to another Data Controller without being prevented from doing so by the Data Controller to whom the data had been provided, when the cases legally foreseen for this purpose occur.

Deadline for response

The controller is obliged to respond to the data subject's requests, without undue delay, and at the latest within one month, and to give reasons if it does not comply with the request.

This period may be extended by a further two months if necessary, taking into account the complexity and number of requests, stating the reasons for the delay. Where the data subject submits the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise. The controller shall inform the data subject of any such extension within one month of receipt.

Formal requirements for the exercise of rights

The rights must be exercised by means of a written request addressed to the Data Controller.

All applications must be accompanied by:

  • Name, surnames of the interested party and a copy of the identity document. In the exceptional cases in which representation is admitted, the identification by the same means of the person representing the interested party will also be required, as well as the document accrediting the representation. The photocopy of the identity document may be substituted provided that the identity is accredited by any other legally valid means.

  • The request in which the application is made.

    Where the controller processes a large amount of information relating to the data subject and the data subject exercises his or her right of access without specifying whether it relates to all or part of the data, the controller may, before providing the information, request the data subject to specify the data or processing activities to which the request relates.

    If exercising the right of rectification, the data subject shall indicate in his request to which data he is referring and the correction to be made.

  • Address for service

  • Date and signature of the applicant

  • Documents in support of the request you are making, where necessary

4. END USERS

Many of our products are intended for use by organizations. When the Services are made available to you through an organization (for example, your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. In this case, please direct your data privacy questions to its administrator, as your use of the Services is subject to that organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may differ from this policy.

If you do not want an administrator to be able to exercise control over your account or use of the Services, please use your personal email address to register for or access the Services. If an administrator has not already exercised control over your account or access to the Services, you may update the email address associated with your account through your account settings in your profile. Once an administrator has assumed control of your account or use of the Services, you may no longer change the email address associated with your account without the administrator's approval.

5. ADDITIONAL DOCUMENTATION

This Policy is developed and complemented by the Personal Data Protection Protocol and other internal regulations on the subject.

6. DESCRIPTION

6.1. Protected resources

Protected resources within the scope of this policy include the applications and systems that process personal data, the computer equipment that supports them and the premises where they are located.

For proper control of IT resources, it is necessary to maintain an up-to-date inventory of the equipment, their corresponding locations and the applications used.

The Company shall keep the inventory of IT resources up to date at all times.

6.2. Processing activities

TRACKING TIME will keep an up-to-date record of the processing activities carried out under its responsibility or on behalf of a controller.

The records shall be in writing, including in electronic form, and shall be made available to the supervisory authority upon request.

6.3. Structure and tasks in the area of data protection

TRACKING TIME has structured its organization with different data processing functions.

6.3.1. Data controller

TRACKING TIME is responsible for determining the purposes, means of processing and the appropriate technical and organizational measures to be implemented in order to ensure and demonstrate that the processing of personal data is carried out in compliance with the applicable regulations, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

6.3.2. Employees

All TRACKING TIME staff are considered users when processing personal data, both automated and non-automated. Each of them is assigned an access profile according to their functions and responsibilities.

All employees are trained and informed about the guidelines for the processing of personal data that may be processed as a result of the performance of their duties within the company, in addition to subscribing to a confidentiality commitment.

6.3.3. Security Officer

This is the person designated primarily to coordinate and control security measures.

6.3.4. Data Protection Officer

The Company will appoint a Data Protection Officer to advise and inform TRACKING TIME of its data processing obligations. His or her appointment does not exempt him or her from responsibility for data processing.

TRACKING TIME will provide the Data Protection Officer with the resources necessary for the performance of his or her duties, as well as access to personal data and processing operations.

The Data Protection Officer is accountable to the highest level of TRACKING TIME.

6.3.5. System Administrator

The System Administrator is responsible for administering and maintaining the operational environment for data processing.

6.3.6. Personnel Officer

The Personnel Officer is responsible for ensuring that internal rules are known to employees, taking the necessary publicity and training measures for this purpose.

6.3.7. Persons directly responsible for processing activities

For each processing activity, a person directly responsible for it shall be identified whose main function is to collaborate directly with the Security Officer and Data Protection Officer in the performance of his or her duties. Likewise, he/she must propose changes and improvements and report any modification linked to the processing activity.

6.3.8. Processors

TRACKING TIME may appoint processors to process personal data for which it is responsible. The processor may only process such data on its instructions.

TRACKING TIME will only choose processors that offer sufficient guarantees in the implementation of appropriate technical and organizational measures, so that the processing by the processor ensures the protection of the rights of data subjects.

Processing by the processor shall be governed by a contract, which binds the processor to the controller and sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller and processor, including the security measures to be implemented.

The processor may not have recourse to another processor without the prior written authorisation, specific or general, of the controller.

TRACKING TIME will have an updated list of all those service providers that process data under its responsibility.

6.4. Personal data security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, TRACKING TIME will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Specific measures will be taken to ensure the security of special category data.

6.5. Risk Analysis

TRACKING TIME will carry out an analysis of the risks to the rights and freedoms of natural persons arising from the processing of their data. This risk analysis will cover all processing activities registered by the Company.

6.6. Training programme

Staff must at all times have the necessary knowledge of data protection and be aware of their roles and obligations within the company.

To this end, TRACKING TIME, within the training plan for its employees, will provide specific training on the processing of personal data according to the profile of each job position. (Some training should be provided).

6.7. Impact assessment of data processing operations

In compliance with the principle of proactive accountability, where a type of processing, in particular one that uses new technologies, is likely, by its nature, scope, context or purposes, to result in a high risk to the rights and freedoms of natural persons, TRACKING TIME will carry out, prior to the processing, an assessment of the impact of the processing operations on the protection of personal data (EIPD).

The Company shall carry out the analysis of the need for the EIPD and the execution of the EIPD itself, recording these operations.

6.8. Security incident management

A security incident shall be considered to be any situation that compromises or may affect the security of personal data and information.

Any incident that causes the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to such data, will be considered a breach (or violation) of data security.

TRACKING TIME will keep an updated record of incidents with the identification of the type of incident, description and its consequences (notifications, effects and corrective measures) and will prepare a final report on each of them.

7. DRAFTING, UPDATING AND APPROVAL

The responsibilities for drafting, updating and approving the Policy, in order to achieve a correct segregation of duties that avoids the existence of conflicts of interest, are distributed as follows:

  • The development and updating of the Policy is the responsibility of the Security Officer with the support of the Controllers.

  • The Management of the Company studies and proposes its approval.

  • Review of compliance with the Policy is the responsibility of Internal or External Audit.

Its content is reviewed and updated at least once a year and as often as necessary to reflect significant changes that affect any of the elements that make up this Policy.

Any changes we make to our policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our policy.
