The Board of Directors and management of Five Nines Digital Ltd. are committed to compliance with all relevant EU and Member State laws in respect of personal data, and to the protection of the "rights and freedoms" of individuals.
Five Nines Digital Ltd. collects and processes personal information in accordance with the General Data Protection Regulation (EU) 2016/679, which replaces the EU Data Protection Directive of 1995 and the UK Data Protection Act of 1998 and supersedes all previous laws and instructions.
Document links within this document are available only to Five Nines Digital Ltd. Staff and agreed third parties.
This policy applies to all data held or processed by Five Nines Digital Ltd. relating to customers, clients, employees, suppliers and partners, whether managed on premise or remotely via client connections.
This includes personal data the organisation processes from any source and holds in either electronic or paper format that has been classified as Confidential or Restricted (Five Nines Digital Ltd. Classification Policy), particularly Personally Identifiable Information held or processed by Five Nines Digital Ltd. on any of the following (but not limited to):
- External Media
- Hosting infrastructure
- Hard copy media
Partners and third parties working with or for Five Nines Digital Ltd. who have, or may have, access to personal data will be expected to have read, understood and to comply with this policy (see the section on Third Party / Suppliers).
The GDPR applies to all controllers and processors that are established in the EU (European Union). It will also apply to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.
In respect of Five Nines Digital Ltd., this applies to all offices in all jurisdictions.
Personal Information / PII
Personal Information or Personally Identifiable information is any information related to a natural person or 'Data Subject' that can be used to "directly or indirectly identify" a person. It can be anything from a name, a photo, an email address (personal or business), bank details, posts on social networking sites, medical information, or a computer IP address. See Annex B for more information related to PII.
Special Categories of Personal Data
Personal data revealing any of the following categories cannot be processed unless one of the conditions listed below is met:
- The racial or ethnic origin of the data subject;
- Religious beliefs or other philosophical beliefs of a similar nature;
- Trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- Physical or mental health or condition;
- Genetic or biometric data;
- Sexual orientation or data concerning a natural person's sex life.
There are also separate safeguards for alleged offences and criminal convictions.
Such data may be processed only where one of the following conditions applies:
- The data subject has given explicit consent;
- It is necessary to fulfil the obligations of the controller or of the data subject;
- It is necessary to protect the vital interests of the data subject;
- Processing is carried out by a foundation or not-for-profit organisation (only those in blue text);
- The personal data has manifestly been made public by the data subject (press leaks excluded);
- Establishment, exercise or defence of legal claims;
- Reasons of public interest in the area of public health (the NHS, for instance);
- Archiving purposes in the public interest (the Census);
- A Member State has varied the definition of a special category (if the UK excludes anything).
Data Subject
Any living individual who is the subject of personal data held by an organisation.
Data Controller / Controller / Co-Controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which the personal data are, or are to be processed.
Data Processor / Processor
A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.
(Five Nines Digital Ltd. is a data processor when collecting data on behalf of Clients, including SaaS and Support).
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach
A breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Third Party
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing System
Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Pseudonymisation
The technique of processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and be subject to technical and organisational measures to ensure non-attribution.
Compliance with the GDPR is described by this and the other relevant policies listed in Annex A and relates to all connected processes. Any breach of this Policy will be dealt with under Five Nines Digital Ltd.'s incident management process and must be reported to the Supervisory Authority where it involves Personal Information and presents a risk to the rights and freedoms of an individual. It may invoke the disciplinary policy and, if deemed a criminal offence, will be reported to the appropriate authorities.
4. Roles & Responsibilities
This Policy applies to all permanent, temporary or contract staff, third party suppliers or affiliates and visitors to Five Nines Digital Ltd. premises.
The GDPR Officer will be responsible for:
- Development and implementation of the GDPR as required by this policy;
- Security and risk management in relation to compliance with our Risk Assessment Process & Methodology Document;
- Ensuring that Five Nines Digital Ltd. complies with the GDPR;
- Being the first point of contact for Employees/Staff seeking clarification on any aspect of data protection compliance.
The GDPR Officer will also review the retention dates of all personal data processed by Five Nines Digital Ltd., by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose.
5. Consent
Five Nines Digital Ltd. understands 'consent' to mean that it has been explicitly and freely given: a specific, informed and unambiguous indication of the data subject's wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
Five Nines Digital Ltd. understands 'consent' to mean that the data subject has been fully informed of the intended processing and has signified their agreement.
Consent will not be inferred from non-response to a communication.
For sensitive data, explicit written consent must be obtained, unless an alternative legitimate basis for processing exists.
The GDPR permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
- To safeguard national security;
- Prevention or detection of crime, including the apprehension or prosecution of offenders;
- Assessment or collection of tax or duty;
- Discharge of regulatory functions (including the health, safety and welfare of persons at work);
- To prevent serious harm to a third party, and to protect the vital interests of the individual (this refers to life and death situations).
