DATA SECURITY POLICY
This Policy is a policy of personal data protection within the meaning of the GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repeal of Directive 95 / 46 / EC (“GDPR”) (OJ EU L 119, p. 1).
Fully-Verified ensures compliance of Fully-Verified’s contractors’ and other subjects conduct with this Policy in an appropriate scope when personal information is transferred to them by Fully-Verified.
- Protection of personal data in Fully-Verified – general principles
- Pillars of personal data protection in Fully-Verified:
- Legality – Fully-Verified cares for the protection of privacy and processes data in accordance with the law;
- Security – Fully-Verified ensures an appropriate level of data security by constantly taking action in this area;
- Rights of the Entity – Fully-Verified enables persons whose data it processes to exercise its rights and implements these rights;
- Accountability – Fully-Verified documents how it fulfills its obligations to be able to demonstrate compliance at any time.
Fully-Verified processes personal data respecting the following principles:
- based on the legal basis and in accordance with the law (legalism);
- fairly and honestly (reliability);
- in a transparent manner for the data subject (transparency);
- for specific purposes and not for “spare” (minimization);
- no more than necessary (adequacy);
- with care for the correctness of data (correctness);
- no longer than necessary (temporality);
- ensuring adequate data security (security).
The system of personal data protection in Fully-Verified consists of the following elements:
- Data inventory. Fully-Verified monitors the data in its possession and verifies them;
- Record. Fully-Verified maintains a register of processing activities for data of which it is an controller and a register of processing activities categories for data that have been entrusted to it;
- Legal basis. Fully-Verified provides, identifies and verifies the legal grounds for data processing;
- Handling of individual rights. Fully-Verified fulfills the information obligations towards persons whose data it processes, and ensures the service of their rights, implementing the requests received in this regard, including:
- Information obligations. Fully-Verified provides legal persons with the required information when collecting data,
- Ability to make requests. Fully-Verified verifies and ensures the possibility of effective implementation of each type of request by itself and its processors,
- Handling of requests. Fully-Verified supports the requests of persons whose data concern using the contact point on the website www.fully-verified.com The handling of each request is documented for exercising the rights of the data subject.
- Procedure for reacting to violations. Fully-Verified uses its own documented procedures to respond to data breaches and register any violations.
- Minimization. Fully-Verified has principles and methods of managing the minimization (privacy by default), including:
- data adequacy management principles;
- principles of regulation and management of data access;
- rules for managing the period of data storage and verification of further suitability;
- Security. Fully-Verified ensures an adequate level of data security, including:
- carrying out impact assessments on data protection where the risk of violation of the rights and freedoms of persons is high,
- adapting data protection measures to the risks identified,
- managing the IT system with a basic policy,
- applying procedures to identify, assess and report identified data breaches to the Data Protection Authority.
- The processor. Fully-Verified selects the data processing entities for the benefit of the data subjects, based on their reliability, the level of data security provided, and the certificates and reputation transferred.
- Data export. Fully-Verified has strict rules of verifying whether it does transfer personal data to third countries, ie entities processing data on behalf of Fully-Verified are required to obtain written consent for further data entrustment, so that Fully-Verified can verify the safety of such operations in advance.
- Authorization. Fully-Verified authorizes employees to process the personal data in the most efficient and secure way possible. The scope of authorizations is not greater than that necessary for the employee to perform his duties.
- Privacy by design. Fully-Verified manages any changes affecting privacy. To this end, the procedures for launching new projects and investments in Fully-Verified take into account the need to assess the impact of changes on data protection, ensuring privacy (including compliance of processing goals, data security and minimization) already at the design stage of change, investment or at the beginning of a new project.
Any contacts regarding personal data can be made via e-mail to the address [email protected]. Issues regarding personal data are settled on an ongoing basis and without delay.
- Registry of Personal Data Processing Activities
- The Registry is a form of documenting data processing activities, acts as a data processing map and is one of the key elements enabling the implementation of the fundamental principle on which the entire personal data protection system is based – accountability principles.
