LAST UPDATED: May 3rd, 2018

SCOPE

The general data protection regulations (GDPR) apply if the organization who controls the data or organization who processes the data is based in the European Union. For organizations which are not based on the European Union, the regulations apply for any personal data relating to European Union residents.

 

POLICY

1. What kind of data is subject to the GDPR?

1.1 Any data defined as personal data by the European Union is subject to the general data protection regulation (GDPR). Personal data is broadly defined and can include any kind of data that links back to the personal identity of a European Union Citizen or resident. Examples of such data include (but are not limited to) first name, last name, home address, a photo in which the subject can be identified, an email address, login credentials, government identifier, an email address, banking details, credit card information, identifying posts on Internet forums or social media, medical records, information that identifies the subject’s phone or computer such as IP addresses or cookies or other data which links directly back to an individual and allows identification of that individual.

1.2 These regulations apply to natural persons, they do not apply to legal persons such as corporations. The protection of GDPR data of natural persons applies to both processing by automated means including but not limited to computerized systems as well as to manual processing if the personal data are contained or are intended to be contained in a structured filing system.

1.3 Paper files are sets of paper files as well as the cover pages which are not structured according to the regulations are not applicable.

1.4 The GDPR regulations do not apply to the processing of personal data by natural persons who are processing this data from a purely personal or household activity and with no connection to any kind of commercial or professional organization.

1.5 The GDPR regulations do not apply to personal data of deceased persons.

 

2. When will we process your GDPR data?

GDPR data only may be processed if there is a lawful basis to do so. There are a limited number of lawful bases for processing GDPR data.

2.1 We will obtain full, unambiguous and clearly affirmative consent from the subject, to agree to have his or her data processed for one or more specific purposes

2.2 At no time will we obtain your implied consent by automatic means such as silence being taken to indicate consent, or by pre-ticked boxes or deem inactivity to indicate consent, or any other means of consent by default or implication.

2.3 Where processing of your GDPR data is for multiple purposes we will obtain consent for each of the purposes.

2.4 We will only process the data if such data is necessary for the performance of a contract to which the subject has agreed or when the subject requests such processing before a contract is entered into.

2.5 The data we will collect is sufficient relevant and specific only to what is necessary for the specific requirements of the purpose of processing.

2.6 You have the right to withdraw consent to process or store your data any time.

2.7 We will only process your data when it is deemed necessary for each specific purpose.

2.8 We will maintain a record of all processing activities within which the data is processed this includes purpose of processing, category of processing, and how long we will retain your data in personally identifiable form.

2.9 We will only process your personal data for purposes other than those for which the personal data first collected when that processing is compatible with the purposes for which the personal data were initially collected.

2.10 Processing includes any set of operations performed on sets of personal data by manual or automated means including collecting recording organizing structure and storing adapting altering retrieving reporting on use of transmission of or any combination of the above.

 

3. How will we protect your data when processing it?

3.1 At all times we will process your data in a way that ensures adequate security and confidentiality are respected including prevention of unauthorized access.

3.2 Your data will either be encrypted using strong encryption algorithms or your data will be pseudonymized, using strong cryptographic hashing algorithms.

3.3 If your data is encrypted, the encryption keys will be securely stored separately from the pseudonymized data.

3.4 We will only retain your data in personally identifiable form as long as is needed for business purposes, at the end of which we will pseudonymize or purge your data.

3.5 We will periodically review your data and the purposes for which it is stored or processed in order to ensure your data are not kept longer than necessary.

3.6 When storing or processing GDPR data we will periodically undergo a risk review in order to evaluate the risks inherent in the processing of such data so that we may implement sufficient protective measures to mitigate those risks.

3.7 Measures taken to mitigate risks to GDPR data will ensure an appropriate level of security which will include confidentiality, integrity and availability. Risks to be considered will include but not be limited to the following: accidental or unlawful destruction loss alteration authorize disclosure of or access to personal data transmitted stored or otherwise processed which may in particular lead to physical material and nonmaterial damage.

3.8 Measures taken to mitigate data security risk will take into account the state-of-the-art as well as cost to implement in due consideration to the risks and nature of the personal data to be protected.

3.9 We will show on our website or other correspondence with you a clear and unambiguous statement of our identity.

3.10 The network upon which the data will be stored will be protected by us by network and information security means including prevention of unauthorized access to the network, prevention of installation of malware on that network, and prevention of denial of service attacks as well as other means of maintaining availability authenticity integrity and confidentiality of the data.

 

4. What happens if your data is involved in a data breach?

4.1 We will notify the relevant GDPR supervisory authority as soon as possible, within 24 hours after we have been made aware of the data breach.

4.2 Where we are unable to notify supervisory authority within 24 hours a reason for the delay will be provided, will accompany the notification of breach and subsequent information provided in phases without undue further delay.

4.3 We will notify you as soon as is reasonably possible if we believe you may suffer any adverse impact as a result of the breach.