6. The Principles
Data shall be:

| No. | Principle | Notes |
|---|---|---|
| 1 | Processed lawfully, fairly and in a transparent manner | |
| 2 | Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes | Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes |
| 3 | Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed | |
| 4 | Accurate and, where necessary, kept up to date | Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay |
| 5 | Not kept for longer than is necessary for the purpose or purposes for which it was originally collected | Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures. Data must be deleted in line with our Records Management Policy / Schedule. Where data retention exceeds the retention periods defined in our Records Management Policy / Schedule, the justification must be subject to written approval from our GDPR Officer, clearly identified and in line with the requirements of legislation |
| 6 | Processed in a manner that ensures appropriate security of the personal data | Including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures incorporating "Privacy by Design / Privacy by Default" in line with our Secure Development Policy |
7. Technical Measures
These can include, but are not limited to:
- Password protection
- Acceptable Use
- Automatic locking of idle terminals
- Virus checking software and firewalls
- Role-based access rights
- Encryption of devices
- Security of local and wide area networks
- Privacy enhancing technologies such as pseudonymisation and anonymisation
- Identifying appropriate international security standards relevant to Five Nines Digital Ltd.
- All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Five Nines Digital Ltd. Control Policy
- Applying appropriate training levels: all Employees/Staff will be provided with training to ensure that they understand Five Nines Digital Ltd.'s policy and the procedures it has put into place to implement that policy. This will take place within 1 week of joining and annually thereafter
- Ensuring an awareness programme is in place
- Measures that consider the reliability of employees
- The inclusion of data protection in employment contracts;
- Identification of disciplinary action measures for data breaches;
- Monitoring of staff for compliance with relevant security standards;
- Physical access controls to electronic and paper records;
- Adoption of a clear desk policy;
- Storing of paper based data in lockable fire-proof cabinets;
- Implementing a BYOD and Mobile Policy for portable devices
- Restricting the use of employees' own personal devices in the workplace using an MDM solution
- Making regular, secure backups of personal data and storing the media off site;
- The imposition of contractual obligations on importing organisations to take appropriate security measures when transferring data outside the EEA
8. The Rights of The Individual
Five Nines Digital Ltd. ensures that data subjects may exercise the following rights as per our Data Subject Rights Request Process.

| Right | Timescale and cost | Scope / notes |
|---|---|---|
| The Right to be Informed | In the form of a privacy notice at the time the data is collected, or within 30 days if not collected directly | In the form of a Privacy Notice |
| The Right of Access | Response without undue delay, provided within one month at no cost | Information about how data is being processed; access to that data in a commonly used electronic format if requested; any other supplementary information (as per the privacy notice) |
| The Right to Rectification | Response without undue delay, provided within one month at no cost | |
| The Right to Erasure / Right to be Forgotten | Response without undue delay; no specific timeline is mandated for completion; no cost | Where the personal data is no longer necessary in relation to the purposes for which it was originally collected / processed; when the individual withdraws consent; when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing; the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR); the personal data must be erased in order to comply with a legal obligation |
| The Right to Restrict Processing | | |
| The Right to Data Portability | Response without undue delay, provided within one month at no cost | The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It must be provided in a structured, commonly used and machine-readable form. Open formats include CSV files (this does not include PDF files). Note: if the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual |
| The Right to Object | | |
| Rights in relation to automated decision making and profiling | | This is automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict, where it has a legal or similarly significant effect on the individual. In this case it is necessary to obtain human intervention, permit the data subject to express their point of view, and obtain an explanation of the decision and challenge it |
Privacy notices must be issued at the time of data collection, or within 30 days if data is not obtained directly from the data subject, and must include:
- The identity and contact details of the controller and where applicable, the controller's representative and the data protection officer (Information Security Manager)
- Purpose of the processing and the legal basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data (where not obtained directly from the data subject)
- Who the data was obtained from (where not obtained directly from the data subject)
- Any recipient or categories of recipients of the personal data and safeguards
- Details of transfers to third country and safeguards
- Retention period or criteria used to determine the retention period
- Description of technical and organisational security measures
- The Rights
- The Principles
- How to complain to the company and supervisory authority
- How to withdraw consent
9. Data Inventory
Five Nines Digital Ltd. has established a data inventory and data flow process as part of its approach to addressing risks and opportunities throughout its GDPR compliance project. Five Nines Digital Ltd.'s data inventory and flow determines:
- Business processes that use personal data;
- Source of personal data;
- Volume of data subjects;
- Description of each item of personal data;
- Processing activity;
- The inventory of categories of personal data processed;
- The documented purpose(s) for which each category of personal data is used;
- Recipients, and potential recipients, of the personal data;
- The role of Five Nines Digital Ltd. throughout the data flow;
- Key systems and repositories;
- Any data transfers; and
- All retention and disposal requirements.
10. Breach Reporting
All employees/staff, contractors or temporary personnel are responsible for reporting any and all personal data breaches (including those that appear to be insignificant) to the Information Security Manager in line with our Incident Management Policy & Process and using the Incident Report.
- A Processor must report a breach to the Controller without undue delay and no later than 72 hours after becoming aware of it
- The Controller must report it to the supervisory authority no later than 72 hours after having become aware of it (where the breach is likely to adversely affect the personal data or privacy of the data subject).
