v1.1, last updated 13 May 2018
1. THIS POLICY
While ‘personal data’ is a defined term in EU law, we use it here to also cover ‘personally identifiable information’ as defined in US law, and other similar legal definitions. Essentially ‘personal data’ means any information relating to an identified or identifiable natural person, namely one who can be identified directly or indirectly from that information alone or in conjunction with other information. This Policy sets out what personal data we might collect, how we process and protect that data, the lawful grounds for that processing, and your related rights. In most cases, the lawful ground will be that the processing: (i) is necessary for our legitimate interests in carrying out our business, including to grow and improve our Services, provided those interests are not outweighed by your rights and interests (‘Legitimate Interests’), (ii) is necessary to perform a contract with you (‘Contract’), or (iii) we have a legal obligation to carry out the processing (‘Legal Obligation’). Where processing is based on your consent (‘Consent’), we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent. As data protection law and practice are constantly developing, we’ll need to update this policy from time to time, which we’ll do by posting a new policy on the Website that takes effect from the date stated. It is your responsibility to return to the Website from time to time and check for changes.
2. HOW DO WE OBTAIN PERSONAL DATA?
We might collect or be provided personal data in the normal course of business, for example: you may provide us with your details when you become a customer, such as your name, email and employer (‘Account Data’), when you visit the Website, we may collect information about your visit such as your IP address and the pages you visited and when you use our Services we may collect information on how you use those Services (‘Improvement Data’), you may provide us with your details when you ask about our Services (through the Website, by email or otherwise) and we may obtain legally-compliant lists of potential business customers for our Services for our marketing purposes (‘Marketing Data’), and we may receive personal data from our customers when using our Services, such as names of team members or data entered into the Services (‘Service Data’). We are the ‘data controller’ of Account, Improvement and Marketing Data and we are the ‘data processor’ of Service Data – the customer remains the ‘data controller’ of Service Data. We do not collect or retain any debit or credit card data ourselves. Any such data is collected and processed by our payment processors to process the relevant payments and we and those processors will at all times comply with the applicable industry codes and laws regarding security and retention of such data, for example the Payment Card Industry Data Security Standard. When you provide us with personal data about yourself or another person, you are confirming to us that you are authorised to provide us with that information and that any personal data you give us is accurate and up-to-date. Provision of personal data to us is never a requirement, however if you do not provide us with the personal data necessary for us to carry out an action at your request or under a contract with or relating to you, for example to respond to your query or provide Services to you, we may not be able to respond to your query or provide Services to you.
3. SENSITIVE PERSONAL DATA
4. HOW DO WE USE PERSONAL DATA?
We use personal data in the normal course of our business, including to provide and improve our Services and meet any binding contractual or legal obligations. For example: to respond to enquiries, to provide the Websites and Services, to provide advice and support, and to invoice accordingly. Lawful basis: Legitimate Interests or Contract. to analyse and improve the Website and Services, for example for technical or security purposes and to improve the customer experience. Lawful basis: Legitimate Interests, however where for example applicable law requires your consent to use certain cookies, we will ask for your Consent having provided you with relevant information. to market and sell our Services, including to communicate with you about same or similar services that we offer. If we do so, we will provide you with an easy and free way to opt-out of receiving such communications in the future. Legal basis: Legitimate Interests (or Consent as above). in certain circumstances, to share it with a limited number of third parties as described in this policy, for example for operational requirements and business continuity purposes. Lawful basis: most processing will be based on Legitimate Interests, some processing will be based on Contract and, where necessary (as above) some processing may be based on your prior Consent.
5. SHARING DATA & INTERNATIONAL TRANSFERS
As a default position, we will only retain personal data for any statutory retention period, then a reasonable period (if any) for the above purposes. This is subject, for example, to any valid opt-out or withdrawal of consent where processing is based on consent, or other valid exercise of your data subject rights.
The security of data is very important to our business. In accordance with our legal obligations, we take appropriate technical and organisational measures to protect your personal data and keep those measures under review. However, we can only be responsible for systems that we control and we would remind you that the internet itself is not a secure environment.
