1.1 Here at CMS Systems Solutions Ltd (“CMS”) we take both our clients’ as well as our personnel privacy and personal information seriously. For this reason, this Privacy Policy was developed in order to demonstrate CMS’s commitment to both our clients’ as well as our personnel privacy.

1.2 This Privacy Policy explains what Personal Information is and how CMS collects, uses, holds, protects and processes this information during the course of providing our clients with a wide range of professional services.

This Privacy Policy also explains what Personal Information in relation to its personnel is and how CMS collect, uses, holds, protect and processes such information.

1.3 This Privacy Policy should be read in conjunction with CMS’s Terms of Use .

1.4 In addition to this Privacy Policy, CMS has also published a privacy policy related to the usage of its website, being the Website Privacy Policy.

1.5 As used herein, note that the following terms shall have the meanings as presented below:

-“Data subject” is any person whose personal information is being collected, held or processed.

-“Personal Information” or personal data of a data subject as defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) is ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

-“Cloud Services” means computing resources provided by way of the Internet and may include the provision of storage, software, platform, computing services or other resources.

-“Website” means www.cms-ss.com.

1.6 CMS is not required to appoint a specific Data Protection Officer since it is doesn’t meet the criteria presented in the GDPR.

However, CMS is aware and is regularly informed regarding the GDPR requirements and processes including its responsibilities and data subjects’ rights, and has in place procedures to ensure that CMS is compliant with the related requirements.

If you have any questions about this Privacy Policy, please contact us at:

Physical Address:

CMS Systems Solutions Ltd
22 Athinon Street,
Strovolos, Nicosia 2040
Cyprus

Postal Address:

P.O.Box 28029
Nicosia 2090
Cyprus

Telephone: +357 22817503

Fax: +357 22817516

E-mail: info@cms-ss.com.

3.1 CMS collects Personal Information directly from its clients and its personnel.

3.2 CMS uses and discloses Personal Information obtained from its clients only as described and up to the extent that each client has provided its consent for and as described in this Privacy Policy and CMS’s Terms of Use .

3.3 A client can withdraw its consent at any time by communicating this to info@cms-ss.com.

3.4 CMS uses and discloses Personal Information obtained from its personnel only as described in this Privacy Policy.

CMS collects Personal Information through a variety of means as presented below:

4.1 Through a contract

When a client becomes a contractual party to related agreements with CMS
When a client completes an order form regarding a purchase of CMS products and/or services (including purchasing licence and licence renewal)
When a client completes and returns the Client Communication Details Confirmation document to CMS

4.2 Through serving legitimate interests

When a client contacts CMS for support on technical or other related issues and for the usage of the software products and services that it has obtained from CMS
During the provision of the support services to its clients, CMS collects
Personal Information through the following means to be able to provide the support that each client needs in a case-by-case situation:
When a client through a telephone communication requests CMS assistance on a matter regarding CMS’s products or services.
When a client registers and uses the Cloud Services as offered by CaseWare Cloud Ltd, where the client may provide CMS with documents that it needs CMS’s assistance with.
Clients can choose not to provide Personal Information to CMS, but it may mean that CMS will be unable to provide them with support services to the extent that they may need it in a case-by-case situation.
When a data subject registers and attends Trainings organised by CMS for the usage of CMS products and services
When a user logs in the website to download the current version of various CMS products that he purchased

For more information regarding the privacy policy of the usage of CMS’s website please refer to the Website Privacy Policy.

4.3 Through obtaining consent from a data subject

When a data subject gives its consent to CMS through other ways than the above, in order for CMS to use its Personal Information for specific purposes

In the event that the consent is provided in such a way, then the consent can be withdrawn by the data subject at any time.

4.4 Through employment process

When a prospect employee provides its curriculum vitae and application form that includes Personal Information to CMS for a potential employment
When a data subject enters into an employment contract with CMS

5.1 Through contracts

Contact details of the data subject that enters into an agreement of any form representing the client. These include full name, address, telephone and e-mail.

Additionally, CMS may require some other form of Personal Information which will be communicated directly to the data subject upon request

5.2 Through the purposes of serving legitimate interests

Full name and contact details of the data subjects including e-mail address and telephone number.

Additionally, CMS may require some other form of Personal Information which will be communicated directly to the data subject upon request.

5.3 Through obtaining consent from a data subject
Full name and contact details of the data subjects including e-mail address and telephone number.

5.4 Through employment contract and other employment related documents

Full name and contact details of the employee including personal address, personal e-mail address, personal mobile telephone and home telephone.

Details of the bank that the data subject prefers to obtain its salary through including its IBAN number and bank account number.

Other personal details of the employee including TIC, Social Insurance and ID number.

In the case that the employee was previously employed somewhere else during the year, documentation from its previous employer is obtained that states all the details of the salary that the data subject obtained during the year.

CMS processes, collects, uses and discloses information including Personal Information for a variety of purposes as presented below:

6.1 For the performance of a contract

CMS processes Personal Information based on the contracts and other agreements it has with each client depending on the requirements for each product and/or service.

