The CMR is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, rest assured that it will only be used in accordance with this privacy statement.
The CMR may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 25/05/2018, the starting date of the new GDPR.
What personal data we collect and why we collect it
We will collect your basic personal data from the contact form in order to reply to you properly and as soon as possible and we will keep it in order to contact you in the future. If you want to remove your data from our register, you just have to contact us. No external partner of this website will collect any personal data.
It is not possible to leave comments on the website. Comments can be submitted exclusively through the “Contact us” page.
If you upload images to the website, you should avoid uploading images that include embedded location data (EXIF GPS). Visitors to the website can download and extract any location data from images on the website.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after one day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
We use Google Analytics to track the number of visitors and where they come from; no other personal data will be provided or used by us.
Who we share your data with
We will not share any personal data with anyone.
How long we retain your data
We store the personal information that registered users (if any) provide in their user profile. All users can see, edit, or delete their personal information at any time (except their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, you can request to receive an exported file of the personal data we hold about you, including any data you have provided us with. You can also request the removal of any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
You can contact us about your privacy at this email address: firstname.lastname@example.org
What data breach procedures we have in place
The policy is designed to aid compliance with the General Data Protection Regulation or GDPR, and takes account of the Article 29 Data Protection Working Party’s guidance on personal data breach notifications.
As the Working Party state in that guidance, “controllers and processors are … encouraged to plan in advance and put in place processes to be able to detect and properly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary”.
A formal personal data breach notification procedure is recommended by the Working Party: “To aid compliance with Articles 33 and 34, it would be advantageous to both controllers and processors to have a documented notification procedure in place, setting out the process to follow once a breach has been detected, including how to contain, manage and recover the incident, as well as assessing risk, and notifying the breach”.
“Personal data breach” under the GDPR covers more than just the unauthorised disclosure of personal information. The phrase is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company”.
The policy covers three different types of notification: (i) notifications by a data controller to a supervisory authority, such as the Information Commissioner’s Office in the EU; (ii) notifications by a data processor to the data controller whose data is the subject of the breach; and (iii) notifications by a data controller to data subjects, ie human beings. Three schedules to the policy contain notification forms, one for each type of notification.
Whilst the policy does cover incident detection and response in summary form, it is primarily concerned with notification, and larger organisations at least should combine this document with more detailed policies covering detection and response. Moreover, the policy focuses upon personal data breaches, not information security incidents generally.
The policy is not designed for use in relation to any non-GDPR data breach notification rules and – if any other such rules apply to the relevant business – the policy would need to be adapted accordingly before use.