Privacy Policy of Sisi Alero
Effective Date: January 17, 2025
PREAMBLE
This Privacy Policy ("Policy") sets forth the legal obligations and rights concerning the processing of personal data by Sisi Alero ("www.sisialero.com"), which is operated by Alero Omatsola, serving in the statutory capacity of Data Controller. The enactment of this Policy is pursuant to and in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018, and applicable legal frameworks within the jurisdiction that govern data privacy and security. Your use of www.sisialero.com (the "Website") constitutes your unequivocal and informed consent to the practices described herein, in accordance with Article 4(11) and Article 7 of the GDPR.
1. Legal Definitions and Scope
This section sets forth the key legal definitions and the scope as established under the General Data Protection Regulation (EU) 2016/679 ("GDPR") which governs the processing of personal data by Sisi Alero ("the Company"):
• Personal Data: Information related to any identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, particularly by reference to identifiers such as names, identification numbers, location data, or online identifiers. This encompasses a broad spectrum of information that pertains to physical, physiological, genetic, mental, economic, cultural, or social identities. (Article 4(1) GDPR)
• Processing: Encompasses any operation or set of operations which is performed on personal data or sets of personal data, irrespective of the mechanism. This includes but is not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. (Article 4(2) GDPR)
• Data Subject: Any living individual who is the subject of personal data, highlighting the GDPR's focus on protecting the privacy and rights of individuals. (GDPR Context)
• Data Controller: The entity (either natural or legal person, public authority, agency, or other body) that determines the purposes and means of the processing of personal data. For the purposes of this policy, Sisi Alero acts as the data controller. (Article 4(7) GDPR)
• Data Processor: Any natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller, emphasizing the operational and functional roles that contribute to data handling. (Article 4(8) GDPR)
• Consent: A freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data. This includes clear affirmative action such as a written statement or another verifiable means of confirmation. (Article 4(11) GDPR)
• Personal Data Breach: Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed, necessitating rigorous security measures and compliance protocols. (Article 4(12) GDPR)
• Genetic Data: Data concerning the unique genetic characteristics of a natural person which provide detailed information about the physiology or the health of that individual, thereby requiring enhanced protections. (Article 4(13) GDPR)
• Biometric Data: Data from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm unique identification. (Article 4(14) GDPR)
• Data Minimization: The principle that ensures that personal data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. (Article 5(1)(c) GDPR)
• Accountability: The obligation of the data controller to implement appropriate technical and organizational measures to demonstrate that processing activities comply with the GDPR. (Article 5(2) GDPR)
• Third Party: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who are authorized to process personal data under the direct authority of the controller or processor. (Article 4(10) GDPR)
• Supervisory Authority: An independent public authority established by a Member State pursuant to Article 51 of the GDPR, responsible for monitoring the application of GDPR, enhancing public awareness, and investigating alleged infringements.
• Profiling: Any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. (Article 4(4) GDPR)
• Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure non-attribution. (Article 4(5) GDPR)
• Encryption: A security measure that involves converting information or data into a code, particularly to prevent unauthorised access and ensure the confidentiality and integrity of data.
• Data Protection Officer (DPO): A designated, independent expert on data privacy who oversees an entity's data protection strategy and its implementation to ensure compliance with GDPR requirements. (Article 37 GDPR)
• International Data Transfer: Transfers of personal data which are processed or are intended for processing after transfer to a third country or an international organization, subject to compliance with the protective measures prescribed by the GDPR. (Articles 44-50 GDPR)
• Right to Rectification: The right of data subjects to have inaccurate personal data corrected and to have incomplete personal data completed. (Article 16 GDPR)
• Right to Object: The right of data subjects to object to the processing of their personal data in certain circumstances, including for direct marketing, profiling, or in situations where processing takes place for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. (Article 21 GDPR)
2. Identity and Contact Information of the Data Controller
The Data Controller, defined under Article 4(7) of the GDPR, is the entity responsible for determining the purposes and means of processing personal data:
• Name: Alero Omatsola
• Email: info@sisialero.com
3. Principles Relating to Processing of Personal Data
Adhering to Article 5 of the GDPR, the Company ensures that personal data are:
• Processed lawfully, fairly, and in a transparent manner.
