Intellectual property
The copyright of the present internet site and the elements that compose it such as texts, stationery or animated visuals, logos, or others, belongs to Ampersand World SA, in accordance with the Federal Law on Copyright and Associated Laws (Copyright Law – Loi sur le Droit d’Auteur, LDA). Ampersand World SA only authorises you to display the present internet site for personal and private reasons and excludes its display or distribution in a public context. Authorisation to copy is only granted to you in digital form on the computer used for consultation with the objective of displaying pages opened by your browser. Paper copies are authorised for private usage only. The internet user cannot copy in any way whatsoever, nor download, offer for sale, resell, distribute, retransmit, publish, or download automatically, in any form whatsoever, any data available or hosted on the Ampersand World internet site. Any usage requires the prior special written permission of Ampersand World SA. Abusive appropriation of distribution rights will be sanctioned by the regulatory and legal dispositions relative to the Federal Law on Copyright.Brand names and other names appearing on the site are the property of Ampersand World SA or its commercial partners. You are not authorised to copy them.
Absence of guarantees as to the content of the present internet site
Ampersand World SA has done its best to compile and present the information contained in the present internet site. The information published on the Ampersand World SA internet site, including its visual presentation and features, is not contractually binding. This information does not in any way constitute an assertion, a guarantee or any commitment whatsoever on the part of Ampersand World SA regarding any product or service. The information available on the present internet site has been compiled from several sources and is subject to modification without notice. Ampersand World SA declines all responsibility, be it deliberate or implicit, as to this information’s completeness, exactitude or appropriateness to a given objective. Ampersand World SA has made every effort to insure that the information accessible through the intermediary of its internet site is correct. However, we do not guarantee in any way that this information is correct, complete or up-to-date. Ampersand World SA does not offer any guarantee, deliberate or tacit, concerning its internet site as a whole or a part of it. In no case can Ampersand World SA be held responsible for any direct or indirect damage, of whatever nature, resulting from usage of its internet site. Neither Ampersand World SA nor its host can be held responsible for the contents of sites or resources available on the internet network to which hypertext links have been provided. Ampersand World SA declines all responsibility concerning the content of sites linked to the Ampersand World SA internet site. Ampersand World SA declines all responsibility as to the relevance of the information supplied and the use that an internet user is likely to make of it.
1. Scope and object of the terms and conditions of use
1. All the terms and conditions set out below are in respect of the related services, which are offered by the company Ampersand World S.A. (“Ampersand World”), at various domain names (https://ampersand-world.com, among others), to persons seeking jobs in the labour market.
2. These terms and conditions govern the use of the Applicant Area and the Premium Services. For all users of the Premium Area and the services offered, these terms and conditions of use apply exclusively, even if they are being used or accessed from outside of Swiss territory.
3. By registering on Ampersand World and thereby gaining the ability to use the Premium Area in its entirety, the user formally declares that he/she has read and understood the terms and conditions of use, and agrees to their application. Registration on Ampersand World’s domain names and, consequently, use of the Premium Area is prohibited for any user who will not accept the terms and conditions of use. Persons less than 18 years old may not use Ampersand World’s Premium Services either.
4. Unless explicitly otherwise stated, new versions, updates and other new services that supplement or improve the current version of the Premium Services are also subject to these terms and conditions of use. The Premium Services are offered in the version thereof approved by Ampersand World, subject to availability.
2. Ampersand World’s Premium Services/Availability
1. Ampersand World’s Premium Services constitute an online career-management service, which makes available to users additional services that complement the basic services for monitoring their applications, access to exclusive offers and preferential contact with Ampersand World’s team.
2. Ampersand World offers Internet users the chance to use the platform made available at the domain names, along with a variety of services for seeking a job. Each user can register once for Ampersand World Basic free of charge, offering him/her the chance to make partial use of the Ampersand World website. Full use of the Premium Services with all their functions is only possible once a paid Premium subscription has been taken out (see clause 6).