11. Third Party / Suppliers
Five Nines Digital Ltd. must ensure that personal data is not disclosed to unauthorised third parties. All employees/staff should exercise caution when asked to disclose personal data held on another individual to a third party and if unsure, should refer to the Information Security Manager.
Partners and any third parties working with or for Five Nines Digital Ltd. and who have access to personal data will be expected to have read, understood and to comply with this policy.
No third party may access personal data held by Five Nines Digital Ltd. without having first entered into a data confidentiality agreement, in line with our Supplier Relationships document, which imposes on the third party obligations no less onerous than those to which Five Nines Digital Ltd. is committed, and which gives Five Nines Digital Ltd. the right to audit compliance with the agreement.
Data cannot be shared with any third parties or change of third parties without disclosure to the Data Subject.
Data cannot be shared with any third parties or change of third parties without prior intention communicated to the Data Controller where applicable.
12. Retention and Disposal
Five Nines Digital Ltd. shall not keep personal data in a form that permits identification of data subjects for longer than is necessary in relation to the purpose(s) for which the data was originally collected.
Five Nines Digital Ltd.'s data retention and data disposal procedures in line with our Records Management Policy/Schedule will apply in all classes.
All data received or databases created, processed, stored or received for clients must be recorded on the data register (data recording process).
Personal data must be disposed of securely and must be done in accordance with the secure disposal procedure included in our Information Classification Policy.
13. International Data Transfers
All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as 'third countries') are unlawful unless there is an appropriate "level of protection for the fundamental rights of the data subjects".
The EEA countries are currently the EU countries plus Iceland, Liechtenstein and Norway:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, & United Kingdom.
Countries with an adequacy decision:
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
If there is a requirement to transfer or store personal data from the EU to an organisation in the United States, the receiving organisation must be signed up to the Privacy Shield framework at the U.S. Department of Commerce. A statement of adherence to the framework is not sufficient - they must be registered.
Binding corporate rules & Model Contract Clauses
Five Nines Digital Ltd. may adopt approved binding corporate rules or pre-approved model contract clauses for the transfer of data outside the EU with other organisations. This requires submission to the relevant supervisory authority (Information Commissioner's Office) for approval of the rules that Five Nines Digital Ltd. is seeking to rely upon.
(refer to International Transfers Document for detailed information).
In the absence of any of the above, transfers can still be made under the following conditions:
- The data subject has explicitly consented to the proposed transfer (but must be informed of any possible risks before making that decision)
- The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
- The transfer is necessary for important reasons of public interest
- The transfer is necessary for the establishment, exercise or defence of legal claims; and/or
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
None of these exceptions will negate the Right to be informed.
15. Annex A - Referenced Policies & Documents
- Information Classification Policy
- Information Security Policy
- Risk Assessment Process & Methodology
- Incident Management Policy & Process
- Secure Development Policy
- GDPR_Form_Data Subject Rights Request Process
- GDPR_Form_Subject Access Request (SAR)
- GDPR_Form_Data Subject Rights Request
16. Annex B - PII
Note: this is not a definitive list. It is for guidance.

| Category of Information | Comments |
|---|---|
| A letter written in a person's official capacity | |
| Business Telephone Number | Direct Line |
| Bio-metric Data - retina, face, fingerprints, handwriting | Sensitive Personal |
| Car VIN Number or number plate (where registered to an individual) | |
| Credit Cards / Bank Cards / Store Cards | |
| Credit Score / Record | |
| Criminal Record | Carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects |
| Date of Birth | |
| Details about a person's land ownership or disputes to do with their land | |
| Driver's License Number | |
| Education and employment history | |
| Email address (personal and business) | |
| Ethnicity / Race | |
| Genetic Information | Sensitive Personal |
| History / background | |
| IP Address | Not PII by itself in the USA |
| Job Position / title (with Company) | |
| Medical / Health Information | |
| Mother's maiden name | |
| National ID numbers / Social security number | |
| Next of Kin information | |
| Opinions given as part of a person's employment | |
| Photographic Passes (train / business) | |
| Place of birth | When used in conjunction with other information |
| Political and religious leanings and affiliation | Sensitive Personal |
| Session Information and tokens, e.g. JSESSIONID | |
| Sexual Orientation | Sensitive Personal |
| Mobile Phone number or house phone | |
| Trade Union Membership | Sensitive Personal |
| Usernames / Screen names / aliases | |
| Vehicle Registration Plate Number (where vehicle registered to individual) | |
| Views on controversial issues / Philosophical beliefs | Sensitive Personal |
| What are you doing when / status (Social Network Sites) | |
| Where the information is so unique that it cannot relate to anyone else | |
17. Document Owner and Approval
Our Co-Founder is the owner of this document and is responsible for ensuring that this policy document is reviewed annually as a minimum.
A current version of this document is available to all members of our staff on our Platform.
This policy was approved by our Co-Founder and is issued on a version-controlled basis under his signature.
Change History Record

| Issue | Description of Change | Approval | Date of Issue |
|---|---|---|---|
This Document is the property of Five Nines Digital Ltd. Classification - Public