1. Scope

All processing of personal data by CTS Systems is within the scope of this procedure.

  • Responsibilities
  • The GDPR Owner is responsible for ensuring that the privacy notice(s) is correct and that mechanisms exist, such as having the Privacy Notice(s) on the CTS Systems website, to make all data subjects aware of the contents of this notice prior to CTS Systems commencing collection of their data.
    • All staff that need to collect personal data are required to follow this procedure.
  • Procedure (Article 12)
  • CTS Systems identifies the legal basis for processing personal data before any processing operations take place by clearly establishing, defining and documenting:
    • the specific purpose of processing the personal data and the legal basis to process the data under:
      • consent obtained from the data subject;
      • performance of a contract where the data subject is a party;
      • legal obligation that CTS Systems is required to meet;
      • protect the vital interests of the data subject, including the protection of rights and freedoms;
      • official authority of CTS Systems or to carry out the processing that is in the public interest;
      • necessary for the legitimate interests of the data controller or third party, unless the processing is overridden by the vital interests, including rights and freedoms;
      • national law.
    • any special categories of personal data processed and the legal basis to process the data under:
      • explicit consent obtained from the data subject;
      • necessary for employment rights or obligations;
      • protect the vital interests of the data subject, including the protection of rights and freedoms;
      • necessary for the legitimate activities with appropriate safeguards;
      • personal data made public by the data subject;
      • legal claims;
      • substantial public interest;
      • preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, provision of health or social care treatment, or management of health and social care systems and services, under the basis that appropriate contracts with health professionals and safeguards are in place;
      • public health, ensuring appropriate safeguards are in place for the protection of rights and freedoms of the data subject, or professional secrecy;
      • national laws in terms of processing genetic, biometric or health data.
  • CTS Systems records this information in line with its data protection impact assessment and data inventory (CTS GDPR DOC 2.4 and CTS GDPR REC 4.4).
  • Privacy Notices
  • When personal data is collected from the data subject with consent
    • CTS Systems is transparent in its processing of personal data and provides the data subject with the following:
      • CTS Systems’s identity, and contact details of the GDPR Owner and any data protection representatives;
      • The purpose(s), including legal basis, for the intended processing of personal data (clause 4.2 below);
      • Where relevant, CTS Systems’s legitimate interests that provide the legal basis for the processing;
      • Potential recipients of personal data;
      • Any information regarding the intention to disclose personal data to third parties and whether it is transferred outside the EU. In such circumstances, CTS Systems will provide information on the safeguards in place and how the data subject can also obtain a copy of these safeguards;
      • If CTS Systems is based outside of the EU and the data subject resides within the EU, CTS Systems provides the data subject with contact details of a data protection representative in the EU;
      • Any information on website technologies used to collect personal data about the data subject;
      • Any other information required to demonstrate that the processing is fair and transparent.
  • All information provided to the data subject is in an easily accessible electronic format, using clear and plain language, especially for personal data addressed to a child.
    • CTS Systems facilitates the data subject’s rights in line with the data protection policy (CTS GDPR DOC 1.0) and the subject access request procedure (CTS GDPR DOC 2.2).
    • Privacy notice for this personal data processing is recorded (CTS GDPR REC 4.1)
  • When data is contractually required for processing
    • CTS Systems processes data without consent in order to fulfill contractual obligations such as collecting commissions for clients.
    • Privacy notice for this personal data processing is recorded (CTS GDPR REC 4.1)
  • When personal data has been obtained from a source other than the data subject
    • CTS Systems makes clear the types of information collected as well as the source of the personal data (publicly accessible sources) and provides the data subject with:
      • CTS Systems’s (data controller) identity, and contact details of the GDPR Owner and any data protection representatives;
      • The purpose(s), including legal basis, for the intended processing of personal data;
      • Categories of personal data;
      • Potential recipients of personal data;
      • Any information regarding disclosing personal data to third parties and whether it is transferred outside the EU – CTS Systems will provide information on the safeguards in place and how the data subject can also obtain a copy of these safeguards;
      • Any other information required to demonstrate that the processing is fair and transparent.
  • Privacy notice for this personal data processing is recorded (CTS GDPR REC 4.1)
  • Personal Data
    • CTS Systems provides the information stated in clauses 3 and 4 above within:
      • one month of obtaining the personal data, in accordance with the specific circumstances of the processing;
      • at the first instance of communicating in circumstances where the personal data is used to communicate with the data subject;
      • when personal data is first disclosed in circumstances where the personal data is disclosed to another recipient.
  • Clauses 3 and 4 above do not apply:
    • If the data subject already has the information;
    • If the provision of the above information proves impossible or would involve an excessive effort;
    • If obtaining or disclosure of personal data is expressly identified by Member State law; or
    • If personal data must remain confidential subject to an obligation of professional secrecy regulated by Member State law, including a statutory obligation of secrecy.

6.  E.U. – U.S. Privacy Shield

            6.1  CTS Systems complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, States.  CTS Systems has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

            6.2  CTS Systems commits to cooperating with the EU data protection authorities and complying with the advice given by such authorities with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.

            6.3  You may contact CTS Systems with any inquiries or complaints at GDPR.US@CTSsystems.com or 678-503-4015.

            6.4   The following applies to all individuals:

                  6.4.1   You have the right to contact CTS Systems at any time to access your personal data.

                  6.4.2   CTS Systems limits the use and disclosure of any and all personal data to only what is necessary to complete our contractual obligations to our existing clients.

                  6.4.3   The Federal Trade Commission has jurisdiction over CTS Systems’ compliance with the Privacy Shield.

                  6.4.4   Under certain conditions, an individual has the possibility to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms.  For additional information, please visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

            6.5  CTS Systems only discloses information to third parties, such as hotels, which already have said information, in order to confirm data is correct and collect commissions on behalf of its clients.

            6.6  In the context of an onward transfer, CTS Systems has the responsibility for the processing of personal information it receives under the Privacy Shield and subsequent transfers to a third party acting as an agent on its behalf.  CTS Systems shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

            6.7  CTS Systems is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Document owner and approver

A current version of this document is available to all members of staff from the GDPR Owner.

Change history

Issue   Description of Change               Approval          Date of Issue
1       Initial issue                       Mark Lewington    05/23/2018
2       Review – No Change                  Mark Lewington    05/19/2019
3       Update Privacy Shield Information   Mark Lewington    09/26/2019
4       Review – No Change                  Mark Lewington    05/18/2020
5       Review – No Change                  Mark Lewington    05/19/2021