It is a legal requirement that the Company processes data correctly; the Company must collect, handle and store personal information in accordance with the relevant legislation.
The relevant legislation in relation to the processing of data is:
- the General Data Protection Regulation (EU) 2016/679 (“the GDPR”)
- Data Protection Act 2018 (GDPR)
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
- any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union
3. Collection Sources of Personal Data
When you interact online or offline with OPEX Group, we may receive your Information, including your Personal Data.
For example, we receive your Information when you:
- Visit our website and/or social media platforms
- Visit our office
- Download materials through our website
- Request a Contact Us form through our website
- Sign up to our Newsletter
- Register for or attend OPEX Group events (such as user forum groups and webcasts)
- Communicate with us, including by email, phone and text
- Provide testimonials
- Contract with OPEX for its solutions and/or services
- Use our online solutions such as OPTIX
- Submit feedback or support requests
4. What Personal Data do we collect?
The Personal Data we collect includes such things as:
- Email address
- Title / position
- Phone number
- Work location
- Photographs (for example, when visiting our offices or attending an event)
4.1 Consent as a ground for processing will from time to time need to be relied on by the Company when processing Personal Data. It should be used by the Company only where no other ground for processing is available. Where the Company needs to obtain consent to process a data subject’s Personal Data, it shall obtain that consent in writing. The consent provided by the data subject must be freely given, and the data subject will be asked to sign a relevant consent form if willing to consent. Any consent obtained by the Company must be for a specific and defined purpose (i.e. general consent cannot be sought).
5. Processing of Personal Data
OPEX uses the Information it collects to fulfil our legal obligations, or to conduct necessary business activities, for any of the following reasons:
- To enable us to supply you with the information you have requested
- Where we have your consent to do so (if required), to provide you with our newsletter, new solution announcements and/or case studies. In accordance with applicable law, we give you the choice to opt out of receiving these communications.
- To undertake and perform our obligations and duties to you in accordance with the terms of our contract with you
- To provide you with online access to our solutions portals (e.g. OPTIX)
- To respond to feedback you provide and/or support requests
- For all other purposes consistent with the proper performance of our operations and business
- To comply with any applicable law, regulation, legal process or governmental request, or to protect our legal rights or those of others.
Prior to us processing your Personal Data for any purpose other than that set out above, we will provide you with information about such processing, and obtain your consent.
6. Solutions Data
We collect and process different types of product data (described below) when you deploy our Solutions in order to fulfil our legal obligations to you and operate our business.
We work hard to help ensure a balance between our legitimate interests and your privacy rights.
Licence Usage Data is Information that allows us to identify your account entitlements, such as license consumption, capacity, or type in our systems through an assigned user ID. We use this information to validate accounts and automate license verification.
Usage Data is Information about your operating environment, user/product interactions and sessions. This includes information such as your network and systems architecture, OS and product versions, page loads and views, searches by number and type, errors, number of active and licensed users, source types and formats (e.g. JSON, XML and CSV), web browser, HTTP referrer page and app workflows.
We use Usage Data to fulfil our legal obligations in providing the solutions to you and to fulfil our legitimate interest in supporting and enhancing them. For example, we may use this data to:
- Troubleshoot issues, provide support, and update our Solutions
- Provide guidance to help you optimize your usage of our Solutions
- Better understand how our users configure our Solutions
- Determine which configurations or practices optimize performance (e.g., best practices)
- Benchmark key performance indicators (“KPIs”)
- Recommend enhancements
- Perform data analysis and audits
- Identify, understand, and anticipate performance issues and the factors that affect them
- Identify product security issues that may affect you
- Improve and develop new features and functionality
- Monitor the health, performance, and security of our Solutions
We hash or otherwise pseudonymize identifiable information connected to user activity for data analytics purposes.
7. Data Sharing
The Company shares its data with various third parties for numerous reasons so that its day-to-day activities are carried out in accordance with the Company’s relevant policies and procedures. So that the Company can monitor compliance by these third parties with Data Protection laws, the Company will require third-party organisations to enter into an Agreement with the Company governing the processing of data, the security measures to be implemented and responsibility for breaches.
7.1 Data Sharing
- Personal data is from time to time shared between the Company and third parties who need to process personal data that the Company also processes. Both the Company and the third party will be processing that data in their individual capacities as data controllers.
- Where the Company shares in the processing of personal data with a third-party organisation (e.g. for processing of the employees’ pension), it shall require the third-party organisation to enter into a Data Sharing Agreement with the Company in accordance with the terms of the model Data Sharing Agreement.
7.2 Data Processors
A data processor is a third-party entity that processes personal data on behalf of the Company; data processors are frequently engaged where some of the Company’s work is outsourced (e.g. payroll, maintenance and repair works).
- A data processor must comply with Data Protection laws. The Company’s data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify the Company if a data breach is suffered.
- If a data processor wishes to sub-contract its processing, the prior written consent of the Company must be obtained. Upon sub-contracting of processing, the data processor will be liable in full for the data protection breaches of its sub-contractors.
