The Board of Directors and management of Five Nines Digital Ltd. are committed to compliance with all relevant EU and Member State laws in respect of personal data, and to the protection of the "rights and freedoms" of individuals.
Five Nines Digital Ltd. collects and processes personal information in accordance with the General Data Protection Regulation (EU) 2016/679, which replaces the current EU Data Protection Directive of 1995 and the UK Data Protection Act of 1998 and supersedes all previous laws and instructions.
Document links within this document are available only to Five Nines Digital Ltd. Staff and agreed third parties.
Data
This policy applies to all Data held or processed by Five Nines Digital Ltd. for customers, clients, employees, suppliers and partners, whether managed on premise or remotely via client connections.
This includes personal data that the organisation processes from any source and holds in either electronic or paper format that has been classified as Confidential or Restricted (Five Nines Digital Ltd. Classification Policy), particularly Personally Identifiable Information held or processed by Five Nines Digital Ltd. on any of the following (but not limited to):
Third Parties
Partners and third parties working with or for Five Nines Digital Ltd., and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy (see section on Third Party / Suppliers).
Geographical Jurisdiction
The GDPR applies to all controllers and processors that are established in the EU (European Union). It will also apply to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.
In respect of Five Nines Digital Ltd., this applies to all offices in all jurisdictions.
Personal Information / PII
Personal Information or Personally Identifiable Information is any information related to a natural person or 'Data Subject' that can be used to "directly or indirectly identify" a person. It can be anything from a name, a photo, an email address (personal or business), bank details, posts on social networking sites, medical information, or a computer IP address. See Annex B for more information related to PII.
Special Categories of Personal Data
Personal data revealing any of the following categories cannot be processed unless the conditions listed below are met:
Data Subject
Any living individual who is the subject of personal data held by an organisation.
Data Controller / Controller / Co-Controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, the personal data are, or are to be, processed.
Data Processor / Processor
A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.
(Five Nines Digital Ltd. is a data processor when collecting data on behalf of Clients, including SaaS and Support).
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach
A breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Third Party
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing System
Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Pseudonymisation
The technique of processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and be subject to technical and organisational measures to ensure non-attribution.
Policy
Compliance with the GDPR is described by this and the other relevant policies listed in Annex A and relates to all connected processes. Any breach of this Policy will be dealt with under Five Nines Digital Ltd.'s incident management process and must be reported to the Supervisory Authority (where it involves Personal Information and presents a risk to the rights and freedoms of an individual). It may invoke the disciplinary policy and, if deemed a criminal offence, will be reported to the appropriate authorities.
People
This Policy applies to all permanent, temporary or contract staff, third party suppliers or affiliates and visitors to Five Nines Digital Ltd. premises.
The GDPR Officer will be responsible for:
The GDPR Officer will also review the retention dates of all personal data processed by Five Nines Digital Ltd., by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose.
Five Nines Digital Ltd. understands 'consent' to mean that it has been explicitly and freely given, and is a specific, informed and unambiguous indication of the data subject's wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
Five Nines Digital Ltd. understands 'consent' to mean that the data subject has been fully informed of the intended processing and has signified their agreement.
Consent will not be inferred from non-response to a communication.
For sensitive data, explicit written consent must be obtained, unless an alternative legitimate basis for processing exists.
The GDPR permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
# | Data shall be: | Conditions / notes |
---|---|---|
1 | Processed lawfully, fairly and in a transparent manner | |
2 | Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes | Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes |
3 | Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed | |
4 | Accurate and, where necessary, kept up to date | Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay |
5 | Not kept for longer than is necessary for the purpose or purposes for which they were originally collected | Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures. Data must be deleted in line with our Records Management Policy / Schedule. Where data retention exceeds the retention periods defined in our Records Management Policy / Schedule, the justification must be clearly identified, subject to written approval from our GDPR Officer and in line with legislative requirements. |
6 | Processed in a manner that ensures appropriate security of the personal data | Including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures incorporating "Privacy by Design / Privacy by Default" in line with our Secure Development Policy |
These measures can include, but are not limited to:
Non-Technical Measures
Applying appropriate training levels through Five Nines Digital Ltd. - All Employees/Staff will be provided with training to ensure that they understand Five Nines Digital Ltd.'s policy and the procedures it has put into place to implement that policy. This will take place within 1 week of joining and annually thereafter.
Five Nines Digital Ltd. ensures that data subjects may exercise the following rights, as per our Data Subject Rights Request Process:
The Right | Details |
---|---|
The Right to be Informed (in the form of a privacy notice at the time the data is collected, or within 30 days if not collected directly) | In the form of a Privacy Notice |
The Right of Access (response without undue delay, but provided within one month at no cost) | Information about how data is being processed; access to that data in a commonly used electronic format if requested; any other supplementary information (as per privacy notice) |
The Right to Rectification (response without undue delay, but provided within one month at no cost) | |
The Right to Erasure / Right to be Forgotten (response without undue delay, but no specific timeline is mandated for completion; again at no cost) | Where the personal data is no longer necessary in relation to the purposes for which it was originally collected / processed; when the individual withdraws consent; when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing; the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR); the personal data must be erased in order to comply with a legal obligation |
Right to Restrict Processing | |
The Right to Data Portability (response without undue delay, but provided within one month at no cost) | The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It must be provided in a structured, commonly used and machine-readable form. Open formats include CSV files (this does not include PDF files). Note: if the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual |
The Right to Object | |
Rights in relation to automated decision making and profiling | This is automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict. When it has a legal or similarly significant effect on the individual, it is necessary to obtain human intervention, permit the data subject to express their point of view, and obtain an explanation of the decision and challenge it. |
Privacy Notice
Privacy notices must be issued at the time of Data collection or within 30 days if data is not obtained directly from the data subject.
