The Board of Directors and management of Five Nines Digital Ltd. are committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the "rights and freedoms" of individuals.
Five Nines Digital Ltd. collects and processes personal information in accordance with the General Data Protection Regulation (EU) 2016/679, which replaces the current EU Data Protection Directive of 1995 and UK Data Protection Act of 1998 and supersedes all previous laws and instructions.
Document links within this document are available only to Five Nines Digital Ltd. staff and agreed third parties.
This policy applies to all data held or processed by Five Nines Digital Ltd. for customers, clients, employees, suppliers and partners, whether managed on premise or remotely via client connections.
This includes personal data that the organisation processes from any source and that is held by the company in either electronic or paper format and has been classified as Confidential or Restricted (Five Nines Digital Ltd. Classification Policy), particularly Personally Identifiable Information held or processed by Five Nines Digital Ltd. on any of the following (but not limited to):
Partners and third parties working with, or for Five Nines Digital Ltd. and who have, or may have access to personal data, will be expected to have read, understood and to comply with this policy (see section on Third Party / Suppliers).
The GDPR applies to all controllers and processors that are established in the EU (European Union). It will also apply to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.
In respect of Five Nines Digital Ltd., this applies to all offices in all jurisdictions.
Personal Information / PII
Personal Information or Personally Identifiable Information is any information related to a natural person or 'Data Subject' that can be used to "directly or indirectly identify" a person. It can be anything from a name, a photo, an email address (personal or business), bank details, posts on social networking sites, medical information, or a computer IP address. See Annex B for more information related to PII.
Special Categories of Personal Data
Personal data revealing any of the following categories cannot be processed unless the conditions listed below are met;
Any living individual who is the subject of personal data held by an organisation.
Data Controller / Controller / Co-Controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which the personal data are, or are to be processed.
Data Processor / Processor
A natural or legal person, public authority, agency or other body, who processes personal data on behalf of the controller.
(Five Nines Digital Ltd. is a data processor when collecting data on behalf of Clients, including SaaS and Support).
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach
A breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Any structured set of personal data, which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
The technique of processing personal data in such a way that it can no longer be attributed to a specific "data subject" without the use of additional information, which must be kept separately and be subject to technical and organisational measures to ensure non-attribution.
Compliance with the GDPR is described by this and other relevant policies listed in Annex A and relates to all connected processes. Any breach of this Policy will be dealt with under Five Nines Digital Ltd.'s incident management process and must be reported to the Supervising Authority (where it involves Personal Information and presents a risk to the rights and freedoms of an individual). It may invoke the disciplinary policy and, if deemed a criminal offence, will be reported to the appropriate authorities.
This Policy applies to all permanent, temporary or contract staff, third party suppliers or affiliates and visitors to Five Nines Digital Ltd. premises.
The GDPR Officer will be responsible for;
The GDPR Officer will also review the retention dates of all personal data processed by Five Nines Digital Ltd., by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose.
Five Nines Digital Ltd. understands 'consent' to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the data subject's wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
Five Nines Digital Ltd. understands 'consent' to mean that the data subject has been fully informed of the intended processing and has signified their agreement.
Consent will not be inferred from non-response to a communication.
For sensitive data, explicit written consent must be obtained, unless an alternative legitimate basis for processing exists.
The GDPR permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
Can include but are not limited to;
Applying appropriate training levels through Five Nines Digital Ltd. - All Employees/Staff will be provided with training to ensure that they understand Five Nines Digital Ltd.'s policy and the procedures it has put into place to implement that policy. This will take place within 1 week of joining and annually thereafter.
Five Nines Digital Ltd. ensures that data subjects may exercise the following rights as per our Data Subject Rights Request Process
When it has a legal or similarly significant effect on the individual. In this case, it is necessary to obtain human intervention, permit the data subject to express their point of view; and obtain an explanation of the decision and challenge it.
Privacy notices must be issued at the time of data collection or within 30 days if data is not obtained directly from the data subject.
Five Nines Digital Ltd. has established a data inventory and data flow process as part of its approach to address risks and opportunities throughout its GDPR compliance project. Five Nines Digital Ltd.'s data inventory flow determines;
All employees/staff, contractors or temporary personnel are responsible for reporting any and all personal data breaches (including those that appear to be insignificant) to the Information Security Manager in line with our Incident Management Policy & Process and using the Incident Report.
Five Nines Digital Ltd. must ensure that personal data is not disclosed to unauthorised third parties. All employees/staff should exercise caution when asked to disclose personal data held on another individual to a third party and if unsure, should refer to the Information Security Manager.
Partners and any third parties working with or for Five Nines Digital Ltd. and who have access to personal data will be expected to have read, understood and to comply with this policy.
No third party may access personal data held by Five Nines Digital Ltd. without having first entered into a data confidentiality agreement in line with our Supplier Relationships document, which imposes on the third party obligations no less onerous than those to which Five Nines Digital Ltd. is committed, and which gives Five Nines Digital Ltd. the right to audit compliance with the agreement.
Data cannot be shared with any third parties or change of third parties without disclosure to the Data Subject.
Data cannot be shared with any third parties or change of third parties without prior intention communicated to the Data Controller where applicable.
Five Nines Digital Ltd. shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purpose(s) for which the data was originally collected.
Five Nines Digital Ltd.'s data retention and data disposal procedures in line with our Records Management Policy/Schedule will apply in all classes.
All data received or databases created, processed, stored or received for clients must be recorded on the data register (data recording process).
Personal data must be disposed of securely and must be done in accordance with the secure disposal procedure included in our Information Classification Policy.
All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as 'third countries') are unlawful unless there is an appropriate "level of protection for the fundamental rights of the data subjects".
The EEA countries are currently the EU countries plus Iceland, Liechtenstein and Norway:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, & United Kingdom.
Agreed Countries with adequacy decision
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
If there is a requirement to transfer or store personal data from the EU to an organisation in the United States, the receiving organisation must be signed up to the Privacy Shield framework at the U.S. Department of Commerce. A statement of adherence to the framework is not sufficient - they must be registered.
Binding corporate rules & Model Contract Clauses
Five Nines Digital Ltd. may adopt approved binding corporate rules or pre-approved model contract clauses for the transfer of data outside the EU with other organisations. This requires submission to the relevant supervisory authority (Information Commissioner's Office) for approval of the rules that Five Nines Digital Ltd. is seeking to rely upon.
(refer to International Transfers Document for detailed information).
In the absence of any of the above, transfers can still be made under the following conditions;
None of these exceptions will negate the Right to be informed.
Information Classification Policy
Information Security Policy
Risk assessment process & methodology
Incident Management Policy & Process
Secure Development Policy
GDPR_Form_Data Subject Rights Request Process
GDPR_Form_Subject Access Request (SAR)
GDPR_Form_Data Subject Rights Request
Note: this is not a definitive list. It is for guidance.
Our Co-Founder is the owner of this document and is responsible for ensuring that this policy document is reviewed annually as a minimum.
A current version of this document is available to all members of our staff on our Platform.
This policy was approved by our Co-Founder and is issued on a version-controlled basis under his signature.
This Document is the property of Five Nines Digital Ltd.
Classification - Public