This Privacy Notice is effective as of 22nd March 2021.
Please note that this Privacy Notice will be updated regularly to reflect any changes in the way we handle your personal data or any changes in applicable laws.
xWave Technologies registered in Ireland under company number 605730 and offices at 20 Harcourt Street, Dublin 2, Ireland is a software-as-a-service provider that empowers its customers to achieve digital transformation by providing health care professionals with tools to manage efficiency, transparency and accountability. For more information about xWave services visit our homepage xwave.ie
We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who interacts with us and will only collect / use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”)
What Does This Privacy Notice Cover?
This Privacy Notice (“Notice”) describes the manner in which xWave collects, uses, maintains and discloses information from visitors to our website, customers, prospective customers, employees or job candidates, in situations in which xWave is a data controller, and from the use and performance of our cloud platform xRefer. It also explains your rights under the law relating to your personal data.
For purposes of this Privacy Notice, the terms “user,” “customer,” “employees,” “you,” and “your” are meant to refer to the individuals about whom we may collect personal information, and at times may be used interchangeably within this Notice. The term “Personal data” is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified’.
If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the end of this Privacy Notice.
What Personal Data Do We Collect?
We collect personal data of our employees, potential employees, clients, potential clients, suppliers, business contacts and website users. If the data we collect are not listed in this privacy notice, we will give individuals (when required by law) appropriate notice of which other data will be collected and how it will be used.
Below describes the categories of personal data we collect:
Personal details, contact details and identifiers: Personal data is collected on our website through forms you complete including registering to events, downloads, newsletter. Our website also collects personal data about your website visit including information about your computer through 3rd party cookies (see below). Our Cloud service xRefer also collects such details in order to use the service. xWave may also collect personal details for recruitment/employment purposes, such as national identification number, social security number, insurance information, marital/civil partnership status, domestic partners, dependents and emergency contact information.
Education history, professional information, sensitive data and immigration documents for recruitment: xWave may collect information about your education and professional employment history. Information that you submit in CVs, letters, writing samples, or other written materials (including photographs). Information generated by interviewers and recruiters related to you including any assessments. We may also collect certain type of sensitive information such as background checks, medical information and legal documents such as data on citizenship, passport data, residency, work permits where permitted or required by law or with your consent.
Financial information for payroll, benefits or customer invoicing: We may collect your banking details and other relevant financial details for payroll purposes or in order to conduct business with you.
3rd party Cookies
The following Cookies may be placed on your computer or device:
• Google Analytics: used to store and update a unique value for each page visited.
• Google Analytics: used to throttle the request rate – limiting the collection of data on high traffic sites
• Google Analytics: used to distinguish unique users by assigning a randomly generated number as a client identifier
What Is Our Legal Basis For Processing?
Under the GDPR, we must always have a lawful basis for using your personal data. The following describes how we will use your personal data and our lawful bases for doing so:
For the purpose of using our xRefer service, to improve our services and for customer support: Necessary for the performance of a contract and our legitimate interest to ensure performance and security of our service
For the purpose of marketing communication and interactions on our website, including when you request information from us, sign up to newsletters, complete web forms or surveys: Based on consent given by the data subject
For the purpose of promoting our products and services to you in general: Based on consent given by the data subject or our legitimate interests to communicate with our customers
For the purpose of managing our contractual obligations as a technology provider: Necessary for the performance of a contract
For the purpose of operating and managing our business operations: On the basis of our legitimate interests for ensuring the proper functioning of our business operations
Managing our contractual obligations as an employer including performing any administrative functions (e.g. expenses, benefits): Necessary for the performance of a contract
Performing any legally required reporting and to respond to legal process related to employment or business operations: Necessary for the compliance with a legal obligation to which we are subject
Manage applications from prospective employees: Based on your consent
Monitoring your use of our systems (including monitoring the use of our website and any apps and tools you use): On the basis of our legitimate interests of avoiding non-compliance and protecting our reputation.
Where the above states that we rely on our legitimate interests for a given purpose, we are of the opinion that our legitimate interests are not overridden by your interests, rights or freedoms.
