GDPR

 

AED Locator (E.U.) Ltd Trading as HeartSafe® General Data Protection Regulations Policy

 

In compliance with the European Union General Data Protection Regulations (GDPR) we wish to inform you of the following information regarding collection, processing and retention of your personal/business data.  This agreement may be updated frequently as we work to provide the most accurate information possible to our clients; please check back regularly to ensure you understand your rights.

 

HeartSafe® AED Locator may, during the course of business, be required to collect personal information about you.  

 

Data Collection

 

Data collection and processing for the purposes of Accounting, including but not limited to names, addresses, contact information, payment information is required to fulfil the legal obligations of the company and its director.  Data collected for this purpose will be held for as long as is legally required and then securely destroyed.

 

HeartSafe® AED Locator may collect data during the course of business, this may include but is not limited to such information as names, addresses, email addresses, telephone numbers, usernames, passwords and other such information.  This information is required by HeartSafe® AED Locator to provide continuous service to our clients including marketing of potentially beneficial products or services and is classified as “legitimate interests” under GDPR as HeartSafe® AED Locator require the collection, storage and processing of this data to provide our services and ongoing recommendations to our clients.  This data may also be shared with third parties in order to provide services to you or your organisation.

 

HeartSafe® AED Locator may collect data during the course of business, this data is often provided by customers for monitoring, diagnostic or consultancy purposes and may include all and any personal data provided to the client by service users.  This information is required for HeartSafe® AED Locator to provide contractually obligated services to customers and will be retained for a maximum of 10 years, or until such time as this is no longer required.  This information may be considered as held for “legitimate interests” under GDPR until such time as the customer requests removal of such data.

 

If you have concerns that HeartSafe® AED Locator may hold personal data shared from clients that no longer have a legitimate interest in holding your data, please in the first instance contact the client to whom you provided the information and request that they contact us.  If this course fails, please contact the data controller using the information below.

 

HeartSafe® AED Locator may collect data in regards to support provided, this may include but is not limited to, support session data, chat logs, connection information, customer satisfaction surveys, computer and user information, IP addresses, call recordings, login information, files and folders from your computer.  By accepting this agreement, you are authorising this collection and processing of data by HeartSafe® AED Locator for the purposes of providing support and on-going services to yourself and your organisation.  This information may at any time be shared with your organisation or the organisations listed below in the interests of that organisation.  “Your organisation” is defined as the organisation who contract HeartSafe® AED Locator to provide IT Support Services on your behalf, this may be your employer or an external agency providing services that require support under. 

 

HeartSafe® AED Locator may collect data in regards to your usage of the website.  Further information is available within our Website Privacy Policy.  We hold this data for up to 10 years from a tracked user's last access to our services and delete it after this time.

 

This policy may change in future, at which point we will update this page.  Please check back regularly to ensure you are aware of your rights.

 

How we protect your information

 

We adopt appropriate data collection, storage, processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of both personal and business information. 

 

Client Data Sharing

 

HeartSafe® AED Locator may during the course of business be provided or gain access to personal data held by our customers regarding their own clients.  Customers of HeartSafe® AED Locator should ensure that their clients are informed that data may be shared with their IT support provider for business operations, including but not limited to support and assistance with problems relating to the files containing data, the software used to access the data or providing backup services for the data.  Data may be held by HeartSafe® AED Locator as required to provide assistance to the client.  All requests for data management with regards to customer data should in the first instance be directed to the customer directly; if this fails, the client can contact the HeartSafe® AED Locator Data Controller.

 

During the course of business, clients will be required to provide personal information relating to staff, etc in order to allow HeartSafe® AED Locator to set up accounts and provide support.  Please ensure your staff, etc are aware that you are sharing this information and that in turn, HeartSafe® AED Locator may share that information with service providers in order to provide you with the services required.

