Cardinus is committed to protecting all personal data it holds irrespective of its form or where it is located.
Cardinus adheres to all data protection laws in the countries in which it operates and regularly reviews its controls and procedures to ensure continued compliance.
Cardinus offers various risk management software, services and products to organisations and individuals designed to help them identify and control their own organisational risks.
In offering these products and services, Cardinus will often need to process personal data on behalf of the instructing party (the client) with the specific aim of assisting them in understanding and reducing the risks they face. When Cardinus collects, records or uses any personal data, all appropriate safeguards will be applied to ensure the relevant legislation is adhered to at all times.
What will we do with your information
Personal data will not be used for purposes other than those for which it was collected, except where required by law. Personal data will only be retained for as long as is necessary to fulfil those purposes.
Who we share your information with
Cardinus does allow third parties access to certain personal data in order to fulfil their obligation in supplying certain services to its clients. Any third parties granted access must commit to adhering to certain controls and procedures and accept joint liability with Cardinus for their actions when accessing personal data.
We have a responsible marketing policy and do not give details of our customers or related individuals to other companies. We may contact our customers by mail, e-mail or telephone with details of products and services offered by Cardinus if consent has been granted. Consent can be withdrawn at any time by emailing [email protected] or contacting us via the website https://www.cardinus.com.
The lawful basis for Cardinus processing personal data is legitimate interest, and this processing adheres to the key principles of data protection as set out in the GDPR and the UK Data Protection Act 2018:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Individuals have various rights under privacy legislation. A summary of these rights is set out below:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
US & Privacy Shield
Cardinus complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Cardinus has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
Under the EU-U.S. Privacy Shield, Cardinus remains liable if its service provider or agent processes Personal Information received under the Privacy Shield in a manner inconsistent with Privacy Shield Principles, unless Cardinus was not responsible for the event giving rise to the damage.
Cardinus is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
To meet the requirements, Cardinus will:
- observe the conditions regarding the fair collection and use of personal data
- meet our obligations to specify the purposes for which personal data is used
- collect and process appropriate personal data only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the quality of personal data used
- apply strict checks to determine the length of time personal data is held
- ensure that the rights of individuals about whom the personal data is held can be fully exercised
- take appropriate security measures to safeguard personal data
- ensure that personal data is not transferred abroad without suitable safeguards.
Cardinus will only disclose an individual’s non-public personal information to third parties where required to the extent necessary to meet a legal obligation, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
Cardinus has further committed to refer unresolved privacy queries under the EU-U.S. Privacy Shield Principles to an independent dispute resolution mechanism. If you have an unresolved privacy or data use concern that Cardinus has not satisfactorily addressed, please contact your EU Data Protection Authority for resolution. You may also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Additional information can be found here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
However, in July 2020 the Court of Justice of the European Union deemed that Privacy Shield is no longer suitable for transferring data under the GDPR, and as a result Cardinus now also uses standard contractual clauses with individual clients when they are requested to do so and where it is deemed appropriate. This is in place to ensure personal data can legally continue to flow to and from the United States.
Questions and complaints
If you have any questions or complaints about our processing of your personal data, you can contact us in writing at the address or email below.
UK and Europe:
Data Protection Officer
Cardinus Risk Management Limited
Data Protection Officer
4725 Piedmont Row Drive Ste 600
United States of America
Last Reviewed: 6 August 2021