- Fully-Verified maintains a Data Processing Data Record in which it reviews and monitors the manner in which it uses personal data.
- The Registry is one of the basic tools enabling Fully-Verified to settle most of the data protection obligations.
- Registry of Personal Data Processing Activities Categories
- Fully-Verified documents the legal grounds for data processing for particular processing activities in the Registry of Personal Data Processing Activities Categories.
- By indicating the general legal basis (consent, contract, legal obligation, vital interests, public task / public authority, legitimate purpose of Fully-Verified), Fully-Verified describes the basis in a clear way when it is needed. For example, for consent, indicating its scope when the law is the basis – indicating a specific provision and other documents, eg a contract, administrative agreement, vital interests – indicating the categories of events in which they materialize, a legitimate goal – pointing to a specific goal, e.g. self-marketing, redress.
- Fully-Verified implements methods of managing consents that allow registration and verification of the consent of the person to process its specific data for a specific purpose.
- The manner of handling the rights of an individual and fulfilling information obligations
- Fully-Verified cares about the readability and style of information provided and communication with persons whose data it processes.
- Fully-Verified cares for keeping the legal deadlines for the performance of obligations towards data subjects.
- Fully-Verified introduces adequate methods of identification and authentication of persons for the purposes of the implementation of individual rights and information obligations.
- In order to exercise the rights of the given person, Fully-Verified provides procedures and mechanisms to identify the data of that person processed by Fully-Verified, integrate those data, introduce changes to them and delete them in an integrated manner.
- Fully-Verified documents the handling of information obligations, notifications and requests of persons by means of entry reports.
- Fully-Verified defines lawful and effective means of performing information obligations.
- Fully-Verified informs data subjects about:
- the extension of over one month deadline for considering the request of that person;
- the processing of its data when collecting data from that person.
- the processing of its data when collecting data about that person indirectly from it.
- the planned change of the purpose of data processing.
- rectification, deletion or limitation of data processing (unless it will require a disproportionately large effort or will be impossible).
- the right to object to the processing of data at the latest at the first contact with that person.
- Fully-Verified informs the person without undue delay about the breach of personal data protection, if it may cause a high risk of violating the rights or freedoms of that person.
- Natural person’s requests
In implementing the rights of data subjects, Fully-Verified introduces procedural guarantees to protect the rights and freedoms of third parties. In particular, when reliable information is received that the execution of a person’s request for a copy of the data or the right to transfer the data may adversely affect the rights and freedoms of others (eg rights related to the protection of other people’s data, intellectual property rights, trade secrets, personal rights, etc.), Fully-Verified may ask the individual to clarify doubts or take other lawful steps, including refusal to comply.
Fully-Verified informs the requestor that it does not process data concerning it, if such a person has made a request regarding its rights.
Fully-Verified informs the requestor, within one month of receiving the request, of refusing to consider the request and the rights of the data subject and gives a thorough, lawful explanation of such refusal.
At the request of persons regarding access to its data, Fully-Verified informs the requestor whether it processes its data and informs the person about the details of processing, in accordance with art. 15 GDPR (the scope corresponds to the information obligation when collecting data), and also gives the person access to data concerning him / her.
Fully-Verified corrects incorrect data at the requestor request. Fully-Verified has the right to refuse to rectify the data, unless the requestor in a reasonable manner shows the irregularity of the data which he or she demands to be rectified. In case of data rectification, Fully-Verified informs the requestor about the recipients of the data at the request of that person.
Fully-Verified complements and updates data at the request of a requestor. Fully-Verified has the right to refuse to supplement the data if the supplement would not be compatible with the purposes of data processing (e.g. Fully-Verified does not have to process data that is unnecessary to Fully-Verified). Fully-Verified may rely on a statement of the requestor regarding the data to be completed, unless this is insufficient in the light of the procedures adopted by Fully-Verified (eg regarding obtaining such data), the law or grounds to consider the statement unreliable.