• Collected for specified, explicit, and legitimate purposes as outlined herein.
• Adequate, relevant, and limited to the essentials required for processing purposes.
• Accurately maintained and updated as necessary.
• Retained only as long as necessary for the specified purposes.
• Protected against unauthorized or illegal processing and against accidental loss, destruction, or damage using appropriate technical or organizational measures.
4. Detailed Categories of Personal Data
The Company processes several categories of personal data, which include, but are not limited to:
• Identifiers: Such as names, postal addresses, and email addresses.
• Financial Information: Bank account details and payment-related information for transactions.
• Technical Data: Data such as IP addresses, browser types, and operating system details that are collected from the users' interaction with the Website.
• Special Categories of Data: Includes sensitive data such as photographs and detailed personal narratives, processed under the explicit consent mechanism provided by Article 9 of the GDPR.
5. Legitimate Purposes and Legal Bases for Data Processing
The processing of personal data is underpinned by specific legal bases and purposes:
• Contractual Obligations (Article 6(1)(b) of the GDPR): Processing necessary for the performance of a contract.
• Legal Compliance (Article 6(1)(c) of the GDPR): Processing necessary to comply with legal obligations.
• Legitimate Interests (Article 6(1)(f) of the GDPR): Processing necessary for the interests pursued by the Data Controller or a third party, unless overridden by the interests of the data subject.
• Explicit Consent (Article 6(1)(a) of the GDPR): Direct consent from data subjects for one or more specific purposes.
6. Data Retention Policy
By Article 5(1)(e) of the GDPR, personal data shall not be kept for longer than is necessary for the purposes for which the personal data are processed. The Company implements policies and procedures to ensure that personal data is deleted after the reasonable purposes for its processing have been met.
7. Rights of the Data Subject
Under the GDPR, data subjects are afforded rights detailed in Articles 15-22, which include:
• Access: Data subjects have the right to obtain access to their personal data.
• Rectification: The right to obtain rectification of inaccurate personal data.
• Erasure: Also known as the 'Right to be Forgotten', this allows data subjects to request the deletion of their data.
• Restriction of Processing: This right allows data subjects to block or suppress the processing of their data under certain circumstances.
• Data Portability: This right allows individuals to move, copy or transfer personal data easily from one IT environment to another.
• Objection: The right to object to the processing of their personal data in certain circumstances, including direct marketing.
8. Data Security Measures
Under Article 32 of the GDPR, the Company commits to implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with data processing activities. This includes safeguarding against unauthorized or unlawful processing, accidental loss, destruction, or damage by employing encryption, access controls, secure IT practices, and other such security measures.
9. Disclosure and Sharing of Personal Data
Consistent with Articles 13 and 14 of the GDPR, personal data may be disclosed to third parties only when necessary for fulfilling the processing purposes outlined above and under strict contractual confidentiality obligations.
10. International Data Transfer
The Company ensures that international transfers of personal data are conducted in compliance with Articles 44-50 of the GDPR, providing that personal data is protected according to the standards prescribed by GDPR regardless of geographical boundaries.
11. Automated Decision-Making and Profiling
As stipulated in Article 22 of the GDPR, the Company refrains from any decision-making processes, including profiling, that are based solely on automated processing and that might produce legal or similarly significant effects on an individual.
12. Use of Cookies and Similar Technologies
The Website uses cookies and similar tracking technologies in compliance with Recital 30 of the GDPR to enhance user experience and analyze site usage. Specifics of such use are outlined in the Company’s separate Cookie Policy.
13. Amendment Procedures
This Privacy Policy may be updated or amended in response to legal, technical, or business developments. Under Article 12 of the GDPR, the Company will take appropriate measures to inform data subjects of any significant changes to this Policy.
14. Lodging a Complaint
Data subjects retain the right to lodge a complaint with the relevant supervisory authority, particularly in the Member State of their habitual residence, as outlined in Article 77 of the GDPR.
15. Contacting the Data Controller
For any inquiries, concerns, or requests regarding the processing of personal data, data subjects may contact the Data Controller using the contact details provided in section 2 of this Policy.