Cardinus is committed to protecting the privacy of our employees and those who do business with us.
Cardinus develops and supplies a variety of risk management software programs designed to identify risk and allow employers to mitigate that risk to comply with any relevant laws and policies. As such, we collect and use personal data about people, including employees, prospective customers, customers and customers’ employees, in order to carry on our business and meet our customers’ requirements effectively. We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining our customers’ confidence in us.
Any personal data which we collect, record or use in any way whether it is held on paper, on computer or other media will have appropriate safeguards applied to it to ensure that we comply with the Data Protection Act 1998 and the EU-U.S. Privacy Shield Framework.
In Europe, Cardinus endorses and adheres to the eight principles of Data Protection as set out in the Data Protection Act 1998. These principles state that personal data must be:
- fairly and lawfully processed
- processed for limited purposes and not in any other way which would be incompatible with those purposes
- adequate, relevant and not excessive
- accurate and kept up to date
- not kept for longer than necessary
- processed in line with the data subject’s rights
- kept secure
- not transferred to a country which does not have adequate data protection laws.
In the United States, Cardinus complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Cardinus has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
Under the EU-U.S. Privacy Shield, Cardinus remains liable if its service provider or agent processes Personal Information received under the Privacy Shield in a manner inconsistent with Privacy Shield Principles, unless Cardinus was not responsible for the event giving rise to the damage.
Our purpose for holding personal data and a general description of the categories of people and organisations to whom we may disclose it are listed in the Data Protection register.
You may inspect this or obtain a copy from the Information Commissioner’s Office. In order to meet the requirements of the principles, we will:
- observe the conditions regarding the fair collection and use of personal data
- meet our obligations to specify the purposes for which personal data is used
- collect and process appropriate personal data only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the quality of personal data used
- apply strict checks to determine the length of time personal data is held
- ensure that the rights of individuals about whom the personal data is held can be fully exercised under the Act
- take appropriate security measures to safeguard personal data
- ensure that personal data is not transferred abroad without suitable safeguards.
When we collect any personal data from you, we will inform you why we are collecting your data and what we intend to use it for. The data will not be used for purposes other than those for which it was collected, except where required by law. Personal data will be retained only as long as necessary for the fulfillment of those purposes.
Where we collect any sensitive data, we will take appropriate steps to ensure that we have explicit consent to hold, use and retain the information. Sensitive data is personal data about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, details of the commission or alleged commission of any offence and any court proceedings relating to the commission of an offence.
We have a responsible marketing policy and do not give details of our customers or related individuals to any other company. We may contact customers by mail, e-mail or telephone with details of products and services offered by Cardinus. If they do not wish to be marketed to in this way they can write to the Chief Information Officer at Cardinus Risk Management Limited.
Cardinus uses a self-assessment approach to assure compliance with the Data Protection Act and the EU-U.S. Privacy Shield Framework, and periodically verifies that this Privacy Notice is accurate, comprehensive for the information intended to be covered, prominently displayed, and completely implemented and accessible. Cardinus is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Cardinus commits to resolve complaints about your privacy and its collection or use of your Personal Information, and encourages interested persons to raise any concerns using the contact details below. Cardinus will investigate and attempt to resolve any complaints and disputes regarding the collection, use, and disclosure of Personal Information which it processes.
The address for such submission is:
UK and Europe:
Chief Information Officer,
Cardinus Risk Management Limited,
3 East Grinstead House,
Chief Information Officer,
8335 Sunset Blvd,
Cardinus has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to an independent dispute resolution mechanism. If you have an unresolved privacy or data use concern that Cardinus has not satisfactorily addressed, please contact your EU Data Protection Authority for resolution.