Section 11 applies if you are based in the European Union (EU) during your interactions with us and sets out the additional information that we are required to provide to you under European data protection laws.
Under European data protection laws, use of personal information must be based on one of a number of legal grounds and we are required to set out the grounds in respect of each use.
11.1. Legal grounds for use of personal information
The principal legal grounds for our use of your personal information are as follows:
- Consent: where you have consented to our use of your information.
- Contract performance: where we are required to collect and handle your personal information in order to provide you with the products that we have contractually agreed to provide to you.
- Legal obligation: where we need to use your personal information to comply with our legal obligations.
- Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
The legal grounds for our use of the sensitive categories of personal information are:
- Consent: where you have explicitly consented to our use of your personal information. You may withdraw your consent to the use of your personal information.
- Vital interest: where we need to process your personal information in order to protect the vital interests of you or another natural person where you or the other person is physically or legally incapable of giving consent.
- Legal claims: where your personal information is necessary for us to establish, exercise or defend any legal claims.
- Substantial public interest: where we need to process your personal information for reasons of substantial public interest set out in EU law.
11.2. Relevant grounds that apply to each purpose of data processing
In the table below, we have set out the relevant grounds that apply to each purpose of data processing that is mentioned in this Privacy Policy.
Purposes of the data processing |
Use bases |
To provide you with RYCO products and services
|
- contract performance
- legitimate interests (to allow us to perform our obligations and provide our products to you)
For sensitive Personal Data
|
To provide you with commercial credit
|
- consent
- contract performance
- legitimate interests (to allow us to perform our obligations and provide our products to you)
|
For accounting, billing and other internal administrative purposes
|
- contract performance
- legal obligation
- legitimate interests (to allow us to correspond with you)
|
To maintain the integrity and safety of our data technology systems
|
- legal obligation
- legitimate interests (to cooperate with law enforcement and regulatory authorities)
For sensitive Personal Data
- legal claims
- substantial public interest
|
Enforce or defend our policies
|
For sensitive Personal Data
- legal claims
- vital interests
- substantial public interest
|
Investigation of data breaches
|
- legal obligation
- legitimate interests (to cooperate with law enforcement and regulatory authorities)
For sensitive Personal Data
- legal claims
- substantial public interest
|
For marketing purposes
|
- legitimate interests (in order to market to you) and consent (which can be withdrawn at any time)
|
Assessing your application for employment or other arrangement
|
- contract performance
- legitimate interests
|
11.3. Disclosure of information outside the EU
Your personal information will be transferred to, and accessed in, countries outside of the EU and we may be required by law to take specific measures to safeguard this personal information. Certain countries outside the EU have been approved by the European Commission as providing essentially equivalent protections to EU data protection laws and therefore no additional safeguards are required to export personal information from the EU to these jurisdictions. In countries which have not had these approvals, we will use appropriate safeguards to protect any personal information being transferred, such as enhanced IT security measures and entering into standard contractual clauses.
11.4. Retention period
Our retention periods for personal information are based on business needs and legal requirements. We retain personal information for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such information. When personal information is no longer needed, we either securely destroy it, or irreversibly anonymise the information (and we may further retain and use the anonymised information).
11.5. Additional Rights Under EU Law
In addition to the rights outlined elsewhere in this privacy statement, under certain conditions you may have the right under EU data protection law to ask us to:
- provide you with further details on how we use and process your personal information;
- delete personal information we no longer have grounds to process; and
- restrict how we process your personal information while we consider an inquiry you have raised.
In addition, under certain conditions, you have the right to:
- where processing is based on consent, withdraw the consent;
- lodge a complaint with a supervisory authority;
- object to any processing of personal information that we process on the ‘legitimate interests’ or ‘public interests’ grounds, unless our reasons for the underlying processing outweighs your interests, rights and freedoms; and
- object to direct marketing (including any profiling for such purposes) at any time.
You can exercise these rights by contacting us at the details set out at section 13 below.
These rights are subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of client legal privilege).