Effective date: 2023-03-22
Salesken is committed to all aspects of data protection and acknowledges its responsibilities under the General Data Protection Regulation organization-wide. This policy sets out how the organization deals with personal data, including customers' personal files and data subject access requests, and employees' obligations regarding personal data.
This policy applies to all parties (customers, suppliers, vendors etc.) who access personal information of customers that is stored and captured by Salesken. The policy must be followed by all employees as well as contractors, consultants, partners and any other external entity. In general, it applies to anyone who collaborates closely with Salesken or acts on its behalf and may need access to personal information of customers stored and captured by Salesken.
Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.
Personal data – any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject – any living individual who is the subject of personal data held by an organization.
Customer - A party that receives or consumes products (goods or services) and has the ability to choose between different products and suppliers. In the government, a customer will be either a government employee or a citizen or a resident or a visitor that will be consuming any of the provided government services.
Users – a user is an individual, including employees (permanent and contracted) and non-employees (contractors, consultants, suppliers, vendors, partners, customers, etc.) of Salesken.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person's performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and the right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The controller is obliged to report personal data breaches to the supervisory authority and, where the breach is likely to adversely affect the personal data or privacy of the data subject, to the data subject as well.
Data subject consent - means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Child – for the purpose of consent to information society services, the GDPR treats anyone under the age of 16 as a child, although Member State law may lower this age to 13. Where consent is relied on to offer such services directly to a child, the processing is only lawful if consent has been given or authorized by the holder of parental responsibility. The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child.
Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
2.1 The Board of Directors and Management of Salesken are committed to be compliant with all relevant EU and Member State laws with regards to personal data, and the protection of the “Rights and freedoms” of individuals whose information the client collects and processes in accordance with the General Data Protection Regulation (GDPR).
2.2 This policy applies to all personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data the organization processes from any source.
2.3 The GDPR Owner (referred to below as the policy owner) is responsible for reviewing the register of processing annually in the light of any changes to Salesken's activities (as determined by changes to the data register and the management review) and of any additional requirements identified by means of data protection impact assessments. This register will be made available on the supervisory authority's request.
2.4 Salesken needs to obtain and process personal information of people (in paper and electronic form, if applicable) that serves its business purposes. The information may refer to any offline or online information that makes a person identifiable such as names, email address, mailing addresses, customer photos, financial data, medical data, age etc.
2.5 Partners and any third parties working with or for Salesken and who have or may have access to personal data, will be expected to read, understand and comply with this policy. No third party may access personal data held by Salesken without having first entered into a data confidentiality agreement, which imposes on the third-party obligations no less onerous than those to which Salesken is committed, and which gives Salesken the right to audit compliance with the agreement.
3.1 Salesken is a Data Processor. Management and all those in managerial or supervisory roles throughout Salesken are responsible for developing and encouraging good information handling practices within Salesken; responsibilities should be set out in individual job descriptions.
3.2 The Policy owner is a member of the senior management team who is accountable to the Board of Directors of Salesken for the management of personal data within Salesken and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
3.3 The Policy owner is a person whom the Board of Directors considers to be suitably qualified and experienced, who has been appointed to take responsibility for Salesken's compliance with this policy on a day-to-day basis and, in particular, has direct responsibility for ensuring that Salesken complies with the GDPR, as do other managers in respect of data processing that takes place within their area of responsibility.
3.4 The Policy owner has specific responsibilities with respect to procedures such as the Subject Access Request Procedure and is the first point of contact for employees and staff seeking clarification on any aspect of data protection compliance.
3.5 Compliance with data protection legislation is the responsibility of all Employees/Staff/Contractors of Salesken who process personal data.
3.6 Employees/Staff/Contractors of Salesken are responsible for ensuring that any personal data about them and supplied by them to Salesken is accurate and up-to-date.
The General Data Protection Regulation requires that all processing of personal data must be conducted in accordance with the below data protection principles.
4.1 Personal data should be processed lawfully, fairly and transparently
Lawful – a lawful basis must be identified before personal data can be processed. These are often referred to as the "conditions for processing", for example consent.
Fairly – for processing to be fair, the Data Controller (Client) must make certain information available to the data subjects as far as is practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
Transparently – information must be communicated to the data subject in an intelligible form using clear and plain language.