At request, Fully-Verified deletes personal data of a requester if:
- The data are not necessary for the purposes for which they were collected or processed for other purposes;
- the consent for their processing has been withdrawn, and there is no other legal basis for the processing;
- the requestor has submitted effective objection to the processing of such data,
- the data was processed unlawfully;
- the necessity of removal results from the legal obligation.
Fully-Verified limits data processing at request when:
- the requestor questions the correctness of the data – for a period allowing to check their correctness,
- the processing is unlawful or unnecessary, and the data subject opposes the removal of personal data, requesting instead to limit their use,
- Fully-Verified no longer needs personal data, but it is needed by the data subject to determine, assert or defend claims,
- the requestor has objected to the processing for reasons related to its special situation – until it is determined whether Fully-Verified has legally justified grounds overriding grounds of objection.
During processing restriction, Fully-Verified stores the data but does not use or transmit it without the consent of the data subject, unless to establish, investigate or defend claims, or to protect the rights of another natural or legal person, or because of important public interest considerations. Fully-Verified informs the person before revoking the processing limit.
At request, Fully-Verified may issue in a PDF file containing requestor’s personal data, processed on the basis of the requestor’s consent or to conclude or perform the contract concluded with it, in Fully-Verified’s IT systems.
Fully-Verified cares about minimizing data processing in terms of:
- the adequacy of the data for purposes,
- Minimizing scope of processing.
Fully-Verified verifies the scope of acquired data, the scope of their processing and the amount of data processed in terms of adequacy for purposes of processing as part of the implementation of the GDPR. Fully-Verified periodically reviews the amount of data processed and the scope of its processing at least once a year.
Fully-Verified applies restrictions on access to personal data: legal, technical and organizational. Fully-Verified updates the access rights for changes in the composition of staff and changes in the roles of persons, as well as changes in the processing entities. Fully-Verified periodically reviews established system users and updates them at least once a year.
Fully-Verified implements life-cycle data protection mechanisms in Fully-Verified, including verification of the further suitability of the data in relation to the dates and control points indicated in the Registry. Data whose scope of use is limited with the passage of time are removed from Fully-Verified’s production systems, as well as from handheld and main files. Such data may be archived and be stored on back-up systems and information processed by Fully-Verified. Procedures for archiving and using archives, creating and using backup copies take into account the requirements of control over the data life cycle, including data deletion requirements.
Fully-Verified provides a level of security corresponding to the risk of violation of the rights and freedoms of individuals as a result of the processing of personal data.
- Risk analysis and adequacy of security measures
Fully-Verified carries out and documents the adequacy analysis of personal data security measures. For this purpose:
- Fully-Verified ensures an appropriate state of knowledge on information regarding security, cybersecurity and business continuity – either internally or with the support of specialized entities;
- Fully-Verified analyzes risks of violation of the rights or freedoms of individuals for data processing activities or categories of data. Fully-Verified analyzes possible situations and scenarios of personal data breach taking into account the nature, scope, context and purposes of processing, the risk of violation of the rights or freedoms of individuals with varying likelihood of occurrence and the severity of the threat;
- Fully-Verified determines the organizational and technical security measures that can be applied and assesses the cost of their implementation. In this Fully-Verified determines the suitability and applies such measures and approach as:
- encryption of personal data,
- other cyber-security measures consisting of the ability to continually ensure the confidentiality, integrity, availability and resilience of processing systems and services,
- measures to ensure business continuity and to prevent the consequences of disasters, i.e. the ability to quickly restore the accessibility and access to personal data in the event of a physical or technical incident.
- Impact assessment for data protection
Fully-Verified evaluates the effects of planned processing operations for the protection of personal data where, in accordance with the risk analysis, the risk of violating the rights and freedoms of persons is high. Fully-Verified applies the impact assessment methodology adopted at Fully-Verified.
Fully-Verified applies security measures established as part of risk analyzes and the adequacy of security measures and impact assessments for data protection. Personal data security measures are part of information security measures and provide cyber security in Fully-Verified and are described in more detail in the procedures adopted by Fully-Verified for these areas.
