Data privacy policy

Introduction

This data privacy policy (“Privacy Policy”) sets forth the general rules and policies governing the process and protection of Personal Data according to EU Regulation 2016/679 (“GDPR”), applicable laws and regulations.

Norbloc Profile

Norbloc was founded in 2016 in Stockholm by a team bringing together wealth of financial institutions and consulting experience with blockchain and banking software expertise.

Norbloc has its headquarters in Stockholm, Sweden, its Development Hub in its Athens branch in Greece, its M. Eastern branch in DIFC in Dubai, UAE and its newest office in London, England.

The company is a member of the Hyperledger consortium and its executives are thought leaders and regular speakers on the intersection of digital corporate and individual identity and blockchain technology.

Purpose

It is norbloc’ s policy that Personal Data, as defined hereinafter, in all its forms will be processed lawfully and protected from accidental or intentional unauthorized modification, destruction or disclosure. This protection includes an appropriate level of security over the equipment and software used to collect, process, store and transmit information.

All policies and procedures are documented and made available to involved persons responsible for their implementation and compliance. All documentation will be periodically reviewed for appropriateness, a period of time to be determined by the management of norbloc.

Definitions

Data Protection Officer (DPO): a person designated by norbloc to carry out tasks related to the protection and the lawful processing of Personal Data under article 37 par. 4 of the GDPR.

Data Subject: an identified or identifiable natural person whose Personal Data are processed under this Data Privacy Policy.

Involved Persons: every worker of norbloc, no matter what their status. This includes directors, employees, contractors, consultants, external service suppliers, temporaries, and volunteers.

Involved Systems: all computer equipment and network systems that are operated within or by norbloc. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed inhouse or licensed from third parties) contained on those systems.

Law or Legal framework: EU Regulation 2016/679 (GDPR), applicable laws, regulations and administrative acts.

Personal Data (or Data): any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Private blockchain: a permissioned blockchain. Private blockchains work based on access controls which restrict the people who can participate in the network. There are one or more entities which control the network and this leads to reliance on third-parties to transact.

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Personal Data Processing

Depending the nature of the process, norbloc may act either as a controller, or as a processor of Personal Data. In both cases, nobloc is committed to lawfully, fairly and in a transparent manner process Personal Data, only for the following legitimate reasons: (a) the performance of an agreementor the intention to award an agreement, such as the execution of a work or the provision of services and its products, in order to meet contractual obligations in that context; (b) safeguard and protect an individual’s and/or norbloc’s legitimate interests; (c) compliance with obligations and duties imposed by law or administrative acts; or (d) with data subject’s consent, provided under the specific conditions set forth in the applicable legal framework or on the basis of contractual relations or when contacting norbloc.

Norbloc does not have access to any Personal Data while providing its products and related services.

When a user uses Norbloc’ s website, information about their computer hardware and software may be automatically collected. This information can include but not limited to: IP address, traffic source, search keywords, page views, visits, referring Internet site addresses, language (aggregate), location (aggregate), browser and operating systems (aggregate), network (aggregate), device (aggregate), as well as other connection data like time and transferred data (collectively referred to as “automated data”).This information is used by norbloc for the operation of its website and to provide general statistics regarding its use.

Sensitive personal information, such as race, religion, political affiliations, trade union membership, health record, sexual orientation, or criminal record are not collected by any means.

The data processed are adequate, relevant and limited to what is necessary in relation to purposes for which they are processed (i.e. name, address, social security number, marital status etc of norbloc’s employees, contact details of clients’ representatives etc). Norbloc does not process special categories of Personal Data (article 9 of GDPR) or data related to criminal convictions and offences (article 10 of GDPR).

