PRIVACY POLICY GDPR
General Data Protection Regulation (GDPR)
We have updated our Privacy Policy to make it easier for you to understand what information we collect about you, how we use it and on what lawful basis.
We have made these changes in order to ensure our compliance with the General Data Protection Regulation (GDPR), which is in force across Europe from Friday 25 May 2018.
We have acquired your information as a customer, at industry events or on LinkedIn, or you may be a contact person of one of our customers, suppliers or business partners. This relationship with you constitutes the basis to allow us to continue to process your personal data under the GDPR.
We would like to continue to keep you informed of our latest products and our attendance at exhibitions. However, as always, you have the right to unsubscribe / be forgotten from our correspondence at any point. If you wish to unsubscribe or amend your details, please email us on EDGEOPIA@EDGEOPIA.COM
Please see below our Privacy Policy.
EDGEOPIA GLOBAL SOLUTIONS VOF (hereinafter to be called EdgeOpia) is a B2B (Business to Business) supplier of solutions, products and services. EdgeOpia is committed to the protection of the necessary personal information which we hold relating to our customers and contacts. This policy outlines EdgeOpia’s management of personal data in compliance with the General Data Protection Regulation 2018 (GDPR).
The principle behind our GDPR policy is that we shall only hold personal data where we have a contractual or legitimate reason to do so; we shall only retain it for as long as it is necessary and we retain a contractual or legitimate reason to do so; and we shall only permit those individuals in our organisation, or those of our suppliers, to see the personal data where there is a contractual or legitimate reason to do so.
The nature of the personal data which EdgeOpia holds is dependent on the data subject to EdgeOpia’s business and may be categorised into three groups:
- Customers
- Suppliers
- Employees
Full details of what type of data we hold for each group and how we protect this data are described later in this policy. However, it will be shown that, with the exception of our own staff, the personal data that we hold for our other stakeholders is not of a highly sensitive nature. Nonetheless, we protect it securely.
EdgeOpia have never and will never sell personal data to third parties.
This policy is in place to ensure that all staff and the relevant suppliers are aware of their responsibilities and outlines how EdgeOpia complies with the core principles of the GDPR.
Applicable Data
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual. The GDPR applies to both automated personal data and to manual filing systems.
Customer information
Data that the Company will process for customers may include:
- name (first name, surname)
- salutation (Mr, Mrs, Miss, Ms)
- job title
- email address
- telephone number
- location and/or place of work
- interest (product, solution)
Suppliers information
Data that the Company will process for suppliers may include:
- name (first name, surname)
- salutation (Mr, Mrs, Miss, Ms)
- job title
- email address
- telephone number
- location and/or place of work
Employees personal information
Relevant personal data throughout employment and for as long as is legally necessary after the termination of employment.
Management of information
Information is held for the following reasons:
- customers: provision of quotations, the fulfilment of a contract, after sales support contracts & e-marketing
- suppliers: Purchasing, fulfilment of a contract, provision of services
- employees: legal requirement of employment, provision of employee benefits
Information may be stored in hard copy, soft copy or both.
The following Third Parties have access to personal information EdgeOpia holds: Company Accountant, IT Support provider, EdgeOpia suppliers. These companies have confirmed compliance to GDPR.
Accountability Data Protection Officer
The Data Protection Officer (DPO), in EdgeOpia’s case this is the CEO, is responsible for ensuring the education of the company and its employees relating to compliance requirements, training staff involved in data processing, and conducting regular security audits. The DPO also serves as the point of contact between the company and any Supervisory Authorities that oversee activities related to personal data.
The DPO activities include, but are not limited to, the following:
- educating the company and employees on important compliance requirements
- ensuring compliance of third party suppliers
- training staff involved in data processing
- conducting audits to ensure compliance and address potential issues proactively
- serving as the point of contact between the company and GDPR Supervisory Authorities
- monitoring performance and providing advice on the impact of data protection efforts
- informing data subjects about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information
- maintaining comprehensive records of all communications received from data subjects and actions taken
- assessing requests and instructions for processing data for validity and lawfulness and advising data subjects accordingly
Lawful Processing
Under the GDPR, data will be lawfully processed under the following conditions:
- for the purposes of legitimate interests, except where such interests are overridden by the interests, rights or freedoms of the data subject
- for the performance of a contract with the data subject or to take steps to enter into a contract
- compliance with legal and regulatory obligations
- protecting the vital interests of a data subject or another person
In the case of sensitive data, processing will only take place under the following conditions:
- explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
- processing relates to personal data manifestly made public by the data subject
Data Security
Sensitive paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access. Sensitive paper records will not be left unattended or in clear view anywhere with general access. Local digital data is password-protected, and is regularly backed up and stored off-site. Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use.
Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted. All mobiles and laptops are password-protected to protect the information on the device in case of theft. Where possible, EdgeOpia enables electronic devices to allow the remote blocking or deletion of data in case of theft.
Employees will not use their personal laptops or computers for EdgeOpia purposes. All necessary members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
In the case of email marketing, all email addresses are sent blind carbon copy (bcc), so email addresses are not disclosed to other recipients.
Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security, e.g. keeping devices under lock and key.
The person taking the information from EdgeOpia premises accepts full responsibility for the security of the data. Before sharing data, all staff members will ensure:
- they are allowed to share it
- that adequate security is in place to protect it
- who will receive the data has been outlined in a privacy notice
Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of EdgeOpia containing sensitive information are supervised at all times.
The physical security of EdgeOpia’s buildings and storage systems, and access to them, is reviewed on a regular basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place. EdgeOpia takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action in accordance with the company handbook.
EdgeOpia will not publish any personal information, including photos, on its website without the permission of the affected individual. When uploading information to the EdgeOpia website or social media, staff are considerate of any metadata or deletions which could be accessed in documents and images on the site.
The Data Protection Officer is responsible for ensuring continuity and recovery measures are in place to ensure the security of protected data.
In the event of a personal data breach, we have in place procedures to ensure that the effects of such a breach are minimised and shall liaise with you as appropriate. All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of EdgeOpia becoming aware of them.
CCTV
EdgeOpia understands that recording images of identifiable individuals constitutes processing personal information, so it is done in line with data protection principles. EdgeOpia notifies all staff and visitors of the purpose for collecting CCTV images in line with the CCTV policy. Cameras are only placed where they do not intrude on anyone’s privacy and are necessary to fulfil their purpose. All CCTV footage will be kept for six months for security purposes; the Data Protection Officer is responsible for keeping the records secure and allowing access.
Data retention
The policy for retaining data will be regularly reviewed by the DPO.
EdgeOpia may retain personal information indefinitely for the following purposes:
- if it is subject to a contract either previously or in the future
- potential e-marketing opportunities
- ensuring data subjects’ preferences and requests under individuals’ rights are maintained
Requests under individuals’ rights will be recorded and audited regularly.
Personal data subject to removal will be de-identified and archived from use within the appropriate application to ensure it is no longer used for the purposes obtained.