4TEUS Solutions Limited (the “Company”) has adopted the General Data Protection Regulation 2016 (“GDPR”), which has replaced the EU Data Protection Directive of 1995. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.
This Policy applies to all of the personal data of the Company’s clients, their employees, suppliers and partners and is to be adhered to by all the Company’s employees, suppliers, partners, contractors and sub-contractors.
This Policy applies to the Company software solutions: the 4TEUS™ GRCS and the 4TEUS™ Counterparty Review System (together the “Applications”).
This Policy is effective from 31 March 2018.
- What is “Personal Data”?
Within the GDPR, personal data means any information relating to a person who can be directly or indirectly identified, in particular, by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data and/or online identifier.
- Why do we collect Data?
Our Applications allow a user to manage their risk and evaluate their counterparties. By their very nature these services necessitate the collection of personal data from our users for which we are a data processor under the GDPR.
- What Personal Data is Collected and How is it Used?
Two types of personal data may be collected from you.
- Data you provide to us for Sign Up/Sign In
We require identifying personal data when you sign into our Applications in order to create a secured sign-in procedure to allow you to access your account and the data it contains. Once you sign into the Applications, you are not anonymous to us. We may on occasion use the email address and other contact details you provided to us on sign up to contact you regarding service-orientated issues. We may also use this identifying personal data for policing our users’ accounts.
- Data you provide to us for Processing
The data you enter into our Applications is under your control and may include personal data. The personal data collected may include data about your employees, partners, clients, suppliers, contractors, sub-contractors and any other stakeholders associated with your business (together “Stakeholders”).
Privacy by design: We have undertaken to design our Applications in such a way to minimise the collection and use of personal data other than data required to ensure secure access.
Consent: You must seek and gain the consent of your Stakeholders, where required under the GDPR, BEFORE entering and storing their personal data into the Applications. You must also inform all those who consent to have their personal data stored by us, exactly what data will be stored, and for what purposes it is stored. You agree to take full responsibility in ensuring full consent is sought from all the Stakeholders if such consent is required under the GDPR.
Although we may, on occasion, scan the database when required for administrative and invoicing purposes, we do not monitor, edit or review whether the data provided by you is correct or complete. We maintain a strict policy not to access any user’s account uninvited and will not modify any data stored in our system.
If you are an employee of a company using our Applications and you do not wish to have access to our Applications, you have every right to ask your employer not to enter your email address or mobile phone number into our system.
If you are an employee of a company using our Applications you have every right to ask for your Employer to delete from our system any data relating to you which is not legally required to be kept in it. To do this please inform your employer that you do not want to have your non-statutory required data held and ask them to remove it. We do not entertain any requests for deletion of employee personal data ourselves; you must ask your employer to delete the data. We do not, and will not, access any user’s account to modify any data stored in our system. The only person that can help you to delete what is legally allowed to be deleted is your employer. If you object to this arrangement on how your data can be deleted you should discuss it with your employer on how to take the matter further.
- Our Duty of Care and Use Restrictions under GDPR
Our provisions to promote accountability and governance: As a Data Processor we are fully committed to our duty to safeguard and secure your data. We will treat your data with as much care as if it were our own. Further details relating to our Information Security Policies can be found in Appendix A.
- Data processing rights and obligations
We shall process your personal data in accordance with the GDPR, and will not make any use of your personal data or allow any use of your personal data except as strictly necessary for the purpose of the services provided under contract and, in particular, will not use any of the personal data for our own or any other commercial purposes.
- Security and Confidentiality of the Data
We shall hold your personal data in the strictest confidence and shall not disclose or allow access to the personal data or any part of the personal data without your prior consent.
We will not disclose the personal data to anyone except your intended recipients or if we are required to do so by law or are ordered to do so by a Court.
We shall restrict access to your personal data by our own Personnel – access will be limited to only those Personnel that are required to have access to the personal data for the purpose of providing the services offered.
- Our Personnel
We shall ensure that our Personnel:
– are reliable and fit and proper persons to have access to your personal data;
– are informed of the confidential nature of the personal data and are bound by contractual or statutory confidentiality obligations in relation to the personal data; and
– have received appropriate, regular and recent training and guidance on data protection and security.
- Our Technical and Operational safeguarding measures
We shall:
– implement and maintain appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing, destruction, loss, alteration, damage to or disclosure of, or access to, your personal data;
– ensure that the technical and organisational measures implemented are appropriate to the risks presented by our processing of the personal data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and the harm that might result from the accidental, unauthorised or unlawful processing, destruction, loss, alteration, damage to or disclosure of, or access to, the personal data;
– regularly review and update the technical and organisational measures implemented; and
– maintain a fully resourced and funded Data Protection Officer.
- Data Protection Officer
Our Data Protection Officer’s minimum tasks will be:
– to inform and advise our personnel about their obligations to comply with the GDPR and other data protection laws;
– to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training personnel and conducting internal audits; and
– to be the first point of contact for individuals whose data is processed (employers, employees, clients, etc.) and report directly to the board of Directors.
- International transfers of Data
We shall not transfer your personal data outside the European Economic Area (EEA), the European Union (EU) or the UK without your prior written consent.
We shall not, without your written consent, allow any third party sub-contractor to process your personal data. In the event that you do provide written consent to the processing of the personal data by a third party, we shall, to the best of our abilities, ensure that the third party has implemented and maintained technical and organisational means to prevent unauthorised or unlawful processing of, or accidental loss of, or destruction of the personal data.