CMS based on these requirements, could use the Personal information to provide the data subjects with the following:

Invoices and statement

Notifications for updates

Website access to download product updates

6.2 For the purposes of serving legitimate interests

To verify existing client’s identity in order to be able to provide its assistance based on the products and/or services that the client has purchased.

To monitor for internal business management purposes, to improve the service support provision and to facilitate future conversations with clients, by keeping track of the tasks that it has provided its support for (support queries) and the respective users that requested the assistance.

To monitor activity usages of the website in order to improve and manage the services that it provides.

For more information regarding the privacy policy of the usage of CMS’s website please refer to the Website Privacy Policy.

CMS shall not use the Personal Information of any data subject in any other way that those included in this Privacy Policy and the Terms of Use and shall keep confidential all information as disclosed.

To assist the client with a document of any kind that may or may not include Personal Information about others (including any Personal Information of the customers of the client or third parties), if asked to do so.

CMS shall not use the Personal Information about others in any way and shall keep confidential all information as disclosed. This shall be read in line with the Terms of Use .

Following the above, the client should take all necessary steps to obtain all necessary consents to disclose such Personal Information to CMS, and to allow CMS to process such Personal Information in accordance with this Privacy Policy.

To issue personal Training attendance certificates and update our training records. We use that information only if asked by the data subject, such as re-issue a Training attendance certificate and to provide a more complete support service.

6.3 For the reasons that each data subject has provided its consent for

During this process, CMS’s primary usage of the Personal Information of the data subjects could be for the provision of marketing and other related information including but not limited to:

Announcements for new development or new products

Newsletters

Other marketing information

Events notification

Notification for Trainings

Notification regarding related webinars

Other useful information that CMS believes is relevant for them

CMS will only provide the above information to data subjects that have given their consent to be notified for these purposes.

6.4 For personnel and prospect employees related matters

During the employment of each data subject, CMS uses the Personal Information to calculate and pay its employees’ wages and salaries, social insurance and related taxes.

During the employment process, CMS uses the information obtained through the prospect employee’s curriculum vitae, application form and personal interviews to decide regarding the potential employment of the prospect data subject and how it will continue through the employment process.

If the employment with CMS is terminated, then CMS uses the personal information obtained for archive and historical purposes.

If the prospect employee doesn’t enter into an employment contract with CMS, then CMS uses the personal information obtained for archive purposes.

Both CMS and its employees shall not use the Personal Information of any employee or previous employee or prospect employee in any other way that those included in this Privacy Policy and shall keep confidential all information as disclosed.

6.5 To comply with CMS’s legal obligations, resolve disputes, and enforce agreements

CMS will retain and use Personal Information as obtained from its clients and its personnel, as necessary to comply with the above.

CMS during the provision of the support services to its clients, and in line with the Terms of Use, could provide its services remotely using the Cloud Services as offered by CaseWare Cloud Ltd.

During this process, the data subject should register to the Cloud Services and could provide CMS with documents that it needs CMS’s assistance with.

During this process, CMS obtains the client’s e-mail address.

CMS should not be considered liable in the case where a client provides CMS with documents through any other means including e-mail. Since the Internet is not in itself a secure environment, it is CMS’s opinion that the Cloud Services offered by CaseWare Cloud Ltd provide a more secured environment than other means including e-mail communications.

For more information about CaseWare Cloud Ltd Cloud Services please refer to “CaseWare Cloud Privacy Policy” .

CMS shall not use the Personal Information about others in any way, and shall keep confidential all information as disclosed. This shall be read in line with the Terms of Use .

Following the above, the client should take all necessary steps to obtain all necessary consents to disclose such Personal Information to CMS, and to allow CMS to process such Personal Information in accordance with the Terms of Use as well as this Privacy Policy.

8.1 Client Personal Information

CMS shall keep the Personal Information regarding each data subject for as long as the data subject has a business relationship or represents a legal entity that has business relationship with CMS.

In the event where the business relationship between the client and CMS ceases, then CMS as a general rule shall retain the Personal Information obtained for at least two years following the termination date, taking into account any additional legal requirements that may exist.

8.2 Personnel and prospect employees Personal Information

CMS shall keep the Personal Information regarding each employee for the whole length of their employment with CMS.

In the event where the employment is terminated then CMS as a general rule shall retain the Personal Information obtained for at least two years following the termination date, taking into account any additional legal requirements that may exist.

In the event where the prospect employee doesn’t enter into an employment contract with CMS then CMS as a general rule shall retain the Personal Information obtained for at least two years following the date that it obtained the Personal Information.

9.1 CMS uses an internal CRM System to store the following full licensing and contact details for all of its contracted customers, the primary contacts within customer businesses, users who contact the support services and users that have provided their consent to be notified about marketing and other relation information as presented above.

The information regarding the primary contacts within each customer business is being reviewed and updated accordingly by each client during the renewal notification process.

In addition, CMS stores information regarding the support queries that each user has requested assistance for during the provision of support services.

9.2 CMS stores and transfer its clients Personal Information within the European Economic Area in compliance to GDPR or equivalent regulations and standards.