8. ANONYMISED DATA
9. THIRD PARTY SERVICES
10. YOUR RIGHTS
You have the right to know if we process any personal data about you and, if we are, with certain limitations, to a copy of that personal data. You also have the right to ask us to remove or correct any of that personal data that is inaccurate, to object to certain processing and to withdraw any consent you may have given us for any processing of your personal data. You have the right, at any time, to object to the processing or your personal data for direct marketing purposes. As from 25 May 2018, you will also have the right to ask us to restrict processing certain of your personal data and to 'port' certain of your personal data to you or another provider, provided in each case that we have such data and certain conditions are met.
11. 'DO NOT TRACK'
The Website and Services do not use technologies that respond to 'Do-Not-Track' signals communicated by your internet browser.
12. CONTACT US
If you've any question you can always contact us at the address above or by email to email@example.com. You have the right, at all times, to notify a complaint to any regulator such as the UK Information Commissioner, although we would welcome the opportunity to discuss and resolve any complaint with you first.
Polarisoft: GDPR Statement
The UK's data protection framework is changing on 25th May 2018, when the existing Data Protection Act 1998 will be replaced with the European Union General Data Protection Regulation ('GDPR') (2016/679). Whilst the UK will soon be leaving the EU, the replacement data protection legislation being progressed through Parliament is very closely aligned to the requirements of GDPR. Polarisoft Limited ('Polarisoft') provides SaaS (software-as-a-service) applications to its customers, and as such is responsible for the secure and compliant processing of personal data related to our customers, as well as the protection of our customers' information (which may include personal data) whilst it is being processed by one of our software applications. This GDPR statement has been prepared to provide key information about these various personal data processing activities to our customers.
2. Data Protection by Design and Default
Article 25 of GDPR requires that data processing activities (e.g. Polarisoft software solutions) provide data protection by design and default. Polarisoft has achieved this requirement by ensuring that its applications have been designed in accordance with industry best practice, using trusted technologies, and are subject to regular tests to ensure that vulnerabilities are being properly managed, and configurations remain effective. Polarisoft utilises resilient EU an UK data centres which are subject to formal ISO27001 certification. Unless we have entered into a specific agreement with a customer to host their instance of PPMAnywhere in a non-EU country, we commit that all personal data processing is undertaken within the EU, under the prevailing UK data protection framework. Article 35 of GDPR requires that formal Data Protection Impact Assessments ('DPIA') are undertaken by organisation where there is a 'high risk to the rights or freedoms of natural person'. Whilst Polarisoft has assessed that there are no high risks to individuals who may purchase or use our software solutions.
3. Legal Basis for Personal Data Processing
Article 6 of GDPR requires that the lawfulness of data processing be advised. Polarisoft uses 'legitimate interests' as the basis for the secure processing and storage of its customer data in order to deliver solutions to them. This includes the communication of direct marketing information related to our solutions or similar matters. We occasionally communicate with non-customers and will only do so based upon the 'explicit consent' which we have been provided with by the data subject, either through a positive confirmation on a web form, or by their communication preferences shared from social media channels. We provide clear methods for data subjects to remove or vary their consent if they wish to do so.
4. Customer Documented Processing Instructions
Article 28 of GDPR requires that our customers should formally communicate their data processing requirements to Polarisoft (as their data processor). In the event that a customer does not provide such written instructions to Polarisoft (a) this omission does not remove their obligation to do so, and (b) Polarisoft will deliver the software solutions in accordance with its published service definitions and other related materials.
5. Data Controller and Data Processor
Polarisoft acts as: Data Controller (as per GDPR Article 24) for the (i) personal data relating directly to its customers and necessary for the management, provision and operation of the software solutions, and (ii) for its own employee management purposes, or Data Processor (as per GDPR Article 28) in respect of the personal data which may be loaded into the Polarisoft software solutions by its customers. In accordance with Polarisoft Terms & Conditions, each customer is responsible for ensuring that they have an appropriate legal basis for processing personal data within an Polarisoft software solution and will fully indemnify Polarisoft in the event of any claim of any sort being brought for not having a valid basis.
