Privacy Policy

This privacy policy sets out how The Magnwave Limited obtains, holds, uses and discloses personal data and how we protect it.

The Magnwave Limited is committed to only holding personal data that is accurate, adequate, relevant and not excessive.

This policy provides further details about how we do this, along with details on how to contact us if required.

 

Collection and Use of personal data

The Magnwave Limited collects personal data for a small number of specific reasons, including:

  1. To enable us to perform our contractual responsibilities for support services and / or project delivery
  2. To enable us to provide quotations for products and services
  3. To enable us to process orders for products and services, including delivery
  4. To send informative and relevant marketing messages about our products and services

In relation to bullet points 1, 2 and 3, personal data is processed on the following basis: “Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract”.

In regard to bullet point 4, personal data is processed on the basis of legitimate interest for existing The Magnwave Limited customers. A customer is defined as an organisation which has had a transaction with The Magnwave Limited within the last 24 months. For any other organisations, personal data will be processed on the basis of consent. On occasion, The Magnwave Limited will process personal data that is either shared, loaned or acquired from third party organisations. In these circumstances, The Magnwave Limited will ensure that the data can legitimately be shared / loaned / sold and will use the appropriate basis for the processing of that data in line with any preferences made by the data subject. In all cases you, as the data subject, have the right to opt out of receiving any marketing material from The Magnwave Limited by either selecting the unsubscribe link in any marketing email received from The Magnwave Limited or by emailing us at contact@magnwave.com and requesting to be opted out of receiving any future marketing communications.

For us to be able to carry out the above-mentioned activities we may need to share your data with relevant third parties as follows:

– To suppliers to enable us to process quotations for products and services

– To vendors to be able to raise support incidents and requests

– To third party support organisations where The Magnwave Limited outsources elements of support or is acting on the customer's behalf

– To marketing partners for the purpose of executing The Magnwave Limited marketing campaigns

Please be assured that The Magnwave Limited will never sell or lease personal data to third party organisations for direct marketing purposes.

The types of data The Magnwave Limited may collect include:

  1. Personal details, including: name, job title, email, telephone number and address. Usually the address will be your place of work; however, occasionally The Magnwave Limited may need to know your home address if we are supporting you whilst you are working remotely.
  2. IP address, if required for resolving support issues or during project delivery services if our services are connected to your remote working environment.

The Magnwave Limited will only collect relevant personal data that is required for us to provide you with our services. Normally this data will be obtained directly from you, although we may occasionally use third party marketing services. Where this is the case, we will always ensure that the third party marketing agency holds the correct permissions for your data to be used for the intended purpose.

 

Retention and deletion policy

The Magnwave Limited is committed to ensuring that your data is protected. In order to prevent unauthorised access The Magnwave Limited has put in place appropriate physical and electronic security to keep your data safe.

The Magnwave Limited will keep your data for an appropriate length of time to enable us to continue providing our services to you, or until such time as you withdraw your consent (if consent is the basis for processing).

 

Changes to privacy policy

Any changes to this privacy policy will be published via The Magnwave Limited website, www.magnwave.com. It is recommended that you check our website regularly to view the latest privacy policy.

Access to your information

You may request details of personal information which we hold about you. If you would like a copy of the information held on you please write to the following address:

The Magnwave Limited

1F., No. 41, Dayong St.,

Sanchong Dist.,

New Taipei City,

Taiwan (R.O.C.)

Or email to contact@magnwave.com

Rights of the Data Subject

In all cases, please direct your queries to:

The Magnwave Limited

1F., No. 41, Dayong St.,

Sanchong Dist.,

New Taipei City,

Taiwan (R.O.C.)

Or email to contact@magnwave.com

 

All information you provide to us is stored on our secure servers. Payment transactions may be undertaken by third party service providers and will be encrypted using industry standard SSL technology. Where we have given you (or where you have chosen) a password which enables you to access your online account, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. Although we make every effort to protect the personal information which you provide to us, the transmission of data over the internet is not completely secure. As such, you acknowledge and accept that we cannot guarantee the security of your information transmitted to the Website and that any such transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

Third party websites

The Website may, from time to time, contain links to websites operated by third parties. Please note that this privacy policy only applies to the personal information that we collect through this Website and we cannot be responsible for personal information collected and stored by third parties. Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal information to these websites. We do not accept any responsibility or liability for third party terms and conditions or policies.

