This Document outlines the steps and processes Adiuvo use in order to comply with the General Data Protection Regulation (EU) 2016/679) (GDPR) legislation which come into effect on 25th May 2018.
All of the below refers to our work on behalf of clients providing outsourced emergency help desks and in our self-defined role as Data Processors.
In order to prevent theft of data or information from premises;
- Adiuvo uses shutters on all doors and windows with a key holder policy in place which includes replacing of locks and updating codes within 12 hours of when key holders leave or when broken windows, doors or locks are reported.
- All sensitive data and systems are stored in or behind secured doors.
- Adiuvo has internal and external CCTV for the prevention and detection of physical access to data
Adiuvo staff have all completed and passed online training with Enguard (www.enguard.ie), a specialist compliance company.
Our Data Controller will be Colin Stokes (Managing Director)
What information do we hold?
- Adiuvo has reviewed what personal and sensitive data it holds about individuals and confirmed it is basic contact details including name, address, phone and email information.
How do we hold the information?
- In order to process callers request we store the information on our cloud based system which is housed securely on Amazon’s European servers.
- Call recordings are held by our Telecoms company on secure servers within the UK
Where does it come from?
- The source of this information is either collected from callers when they contact us in order for us to provide maintenance assistance or from access to clients systems should they provide it (which will be subject to their own Data Protection Policy)
Who do we share the information with?
The contact details above are the only data we share with a third party (contractors or emergency services) and is done so expressly to organise the assistance callers request. Adiuvo maintain a register of the details relating to each third party for regulatory and monitoring purposes and maintain an Outsourcing and Supplier Policy & Procedure. This enables us to meet our obligations and to ensure that all outsourced functions are handled according to our own strict procedures and protocols
Notifying individuals their information is being shared
Callers are advised (and therefore we consider provide consent) via a pre connection message that we will provide contact details to contractors/other forms of assistance and that all calls are being recorded.
On what lawful basis do we hold the information?
Callers have contacted us for assistance
- After three years, personal information (which is only held electronically) will be expunged. This we believe this to be the correct period of time to allow for any disputes to arise. After this time records we hold will still include the details of requests and actions but with no name or phone number data. The address will remain but without any connection to an individual.
- Call recordings are deleted after 6 months in their entirety
Data Protection Impact Assessment
Although we do not believe scope of captured information will change significantly we will use a DPIA to identify and mitigate against any risks should new requirements occur
International Data Transfer
Adiuvo do intend to transfer information internationally as we have established an office in India. At present there is an absence of an Adequacy Decision requiring this jurisdiction therefore we have provided appropriate safeguards and have ensured that enforceable data subject rights and effective legal remedies for data subjects are available. These transfers are subject to contractual arrangements between our sub-processor and ourselves. When or if an Adequacy Decision by the Commission is established we shall regularly check notices and publications for its withdrawals/changes of decisions.
Data Breach Response Plan
The company has 72 hours to report the breach to the Data Protection Commissioner’s Officer although it will be our aim to notify clients within 24 hours. Our Data Breach plan should personal information have been exposed include; threat isolation, forensic investigation, engaging legal counsel, PR communications and media outreach
Our Website includes a suitable Privacy Statement and we only collect cookies for visitor Analytics.
Subject Access Request
Adiuvo have a dedicated procedure for handling subject access requests and request refusals. Where a data subject exercises their Right of Access, we provide them with the following information
1. The purposes of the processing;
2. The categories of personal data concerned
3. The recipients or categories of recipients to whom the personal data has/will be disclosed.
4. Whether the personal data has/will be transferred to a third countries or international organisations.
5. Pursuant to the above, the right to be informed of the appropriate safeguards used.
6. The envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period.
7. The existence of the right to request rectification or erasure of personal data.
8. The existence of the right to restrict processing of personal data or to object to such processing.
9. The right to lodge a complaint with the Data Protection Commissioner.
10. Where the personal data was not collected directly from the data subject, information as to the source.
11. The existence of automated decision-making (including profiling) and details of the logic involved, as well as any significant/envisaged consequences of such processing.
12. Adiuvo will have to have a process in place for rectifying inaccurate personal data and/or completing incomplete personal data completed (including supplementary statements).
Right to Erasure
Our procedures also include the Right To Erasure; where a data subject exercises their Right to Erasure, we shall the request against the following list before complying:
1. The data subject withdraws consent on which the processing is based.
2. The personal data has been unlawfully processed.
3. The personal data has to be erased for compliance with a legal obligation.
4. The personal data has been collected in relation to the offer of information society services.
5. The data subject objects, on the grounds relating to their particular situation, to processing of concerning them which is based on points (e) or (f) of Article 6(1).
6. The data subject objects to the processing of pursuant to data being processed for direct marketing purposes.
Where the accuracy of the personal data is contested by the data subject, Adiuvo will restrict processing for a period to enable verification of the accuracy of the personal data and that where a data subject has obtained restriction of processing they are informed in writing before restriction is lifted. We shall also discard all data unless a good business or legal reason exists to maintain that data.
GDPR DPP v1.2 (22/5/18