Data Collection Policy
Data Sources
Personal Data must be collected only from the Data Subject unless one of the following applies:
-
The nature of the business purpose necessitates the collection of Personal Data from other persons or bodies (e.g., Job references, Criminal record checks, etc.).
-
The collection of data must be carried out under emergency circumstances to protect the vital interests of the Data subject or to prevent serious loss or injury to another person.
If Personal Data is collected by an entity other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies:
-
The Data Subject has received the required information by other means
-
The information must remain confidential due to a legal non-disclosure agreement
-
A national law expressly provides for the collection, processing, or transfer of the Personal Data
Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:
-
One calendar month from the first collection or recording of the Personal Data
-
The first communication with the Data Subject
-
The time of disclosure, if disclosed to another recipient
Data Subject Consent
Personal Data must only be obtained by lawful and fair means, and where appropriate with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual before the collection, use, or disclosure of its data, Orchestra will seek such consent. The DPO, in cooperation with other relevant business representatives, shall obtain and document the Data Subject’s consent, when necessary.
Data Subject Notification
Orchestra services or entities will, when required by applicable law or contract, or where appropriate, will provide the Data Subjects with information as to the purpose of the processing of their data. When the Data Subject is asked to give consent to the processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made, unless one of the following applies:
-
The Data Subject already has the information
-
A legal exemption applies to the requirements for disclosure and/or consent
The disclosures may be given electronically or in writing using a form approved by the DPO, and the associated receipt should be retained, or registered along with the date, content, and method of disclosure.
Privacy Notices on the WEB
Each website provided and/or controlled by Orchestra will include an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law; when necessary.