The specific information that should be provided to the data subject includes:
4.1.1 The identity and the contact details of the controller and, if any, of the controller's representative;
4.1.2 The contact details of the GDPR Owner;
4.1.3 The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
4.1.4 The period for which the personal data will be stored;
4.1.5 The existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous processing will be affected;
4.1.6 The categories of personal data concerned;
4.1.7 The recipients or categories of recipients of the personal data, where applicable;
4.1.8 Where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;
4.1.9 Any further information necessary to guarantee fair processing.
4.2 Personal data can only be collected for specific, explicit and legitimate purposes
Data obtained for specified purposes must not be used for a purpose that differs from those recorded in Salesken's GDPR register of processing, which is made available to the supervisory authority on request.
4.3 Personal data should be adequate, relevant and limited to what is necessary for processing
4.3.1 The policy owner is responsible for ensuring that Salesken does not collect information that is not strictly necessary for the purpose for which it is obtained.
4.3.2 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a fair processing statement or a link to the privacy statement, and must be approved by the GDPR Owner.
4.3.3 The Policy owner will ensure that, on an annual basis, all data collection methods are reviewed to ensure that collected data continues to be adequate, relevant and not excessive.
4.4 Personal data should be accurate and kept up to date with every effort to erase or rectify without delay
4.4.1 Data that is stored by the Data Controller should be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
4.4.2 The Policy Owner is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.
4.4.3 It is also the responsibility of the data subject to ensure that data held by Salesken is accurate and up to date. Completion of a registration or application form by a data subject will include a statement that the data contained therein is accurate at the date of submission.
4.4.4 Employees/Staff/customers/others should be required to notify Salesken of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of Salesken to ensure that any notification regarding change of circumstances is recorded and acted upon.
4.4.5 The GDPR Owner is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, considering the volume of data collected, the speed with which it might change and any other relevant factors.
4.4.6 On at least an annual basis, the GDPR Owner will review the retention dates of all the personal data processed by Salesken, by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the Secure Disposal of Storage Media Policy.
4.4.7 The GDPR Owner is responsible for responding to requests for rectification from data subjects within one month (see the Subject Access Request Procedure). This can be extended by a further two months for complex requests. If Salesken decides not to comply with the request, the GDPR Owner must respond to the data subject to explain its reasoning and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.
4.4.8 The GDPR Owner is responsible for making appropriate arrangements that, where third-party organizations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data to the third party where this is required.
4.5 Personal data should be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes of the processing.
4.5.1 Where personal data is retained beyond the processing date, it will be minimized and encrypted to protect the identity of the data subject in the event of a data breach.
4.5.2 Personal data will be retained in line with the Data Retention Policy and, once its retention date is passed, it must be securely destroyed as set out in this policy.
4.5.3 The GDPR Owner must specifically approve any data retention that exceeds the retention periods defined in Data Retention Policy and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
4.6 Personal data should be processed in a manner that ensures security
The GDPR Owner will carry out a risk assessment considering all the circumstances of Salesken’s controlling or processing operations.
In determining appropriateness, the GDPR Owner should also consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on Salesken itself, and any likely reputational damage including the possible loss of customer trust.
When assessing appropriate technical measures, the GDPR Owner will consider the following:
When assessing appropriate organizational measures, the GDPR Owner will consider the following:
These controls have been selected based on identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.
Personally Identifiable Information (PII), or personal data, is any information about individuals maintained by Salesken, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, contact number, mother's maiden name, or biometric records, and any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.
There may also be other information about the employee located within the organization, for example in his/her line manager's inbox or desktop; with payroll; or within documents stored in a relevant filing system etc.
Salesken may collect (if applicable) relevant personal information from employees, customers or other data subjects for equal opportunities monitoring purposes. Where such information is collected, the organization will anonymise it unless the purpose to which the information is put requires the full use of the individual's personal information.
Salesken will ensure that personal information about a data subject, including information in personnel files, is securely retained. The organization will keep hard copies of information in a locked filing cabinet. Information stored electronically will be subject to access controls, and passwords and encryption software will be used where necessary.
Salesken provides training on data protection issues to all employees who handle personal information during their duties at work. Such employees are also required to have confidentiality clauses in their contracts of employment.
Where laptops are taken off site, employees must follow the organization's relevant policies relating to the security of information and the use of computers for working from home and bringing your own device to work.