Cookies

Our Website uses cookies, which are small files placed on your internet browser when you visit our Website. We use cookies in order to offer you a more tailored experience in the future, by understanding and remembering your particular browsing preferences.

For detailed information on the cookies we use and the purposes for which we use them, please refer to our Cookies Policy. By continuing to use the Website and/or our services, you are agreeing to our use of cookies as described in our Cookies Policy.

 

Data Breach Policy

1. Introduction

1.1 This policy sets out the policies and procedures of The Magnwave Limited (the “company”) with respect to detection of personal data breaches, responding to personal data breaches and notification of personal data breaches to supervisory authorities, data controllers and data subjects.

1.2 When dealing with personal data breaches, the company and all company personnel must focus on protecting individuals and their personal data, as well as protecting the interests of the company.

2. Definitions

2.1 In this policy:

(a) “appointed person” means the individual primarily responsible for dealing with personal data breaches affecting the company, being the data protection officer of the company;

(b) “data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

(c) “data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(d) “data subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(e) “personal data” means any information relating to a data subject;

(f) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company (including any temporary or permanent loss of control of, or inability to access, personal data); and

(g) “supervisory authority” means the Information Commissioner’s Office of the Republic of China.

3. Detection of personal data breaches

3.1 The company has put in place technological measures to detect incidents that may result in personal data breaches.

3.2 The company has put in place organisational measures to detect incidents that may result in personal data breaches.

3.3 The company shall regularly review the technical and organisational measures it uses to detect incidents that may result in a personal data breach. Such reviews shall be carried out at least quarterly.

4. Responding to personal data breaches

4.1 All personnel of the company must notify the appointed person immediately if they become aware of any actual or possible personal data breach. This obligation shall be included in the staff handbook of the company.

4.2 The appointed person is primarily responsible for investigating possible and actual personal data breaches and for determining whether any notification obligations apply. Where notification obligations apply, the appointed person is responsible for notifying the relevant third parties in accordance with this policy.

4.3 All personnel of the company must cooperate with the appointed person in relation to the investigation and notification of personal data breaches. This obligation shall be included in the staff handbook of the company.

4.4 The appointed person must determine whether the company is acting as a data controller and/or a data processor with respect to each category of personal data that is subject to a personal data breach.

4.5 The steps to be taken by the appointed person when responding to a personal data breach may include:

(a) ensuring that the personal data breach is contained as soon as possible;

(b) assessing the level of risk to data subjects as soon as possible;

(c) gathering and collating information from all relevant sources;

(d) considering relevant data protection impact assessments;

(e) informing all interested persons within the company of the personal data breach and the investigation, including any clients;

(f) assessing the level of risk to the company; and

(g) notifying supervisory authorities, data controllers, data subjects and others of the breach in accordance with this policy.

4.6 The appointed person shall keep a full record of the response of the company to a personal data breach, including the facts relating to the personal data breach, its effects and the remedial action taken. This record shall form part of the personal data breach register of the company.

5. Notification to supervisory authority

5.1 This section 5 applies to personal data breaches affecting personal data with respect to which the company is acting as a data controller.

5.2 The company must notify the supervisory authority of any personal data breach to which this section 5 applies without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach, save as set out in subsection 5.4.

5.3 Personal data breach notifications to the supervisory authority must be made by the appointed person using the form set out in schedule 1 (Notification of personal data breach to supervisory authority). The completed form must be sent to the supervisory authority by secure and confidential means. The appointed person must keep a record of all notifications, and all other communications with the supervisory authority relating to the breach, as part of the personal data breach register of the company.

5.4 The company will not notify the supervisory authority of a personal data breach where it is unlikely to result in a risk to the rights and freedoms of natural persons. The appointed person shall be responsible for determining whether this subsection 5.4 applies, and the appointed person must create a record of any decision not to notify the supervisory authority. This record should include the appointed person’s reasons for believing that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This record shall be stored as part of the personal data breach register of the company.