Duration of Processing

The duration norbloc may retain Personal Data is determined under the following criteria:

  • If the process is required by applicable law, Personal Data will be stored for the period prescribed in the relevant provisions;
  • If the process takes place on a contractual basis, Personal Data will be stored for the period necessary to ensure due performance of the contract and thereafter for the establishment, exercise and/or defense of legal claim arising from the contract or required by law, however norbloc does not have access to such Personal Data;
  • If processing is carried out on behalf of a controller, until termination of the contract or the end of provision of services by norbloc;
  • In case of marketing, Personal Data will be retained, only with the explicit consent of the Data Subject, until the individual exercises the right to opt out of receiving newsletters and information about new products and services from norbloc.

Data Subject’s Rights

Norbloc respects and facilitates the exercise of all legal rights by a data subject while processing his or her Personal Data, which are: (a) to obtain confirmation as to whether or not Personal Data concerning the Data Subject are being processed, and, where that is the case, access to the Personal Data and request information about the processing and the Data; (b) to obtain the rectification of inaccurate Personal Data. Taking into account the purposes of the processing, the Data Subject has the right to have incomplete Personal Data completed, including by means of providing a supplementary statement; (c) to obtain the erasure of Personal Data concerning the Data Subject, when processed with his or her consent. In case of compliance with a legal obligation and/or the Data are necessary in relation for the purposes for which they were collected (i.e. there is a contractual agreement in force) this right might be subject to limitation or unobtainable, as the case may be; (d) to obtain restriction of processing if (i) the accuracy of the Personal Data is contested, for a period enabling norbloc to verify the accuracy of the Personal Data; (ii) the processing is unlawful and the data subject opposes the erasure of the Personal Data and request the restriction of their use instead; (iii) norbloc no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims; (iv) the Data Subject has objected to processing while pending the verification whether the legitimate grounds of the controller override those of the Data Subject; (e) to object, on grounds relating to the Data Subject’s particular situation, at any time to processing of Personal Data for the legitimate and contractual purposes described hereinabove. Where Personal Data are processed for purposes of direct marketing, which includes profiling to the extent that it is related to such direct marketing, the individual shall have the right to object at any time to processing of his or her Personal Data; (f) to receive his or her Personal Data, which the Data Subject has provided to norbloc or to a data controller, where norbloc acts as data processor, in a structured, commonly used and machine-readable format and has the right to transmit those Data to another controller where (i) the processing is based on the Data Subject’s consent or on an agreementbetween the Data Subject and norbloc or the Data Subject and the data controller, where norbloc will act as data processor and (ii) the processing is carried out by automated means. The Data Subject, also, shall have the right to have the Personal Data transmitted directly from norbloc to another controller, where technically feasible; (g) to withdraw consent, if processing is based only on Data Subject’s consent; and

(h) to file a complaint to the supervisory authority.

With the exception of the rights to withdraw consent and file a complaint (see par. (g) and (h) herein above), all other rights can be exercised by a Data Subject, only after providing proof of his or her identity to norbloc. Information provided by norbloc in reply to a request by a Data Subject shall be in writing or the appropriate electronic means. All communications and actions taken by norbloc upon such a request are free of charge, excluding manifestly unfounded or excessive requests.

When a request is filed by a Data Subject, the DPO shall determine whether norbloc processes the data concerned as a controller or as a processor, the involved persons and the involved systems. In case norbloc has acted as a processor, norbloc shall notify without undue delay the controller about the request and provide assistance in ensuring compliance with controller’s obligations. Under article 12 of the GDPR, a controller is obligated to respond to a request within one month of receipt of the request. Taking into account the complexity and number of the requests, norbloc may, within one month of receipt of the request, inform the Data Subject that an extension of two further months is required and the reasons of the delay.

A data subject, when providing consent to the process of his or her Personal Data through the use of private blockchain, acknowledge that rectification and erasure of data may be unobtainable due to the nature of the said technology.