Consent for children
xWave Technologies does not knowingly collect personal information from children under the age of 16. We do not provide services to children, nor do we market to children.
Processing personal data for Marketing
With your permission and/or where permitted by law, we will use your personal data for marketing purposes, which may include contacting you by email AND/OR telephone with information, news and offers on our services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the Data Protection Legislation, and you will always have the opportunity to opt-out.
We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose.
The bulk of the personal data we collect and use for marketing purposes relates to individuals employed by our clients and other companies we work with. We may also obtain contact information from public sources, including content made public on social media sites, to make an initial contact with a relevant individual.
Like most companies, xWave has customer relationship management (CRM) database to manage and track our marketing efforts. Personal data used for this purpose includes contact data, publicly available information such as social media posts, your responses to targeted mailing, web activity of registered users. If you wish to be excluded from our CRM databases please contact us.
Do We Share Your Personal Data?
We may sometimes share your data with a third party to supply services on our behalf. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights.
We may share personal data with third parties that provide services to us such as billing/ payment processing, web publishing, marketing services, customer support, email processing, communication interfaces, web/application hosting and CRM services.
We are careful only to share the information that is necessary for the purposes described. Any third party who receives this information is bound by a contract with xWave setting out their obligation in relation to your data as required per Article 28 of the GDPR.
xWave takes strong measures to help protect your data from inappropriate access or use by unauthorized persons. We take all necessary steps to ensure that your data will be given adequate protection as required under the GDPR and xWave’s own internal policies.
Unless stated otherwise , transfers of personal data from within the European Economic Area (EEA) to third parties outside the EEA are based on an adequacy decision or are governed by the standard contractual clauses (SCC). Any other non-EEA related transfers of your personal data will take place in accordance with the appropriate international data transfer mechanisms and standards.
How Long Will We Keep Your Personal Data?
We will retain your personal data only for as long as necessary for the purposes outlined above related services provided to you, to comply with our legal obligations, resolve disputes, and enforce our agreements.
We maintain specific records management and retention policies and procedures, so that personal data is deleted according to the following retention key criteria:
• As long as we have an ongoing and active relationship with you (in particular, if you have a contract with us).
• As long as we have your consent keeping you informed.
• As long as it is needed in order to comply with our global legal and contractual obligations.
How Do We Keep Your Data Secure?
We are committed to ensuring that your information is secure with us and with any third parties who may act on our behalf.
We hold an ISO27001 certification, which validates that we adhere to the highest and strictest information security standards. This is a security standard awarded and audited by an independent organisation. ISO27001 is the only auditable international standard that defines the requirements for an Information Security Management System ("ISMS").
We use a variety of security measures to securely process your personal information when you interact with our website. Our advanced security techniques are governed by a mature IT infrastructure and framework. Our approach is focused on achieving the best mitigation of all known security risks and the implementation of ISO 27001 certification standards and compliance. In order to help us in this regard, we employ a secure server so that all supplied information is transmitted via Secure Socket Layer (SSL) technology and encryption whenever possible to reduce the impact of any potential incidents. As the security of communications via the internet is not completely secure, we cannot guarantee the security of any information that you disclose using your internet connection. You accept the inherent security implications of using the internet. We will not accept liability for any direct, consequential, incidental, indirect, or punitive losses or damages arising from your use of online communications.
All staff working for xWave have a legal duty to keep information about you confidential and all staff are aware of our information security policy. We take a number of important measures defined in our security policies, including the following:
• limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know and ensuring that they are subject to duties of confidentiality
• procedures for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Data Protection Commission’s Office when we are legally required to do so
• training for staff in data protection policies and procedures
What Are My Rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
(a) The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.
(b) The right to access the personal data we hold about you.
(c) The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
(d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have.
(e) The right to restrict (i.e. prevent) the processing of your personal data.
(f) The right to object to us using your personal data for a particular purpose or purposes.
(g) The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
(h) Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided below.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Office of Data Protection Commission.
How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of your personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown below.
There is normally no charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
How Do I Contact You?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details: firstname.lastname@example.org