We have therefore set out the following information in a Q&A format, which we hope is helpful:
How long do you store the personal data you receive from us?
We store personal data from customers’ orders for up to 6 years before it is deleted from our systems. This is to make sure we can respond to any legal claims and handle any customer service queries after an order has been made.
Have you appointed a data protection officer?
We have not appointed a data protection officer – we are not required to do so under the GDPR as the way we use personal data is not particularly complex.
What other organisations have access to the data we share with you, and why?
We may give other organisations access to data so that we can fulfil our contractual obligations and offer the high standard of service which is expected from our company. Examples of these organisations include but are not limited to:
- Customer service providers;
- Repair service providers;
- Insurance providers;
- Retail/Consumer finance service providers;
- Retail payment processing providers;
- MDM solution providers.
These third parties that we share personal data with have been carefully selected based on technical expertise, trustworthiness and compliance with legislation.
If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA.
Furthermore, we may give access to relevant authorities as required by law.
Have you carried out due diligence in relation to such organisations’ handling of data?
We are in the process of asking our contractors to complete a blank version of this questionnaire, and varying the contracts to integrate (either directly or by means of a side letter) the appropriate GDPR clauses.
Thereafter, we will be carrying out periodic reviews with the organisations who handle data on our behalf to ensure they still comply with the GDPR.
Do your employment terms and conditions clearly set out the confidentiality and information security standards expected of your staff?
This also directly links to our disciplinary procedure.
How often do your staff receive data protection/information security training?
We seek to provide all staff with information and training relevant to their roles and keep this updated throughout their employment with our company. Training is regularly reviewed to reflect new regulatory and legislative requirements.
Please describe the physical security measures you have in place to protect the data we send to you.
- Restriction of access to buildings, data centres and server rooms as necessary.
- Adequate locks on all doors.
- Monitoring of unauthorised access.
- Written procedures for employees, contractors and visitors covering confidentiality and security of information.
Please describe the technical security measures you have in place to protect the data we send to you.
- Restricting access to systems depending on the sensitivity/criticality of such systems.
- Password protection for all systems; in addition, multi-factor authentication is used where applicable.
- Maintaining records of the access granted to individuals (which is granular and varies depending on the seniority of that individual and their role within the business).
- Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
- Appropriate security over wireless networks (802.11x) and remote access tools (including multi-factor authentication).
- Encryption of mobile devices.
Where is the data we send to you physically stored?
- Physical data is stored in secured locations on our premises in the UK.
- Electronic data will be stored in our data centres and/or cloud locations. Where we use international data centres/cloud locations, we only do so when they have complied with the GDPR’s international data transfer requirements.
Do you use any automatic processing of data?
- Through our payment gateway agreements, personal data is automatically processed, and decisions are made with regard to applicable fraud regulations.
- Aside from the above, we do not process data automatically for the purpose of automated decision making (such as profiling, or making consumer credit decisions).
Please describe the processes you have in place to detect and notify us of security incidents in relation to the data we send to you.
- We have a Data Security Breach Policy and procedure in place.
- Employees receive regular training so a breach can be prevented and identified quickly.
- We run a security operations centre which regularly monitors the integrity of our IT systems.
What is your data destruction policy/procedure?
Personal data is retained for the period described in our response to question 1. The destruction of the digital data is done either by physically destroying the storage media (e.g. drives, tapes) or by secure erasure of the storage media followed by reformatting. Where we hold the data in a physical format, the data is shredded using crosscut shredders on site.
As mentioned above, please direct any queries you have in connection with GDPR compliance to GDPR@dataselect.com.