5.5 To the extent that the company is not able to provide to the supervisory authority all the information specified in schedule 1 (Notification of personal data breach to supervisory authority) at the time of the initial notification to the supervisory authority, the company must make all reasonable efforts to ascertain the missing information. That information must be provided to the supervisory authority, by the appointed person, as and when it becomes available. The appointed person must create a record of the reasons for any delayed notification under this subsection 5.5. This record shall be stored as part of the personal data breach register of the company.

5.6 The company must keep the supervisory authority informed of changes in the facts ascertained by the company which affect any notification made under this section 5.

6. Notification to data controller

6.1 This section 6 applies to personal data breaches affecting personal data with respect to which the company is acting as a data processor.

6.2 The company must notify the affected data controller(s) of any personal data breach to which this section 6 applies without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach. In addition, the company must comply with the provisions of the contract(s) with the affected data controller(s) relating to such notifications.

6.3 Personal data breach notifications to the affected data controller(s) must be made by the appointed person using the form set out in schedule 2 (Notification of personal data breach to data controller). The completed form must be sent to the affected data controller(s) by secure and confidential means. The appointed person must keep a record of all notifications, and all other communications with the affected data controller(s) relating to the breach, as part of the personal data breach register of the company.

6.4 To the extent that the company is not able to provide to the affected data controller(s) all the information specified in schedule 2 (Notification of personal data breach to data controller) at the time of the initial notification to the affected data controller(s), the company must make all reasonable efforts to ascertain the missing information. That information must be provided to the affected data controller(s), by the appointed person, as and when it becomes available.

7. Notification to data subjects

7.1 This section 7 applies to personal data breaches affecting personal data with respect to which the company is acting as a data controller.

7.2 Notifications to data subjects under this section 7 should, where appropriate, be made in consultation with the supervisory authority and in accordance with any guidance given by the supervisory authority with respect to such notifications.

7.3 The company must notify the affected data subjects of any personal data breach to which this section 7 applies if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, save as set out in subsection 7.5.

7.4 Personal data breach notifications to the affected data subjects must be made by the appointed person in clear and plain language using the form set out in schedule 3 (Notification of personal data breach to data subject). The completed form must be sent to the affected data subjects by appropriate means. The appointed person must keep a record of all notifications, and all other communications with the affected data subjects relating to the breach, as part of the personal data breach register of the company.

7.5 The company has no obligation to notify the affected data subject of a personal data breach if:

(a) the company has implemented appropriate technical and organisational protection measures (in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption), and those measures have been applied to the personal data affected by the personal data breach;

(b) the company has taken subsequent measures which ensure that a high risk to the rights and freedoms of data subjects is no longer likely to materialise;

(c) it would involve disproportionate effort (in which case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner), providing that the appointed person shall be responsible for determining whether this subsection 7.5 applies, and the appointed person must create a record of any decision not to notify the affected data subjects. This record should include the appointed person’s reasons for believing that the breach does not need to be notified to the affected data subjects. This record shall be stored as part of the personal data breach register of the company.

7.6 If the company is not required by this section 7 to notify affected data subjects of a personal data breach, the company may nonetheless do so where such notification is in the interests of the company and/or the affected data subjects.

8. Other notifications

8.1 Without affecting the notification obligations set out elsewhere in this policy, the appointed person should also consider whether to notify any other third parties of a personal data breach. Notifications may be required under law or contract. Relevant third parties may include:

(a) the police;

(b) other law enforcement agencies;

(c) insurance companies;

(d) professional bodies;

(e) regulatory authorities;

(f) financial institutions; and/or

(g) trade unions or other employee representatives.

9. Reviewing and updating this policy

9.1 The Data Protection Officer shall be responsible for reviewing and updating this policy.

9.2 This policy must be reviewed and, if appropriate, updated annually.

9.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:

(a) the compliance of the company with applicable law, codes of conduct or industry best practice;

(b) the security of data stored and processed by the company; or

(c) the protection of the reputation of the company.

9.4 The following matters must be considered as part of each review of this policy:

(a) changes to the legal and regulatory environment;

(b) changes to any codes of conduct to which the company subscribes;

(c) developments in industry best practice;

(d) any new data collected by the company;

(e) any new data processing activities undertaken by the company; and

(f) any security incidents affecting the company.