6.1 Data subjects have the following rights regarding data processing, and the data that is recorded about them:
6.1.1 To make subject access requests regarding the nature of information held and to whom it has been disclosed.
6.1.2 To prevent processing likely to cause damage or distress.
6.1.3 To prevent processing for purposes of direct marketing.
6.1.4 To be informed about the mechanics of automated decision-taking processes that will significantly affect them.
6.1.5 To not have significant decisions that will affect them taken solely by automated process.
6.1.7 To have inaccurate data rectified, blocked, erased (including the right to be forgotten) or destroyed.
6.1.9 To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
6.1.10 To object to any automated profiling that is occurring without consent.
Salesken may or may not charge a fee for giving a data subject access to information about them. The organization will respond to any data subject access request within  calendar days. Salesken reserves the right to withhold the data subject's right to access data where any statutory exemptions apply.
7.1 Salesken Management understands 'consent' to mean that it has been explicitly and freely given, and is a specific, informed and unambiguous indication of the data subject's wishes by which, by a statement or by a clear affirmative action, he or she signifies agreement to the processing of personal data relating to him or her.
7.2 There should be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication. Salesken should be able to demonstrate that consent was obtained for the processing operation.
7.3 For sensitive data (such as credit card information, bank account details etc.), explicit written consent (see the Consent Procedure) of data subjects should be obtained unless an alternative legitimate basis for processing exists.
7.4 In most instances, consent to process personal and sensitive data is obtained routinely by Salesken by using standard consent documents e.g. when a new client signs a contract, or during customer first login or during induction for participants on programs etc.
8.1 All Employees/Staff are responsible for ensuring that any personal data that Salesken holds and for which they are responsible is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorized by Salesken management to receive that information and has entered into a confidentiality agreement.
8.2 All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. All personal data should be treated with the highest security and must be kept:
8.3 Manual records may not be left unattended where they can be accessed by unauthorized personnel and may not be removed from business premises without explicit authorization. As soon as manual records are no longer required for day-to-day client support, they must be moved to secure archiving in line with the retention policy.
8.4 Personal data may only be deleted or disposed of in line with the Data Retention Policy. Manual records that have reached their retention date are to be shredded and disposed of as 'confidential waste'. Hard drives of redundant PCs are to be removed and immediately destroyed in line with the Secure Disposal of Storage Media Policy.
9.1 Salesken will ensure that personal data will not be disclosed to unauthorized third parties, which includes family members, friends, government bodies and, in certain circumstances, the Police.
9.2 All requests to provide data for one of these reasons must be supported by appropriate paperwork, and all such disclosures must be specifically authorized by the GDPR Owner.
10.1 Salesken may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject.
10.2 The retention period for each category of personal data will be set out in the Data Retention Policy along with the criteria used to determine this period including any statutory obligations on which the organization has to retain the data.
10.3 The Salesken data retention and data disposal policy will apply in all cases.
10.4 Personal data should be disposed of securely in accordance with the principles of the GDPR and processed in an appropriate manner to maintain security.
Any disposal of data will be done in accordance with the secure disposal policy.
11.1 Salesken will establish a data inventory and data register with a data flow process as part of its approach to addressing risks and opportunities throughout its privacy risk assessment activity. The company data inventory and data flow determine:
11.2 Salesken is aware of the risks associated with the processing of particular types of personal data.
11.2.1 The organization assesses the level of risk to individuals associated with the processing of their personal data. Data protection impact assessments (DPIAs) (see the DPIA Procedure) are carried out in relation to the processing of personal data by Salesken, and in relation to processing undertaken by other organizations on behalf of Salesken.
11.2.2 Salesken shall manage any risks identified by the risk assessment in order to reduce the likelihood of a non-conformance with this policy.
11.2.3 Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, Salesken shall, prior to the processing, carry out a DPIA of the impact of the envisaged processing operations on the protection of personal data. A single DPIA may address a set of similar processing operations that present similar high risks.
11.2.4 Where, as a result of a DPIA it is clear that Salesken is about to commence processing of personal data that could cause damage and/or distress to the data subjects, the decision as to whether or not Salesken may proceed must be escalated for review to the GDPR Owner.
11.2.5 The GDPR Owner shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.
11.2.6 Appropriate controls will be selected and applied to reduce the level of risk associated with processing individual data to an acceptable level, by reference to the organization's documented risk acceptance criteria and the requirements of the GDPR.