Fully-Verified uses its safety procedures to identify, assess and report identified data breaches to the Data Protection Authority within 72 hours of the establishment of the infringement.
- Fully-Verified always verifies the entities that process data for Fully-Verified to ensure that the processors provide sufficient guarantees to implement appropriate organizational and technical measures to ensure security and implementation of individual rights.
- Fully-Verified only entrusts personal data to a future processor for further processing after concluding a contract for entrusting personal data for processing.
- Fully-Verified requires from the processors to conclude a contract with subcontractors to entrust data with the content corresponding to the template adopted by Fully-Verified
- Fully-Verified registers cases of transmission of the data outside the European Economic Area.
- To avoid unauthorized data export, in particular in connection with the use of publicly available cloud services (shadow IT), Fully-Verified periodically verifies the behavior of users and, where possible, provides equivalent solutions to data protection law.
- Fully-Verified manages changes affecting privacy in such a way as to enable adequate security of personal data and minimize their processing.
- To this end, the principles of project and investment management by Fully-Verified refer to the principles of personal data security and minimization, requiring an impact assessment on privacy and data protection, consideration and design of security and minimization of data processing from the beginning of the project or investment.
- Contact Privacy Notice
This notice explains how Fully Verified processes client’ (hereinafter “you”) personal data in relation to the provision of the Fully Verified demo if you ask to see our platform in action or you register for a Fully Verified account. The controller of personal data is Fully Verified OÜ, registry code 14455170, address Männimäe, 74626 Kuusalu vald, Estonia (hereinafter “ Fully Verified”, “we” or “us”). Please note that the end users’ personal data processing during the identity verification procedure is regulated under a Data Processing Agreement. Processed personal data We collect specific personal data about clients who request a call or a meeting via our website. We collect your name, telephone number and e-mail address. We also ask you to describe your business and how we can help you. Therefore, we process anything personal data you submit through the form and ask you not to disclose any excessive personal data. When registering to use our platform, we ask for your name, email, company name, address, city, country, company number, VAT number. Purposes of personal data processing We will use the personal information clients provide to enable us to contact the client and demonstrate the functionality of our platform, create client accounts and respond to your requests. We may also ask for feedback regarding our platform and send you updates regarding our new features. When registering to use our platform, we ask for your contact details to generate a client agreement and invoices. Legal basis The processing is necessary to take steps at the request of the data subject prior to entering into a contract. The legal basis for processing your client account information is fulfilment of contract. The legal basis to send you notices about updates and new features of the product is legitimate interest. Storage of personal data We have taken necessary technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss or alteration and against the unauthorized disclosure, abuse or other processing in violation of applicable law. The information you provide is stored on our own or one of our business partners’ secure servers within the EU. Retention Typically, we store clients’ contact data for 6 months after your request for a demo or end your subscription. We erase personal data after the above described storage period or when you request us to erase your personal data. Disclosure to recipients We may disclose your personal data to third-party subprocessors if it is necessary in order to provide the demo or the service. Our subprocessors must guarantee the same level of data protection. Certain employees of our group companies have access to personal data to the extent necessary for the performance of their work duties. Rights in relation to personal data
- Right to access. You may get information regarding your personal data;
- Right to data portability. You have the right to receive your personal data from us in a structured, commonly used and machine-readable format and to independently transmit those data to a third party;
- Right to erasure. You the right to have personal data we process about you erased from our systems if the personal data are no longer necessary for the related purposes;
- Right to rectification. You have the right to correct any personal data that we process.
To exercise any of the abovementioned rights, the client should contact our support. We will respond to your requests within 30 days. Electronic communication We may send you emails to notify you about updates and new features. You may opt out from our emails by clicking “Unsubscribe”. Dispute resolution If you have questions, please feel free to contact us at [email protected]. Disputes relating to the processing of personal data are settled through our customer support. The supervisory authority is the Estonian Data Protection Inspectorate ([email protected]).