Five Nines Digital Ltd. has established a data inventory and data flow process as part of its approach to addressing risks and opportunities throughout its GDPR compliance project. Five Nines Digital Ltd.'s data inventory flow determines:
All employees/staff, contractors or temporary personnel are responsible for reporting any and all personal data breaches (including those that appear to be insignificant) to the Information Security Manager in line with our Incident Management Policy & Process and using the Incident Report.
Five Nines Digital Ltd. must ensure that personal data is not disclosed to unauthorised third parties. All employees/staff should exercise caution when asked to disclose personal data held on another individual to a third party and if unsure, should refer to the Information Security Manager.
Partners and any third parties working with or for Five Nines Digital Ltd. and who have access to personal data will be expected to have read, understood and to comply with this policy.
No third party may access personal data held by Five Nines Digital Ltd. without having first entered into a data confidentiality agreement in line with our Supplier Relationships document, which imposes on the third party obligations no less onerous than those to which Five Nines Digital Ltd. is committed, and which gives Five Nines Digital Ltd. the right to audit compliance with the agreement.
Data cannot be shared with any third parties, nor can the third parties involved be changed, without disclosure to the Data Subject.
Data cannot be shared with any third parties, nor can the third parties involved be changed, without the intention first being communicated to the Data Controller where applicable.
Five Nines Digital Ltd. shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.
Five Nines Digital Ltd.'s data retention and data disposal procedures in line with our Records Management Policy/Schedule will apply in all classes.
All data received or databases created, processed, stored or received for clients must be recorded on the data register (data recording process).
Personal data must be disposed of securely and must be done in accordance with the secure disposal procedure included in our Information Classification Policy.
All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as 'third countries') are unlawful unless there is an appropriate "level of protection for the fundamental rights of the data subjects".
The EEA countries are currently the EU countries plus Iceland, Liechtenstein and Norway:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, & United Kingdom.
Agreed Countries with adequacy decision
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
Privacy Shield
If there is a requirement to transfer or store personal data from the EU to an organisation in the United States, the receiving organisation must be signed up to the Privacy Shield framework at the U.S. Department of Commerce. A statement of adherence to the framework is not sufficient - they must be registered.
Binding corporate rules & Model Contract Clauses
Five Nines Digital Ltd. may adopt approved binding corporate rules or pre-approved model contract clauses for the transfer of data outside the EU with other organisations. This requires submission to the relevant supervisory authority (Information Commissioner's Office) for approval of the rules that Five Nines Digital Ltd. is seeking to rely upon.
(Refer to the International Transfers document for detailed information.)
In the absence of any of the above, transfers can still be made under the following conditions:
None of these exceptions will negate the Right to be informed.
Information Classification Policy
Information Security Policy
Risk assessment process & methodology
Records Management
Incident Management Policy & Process
Incident Report
Secure Development Policy
Control Policy
GDPR_Form_Data Subject Rights Request Process
GDPR_Form_Subject Access Request (SAR)
GDPR_Form_Data Subject Rights Request
GDPR_Form_Complaint
Note: this is not a definitive list. It is for guidance.
Category of Information | Comments |
---|---|
A letter written in a person's official capacity | |
Bank Details | |
Business Cards | |
Business Telephone Number | Direct Line |
Bio-metric Data - Retina, face, fingertips, handwriting | Sensitive Personal |
Car VIN Number or number plate (where registered to an individual) | |
Cookies | |
Credit Cards / Bank Cards / Store Cards | |
Credit Score / Record | |
Criminal Record | carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects |
Date of Birth | |
Details about a person's land ownership or disputes to do with their land | |
Digital Identity | |
Disability Information | |
Driver's License Number | |
Education and employment history | |
Email address (personal and business) | |
Ethnicity / Race | |
Events attended | |
Fingerprints | |
Full Name | |
Gender | |
Genetic Information | Sensitive Personal |
History / background | |
Home address | |
Insurance Details | |
IP Address | (not PII by itself in USA) |
Job Position / title (with Company) | |
Location information | |
MAC address | |
Maiden Name | |
Medical / Health Information | |
Mother's maiden name | |
National ID numbers / Social security number | |
Next of Kin information | |
NI Numbers | |
Opinions given as part of a person's employment | |
Organisation Memberships | |
Patient ID | |
Passport Number | |
Passwords | |
Photographic Passes (train / business) | |
Photos | |
Place of birth | When used in conjunction with other information |
Political and religious leanings and affiliation | Sensitive Personal |
Salary | |
Security Tokens | |
Session Information and tokens e.g. JSESSIONID | |
Sexual Orientation | Sensitive Personal |
Status | |
Mobile Phone number or house phone | |
Trade Union Membership | Sensitive Personal |
Usernames / Screen names / aliases | |
Vehicle Registration Plate Number (where vehicle registered to individual) | |
Video Recording | |
Views on controversial issues / Philosophical beliefs | Sensitive Personal |
Visas | |
What are you doing when / status (Social Network Sites) | |
Where the information is so unique that it cannot be anyone else | |
Our Co-Founder is the owner of this document and is responsible for ensuring that this policy document is reviewed annually as a minimum.
A current version of this document is available to all members of our staff on our Platform.
This policy was approved by our Co-Founder and is issued on a version-controlled basis under his signature.
Issue | Description of Change | Approval | Date of Issue |
---|---|---|---|
1.0 | Initial Issue | Co-Founder | 06/04/2020 |
This Document is the property of Five Nines Digital Ltd. Classification - Public