9.3 CMS during the provision of the support services, may be required in rare cases to transfer information, data or documentation, to its respective suppliers through CaseWare International Inc. systems, in order to be able to fully assist its clients. In such cases the documentation/information that its clients provide CMS with, will be transferred outside the EU. The parties that will obtain the information in these cases have in place standards similar to the EU data protection standards.

In such cases, CMS will request written permission from its clients prior of transferring the documentation/information.

9.4 CMS uses third party data hosting providers (Hostgator) to host its website. For information about Hostgator’s Terms of Service please refer to “Hostgator’s Terms of Service”.

9.5 CMS uses the Cloud Services as offered by CaseWare Cloud Ltd, which uses third party hosting providers (Amazon Web Services) to host its Cloud Services and Subscriber Data on servers that are located within the EU region.

For more information about CaseWare Cloud Ltd Cloud Services please refer to “CaseWare Cloud Privacy Policy” .

10.1 CMS has in place secured internal servers and is committed to protecting the security of the information including Personal Information as disclosed to it and takes all reasonable precautions to protect it from unauthorized access, modification and disclosure.

10.2 However, CMS cannot give an absolute assurance that Personal Information will be secure at all times, since the Internet is not in itself a secure environment.

11.1 As per GDPR a personal data breach means “A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

11.2 For the purposes of this Privacy Policy, a breach of the data security policy occurs when an identified weakness in the system or policies indicates a breach of data, information security policy or failure of safeguards.

11.3 In the event that any actual or suspected data security breach took place, the steps that should be followed depend on the severity, nature and extent of the breach as well as the type of breach (if it was an internal personnel breach or external party breach). In all cases the Management Team that deals with such matters should be notified immediately.

11.4 All details concerning the security data breach or incident should be recorded in writing in due course by the designated individual within the related Management Team. The details that should be recorded should include the timing, the nature, source and extent of the breach, details of any data loss and damages that were resulted from the breach, any future risks that may result from the breach and future steps to ensure that this doesn’t happen again, details of who discovered the incident and their steps, assessment of the necessity to inform the data subject and subsequent actions to be followed.

In line with the above assessment, an investigation of the incident needs to take place to establish the facts and decide regarding the subsequent actions to be followed. During this investigation the full facts of the data breach should be examined in order for the risks, issues and root causes to be identified and the appropriate recommendations to address these issues to be of an appropriate nature. During this investigation the responsible person should interview people involved, inspect the any equipment and location involved and examine any physical evidence and documentation that is available.

11.5 In the event that an internal personnel breach took place meaning that a member of CMS staff undertook a breach of data security policy, then the procedures that CMS should follow are according to the internal standard disciplinary procedures that CMS has in place.

11.6 In the event that an external or third-party breach took place meaning that the breach was caused by a CMS external agent, representative or any other third-party, then CMS should notify the Management Team that deals with such matters should immediately.

11.7 In all cases, CMS shall notify accordingly the relevant data subject if such breach of security took place to its data, if it considers it necessary depending on the nature and extent of the breach. In the case that CMS considers it necessary to inform the data subject, then it shall disclose to it the nature and extent of the breach and the respective threat.

Further, it shall give all necessary assistance to the relevant data subject to prevent or stop such a breach or threatened breach and eliminate further related risks.

It is the client’s and personnel responsibility to ensure that the Personal Information it provides to CMS is as accurate, truthful, complete, reliable, and up-to-date as necessary for the purposes for which it is going to be used.

In addition, it should ensure that it does not infringe the rights of others.

Right of confirmation

Each data subject has the right to obtain from the controller the confirmation as to whether or not its Personal Information are being processed by CMS.

Right of access

Each data subject has the right to access the Personal Information that CMS holds about it, and CMS can provide the information, upon request, within the timeframe as presented in the GDPR.

Right to rectification

Each data subject shall have the right to obtain from CMS the rectification of inaccurate Personal Information that concerns it.

Right to erasure (to be forgotten)

Each data subject has the right to change or delete the Personal Information about it that CMS holds by communicating with CMS, as long as the processing is not necessary. CMS will delete the records within the timeframe as presented in the GDPR.

Right of restriction of processing

Each data subject shall have the right to obtain from CMS restriction of processing the Personal Information that concerns it.

Right to data portability

Each data subject shall have the right to receive the personal data concerning it, which was provided to a controller, and to transmit these data to another controller.

Right to object

Each data subject shall have the right to object, on grounds relating to its particular situation, at any time, to processing of personal data concerning it, which is based on point (e) or (f) of Article 6(1) of the GDPR.

Each data subject has the right to change its preferences for being communicated by CMS for particular purposes.

Automated individual decision-making, including profiling

Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling.

Right to withdraw data protection consent

Each data subject has the right to withdraw its consent at any time by communicating this to CMS.

CMS reserves the right to change this Privacy Policy at any time, and any amended Privacy Policy will be posted immediately on the website.

CMS’s clients will be deemed to have accepted the terms of any amended Privacy Policy following their continued use of the website after any amendments.

CMS’s personnel will be deemed to have accepted the terms of any amended Privacy Policy as long as they are employment with CMS.