• Privacy, Sharing and Security Protocols
  • Ctrl-X Digital Ltd
  • Date: 14 May 2018
  • Version: 1.1

Introduction

We are fully committed to information security in accordance with the General Data Protection Regulation (GDPR). This document outlines our position, responsibilities and procedures in relation to privacy and security.

Definitions

  • Clients – anyone commissioning or receiving services from Ctrl-X Digital Ltd.
  • Client Data – information supplied by clients containing customer information.
  • Customer Information – identifiable personal data such as name, email, address, phone number etc.

Data Controller Identity – Ctrl-X Digital Ltd is the data processor; our clients are either the data controller or, in turn, a data processor. We undertake to carry out client support and service fulfilment on the basis that the client already holds either the explicit consent of the end customer to be contacted or an established legitimate interest. As a business we expect, and require, that the onus is on the client to have the necessary controls in place with the end customer so that communications, including email and SMS messages, are sent legitimately, and we are in no way liable should this not be the case.

Types of Data and Purposes – We require only the customer information that is relevant to carrying out our duties. Any additional information supplied will be flagged to the client and removed before we proceed further.

Recipients – Unless required by applicable law or a court order, our underlying policy is never to disclose your customer information to any third party without the client's specific permission.

Retention Period – We retain customer information only for as long as is needed to complete the job. Where customer information is held on a mailing platform such as MailChimp or Campaign Monitor, it is the responsibility of the client (as data controller) to ensure that it is held in accordance with the GDPR and any other relevant data protection laws.

Legitimate Interest – We utilise the data provided by clients for the legitimate interest of providing services and do so on the understanding that we work within the GDPR guidelines and any other relevant data protection laws at all times.

Data Subject Rights – Your customers have a number of rights under the GDPR. Subject to conditions, these include:

  • the right to data portability;
  • the right to object to the processing of their personal data;
  • the right to have their data updated and corrected (rectification);
  • the right to erasure of their personal data;
  • the right to obtain a restriction on the processing of their data;
  • the right to withdraw, where applicable, their consent to the processing of that data.

Finally, the end customer (the data subject) has the right to lodge a complaint with the data protection authority should they wish. Our role is to help you facilitate requests from your customers in a timely, efficient and professional manner, within the GDPR and any other relevant data protection laws.

Agreement

This agreement governs the sharing of information with Ctrl-X Digital Ltd. It is a formal agreement on how client data will be handled.

It sets out the purpose of the information exchange and the information to be exchanged, and requires the exercise of professional judgement when sharing information with Ctrl-X Digital Ltd.

It outlines the terms and conditions under which identifiable information can be shared, and the safeguards that must be implemented.

For the purposes of this agreement, clients include all people and organisations receiving professional services from Ctrl-X Digital Ltd.

This agreement adheres to relevant data protection legislation, including the General Data Protection Regulation (GDPR), the European Convention on Human Rights and the common law duty of confidentiality.

The information shared and processed may be held in both manual and electronic record format.

Defined Purposes

The following purposes are agreed as justifiable for the transfer of personal information between the client and Ctrl-X Digital Ltd, within the remit of this protocol:

  • Delivering and supporting the client services provided by Ctrl-X Digital Ltd.
  • Monitoring, planning and improving future integrated services.

Disclosure of data may also be required under certain circumstances to meet legitimate statutory requirements.

Other purposes may emerge from time to time which could not be foreseen when this agreement was written. Each new purpose must be:

  • Legal (in line with Scots law).
  • Consistent with UK and European data protection law.

Undertaking

All parties accept that the agreement laid down in this document will provide a secure framework for the sharing of information between client and Ctrl-X Digital Ltd. This will be done in a manner compliant with their statutory and professional responsibilities. As such, they undertake to implement and adhere to this agreement.

Any confidentiality or data breach will be notified to all other parties. As the processor, Ctrl-X Digital Ltd will notify the affected client without undue delay after becoming aware of a personal data breach, as GDPR Article 33(2) requires, so that the client, as controller, can meet its own notification obligations.

Transfer and Storage of Customer Information

Customer information should be transferred between Ctrl-X Digital Ltd and the client only in the following ways:

  • By email as a password-protected attachment, with the password sent separately by telephone or SMS, never in the same email.
  • By telephone to relevant staff, with the client's explicit consent.
  • By hand, in a sealed envelope handed over personally to a designated recipient.

On site, data will be stored securely:

  • As appropriate, on network drives and online systems with controlled, password-based access, and with encryption in place for online systems.
  • Personal or sensitive data will not be made available on removable media.

Ctrl-X Digital Ltd secure operating procedures

Where Ctrl-X Digital Ltd has access to data stored online, e.g. in WordPress, MailChimp or another online service:

  • Strong passwords will always be used.
  • Passwords are stored in a secure password management system.
  • The password system is only accessible to Ctrl-X Digital Ltd staff.
  • Separate logins for accounts and services will be used to control access.
  • Where a shared login is used, its password will be changed on a regular basis.
  • No client data will be downloaded or stored except for operational reasons.
  • Any downloaded client data will be deleted once the task is complete.
  • Work on client sites and accounts will only be via a secure network connection.
  • All life-expired equipment is securely wiped of all information.
  • IT support companies have access to the Ctrl-X Digital Ltd network drives and online system only to provide technical support.
  • Ctrl-X Digital Ltd network drives are housed in a restricted area which is:
    • accessible during office hours.
    • locked during out of office hours.
  • Ctrl-X Digital Ltd staff have access to the network drives and online system.
  • Personal data is not stored on removable media.
  • Support agreements are in place with the following companies:
    • UKWSD Ltd
    • Prospect Host Ltd
    • Duneidyn Ltd