 

Sharing of Data

 

HeartSafe® AED Locator may require, for the accurate and timely fulfilment of Legal Obligations, HR and Accountancy processes and to provide you with a range of products and services, to share your data with third parties.  These Companies may include, but are not limited to:-

 

·         Accountancy and Payroll Management

·         HR Management

·         Service Providers

·         Hardware / Software Suppliers

·         Support Partners

·         Solicitors

·         Accountants

·         Marketing/Advertising

·         Third Party Service Providers who help us operate our business and/or administer activities on our behalf.

 

Changes will be updated as required.

 

List of Data Categories

 

HeartSafe® AED Locator stores data for a number of purposes to enable the day-to-day running of the company.  The purpose of this data retention may include, but is not limited to:-

 

·         Accountancy – Customers (customer name & contact details), Suppliers (supplier name, contact details and banking details)

·         HR (employee name, contact details, NI number, bank details & next of kin)

·         Sales / Marketing – Quotes, CRM Systems (customer name, contact details & information relating to the business IT systems)

·         Engineering – Helpdesk Systems, SOD’s Job Sheets (customer name, contact details, IT technical information including limited number of passwords/logons)

·         The company stores encrypted online backups for our clients.  This data is encrypted at source and remains in this secure format at all times whilst in our possession. 

·         Emails – Sent & received throughout departments – (name, email address and other areas of possible sensitive data sent by third party which we are unable to categorise)

·         Website – Please refer to our Website Privacy Policy for further information

·         Telephones – Voicemail / Recordings

·         CCTV – Camera Footage

 

Retention Schedule

 

HeartSafe® AED Locator abides by the retention schedule listed below, however, if data is no longer required it may be deleted in advance of the retention period stated. 

 

·         Accountancy – All financial data will be retained for 6 financial years, in line with UK financial requirements.  In some cases data will be stored for 10 years to ensure the company is able to defend any potential legal County Court or High Court claim.  In some cases, data will be stored for 10 years to ensure the company is able to prove safeguarding measures were adhered to.

·         Sales / Marketing data will be removed within a 12 month period of the data no longer having a valid use in the case of prospective information.  Customer information (including previous and existing customer) may be retained for up to 10 years to ensure the company is able to defend any potential County Court or High Court claim. 

·         Engineering data will be removed within a 12 month period of the data no longer having a valid use.  Customer information (including previous and existing customer) may be retained for up to 10 years to ensure the company is able to defend any potential County Court or High Court claim. 

·         Retention Period upon Termination

·         When an encrypted online backup ceases, all data will be removed at the end of the retention period.  Encrypted online backups are retained for a period of between 28 to 90 days in accordance with the customer's contracted retention period.  Customers should assume this period of retention is 28 days, unless otherwise stated. 

·         Email will be available for 18 months before being automatically archived for up to 8.5 years.  Data may be retained for up to 10 years to ensure the company is able to defend any potential County Court or High Court claim and to ensure that HeartSafe® AED Locator is able to comply with the Companies Act of 2006 which requires a 10 year retention period for information relating to shareholder meetings, decisions, resolutions and members. 

·         Website data is held for up to 10 years from a tracked user's last access to our services and then deleted.  Website data is categorised according to the nature of the information as either Accountancy, Sales / Marketing or Engineering. 

·         Recorded telephone conversations can be held for up to 10 years.  Telephone recording data is categorised according to the nature of the information as either, Accountancy, Sales / Marketing or Engineering. 

·         CCTV footage may be retained for up to 10 years for security and safeguarding measures and to ensure the company is able to defend any potential County Court or High Court claim.

 

Data Destruction

 

Electronic information stored on redundant media / systems will be securely destroyed by a third party WEEE recycling and data destruction specialist.  This method of destruction allows HeartSafe® AED Locator to obtain a certificate of data destruction ensuring total data security whilst ensuring ethical disposal of media and electronic equipment. 

 

Documented data containing sensitive information is securely destroyed by a third party document destruction company.  This method of destruction allows HeartSafe® AED Locator to obtain a certificate of document destruction.