3. Registration for the Premium Services confers on the user the inalienable and non-exclusive right to use, personally and for his/her own purposes, the services on the Ampersand World web portal, pursuant to these terms and conditions of use. Any other use of the Premium Services requires the express, written, advance and specific consent of Ampersand World. This applies, without prejudice to the legal requirements in respect of the right of reproduction, specifically to the reproduction and to the assignment or provision of the Ampersand World service or of copies or parts of that service to third parties, for valuable consideration or free of charge, including when such use takes place on computers that belong to the user.
4. Ampersand World reserves the right to modify, interrupt or cancel, temporarily or permanently, all or part of the functions of the software, with or without notice to the user. The user declares that he/she accepts Ampersand World’s lack of responsibility, both to him-/herself and to third parties, in the event of modification, interruption or cancellation, temporary or permanent, of all or some of the services.
3. Copyright and other protected rights
1. All Ampersand World content is protected by copyright. The copying of content without Ampersand World’s written consent is prohibited.
2. The Premium Services are the property of Ampersand World. In particular, the source code and other developments necessary for its functioning are the exclusive property of Ampersand World. Ampersand World can, at its sole discretion, develop, use, sell or licence any piece of software or similar tool for data-processing or relating to the developments carried out by Ampersand World.
4. Data protection
1. The security and processing of applicant-users’ personal data are of particular concern for Ampersand World’s Applicant Space. Ampersand World’s Applicant Space undertakes to respect the legal requirements in respect of data protection. In addition, Ampersand World’s legal notices in respect of data protection apply.
2. Notice is hereby given that Ampersand World’s Applicant Space records applicant-users’ data in a form readable by computer for the digital processing of those data. Personal data will be collected, recorded and used in the context of the service agreement. Personal data are those that contain information about a given applicant-user’s personal and physical configuration. They are recorded electronically. In addition, the websites’ login details will be stored.
3. The applicant-user is liable for the use that he/she makes of his/her Ampersand World login details (e-mail address and password).
4. By registering with Ampersand World, the user agrees to the collection, use and analysis of his/her data, as stated in the Privacy Policy. The applicant-user consents to Ampersand World’s Applicant Area using his/her anonymised data for the purposes of advice, advertising and market research, and of the improvement and development of the service, depending on its needs. Any applicant-user may object to the passing-on to third parties of his/her pseudonymised data for the purposes of advice, advertising and market research, and to the creation of anonymised user profiles. To exercise his/her right to object, the applicant-user merely has to send an email to contact@ampersandworld.ch. In addition, Ampersand World’s legal notices in respect of data protection apply.
5. The purpose of the collection of data is to provide users with an effective, fast and targeted service. The analysis of users’ data, whether recorded or not recorded on Ampersand World, is necessary for the continual improvement of Ampersand World’s services. For that purpose, Ampersand World will use the information voluntarily provided by the user during the registration process and the information provided during the creation of the user profile to analyse the data anonymously. The user’s identity will actually remain unknown and cannot be matched to the user’s personal data.
6. The personal preferences entered by the user are recorded. This enables each applicant-user to be sure that his/her personal preferences will be in place when he/she starts each new session (in other words, each time he/she logs in). To achieve that, Ampersand World generally uses what are known as “cookies”. A cookie is a text file that makes it possible to store information about the user on his/her computer. The data stored in a cookie are anonymous and are not linked, without your permission, to personal details that could identify you. The user has the option of deciding, at any time, whether he/she wants to accept cookies or not, by changing the settings of his/her browser. If the user refuses cookies, it can have negative effects on the unrestricted use of the site.
7. Our site uses Google Analytics, the web traffic tool of Google Inc. (“Google”). Google Analytics uses what are known as “cookies”: text files that are saved on your computer and enable analysis of your use of the site.