6. Children's Personal Data
The Polarisoft software solutions are not directed towards children under the age of 13. If you learn that a child under the age of 13 has provided their personal information to us without having parental consent, please contact Polarisoft immediately so that we can take appropriate action. In accordance with Section 5 above, should an Polarisoft customer select to upload children's personal data into their deployment of an Polarisoft software solution then they will be required to evidence that the have a valid legal basis for doing so.
7. Sensitive Personal Data
Article 9 of GDPR specifies a set of personal data categories which are considered to be 'sensitive', and which require special consideration by Data Controllers. The software solutions provided by Polarisoft do not knowingly collect or process any sensitive personal data. In accordance with Section 5 above, should an Polarisoft customer select to upload sensitive personal data into their deployment of a Polarisoft software solution then they will be required to evidence that the have a valid legal basis for doing so.
8. Data Subject Rights
Articles 16-21 of GDPR provide data subjects with several rights in relation to their personal data, including:
Right of access by the data subject (Art.15) Right to rectification (Art.16,19) Right to erasure (Art.17,19) Right to restriction of processing (Art.18) Right to data portability (Art.20) Right to object to processing (Art.21) Where Polarisoft is acting as Data Controller (see 4(a) above), then it will receive, validate, record, progress and respond to any such data subject requests received. Should Polarisoft, acting as Data Processor (see 4(b) above), then it will advise the applicant of the customer's details that should be used to make their request. As a responsible Data Processor, Polarisoft will assist its customers with complying with valid requests. Should a data subject decide to exercise their rights, they should contact Polarisoft as below.
9. Declaration of Sub-Processors
Polarisoft confirms its use of: Secure EU data centres with ISO27001 certification. Being EU-based, they are subject to prevailing EU data protection legislation. In accordance with our security operating protocols, details of the providers and locations are only made available upon specific request to Polarisoft.
Polarisoft confirms that:
It has undertaken applicable due diligence and validation on each of the declared sub-processors to ensure that they are aware of and able to deliver their applicable requirements under the EU General Data Protection Regulation. It will not vary or replace any of the declared sub-processors without having first given advanced notice to all applicable customers. 10. Record Keeping & Breach Reporting Polarisoft confirms that it securely retains and manages data which records the use of our software solutions, including user credentials and IP addresses. Many features of our software solutions generate read-only audit logs, which are not possible for individual users to reverse. Should a customer require assistance with information contained within our data processing records, please contact Polarisoft as below. We actively monitor our software solutions for unusual activities and issues, which includes indications of data breaches. Polarisoft will promptly act to notify either the customer or the ICO (as applicable to our role) in the event of a data breach being suspected (as per Article 33), and if acting as Data Controller will also inform affected data subjects (as per Article 34).
11. Removal of Personal Data
It remains the customer's responsibility to remove all personal data prior to terminating their service provision with Polarisoft. Should the customer not do this, then Polarisoft will securely purge their data at the point when the resources are to be redeployed: but this does not take place instantly and customers are strongly recommended to (a) remove their own personal data beforehand, or (b) contact Polarisoft Support if assistance is needed to do this.
12. Polarisoft Personnel
All Polarisoft personnel receive regular, formal instruction in matters relating to information security and data protection. Those with specific roles relating to the management of risk assessments, data protection impact assessments, data subject rights and incident management receive more focused training.
13. Security of Web Links
Polarisoft software solutions may include relevant hyperlinks to external websites not controlled by us. Whilst all reasonable care has been exercised in selecting and providing any such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences caused by your use of them.
Polarisoft Limited is registered with the Information Commissioner's Office under the UK Data Protection Act 1998: registration number 00010066845 applies. If an Polarisoft customer or data subject believes that Polarisoft has not delivered upon its obligations under GDPR, they have a right to make a compliant to the ICO. They can be reached by telephone on 0303 123 1113 or by using the contact form on their website.
15. Contact Polarisoft
Data Protection Manager Polarisoft Limited Harmsworth House 13-15 Bouverie Street London, EC4Y 8DP Email: firstname.lastname@example.org