 

The above destruction methods ensure HeartSafe® AED Locator complies with legislative requirements, whilst ensuring client, employee and confidential business information is kept secure at all times. 

 

Technical / Business Security Measures

 

The information provided within this section has been summarised to ensure a greater level of security and to remove potential security risk.

 

HeartSafe® AED Locator takes the security of data very seriously and takes the steps to ensure data is kept safe.

 

·         Our premises are securely locked, alarmed and monitored.  Visitors to our offices are accompanied / monitored at all times.

·         Documentation is securely managed within the business via the use of lockable rooms, storage / filing cabinets and locked documentation destruction cabinets. 

·         A business class firewall provides secure protection from unauthorised access to and from our local and internet based networks, whilst also providing a secure VPN connection for staff when using potentially unsecure public WiFi. 

·         All business devices, where applicable / possible are encrypted.  This includes, but is not limited to: USB memory sticks, USB hard drives, mobile phones (iPhones), tablets (iPads), SD cards, smart watches, laptops, computers, network attached storage devices and servers.

·         Staff are not permitted to use personal devices to access or use company data unless the device is encrypted and HeartSafe® AED Locator, where possible has the permission of the individual to remotely delete the device in the event of the device being lost or stolen.  This ensures data remains within our control, is securely managed and protected at all times.

·         As an added level of security, email accounts and historic email information can be securely removed from devices that may be lost or stolen. 

·         Our day-to-day business applications in some instances require us to store our data online.  HeartSafe® AED Locator will only use secure online business applications from reputable organisations who themselves comply with GDPR.  These organisations may include but are not limited to Microsoft, Quickbooks ...…

·         HeartSafe® AED Locator where possible, will always ensure that applications and/or operating systems are running the very latest secure versions of the software and will where possible, ensure the latest security updates and patches are applied where it is safe to do so. 

·         All staff must adhere to this GDPR policy.

 

List of Your Rights

 

GDPR includes the following rights for individuals:

 

·         The right to be informed

·         The right of access

·         The right to rectification

·         The right to erasure

·         The right to restrict processing

·         The right to data portability

·         The right to object

·         The right not to be subject to automated decision making including profiling

 

HeartSafe® AED Locator will, where possible, conform in full and to completion to these rights within 30 days of notification.  This period of compliance may be extended by a further two months where requests are complex or numerous.  In this case the individual will be notified within 30 days of receipt. 

 

To ensure data security, HeartSafe® AED Locator will need to verify the identity of the person making the request, using “reasonable means”.

 

In some instances HeartSafe® AED Locator will be unable to conform to the individual’s rights.  In these instances HeartSafe® AED Locator will partially conform to the individual’s rights and where possible notify the individual as to why the company was unable to fully comply. 

 

Information will be provided free of charge.  A reasonable fee may apply when a request is manifestly unfounded or excessive, particularly if it is repetitive or for requests for further copies of the same information.

 

Where a particular situation becomes unclear or the individual disagrees, advice and guidance will be sought from the ICO.

 

If you would like to exercise the right, please write to the Data Protection Officer below. 

 

How to contact the Data Protection Officer

 

Please use the contact information below to write to the Data Protection Officer.  In order for us to fully comply with your rights under the act, all requests being made should clearly mention “General Data Protection Regulations” and include your full name, address and relevant contact information for a response.  Requests submitted by any other means than written letter may not be processed. 

 

Data Protection Officer

 

Name:                  Mr Clive Setter

Position:              Company Director

Address:              East Barn, Whitecross Farm, Bristol Road, West Harptree, BS40 6HQ

 

Data Breaches

 

In the unlikely event of a serious Data Breach, HeartSafe® AED Locator will contact you via the last known contact details we hold on file for you or your organisation.  You will be informed as far as is technically possible of the data that has been potentially compromised and where you can seek further advice about your rights.