8. The user expressly consents to receiving newsletters via e-mail. These newsletters form an integral part of the service and give the user regular updates on current issues relating to the labour market and recruitment, and to news about Ampersand world and about its partners’ offers. Messages will also be specifically sent to some members. The user can unsubscribe from the newsletter at any time by following the link given at the end of each newsletter.
9. Should the user wish to amend, rectify or erase his/her personal data, he/she will be able to do so at any time, through his/her personal account in the site’s Applicant Area. When a user erases his personal data, he/she permanently deletes his/her Ampersand World account. Should the user amend the data in his/her own account, the old data will automatically be erased. In that event, there is no need for rectification or cancellation. Ampersand World cannot be held responsible if some data remain available after erasure, as a result of caching or proxy servers.
10. The applicant-user has the right to be informed, at any time and free of charge, by our service in respect of the personal data recorded relating to him/her. This information will be communicated to him/her in writing. Requests for information shall be sent in writing, enclosing a copy of the user’s identity document, to Ampersand World SA | 36 rue de Lausanne | CH-1201 Genève | Switzerland.
5. Conclusion of the contract
1. The user declares to Ampersand World that he/she is aged 18 or over.
2. Ampersand World is entitled to check the user’s personal data by means of the appropriate official documents. The user therefore promises that he/she will send Ampersand World photocopies of his/her official documents, should the latter so request, in particular his/her identity document.
3. The contract is deemed to have been concluded once the user has successfully signed up to Ampersand World. By registering, the user declares his/her acceptance that these terms and conditions apply.
6. Charges
1. The creation of a profile and any changes thereto are free of charge. Also free of charge, the user can look at and apply for offers on line (except for exclusive Premium offers, available to all after a certain time) and receive notifications that new positions have been posted on line (job alerts).
2. If the user wants access to all Premium functions with no restrictions, he/she can only do so by taking out a Premium Subscription.
3. You can see the Premium Subscription prices here.
4. Should the user wish to subscribe to the Premium Services, he/she will be notified of their chargeable nature in advance. The charges and means of payment are explained.
5. Any complaint about the amount of the charges debited or invoiced shall be sent to Ampersand World in writing, no later than 7 days after the sums have been debited.
7. Payment conditions
1. The charges for the Premium Subscription shall be paid in advance to Ampersand World, pursuant to the terms and conditions for the type of subscription taken out. The charges are automatically debited from the user’s account or transferred by him/her. For a Premium subscription, the payment intervals are based on the agreed monthly subscription payment.
2. By taking out a Premium subscription and communicating his/her bank or credit card details, the user gives Ampersand World prior consent to take direct debit or credit card payments to cover the charges for the agreed validity term and renewals thereof.
8. User’s obligations
1. The user has sole liability for the content of his/her profile.
2. The user is prohibited from uploading sexual, pornographic, immoral, extremist or otherwise unlawful content onto his/her profile. Setting up a profile on behalf of third parties is also prohibited.
3. The photos sent to Ampersand World for use on a profile shall be current and shall enable the user to be identified. His/her face shall be visible in its entirety. Ampersand World is not, under any circumstances, liable for any breaches of third parties’ copyright over images.
4. Any use of Ampersand World’s websites or databases for another purpose is prohibited. In particular, the following are prohibited: the collection and storage of data taken from the database and its use, in whole or in part, or by means of the extraction of data from the Internet for the sale of addresses, or as a database or resource for compiling or adding to lists of, among other things, participants or addresses, or the consultation of on-line databases for the purposes set out above or for other commercial purposes.
5. The user is prohibited from using mechanisms, software or scripts in relation to the use of Ampersand World’s websites and databases, and from the blocking, overwriting, modifying or, in particular, copying of Ampersand World’s websites and databases, using web search robot technology. The user may, however, use the interfaces and software offered by Ampersand World in the context of the services offered on Ampersand World websites.
