GDPR (Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC )  can be considered as the world's strongest set of data protection rules, which enhance how people can access information about them and places limits on what organizations can do with personal data. The regulation exists as a framework for laws across the continent and replaced the previous 1995 data protection directive. The GDPR's final form came about after more than four years of discussion and negotiations – it was adopted by both the European Parliament and European Council in April 2016. GDPR came into force on May 25, 2018. Countries within Europe were given the ability to make their own small changes to suit their own needs

• Data minimization - Controller should not collect more personal information than he needs from his users. The principle is designed to ensure organization doesn't overreach with the type of data they collect about people,
• Integrity and confidentiality (security) - Personal data must be protected against "unauthorized or unlawful processing," as well as accidental loss, destruction or damage. This means that appropriate information security protections must be put in place to make sure information isn't accessed by hackers or accidentally leaked as part of a data breach.
• Accountability - It makes an organization responsible for complying with the GDPR and says that organization must be able to demonstrate its compliance.
• Lawfulness, fairness and transparency - An organization must identify valid grounds under GDPR for collecting and using personal data.
• Purpose limitation - An organization must be clear about its purposes for processing from the start. Personal data can be used for only one purpose, which must be a part of the documentation obligations and must be specified in privacy notice for individuals.  
• Accuracy- Controller should take all reasonable steps to ensure the personal data is not incorrect or misleading as to any matter of fact. 
• Storage limitation - Data must not be kept for longer than the Controller needs or is obligated to keep
   

In PinMeTo, your personal data is very important to us. You can rest assured that we make every effort to process your personal data in accordance with above principles and with any other relevant privacy legislation.

This is information that allows a living (natural) person to be directly, or indirectly, identified from data that's available. This can be something obvious, such as a person's name, location data, or a clear online username, or it can be something that may be less instantly apparent: IP addresses and cookie identifiers can be considered as personal data.

Under GDPR there's also a few special categories of sensitive personal data that are given greater protections. This personal data includes information about racial or ethic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person's sex life or orientation.

Controller is the main decision-maker. He exercises overall control over the purposes and means of the processing of personal data. PinMeTo is a Controller to your data in cases:

• When you visit our website, 
• When you apply for job for us or, 
• When you are a potential client looking for our services,
• When you are our client, we are the Controller of your employees (who use our platform) personal data.
  
  

Processor

Processor acts on behalf of, and only on the instructions of, the relevant Controller. PinMeTo may act as a Processor if it is entitled to process personal data of your clients or people who will be searching for your services using supported platforms.

Your rights/Data Subject Rights

GDPR gives you, as a Data Subject, several rights which guarantee you that you have control over your data and you know that data is processed in accordance with legal requirements. You have the right to:

• be informed about the collection and use of your personal data.
• access and request copies of your personal data.
• request inaccurate or outdated personal information to be updated or corrected.
• request your personal data be deleted. Note that this is not an absolute right and may be subject to exemptions based on certain laws.
• request the restriction or suppression of your personal data.
• ask for your data to be transferred to another controller or provided to them. The data must be provided in a machine-readable electronic format.
• object to the processing of your personal data.
• object to decisions being made with their data solely based on automated decision making or profiling.
• make a complaint to relevant Data Protection Authorities, if you think that PinMeTo has not complied with your data protection rights. 
  
  

Not all of these rights can be exercised in all situations, depending on factors such as the basis for the processing of personal data, but PinMeTo makes every effort to ensure that your rights are respected.

Why does PinMeTo collect my personal data and what is the legal basis of processing?

As stated above PinMeTo, acting as Controller, will require or will be obligated by law or contractual obligations to collect personal data from you. Information we collect includes both information you knowingly and actively provide us when using or participating in any of our services and promotions, and any information automatically sent by your devices in the course of accessing our products and services. 

In the table below you can read about.

1. what we will use your personal data for (the purpose).
   
   
2. which types of personal data we use for that purpose, and if the personal data comes directly from you or from another source. In the cases where we have received personal data about you from another source, we provide the name of that source in brackets.
   
   
3. what legal rights we have under current data protection legislation, such as the GDPR, to process the data about you, referred to as our “legal basis”.

We keep your personal data only for as long as we need to or we are obligated by law or contractual requirements. This time period may depend on what we are using your information for. If your personal data is no longer required, we will delete it or make it anonymous by removing all details that identify you.(data anonymization)

However, if necessary, we may be obligated to retain your personal data for our compliance with a legal or contractual obligation.

Who do we share your personal data with?

PinMeTo is a European company and we may transfer your personal data to all our European offices. PinMeTo will take responsible steps to ensure that personal data is protected and any such transfer complies with GDPR.

PinMeTo transfers and maintains personal data of all individuals covered by this Policy on servers or databases inside the European Economic Area (“EEA”). Our cloud service provider, AWS, is contractually obligated to store our databases in its European located infrastructure. However, in case of the transfer outside the EEA, your personal data will still be covered by GDPR, since our partner has adopted new Standard Contractual Clauses (new SCCs adopted by the European Commission (EC) in June 21) in order to achieve compliance with the General Data Protection Regulation. 

PinMeTo may share your personal data with our subcontractors. Our subcontractors guarantee that appropriate technical and organizational measures are implemented in a manner that subprocessing meets the requirements of GDPR. In other cases, 

PinMeTo may be obligated to share your personal data with public authorities to comply with relevant legislation. 

Taking into account Personal Data regulations and privacy challenges that SAAS company may face, PinMeTo is obligated to inform that all software development is performed in-house and all of our developers are based and employed  by our HQ in Malmo, Sweden. Above approach mitigates the risks related with possible personal data transfers and is an expression of our responsible approach to legislation compliance and protection of the privacy of our clients.