4.4 You will not be notified of any breach of pseudonymized data, as there is no adverse impact from the loss of such data.
Additionally we will notify the data controller within 24 hours after we have been made aware of the data breach.

4.5 After any potential breach we will examine all appropriate technological protection and organizational measures so that we may determine if a personal data breach has actually taken place.

 

5. Your right to have decisions reconsidered

5.1 If your data is processed by an automatic decision-making algorithm and the decision made based on your personally identifiable characteristics you have the right to request a review of the decision made.

 

6. Your right to access your data

6.1 You have the right to access your GDPR data.

6.2 You have the right to request information about how your GDPR data is being processed by us.

6.3 You have the right to ask us for how long we intend to retain your GDPR data

6.4 We will provide you upon request a description of the categories of data that we process.

6.5 We will provide you upon request a copy of your data that we store.

6.6 Will provide you upon request a list of those with which we share your data.

6.7 We’ll provide you upon request a description of how we acquired your data.

6.8 You may contact us with respect to your data by email, by phone or through our website.

6.9 A role shall be appointed, called the data protection officer who will be responsible for ensuring your data is protected under the rules and regulations of the GDPR.

6.10 Any descriptions, lists, FAQs, explanations or correspondence related to your data will be in clear and plain language which is easy to understand.

6.11 You have the right to ask us to ensure that any of your personal data which is inaccurate is rectified or erased.

6.12 You have the right to be forgotten, including the right to ask us to remove and raise your data upon request.

6.13 We will respond to requests about your data without undue delay and at the latest within one month from the date of the request.

6.14 Where possible we will provide you with a secure portal in which you will have direct access to your GDPR data

6.15 We have the right to use all reasonable measures to verify your identity before providing you with online access to GDPR data and if you’re unable to prove to our satisfaction that you have the right to access the data.

 

7. Your right to erasure

7.1 You have the right to request that your data is erased at any time by making a request to us to do so.

 

8. Your right to transfer your data

8.1 You have the right to ask us to transfer your personal data from us to another electronic processing system upon request. We will do this for you, upon request within a reasonable timeframe.

8.2 If you ask us to transfer your personal data to another electronic processing system we will provide you a copy of this data in an open standard electronic format.

 

9. Your right to complain

9.1 You have the right to Lodge a complaint with the supervisory authority if you believe your rights under the GDPR regulations have been infringed.

 

10. Responsibilities to supervisory bodies

10.1 Upon request by the supervisory body we will demonstrate by means of policies, codes of conduct, approved certifications and guidelines to which we are compliant with this regulation.

10.2 We will implement internal policies and measures which meet the principles of data protection by design and by default. These measures include but are not limited to the minimization of processing of personal data, pseudonymization of personal data as soon as possible, transparency with regards to the functions and processing of personal data, providing ability of the data subject to monitor the data processing, and maintaining strong security measures to protect confidentiality, integrity and availability of the data.

10.3 Where data is jointly or subsequently processed by third parties a clear allocation and description of responsibilities under these regulations will be agreed upon between us and the third party in a contract which will be made available for review to a supervisory body upon request.

10.4 Where data is processed by third parties, only third parties providing sufficient guarantees particularly in terms of expert knowledge reliability and resources to implement technical and organizational measures which requirements of the GDPR including for the security of processing will be used to process the data.

10.5 We will designate a representative of the organization who is available to be addressed by any supervisory body regarding any GDPR data stored or processed by us. The representative will be explicitly designated in written documentation and representative made aware of his or her responsibilities as a representative. The tasks of the representative will be designated in our policies in clear and unambiguous language. The designated representative will be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

10.6 Any processing of GDPR data will be described and maintained in records of processing activities. These records will be made available to supervisory bodies upon request.

 

11. Ensuring compliance of third parties

11.1 With respect to data for which we are the controller, we will ensure compliance with the regulations by validating compliance of any third parties who process your data. We will validate such third parties as to the regulations by validating the following approved code of conduct or an approved certification mechanism.

11.2 Any GDPR data processed by a third party will be governed by a contract in which the obligations of the third party under the regulations will be spelled-out.

11.3 Any contracts specifying the obligations of third party processors will be written to comply with European Union member state law.

11.4 Any contracts specifying the obligations of third party processors will include terms which specify the duration of the period of processing, subject matter content of the data purposes for which the processing will take place, definition and categories of data relating to data subject, tasks and responsibilities of the processor.

11.5 At the conclusion of the processing of the data on behalf of the controller, the processor will return or erase the data to the controller.

 

POLICY COMPLIANCE

12. Compliance Measurement

The Attendease team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

 

13. Exceptions

Any exception to the policy must be approved by the Attendease team in advance.

 

14. Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

 

ANNUAL REVIEW OF GDPR POLICY

At intervals of no less than once per year, this policy is to be reviewed, and if necessary, revised under the supervision of the CEO.