QB Ireland GDPR Compliance Policy
Defining Personal Data
Personal data is any data which can be used by itself or combined with other data to identify an individual.
Under GDPR, the term ‘personal data’ is defined more widely than it was under the DPA – and considers a wide range of things that could identify a person such as unique identification names/numbers, IP addresses, online behavioural data and location data.
Controller and processor
An organisation which determines how and for what purposes personal data is processed is called a ‘controller’.
A processor processes personal data on behalf of a controller.
The GDPR places legal obligations on controllers. In QB Ireland, Georges Van Cauwenbergh is the sole processor responsible for all personal data.
The one system used by QB Ireland is called ‘ACT’. This is a reputable CRM system and all the entries are set to private with no access for additional users.
All data is stored locally in Act, and all personal data in the cloud (not protected by the service provider, i.e. Microsoft) is deleted.
No remote access to Act and personal data is available. All electronic storage (hard disk drives, USB drives, flash drives) is encrypted with BitLocker (Microsoft encryption level). No data is or will be shared with a 3rd party organisation or person.
Data Principles. Personal data must be:
Each person about whom we hold personal data can at any time opt out by following this link and selecting ‘OPT OUT’.
Each person about whom we hold personal data can at any time request to see the data QB Ireland holds in the single point CRM ‘Act’.
QB Ireland will do an audit every month to check and see:
- If there is any personal data (electronically, on paper or in any other form) that has not been discovered yet or has not been consented to by the owner of the data. This can happen because some people are slow to respond to our GDPR compliance email/letter.
- If there is data that needs to be deleted because of Opt-out information received.
- If there is no longer any need to keep the data.
- If all contacts in ‘Act’ are set to ‘Private’ status.
1. The right to be informed. QB Ireland will comply with any request to provide the personal data of any individual we have on our system. This information will be provided in an email.
2. The right of access. The information will be provided free of charge, unless the request is ‘manifestly unfounded or excessive’, in which case a reasonable fee can be charged. In summary, information must be provided without delay and within one month of receipt. There is an obligation to verify the identity of the individual making the request using “reasonable means”. Requests made in electronic format should be provided in a commonly used format. Act! provides a detailed Contact Report which can be run against an individual Contact to provide a full account of the information stored about them.
3. The right to rectification. Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. This must be done within a month with the possibility for an extension if the request is complex. If no action is being taken, it must be explained to the individual, along with their rights to complain. Third parties to which data have been passed must also rectify the data. Act! enables a record to be made of the request to rectify, for example as a History. The create date of the History will be stored. Follow ups to the request can be recorded as an additional History or Activity for a specified User.
4. The right to erase. Also known as the right to be forgotten. This right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have a right to have personal data erased and to prevent processing in specific circumstances given in the GDPR. Third parties to which data has been passed must also be informed. Act! allows the deletion of Contact records, which will in turn delete all entries and data associated with the record (unless these are associated with other, remaining contacts). The deletion is recorded in History of the Act! user who performed the deletion, noting the date, time, and contact name.
5. The right to restrict processing. Like with the DPA, individuals have a right to block processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. A custom field is used to track the customer’s preference on no processing.
6. The right to data portability. Individuals may obtain and reuse their personal data for their own purposes across different services. The processor has to respond within a month. They should be able to move, copy or transfer data from one IT service to another, securely and without hindrance. The personal data must be provided in an open format that is structured, commonly used and machine readable. You may have to transmit the data to another organisation if that is technically feasible. You shouldn’t prejudice the rights of others, e.g. by disclosing third party data.
7. The right to object. QB Ireland will stop processing or using direct marketing if an individual objects.
a. Processing based on legitimate interests (including profiling)
b. Direct marketing (including profiling)
c. Individuals must be informed of their rights to object at the point of first communication and in the privacy notice. The notice must be brought explicitly to the attention of the data subject and be presented clearly and separately from any other information. If the processing activities are carried out online, there must be a way for individuals to object online.
8. The right to opt back in if they opted out previously. The same procedure as for Opt-In will be used.
9. The rights to automatic decision making and profiling.
The GDPR gives individuals rights when they are the subject of automated decision making and automated profiling. (The ICO describes profiling as “automated processing of personal data to evaluate certain things about an individual”.) These rights are stronger when automated decision making and profiling have a legal or similarly significant effect on an individual.
10. In case you want to discuss anything further you can email: email@example.com