1. Introduction
This GDPR Policy is intended to ensure that riskFORCE.io and its parent company LastRecord, LLC comply with the General Data Protection Regulation (GDPR) and protect the privacy rights of our customers and employees. This policy outlines the measures we take to safeguard personal data and ensure that it is processed lawfully, fairly, and transparently.
2. Scope
This policy applies to all personal data processed by riskFORCE.io and LastRecord, LLC, whether on paper or electronically, and includes data relating to our customers, employees, contractors, and suppliers.
3. Definitions
In this policy, the following terms have the meanings set out below:
- "Personal data" means any information relating to an identified or identifiable natural person (data subject).
- "Data subject" means an individual who is the subject of personal data.
- "Processing" means any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4. Principles of Data Protection
riskFORCE.io and LastRecord, LLC are committed to complying with the GDPR's principles of data protection, which include the following:
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
5. Lawful Bases for Processing Personal Data
riskFORCE.io and LastRecord, LLC will only process personal data where we have a lawful basis to do so. The lawful bases for processing personal data under the GDPR are:
- Consent: the data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract: the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation: the processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests: the processing is necessary to protect the vital interests of the data subject or another natural person.
- Public interest: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data
