Clarity and Readability:

The statement is generally well-structured, with clear headings for different sections. Consider using subheadings for better organization within each section. Ensure that the language used is clear and easily understandable by a broad audience.

Consent and Legal Grounds:

Clearly state when consent is required for processing personal data and how users can provide or withdraw consent. Explicitly mention the legal grounds for data processing, such as legitimate interests, as you've done in some sections.

Data Subjects' Rights:
The privacy statement says the section on data subjects' rights appears at its end, but that section is not included in the text you've shared. Ensure that this section is comprehensive and includes information on how individuals can exercise their rights.

Contact Information:
Include specific details for contacting the Data Protection Officer or the relevant department handling data protection matters.

Data Retention:
The text mentions that personal data will be stored "as long as needed for the purposes it has been collected for." Consider providing more specific information on retention periods for different types of data.

Cookies Section:
Since cookies are mentioned in the text, ensure that there is a dedicated section providing detailed information about the use of cookies, including types, purposes, and how users can manage or disable them.

Local Documentation and Legislation:
Emphasize the importance of checking for local documentation and legislation, especially if there are variations in data subject rights based on different jurisdictions.

Accessibility:
Consider providing a summary or a condensed version of the privacy statement for users who may prefer a quick overview.

Consistency:
Ensure that the language and terminology used are consistent throughout the document.

Hyperlinks:
If possible, provide hyperlinks to relevant documents, such as the Privacy Policy or any additional local documentation.

Cookies

Observations:
Explains the use of cookies for identification and improvement of services. Informs users about the option to disable cookies and the potential impact on service usage.

Suggestions:
Consider providing a link to the detailed Cookie Policy for more information. Clarify the types of cookies used and their purposes.

Remarketing

Observations:
Describes the use of Google AdWords Remarketing for targeted advertisements. Informs users about opting out through the Lofty cookie setting tool and other options.

Suggestions:
Provide a link to a more detailed remarketing policy. Include information on how long remarketing data is retained.

Website Analytics

Observations:
Mentions the use of website analytics tools (Adobe Analytics and Google Analytics). Offers an opt-out option through the KONE cookie setting tool and Google Analytics Opt-out Browser Add-on.

Suggestions:
Specify the types of data collected by analytics tools. Provide a link to a comprehensive analytics privacy policy.

Transfers of Personal Data

Observations:
States that Lofty will not transfer personal data outside the corporation or its partners. Mentions potential processing by subcontractors outside the EU/EEA but with adherence to Lofty's data processing standards.

Suggestions:
Clarify the specific technical and practical requirements necessitating data processing by subcontractors outside the EU/EEA. Ensure transparency about the subcontractors' locations.

Lofty’s Customer Relationship Management Databases

Observations:
Introduces the use of CRM databases for sales and marketing activities. Lists types of personal data collected in connection with CRM.

Suggestions:
Clarify the purpose of collecting personal data for CRM. Specify how long the CRM data is retained. Provide information on CRM data security measures.

Collected Personal Data

Observations:
Lists specific categories of personal data collected through CRM.

Suggestions:
Include a statement about obtaining consent for processing this personal data. Mention the lawful basis for processing this data.

The Purposes and Legal Grounds of the Processing


Observations:

Clearly outlines the purposes of processing personal data, including facilitating business, supporting sales activities, managing deliveries, maintenance services, invoicing, customer contact, marketing, incident handling, claims management, and customer assistance.
Specifies that customer loyalty surveys are conducted based on consent. Acknowledges the necessity of processing personal data for the performance of sales contracts and legitimate interests. Emphasizes confidentiality and security measures in customer loyalty surveys.

Suggestions:

Consider providing more specific details on the types of marketing activities, incident handling procedures, and claims management processes involved. Include information on how and when consent is obtained for customer loyalty surveys.

Clarify the specific legitimate interests pursued by Lofty.

Source(s) of Personal Data and Retention Period

Observations:
Identifies sources of personal data, including customers, interactions with representatives, and potential collection from public registers.
States that personal data will be stored as long as needed for the specified purposes.

Suggestions:
Provide more details on the circumstances under which personal data might be collected from public registers. Consider specifying a general retention period for personal data or providing examples.

Transfers of Personal Data

Observations:
Specifies that personal data is generally used for internal business purposes and not transferred to external parties. Acknowledges the possibility of accessibility and processing by subsidiaries, subcontractors, and service providers, with contractual obligations for data protection. Mentions processing personal data outside the EU/EEA with a legal basis for such transfers.

Suggestions:
Consider providing more details on the types of data accessible to subsidiaries, subcontractors, and service providers. Specify the legal basis for data transfers outside the EU/EEA.

Lofty’s Supplier and Subcontractor Data

Observations:
Introduces the use of Supplier Databases for managing contact data of suppliers and subcontractors. Lists types of personal data collected in connection with Supplier Databases.

Suggestions:
Clarify the purpose of collecting personal data for Supplier Databases. Specify how long the Supplier Databases' data is retained.
Provide information on the security measures in place for Supplier Databases.

Collected Personal Data

Observations:
Lists specific categories of personal data collected through Supplier Databases.

Suggestions:
• Include a statement about obtaining consent for processing this personal data.
• Mention the lawful basis for processing this data.

The Purposes and Legal Grounds of the Processing

Observations:
• Clearly outlines the purposes of processing personal data, including sourcing, purchasing, invoice handling, contract management, resolving claims, managing incidents, supplier due diligence, and ensuring quality and safety.
• Mentions the use of contact information for general communications and supply relationship management.
• Emphasizes the necessity of processing personal data for the performance of sourcing contracts and legitimate interests.
• Acknowledges the potential obligation to collect certain information due to local laws.

Suggestions:
• Specify the types of information collected for supplier due diligence, especially regarding quality and safety.
• Provide examples or details regarding the obligations imposed by applicable local laws.
• Offer clarity on the legitimate interests pursued by Lofty in regular business activities.
• Consider providing a brief overview of the supplier onboarding process.

Source(s) of Personal Data and Retention Period

Observations:
• Identifies sources of personal data, including suppliers, subcontractor companies, and potential collection from public registers.
• States that personal data will be stored as long as needed for the specified purposes.

Suggestions:
Provide more details on the circumstances under which personal data might be collected from public registers. Consider specifying a general retention period for personal data or providing examples.

Transfers of Personal Data

Observations:
• Specifies that personal data is generally used for internal business purposes and not transferred to external parties.
• Acknowledges the possibility of accessibility and processing by subsidiaries, subcontractors, and service providers, with contractual obligations for data protection.
• Mentions processing personal data outside the EU/EEA with a legal basis for such transfers.

Suggestions:
Consider providing more details on the types of data accessible to subsidiaries, subcontractors, and service providers.
Specify the legal basis for data transfers outside the EU/EEA.

Data Subjects’ Rights

Observations:
• Clearly outlines the rights of data subjects, including access, rectification, erasure, withdrawal of consent, objection, data portability, and the right to lodge a complaint.
• Provides a clear process for data subjects to exercise their rights.

Suggestions:
• Consider providing more information on the process for data portability.
• Specify the reasonable fee conditions for certain requests.

Updates to the Privacy Statement


Observations:
Informs users about the possibility of updates to the Privacy Statement.

Suggestions:
• Consider specifying how users will be notified of updates (e.g., through email, website notification).
• Provide a link to the current Privacy Statement for easy reference.