Data Processing Policy

This Data Processing Policy applies to the personal data that we process and hold when providing the Services to you. This policy must be read alongside the Service Agreement and any other documents referred to in it. The definitions contained in the Service Agreement apply to this policy.

You are the Data Controller in relation to any personal data you input into the ImpactReady Software, including your Customer Data and data relating to Project Participants. We are the Data Processor in relation to all such personal data.

You agree to the terms of this policy so that all processing of personal data carried out by us, as Data Processor, on behalf of you, as Data Controller, complies with the UK GDPR.

Our processing of data

In providing the Service we will:

• process the Personal Data that you enter into the ImpactReady Software in relation to your Customer Funded Project and its activities and sessions;

• process the Personal Data in the following ways:

• storing data;

• making data available to you in different formats and media;

• presenting that data to you in the form of summaries and reports based on the data; and

• carrying out statistical analysis and calculation of SROI;

• process the Personal Data for the following purposes:

• to collate and track Project Participant data relating to activities or sessions which are part of your Customer Funded Project;

• to send surveys and analyse survey responses;

• to allow such data to be edited and expanded on safely and quickly; and

• to make tools available to you so that you can analyse the data.

Types of personal data

We will process the following Personal Data:

• name

• email

• contact number

• postcode

• address

• date of birth

• gender

• housing status

• qualifications

• referral reason

• photos

• employment status

• emergency contact details of a participant

• legal guardian contact details

We may also process the following Special Category data:

• Ethnicity

• Disability

• Religion

• Sexual orientation

• Medical details/health

Categories of Data Subject

The Service Provider will process the Personal Data of the people engaged in or with the Customer Funded Project, including:

• Users: employees and volunteers of the Customer;

• Project Participants: children, teens and adults participating in activities and sessions in the Customer Funded Project;

• any other data subjects whose Personal Data forms part of the Customer Data.

Duration of processing

We will carry out these activities for the duration of our contract with you. Unless we are required by the Data Protection Legislation to store the Personal Data, we will anonymise/delete your Personal Data:

• on your written instruction;

• on termination of your Service Agreement;

• following a data subject request for deletion.

As the Data Controller you shall retain control of the Personal Data at all times and remain responsible for compliance with the Data Protection Legislation, including (but not limited to) your collection, holding and processing of the Personal Data, having in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Data Processor, and the written instructions you give to the Data Processor.

The Data Processor’s Obligations

The Service Provider shall, in relation to any Personal Data within the Customer Data:

• process that Personal Data only on the written instructions of the Customer, unless the Service Provider is required by Applicable Law to process that Personal Data otherwise. For the avoidance of doubt, the Customer's entry into this Agreement constitutes written instructions to the Service Provider to process the Personal Data to enable the Service Provider to operate and provide the Services, and to otherwise process such Personal Data as identified in this Agreement for that purpose only;

• on the Data Controller's written instruction, or in anticipation of termination of this Agreement, either return or delete the Personal Data in accordance with "Data Return and Destruction" as set out in the Service Agreement, unless required by Applicable Law to continue to store the Personal Data; and

• promptly comply with any written request from the Data Controller requiring the Data Processor to stop, mitigate, or remedy any unauthorised processing involving the Personal Data.

The Service Provider will not transfer any Personal Data within the Customer Data outside of the European Economic Area.

The Service Provider is permitted to process the Customer Data by anonymising it and (where applicable following such anonymisation) aggregating it with other data sources in connection with the Service Provider’s development of its products, strategies, or services or any further purpose related to the Service Provider’s business, including for analytics, marketing, research, development, benchmarking purposes and additional services. For the avoidance of doubt, following such anonymisation, the derivative data shall not be considered to be Personal Data for which the Service Provider is the data processor on behalf of the Customer.

The Customer consents to the Service Provider appointing the following classes of third-party processors of Personal Data under this Agreement:

• service providers acting as processors based in the EEA who provide IT, hosting, development and system administration services, including Amazon Web Services (AWS), EU West region;

• GoCardless (to process payment); and

• Stripe (to process payment).

The Service Provider confirms that it has entered or (as the case may be) will enter into a written agreement incorporating terms which are substantially similar to those set out in this clause with any third-party processor who has access to Personal Data within the Customer Data. As between the Customer and the Service Provider, the Service Provider shall remain fully liable for any failure of such third-party processor to fulfil such substantially similar data protection obligations as if such actions were the actions of the Service Provider.

We will promptly comply with any written request from you requiring us to amend, transfer, delete (or otherwise dispose of), or to otherwise process the Personal Data.

Security of Processing

The Service Provider is registered with the Information Commissioner's Office (ICO) for the purpose of handling personal data within the UK.

Our employees have access to the ImpactReady Software and your personal data only in so far as that access is needed to support your use of the Service. The Service Provider and its employees do not undertake any work involving your personal data without your permission, and hold no responsibility for the maintenance and content of your data.

Technical and Organisational Data Protection Measures

The Service Provider shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Customer, it maintains security measures to a standard appropriate to:

• the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and

• the nature of the Personal Data.