- Risk Assessments
We will conduct regular data privacy impact assessments (DPIAs) to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing personal data, and to evaluate and improve, where necessary, the effectiveness of our safeguards for limiting such risks.
- Data breaches – Notification
We shall notify you without undue delay, and within 72 hours, if we become aware of any actual breach or reasonable grounds for suspicion of a personal data breach including without limitation any actual or suspected personal data breach affecting the personal data.
We shall include in our notification:
– a description of the nature of the breach;
– the details of our contact who can provide further information about the breach;
– a description of the likely consequences of the breach; and
– a description of the initial remedial measures taken or proposed to be taken to address the breach.
- Record keeping
We shall keep records of the processing of the Data and all information necessary to demonstrate our compliance with the GDPR. We shall on reasonable notice make available, on request, all information necessary to demonstrate compliance with GDPR obligations.
- Notification of Changes
We may update this GDPR Policy to reflect changes to data protection practices. If any material changes are made a prominent change notification will be displayed on our Website prior to the change becoming effective. You should review this page for the latest information on our privacy practices each time you visit our Website.
If we receive any complaint, notice or communication which relates directly to the processing of the personal data or to either our or your compliance with the Data Protection Laws, we shall immediately notify you and, where necessary, provide you with assistance in relation to any such complaint, notice or communication.
- Your Rights Under GDPR
- Right to Access the Personal Information We Hold about You
In accordance with Applicable Law, you have the right to access the personal data we hold about you. You can do this at any time by requesting that your Application Administrator disclose the material facts to you. Please note that if your employer’s contract with us has been terminated, all data is automatically deleted within 30 days of such termination and, if so requested, a copy of the data contained in the application is provided to your administrator.
- Right to Rectify Your Data
Pursuant to your right to access your personal data held in the Application, after requesting a copy of the personal data from your Application Administrator, if errors are identified in the data then it is your responsibility to ensure that the information is true, accurate and complete. Any modification of data must be carried out by the Application Administrator or any additional users appointed by the Application Administrator at their sole discretion.
- Right to Data Portability
Pursuant to your right to access your personal data held in the Application, please request a copy of the personal data from your Application Administrator.
- Right to Restrict Processing
When your personal data is entered into the Application your personal data will only be processed in accordance with our contract with your employer.
- Right to Erasure / ‘Right to be Forgotten’
Our contractual data retention policy for deletion of all data in the Applications is 30 days following termination of the contract. We will continue to retain personal data (such as usernames and login emails) of users of the system for a minimum period of six years to the extent that such data continues to be business relevant for evidencing our contractual obligations and performance and also our invoicing records.
- Right to Object
If you have any questions or concerns about this GDPR Policy and/or our practices regarding Data Protection, or would like to exercise your rights in relation to your Data, please contact our Data Protection Officer at DPO@4teus.com or write to our registered office.
If you have a complaint or concern about how we are processing your personal data we will endeavour to address such concern(s). However, if you would like to direct your complaint/concerns to a Data Protection Authority, please contact the Information Commissioner’s Office.
- Appendix A: Our Information Security Policy
As a Data Processor we have a responsibility for promoting good practice in information security across our organisation and for monitoring the effectiveness of information security.
Our information security policy is summarised below:
We shall:
– require that any confidential information, when not in use, is placed in a secure location, and impose a ‘clear desk’ policy;
– require Personnel to log off systems when leaving a terminal/workstation unattended;
– ensure that Personnel who have access to the personal data are referenced prior to commencing work to ensure that they are reliable and fit and proper persons to have access to the personal data;
– adequately train Personnel on data protection and security;
– ensure that Personnel understand their obligations to keep the personal data secure and confidential; and
– ensure that Personnel have committed themselves to binding confidentiality obligations.
A2) Business continuity and incident management
We shall:
– define procedures for dealing with incidents including without limitation investigation, planning of remedial action, resolution, communications, supervising activity and documenting actions taken;
– have business continuity strategies and processes/ disaster recovery plans including (without limitation) the ability to restore the availability of, and access to, the personal data in a timely manner in the event of a physical or technical incident; and
– regularly back up copies of the personal data, stored securely and separately from the live files.
A3) Virus and malware protection
We shall:
– have in place industry-recognised virus and malware protection software and techniques to prevent infection by viruses and malware;
– maintain the use of automatic update mechanisms for anti-virus software; and
– regularly review the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorised amendments shall be formally investigated.
A4) Security monitoring and audit
We shall:
– have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in place for ensuring the security of the processing of the personal data;
– have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
– regularly carry out monitoring, testing and audits of the measures in place to keep the personal data secure and confidential, and make improvements based on the recommendations coming out of such monitoring, testing and audits.
A5) Access controls
We shall ensure that we have in place procedures that control access to files, documents and systems containing the personal data. We shall ensure that the access control arrangements:
– cover access by all Personnel including, without limitation, business users, individuals running the system and specialist IT staff, such as technical support staff;
– include password controlled access to systems; and
– restrict access to the personal data in line with access control policies.
A6) Communication, transmission and storage of Data
We shall:
– use encryption as appropriate when the personal data is in transit and at rest;
– not use, reproduce or store any of the personal data on an externally accessible computer or electronic information retrieval system; and
– implement controls to prevent the personal data being sent to or accessed by unauthorised parties.
A7) Physical and environmental security
We do not own facilities where personal data is processed and therefore, in this regard, no physical and environmental security is required.
A8) Destruction and deletion of data
We shall, as necessary, implement appropriate measures to securely destroy and permanently delete files and documents containing the personal data.