Data Protection Policy
Policy last updated: 1st November 2021
Introduction
This Policy sets out the obligations of Net4 Limited, a company registered in England under number 11371379, whose registered office is at 115 Eastbourne Mews, London, UK W2 6LQ (“the Company”) regarding data protection and the rights of staff, clients, business contacts, and partners (“data subjects”) in respect of their personal data under Data Protection Law. This Policy sets out the Company's obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
Definitions
Consent
Means the consent of the data subject which must be a freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them.
Data Controller
Means the natural or legal person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company is the data controller.
Data Processor
Means a natural or legal person or organisation which processes personal data on behalf of a data controller.
Data Subject
Means a living, identified, or identifiable natural person about whom the Company holds personal data.
Personal Data
Means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to their identity.
Personal Data Breach
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Scope
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
The Company's Data Protection Officer is Alex Taylor. The Data Protection Officer is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.
All managers are responsible for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company comply with this Policy.
The Data Protection Principles
All personal data must be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary;
- Processed in a manner that ensures appropriate security of the personal data.
The Rights of Data Subjects
The GDPR sets out the following key rights applicable to data subjects:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (also known as the ‘right to be forgotten’)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights with respect to automated decision-making and profiling
Data Subject Access
Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company's Data Protection Officer at info@net4connect.com.
Responses to SARs must normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made.
Personal Data Collected, Held, and Processed
The following personal data is collected, held, and processed by the Company:
| Type of Data | Purpose |
|---|---|
| Name | Identification |
| Customer Name | Customer Contact for Delivery, Subscription Information, Support Information, Billing and Alerting |
| Customer Email Address | Customer Contact for Delivery, Subscription Information, Support Information and Billing |
| Customer Address | Customer Contact for Delivery, Subscription Information, Support Information and Billing |
| Customer Billing Details | Credit Card Details for Billing |
| Alternative Contact Details | Alternate Contact details for Support and Alerting |
| Other Captured Data | Anonymized - DeviceID, Network Interface ID, other |
Data Security
Transferring Personal Data and Communications
The Company shall ensure that the following measures are taken:
- All emails containing personal data are encrypted using TLS 1.2+ over Gmail
- All emails containing personal data must be marked with a “confidential” label
- Personal data may be transmitted over secure networks only
- Personal data may not be transmitted over a public wireless network unless using encryption
- All personal data to be transferred physically shall be transferred in a suitable container marked “confidential”
Storage
- All electronic copies of personal data should be stored securely using passwords and data encryption
- All hardcopies of personal data should be stored securely in a locked box, drawer, cabinet, or similar
- All personal data stored electronically will be backed up
- No personal data should be stored on any mobile device without formal written approval
IT Security
- All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols
- Under no circumstances should any passwords be written down or shared
- All software shall be kept up to date with security patches
- No software may be installed without prior approval of the IT Department
Data Breach Notification
All personal data breaches must be reported immediately to the Company's Data Protection Officer.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that the Information Commissioner's Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Implementation of Policy
This Policy shall be deemed effective as of 1st November 2021. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
Policy Approved by:
Alex Taylor, CEO
Date: 1st November 2021