In particular, the Service Provider shall:

• ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software used in processing the Personal Data, in accordance with best industry practice;

• ensure that all hardware and software used in the processing of the Personal Data is properly maintained, including, but not limited to, the installation of all applicable software updates;

• prevent unauthorised access to the Personal Data;

• protect the Personal Data during transfer and processing using encryption;

• protect the Personal Data using pseudonymisation, where it is practical to do so;

• ensure that its storage of Personal Data conforms with best industry practice, such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;

• ensure that all employees who are to access and/or process any of the Personal Data are given suitable training on the Data Protection Legislation, the Data Processor's obligations under it, their own obligations under it, and its application to their work, with particular regard to the processing of the Personal Data;

• have a secure procedure for backing up all electronic Personal Data and for storing back-ups; and

• have a secure method of disposal of unwanted Personal Data, including back-ups.

Payment Data

Payment of any Licence Fee is completed using one of the following third-party providers:

1. GoCardless

The GoCardless system is available to complete payment of the Annual Licence Fee. GoCardless is ISO 27001 certified. No bank or card details are held by the Service Provider. See the GoCardless security FAQ for more information (FAQ Security | GoCardless).

2. Stripe

The Stripe gateway is available to complete payment of the Annual Licence Fee. Stripe is certified as a PCI DSS Level 1 Service Provider, the highest level of certification. No card numbers are stored by the Service Provider. See Stripe's security documentation for more information (Security at Stripe | Stripe Documentation).

Data Subject Rights and Complaints

If we receive any request from a data subject to exercise any of their rights under the Data Protection Legislation including, but not limited to, a data subject access request, we shall notify you as the Data Controller as soon as reasonably possible.

We will cooperate fully (at your cost) and provide all reasonable assistance in responding to any complaint, notice, other communication, or Data Subject request, including by:

• providing you with full details of the complaint or request;

• providing the necessary information and assistance in order to comply with a subject access request;

• providing you with any Personal Data we hold in relation to a Data Subject (within the timescales you require) if you are unable to obtain it yourself; and

• providing you with any other information requested by you.

We will only act on your instructions and shall not disclose any Personal Data to any Data Subject or to any other party except as instructed in writing by you as Data Controller, or as required by domestic law.

Personal Data Breaches

We will notify you immediately if we become aware of any Personal Data Breach, including the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, the Personal Data.

We will provide:

• a description of the Personal Data Breach; and

• a description of the measures taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

We will use all reasonable endeavours to restore any Personal Data lost, destroyed, damaged, corrupted, or otherwise rendered unusable in the Personal Data Breach as soon as possible after becoming aware of the Personal Data Breach.

As Data Controller you will have the right to determine whether or not to notify affected Data Subjects, the Information Commissioner, law enforcement agencies, or other applicable regulators of the Personal Data Breach as required by law or other applicable regulations, or at the Data Controller’s discretion, including the form of such notification.

Anonymisation and the return or deletion of Personal Data

Once the Customer Funded Project is completed, all Customer Data (in particular Project Participant data) has been fully processed and all activities and sessions have ended, the Service Provider (or the Customer) will anonymise the Personal Data held in the ImpactReady Software. This anonymised data can be retained on your behalf to enable future analysis of the SROI of the Customer Funded Project.

All Personal Data processed by us for you will be securely returned to you or deleted within a reasonable time after:

• your written request as Data Controller;

• termination of the Service Agreement;

• the provision of Services ends; or

• the processing of that Personal Data is no longer required.

As Data Processor we will not retain all or any part of the personal data after returning or deleting it unless required to by law.

If we are required to retain copies of all or any part of the Personal Data by law, regulation, government, or other regulatory body, we will notify you of such requirement(s) in writing, including precise details of the Personal Data that we are required to retain, the legal basis for the retention, the duration of the retention, and when the retained Personal Data will be deleted (or otherwise disposed of) once we are no longer required to retain it.

Audits

As Data Processor we will, on reasonable prior notice, allow you as Data Controller to audit our compliance with our obligations under this Agreement and with the Data Protection Legislation.

We will provide all necessary assistance (at your cost) in the conduct of such audits including, but not limited to:

a) access to all of our employees who are to access and/or process any of the Personal Data including, where reasonably necessary, arranging interviews between you as Data Controller and such employees; and

b) access to and the inspection of all Records, infrastructure, equipment, software, and other systems used to store and/or process the Personal Data.

Liability and Indemnity

You will be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of, any and all actions, proceedings, liabilities, costs, claims, losses, expenses (including reasonable legal fees and payments on a solicitor and client basis), or demands suffered or incurred by, awarded against, or agreed to be paid by us as the Data Processor (and any subcontractor appointed by the Data Processor) arising directly from or in connection with:

• any non-compliance by you as the Data Controller with the Data Protection Legislation;

• any Personal Data processing carried out by us as the Data Processor (or any subcontractor appointed by us) in accordance with instructions given by you as the Data Controller, to the extent that those instructions infringe the Data Protection Legislation; or

• any breach by you as the Data Controller of your obligations or warranties under this Agreement.

Changes to this agreement

The Service Provider may, at any time on not less than 30 days' notice, revise this policy by replacing it with any applicable controller-to-processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply once attached to this Agreement).

The Service Provider reserves the right to modify this Data Processing Policy where required by Data Protection Legislation from time to time.