6. The user shall also refrain from any action that could harm Ampersand World’s infrastructure and, in particular, could place an excessive burden thereon.
9. Term and termination
1. The Premium subscription is concluded for a term agreed with Ampersand World (1, 3, 6 or 12 months). Unless the subscription is terminated before the agreed term is completed, it is tacitly renewed for the same term each time. Any claims coming after the renewal of the subscription will be deemed invalid. Termination at the and of the validity period can take place one month before the Premium Subscription falls due, in the user’s personal section: “My account”, under “Premium Subscription”. In the event of an automatic renewal, termination can also take place one month before the renewal date.
2. Where a user breaches these terms and conditions of use, Ampersand World is entitled, at any time, to block his/her access, or to completely erase the corresponding registration and terminate the licensing agreement with immediate effect. When reaching its decision, Ampersand World will take into account the significance of the breach along with its own legitimate interests, and will also take into consideration whether the breach is one for which the user has no liability or one which constitutes a criminal offence.
3. In the event that a user’s access is blocked as a result of breach of contract, Ampersand World retains the residual credit balance, in proportion to the period elapsed, plus administrative processing fees in the amount of CHF 50.
4. At the end of the contract, all the user’s data are retained in his/her Candidate Area.
10. Warranty
1. In the event of a defect, Ampersand World may repair it or offer alternative solutions (subsequent performance). While Ampersand World’s attempts at subsequent performance are still under way or have not definitively failed, the user has no right to a reduction in the agreed remuneration or to withdrawal. In the event that subsequent performance fails, the user can have the price reduced or withdraw from the contract, provided that the defect at issue is sufficient. If the defect is negligible, withdrawal is not permitted. The user shall offer Ampersand World sufficient assistance in its attempts at subsequent performance.
2. The warranty does not apply if the user cannot reproduce the error or cannot demonstrate it by means of computer readouts.
3. Ampersand World incurs no liability in respect of the data used. Ampersand World disclaims all other warranties of absence of virus.
11. Limitation of liability
1. Regardless of the legal grounds, Ampersand World’s liability is limited to damage caused intentionally or due to serious negligence.
2. Should Ampersand World’s be held liable for a case of simple negligence, the entitlement to indemnification shall not exceed the total sums paid to Ampersand World.
3. Consequential damages are entirely excluded, particularly those relating to data losses and lost profits.
4. Where Ampersand World’s liability is excluded, that exclusion also applies to the personal liability of Ampersand World’s workers, employees, subcontractors, representatives and vicarious agents.
5. Both parties acknowledge that, with the current state of technical knowledge, programming errors cannot be excluded, even when the greatest care has been taken and operation has been without interruptions or faults, so the complete elimination of potential programming errors cannot be guaranteed.
6. Ampersand World disclaims all liability for the functioning of the website and in no way guarantees the truthfulness, relevance, reliability, accuracy or correctness of the information contained thereon.
7. In particular, Ampersand World disclaims all liability in the event of interruption, change to the functioning or destruction of its website due to force majeure, to strikes, to lockouts, to technical difficulties or to structural damage outside its control.
8. Ampersand World may not be held liable for the unauthorised and wrongful discovery of users’ personal data by third parties (for example, by means of the database being hacked), or for third parties benefiting from information and data made available to them by users, for example through disclosure of their password.
12. Amendments to the terms and conditions
1. Ampersand World reserves the right to amend these terms and conditions of use.
2. Ampersand World will give the user timely notice of amendments to the terms and conditions of use and to the licensing agreement. Should the user not object to the amendment within a period of two weeks starting from the day after the notice of amendment, the amendment shall be deemed accepted. Should the user not accept the amendment, Ampersand World reserves the right to terminate the agreement starting from the end of the agreed validity period; the user shall no longer use Ampersand World’s service starting from the date on which the termination comes into force.