Disclosure of Personal Data

Norbloc may make available certain Personal Data, as required or permitted by law, to third parties, such as companies and individuals with whom norbloc contracts to perform business functions and services on norbloc’s behalf, e.g. implementation services, legal, accounting, marketing and other support services. In this case norbloc remains responsible while processing the Data. The processing shall be governed by contract that is binding and ensures that the third parties have committed themselves to confidentiality and adhere on all legal requirements, as well as that each Data Subject can freely exercise his or her rights.

It may be necessary − by law, legal process, litigation, requests and/or orders from judicial and administrative authorities within or outside an individual’s country of residence − for norbloc to disclose Personal Data. Norbloc may, also, disclose Personal Data, if norbloc determines that for purposes of national security, law enforcement or other reasons of public importance, disclosure is necessary or appropriate.

Norbloc may disclose Personal Data, if it is determined that disclosure is reasonably necessary to enforce an agreement with the Data Subject or protect norbloc’s operations. Additionally, in the event of reorganization, merger, or sale of the company, any and all information retained by norbloc may be transferred to the relevant third party.

Records

Norbloc, when acting as a processor of Personal Data on behalf of a controller, under contract, maintains records in electronic forms containing: (a) the name and contact details of each controller, the controller’s representative, the DPO and where applicable sub processor; (b) the categories and purposes of processing carried out on behalf of each controller; (c) a description of the categories of data subjects and Personal Data; (d) where applicable, transfers of Personal Data to a third country or an international organization, including their identification; and (e) a general description of the technical and organizational security measures.

Links to other websites

Norbloc’s website may provide links to other internet websites. Since norbloc has no control over the content of such websites, the user is strongly advised to review the privacy policies of the websites he/she chooses to link to from norbloc’s website so that she/he can understands how those websites collect, use and share information.

Security

Norbloc implements the appropriate technical and organisational measures to ensure a level of security and confidentiality of the data processed by norbloc appropriate to the nature, scope, context and purposes of each category of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. The said measures include inter alia: (a) Thorough analysis of all involved systems owned or used by norbloc is conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted data. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of any vulnerability. (b) IT assets are in locations with security access restrictions, environmental conditions and layout according to the security classification and technical specifications of the aforementioned assets. Access to IT assets is forbidden for non-authorized personnel.

Granting access to the assets involved in the provision of a service must be done through the approved service request management and access management processes. (c) IT technical teams are the sole responsible for maintaining and upgrading configurations. None other users are authorized to change or upgrade the configuration of the IT assets. That includes modifying hardware or installing software. (d) Any involved system that handles confidential information is protected by a two factorbased access control system. (e) Discretionary access control list is in place to control the access to resources for different groups of users. (f) All involved systems and Personal Data are protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based. (g) Virus checking systems approved by the information security officer are deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems. (h) Physical and electronic access to protected software development information (PSDI), Personal Data and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures are instituted. (i) Unique user identification (user ID) and authentication is required for all systems that maintain or access Personal Data. (j) Technical security mechanisms are in place to guard against unauthorized access to Personal Data including encryption of data in storage and during transmission. (k) File servers containing PSDI, confidential and/or internal information are installed in a secure area (CLOUD), to prevent theft, destruction, or access by unauthorized individuals.

The technical and organizational security measures employed by norbloc are documented in detail and certified as per EN ISO 27001 : 2013.

Roles and Responsibilities

This policy applies to all involved persons. All involved persons understand and adopt this policy and are responsible for ensuring the implementation of this policy and the legal framework and the security of Personal Data processed by norbloc.

Privacy Policy changes

Norbloc reserves the right to modify this Data Privacy Policy at any time and to add new terms and conditions, which shall be published accordingly.

Data Protection Officer

For any assistance regarding the process of Personal Data and in order to exercise any of your rights stated hereinabove, please contact directly the appointed Data Protection Officer (DPO) via email legal@norbloc.com.

Any complaint concerning the process of Personal Data can be filed before the Hellenic Data Protection Authority T: +30 210 6475600, Fax: +30 210 6475628, e-mail: contact@dpa.gr