- Where the Company contracts with a third party to process personal data held by the Company, it shall require the third party to enter into a Data Protection Addendum with the Company in accordance with the terms of the model Data Protection Addendum set out in Appendix 4 to this Policy.
8. Data Storage and Security
All Personal Data held by the Company must be stored securely, whether electronically or in paper format.
8.1 Paper Storage
If Personal Data is stored on paper, it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no Personal Data is left where unauthorised personnel can access it. When the Personal Data is no longer required, it must be disposed of by the employee so as to ensure its destruction. If the Personal Data needs to be retained on a physical file, the employee should ensure that it is affixed to the file, which is then stored in accordance with the Company’s storage provisions.
8.2 Electronic Storage
Personal Data stored electronically must also be protected from unauthorised use and access. Personal Data should be password protected when being sent internally or externally to the Company’s data processors or to those with whom the Company has entered into a Data Sharing Agreement. If Personal Data is stored on removable media (CD, DVD, USB memory stick), that removable media must be stored securely at all times when not in use. Personal Data should not be saved directly to mobile devices and should instead be stored on designated drives and servers.
A data breach can occur at any point when handling Personal Data and the Company has reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach require to be reported externally in accordance with Clause 7.3 hereof.
9.1 Internal Reporting
The Company takes the security of data very seriously and in the unlikely event of a breach will take the following steps:
- As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the DPO must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);
- The Company must seek to contain the breach by whatever means available;
- The DPO must consider whether the breach is one which requires to be reported to the ICO and data subjects affected and do so in accordance with this clause 7;
- Notify third parties in accordance with the terms of any applicable Data Sharing Agreements
9.2 Reporting to the ICO
The DPO must report any breach which poses a risk to the rights and freedoms of the data subjects who are subject of the breach to the Information Commissioner’s Office (“ICO”) within 72 hours of the breach occurring. The DPO must also consider whether it is appropriate to notify those data subjects affected by the breach.
10. Data Protection Officer
A Data Protection Officer is an individual who has overarching responsibility for, and oversight of, compliance by the Company with Data Protection laws.
The DPO will be responsible for:
- monitoring the Company’s compliance with Data Protection laws and this Policy;
- co-operating with, and serving as the Company’s contact for discussions with, the ICO;
- reporting breaches or suspected breaches to the ICO and data subjects in accordance with Part 7 hereof.
11. Data Subject Rights
- Certain rights are provided to data subjects under the GDPR. Data Subjects are entitled to view the personal data held about them by the Company, whether in written or electronic form.
- Data subjects have a right to request a restriction of processing of their data, a right to be forgotten and a right to object to the Company’s processing of their data. These rights are notified to the Company’s tenants and other customers in the Company’s Fair Processing Notice.
11.1 Subject Access Requests
Data Subjects are permitted to view their data held by the Company upon making a request to do so (a Subject Access Request). Upon receipt of a request by a data subject, the Company must respond to the Subject Access Request within one month of the date of receipt of the request. The Company:
- must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law.
- where the personal data comprises data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the Subject Access Request, or
- where the Company does not hold the personal data sought by the data subject, must confirm that it does not hold any personal data sought to the data subject as soon as practicably possible, and in any event, not later than one month from the date on which the request was made.
11.2 The Right to be Forgotten
- A data subject can exercise their right to be forgotten by submitting a request in writing to the Company seeking that the Company erase the data subject’s Personal Data in its entirety.
- Each request received by the Company must be considered on its own merits, and legal advice must be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.4 and will respond in writing to the request.
11.3 The Right to Restrict or Object to Processing
- A data subject may request that the Company restrict its processing of the data subject’s Personal Data, or object to the processing of that data.
- In the event that any direct marketing is undertaken from time to time by the Company, a data subject has an absolute right to object to processing of this nature by the Company, and if the Company receives a written request to cease processing for this purpose, then it must do so immediately.
- Each request received by the Company must be considered on its own merits, and legal advice must be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.
12. Privacy Impact Assessments ("PIAs")
These are a means of assisting the Company in identifying and reducing the risks that our operations pose to the personal privacy of data subjects.
The Company shall:
- Carry out a PIA before undertaking a project or processing activity which poses a “high risk” to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing Personal Data; and
- In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that it will take to reduce those risks, and details of any security measures that need to be taken to protect the personal data; and
- Consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The Data Protection Officer (“DPO”) will be responsible for such reporting, and where a high level of risk is identified by those carrying out the PIA, they must notify the DPO within five (5) working days.
13. Archiving, Retention and Destruction of Data
The Company cannot store and retain Personal Data indefinitely. It must ensure that Personal Data is only retained for the period necessary. The Company shall ensure that all Personal Data is archived and destroyed in accordance with the specified retention periods.
14. List of Related Documents
- OPEX 003 Fair Processing Notice
- OPEX 004 Cookies Policy
- OPEX 006 Subject Access Request
- OPEX 007 Data retention Periods
If you would like to review any of our related documents, please contact Sarah Christie, Chief Financial Officer, at firstname.lastname@example.org.