3. The notice of amendment shall include, in addition to an indication of the amended text, a reminder of the user’s option of objecting and of the period granted to the user in which to do so, along with the meaning and even the consequences of failure to object. The notice of amendment can be sent by means of e-mail, among other means, to the address given by the user.
13. Other terms and conditions
1. Ampersand World may exclude users – without notice and without stating grounds – from continuing to use some or all of Ampersand World’s services. It may also reject some profiles.
2. If an excluded user continues, despite his/her exclusion, to use Ampersand World’s on-line offering or tries, in this way, to conclude a Premium service, for example under another identity, Ampersand World expressly reserves the right to bring legal proceedings.
3. Ampersand World’s operations are at the sole discretion of Ampersand World. Ampersand World is authorised, but not required, to examine the content of any text or photograph stored in respect of the directives serving as the basis hereof and, where necessary, to amend or erase them.
4. Ampersand World reserves the right, among other things, to claim damages in the event of a breach of these terms and conditions of use or other breaches of legislation.
5. The contractual relationships between Ampersand World and each user are governed solely by Swiss law and the competence of the courts of Geneva, with the exception of appeals to the Federal Supreme Court in Lausanne.
6. The present or future invalidity of any of the clauses of these terms and conditions does not affect the validity of the other clauses.
Personal Data Protection Policy
1. Purpose, Scope and Users
Ampersand World, hereinafter referred to as the “Company”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data. This Policy applies to the Company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA. The users of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.
2. Reference Documents
• EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
• Employee Personal Data Protection Policy
• Data Retention Policy
• Data Protection Officer Job Description
• Guidelines for Data Inventory and Processing Activities
• Data Subject Access Request Procedure
• Data Protection Impact Assessment Guidelines
• Cross Border Personal Data Transfer Procedure
• Breach Notification Procedure
3. Definitions
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;
Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;
Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.
“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; “Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation; Group Undertaking: Any holding company together with its subsidiary.
4. Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
4.1. Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
4.2. Purpose Limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3. Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
4.4. Accuracy: Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
4.5. Storage Period Limitation : Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
4.6. Integrity and confidentiality: Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
4.7. Accountability: Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
5. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.
5.1. Notification to Data Subjects: (See the Fair Processing Guidelines section.)
5.2. Data Subject’s Choice and Consent: (See the Fair Processing Guidelines section.)
5.3. Collection: The Company must strive to collect the least amount of personal data possible. If personal data is collected from a third party, Ampersand World must ensure that the personal data is collected lawfully.
5.4. Use, Retention, and Disposal: The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. Ampersand World is responsible for compliance with the requirements listed in this section.
5.5. Disclosure to Third Parties: Whenever the Company uses a third-party supplier or business partner to process personal data on its behalf, Ampersand World must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks. For this purpose, the Processor GDPR Compliance Questionnaire must be used.
The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the Supplier Data Processing Agreement.
5.6. Cross-border Transfer of Personal Data: Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.
5.7. Rights of Access by Data Subjects: When acting as a data controller, Ampersand World is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
5.8. Data Portability: Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. Ampersand World is responsible to ensure that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
5.9. Right to be Forgotten: Upon request, Data Subjects have the right to obtain from the Company the erasure of its personal data. When the Company is acting as a Controller, Ampersand World must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
6. Fair Processing Guidelines
Personal data must only be processed when explicitly authorised by Ampersand World.
The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.
6.1. Notices to Data Subjects: At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, Ampersand World is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through Privacy Notice.
If your company has multiple data processing activities, you will need to develop different notices which will differ depending on the processing activity and the categories of personal data collected – for example, one Notice might be written for mailing purposes, and a different one for shipping purposes.
Where personal data is being shared with a third party, Ampersand World must ensure that data subjects have been notified of this through a Privacy Notice.
Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.
Where sensitive personal data is being collected, the Data Protection Officer must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.
6.2. Obtaining Consents: Whenever personal data processing is based on the data subject's consent, or other lawful grounds, Ampersand World is responsible for retaining a record of such consent. Ampersand World is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
Where collection of personal data relates to a child under the age of 16, Ampersand must ensure that parental consent is given prior to the collection using the Parental Consent Form.
When requests to correct, amend or destroy personal data records, Ampersand World must ensure that these requests are handled within a reasonable time frame. Ampersand World must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Data Protection Officer is responsible for complying with the rules in this paragraph.
Now and in the future, Ampersand World must ensure that collection methods are compliant with relevant law, good practices and industry standards.
Ampersand World is responsible for creating and maintaining a Register of the Privacy Notices.
7. Organization and Responsibilities
The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with the Company and has access to personal data processed by the Company.
The key areas of responsibilities for processing personal data lie with the following organisational roles:
The board of directors or other relevant decision making body makes decisions about, and approves the Company’s general strategies on personal data protection.
The Data Protection Officer (DPO) or any other relevant employee, is responsible for managing the personal data protection program and is responsible for the development and promotion of end-to-end personal data protection policies, as defined in Data Protection Officer Job Description;
The Legal Affairs Department/Counsel together with the Data Protection Officer, monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals.
The IT manager, is responsible for:
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.
The Marketing manager, is responsible for:
• Approving any data protection statements attached to communications such as emails and letters.
• Addressing any data protection queries from journalists or media outlets like newspapers.
• Where necessary, working with the Data Protection Officer to ensure marketing initiatives abide by data protection principles.
The Human Resources Manager is responsible for:
• Improving all employees' awareness of user personal data protection.
• Organizing Personal data protection expertise and awareness training for employees working with personal data.
• End-to-end employee personal data protection. It must ensure that employees' personal data is processed based on the employer's legitimate business purposes and necessity.
The Procurement Manager is responsible for passing on personal data protection responsibilities to suppliers, and improving suppliers' awareness levels of personal data protection as well as flow down personal data requirements to any third party a supplier they are using. The Procurement Department must ensure that the Company reserves a right to audit suppliers.
8. Guidelines for Establishing the Lead Supervisory Authority
8.1. Necessity to Establish the Lead Supervisory Authority: Identifying a Lead supervisory authority is only relevant if the Company carries out the cross-border processing of personal data.
Cross border of personal data is carried out if:
a) processing of personal data is carried out by subsidiaries of the Company which are based in other Member States; or b) processing of personal data which takes place in a single establishment of the Company in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
If the Company only has establishments in one Member State and its processing activities are affecting only data subjects in that Member State than there is no need to establish a lead supervisory authority. The only competent authority will be the Supervisory Authority in the country where Company is lawfully established.
8.2. Main Establishment and the Lead Supervisory Authority
8.2.1. Main Establishment for the Data Controller
The [top management of the Company] needs to identify the main establishment so that the lead supervisory authority can be determined.
If the Company is based in an EU Member State and it makes decisions related to cross-border processing activities in the place of its central administration, there will be a single lead supervisory authority for the data processing activities carried out by the Company.
If Company has multiple establishments that act independently and make decisions about the purposes and means of the processing of personal data, Ampersand World needs to acknowledge that more than one lead supervisory authority exists.
8.2.2. Main Establishment for the Data Processor
When the Company is acting as a data processor, then the main establishment will be the place of central administration. In case the place of central administration is not located in the EU, the main establishment will be the establishment in the EU where the main processing activities take place.
8.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors
If the Company does not have a main establishment in the EU, and it has subsidiarie(s) in the EU, then the competent supervisory authority is the local supervisory authority.
If the Company does not have a main establishment in the EU nor the subsidiaries in the EU, it must appoint a representative in the EU, and the competent supervisory authority will be the local supervisory authority where the representative is located.
9. Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual personal data breach, Ampersand World must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Policy. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.
10. Audit and Accountability
The Audit Department or other relevant department is responsible for auditing how well business departments implement this Policy. Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
11. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Ampersand World operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.