GDPR Operation Method

May 2018

From 25 May 2018, new rules come into effect governing how the personal data of EU citizens can be stored and processed. These rules are the General Data Protection Regulation (GDPR). Our policy can be found on our website: http://teneo-translations.com.

GDrive/Teneo/GDPR

Sub-folders contain compliance documentation relating to Teneo clients where detailed compliance documentation has been provided. They also contain correspondence files relating to GDPR compliance for Teneo's contracted data processor suppliers.

ICO – Information Commissioner’s Office – Registration complete – documented and stored

  1. Technical Measures – Art 28 (1)

Server/G Drive (on site):

  • Teneo staff access the Teneo server situated within a locked room within 34 Howard Close, Waltham Abbey.
  • The shared drive – G drive – is a closed network with two-stage security
  • Back-up is carried out twice daily. One back up is incremental, and the other is a full back up. Both back-ups are to separate devices.
  • Closed network back-up allows immediate access to client data
  • Data restoration is tested and attainable
  • A Router Firewall – Draytek 2830 – is in place and data access is controlled through active directory security groups, with access to folders being granted to those with relevant permissions
  • Strong passwords are in place; the minimum standard is 8 characters, with at least 1 upper case letter, 1 lower case letter and 1 special character
  • Special access privileges are reviewed annually

VPN access to the G Drive from off-site:

  • Traffic is encrypted by default

Centric Solutions – provide technical support for Teneo

Organisational Measures – Art 28 (1)

Teneo has implemented organisational measures as follows:-

  • An initial Privacy Impact Assessment has been carried out and a Privacy Impact Assessment document is in place
  • All future changes to technology or process involving personal data will be subject to an impact assessment
  • Event logs, personal data and sensitive information are maintained on servers, workstations and laptops in password protected form, on a secure server
  • Where personal details and sensitive information are shared with a sub-processor for the purposes of delivery of translations, the information is transferred to that sub-processor without identifying personal data
  • Teneo offices are situated within 34 Howard Close and are locked at all times unless in use
  • Lockable cabinets are used to store paper based records
  • Password policy enforces changing administrator passwords at least every 60 days to a complex password
  • Appropriate retention and discovery measures are in place for paper based records
  • Hard copy files containing personal data are retained for a limited period and then destroyed by shredding
  • Soft copy files containing personal data are retained where there is a contractual relationship, legitimate business interest or with consent

VPN:

  • Accessing the VPN via a public Wifi connection is prohibited
  • Accessing the VPN through a trusted private Wifi connection is permitted
  2. Lawfulness of Processing – Art 6

Teneo will process personal data as follows:

  • Where a contract exists or has existed between Teneo and a current client or supplier, the contractual relationship forms the lawful basis for processing that client’s and their employees’ data
  • Where data has been provided or obtained in the course of a legitimate business interest enquiry and the subject has engaged with Teneo on the basis of their business interest in Teneo’s ‘translation services’
  • Where Teneo relies on legitimate interest to legally justify direct marketing, it has carried out the legitimate interest ‘balance test’
  • Where a subject has requested Marketing Information or subscribed to a Newsletter
  • Where consent to processing personal data is received in response to a GDPR notice. We request a positive opt in for data processing

Lawfulness of processing, consent and withdrawal of consent:

  • Where Consent is requested it is documented
  • The request for consent is prominent and separate from our terms and conditions
  • We ask people to positively opt in
  • We don’t use pre-ticked boxes or any other type of default consent
  • We specify why we want the data and what we’re going to do with it
  • We name our organisation and any third party controllers who will be relying on the consent
  • We tell individuals they can withdraw their consent and make it easy for individuals to withdraw their consent at any time, and publicise how to do so
  • We act on withdrawals of consent as soon as possible. Personal data is erased/destroyed (such that it cannot be recovered or reconstructed) forthwith
  • Our Data Subject Access and amendment and deletion Processes are notified as follows:-
  • When personal data is collected at Pre-Course Questionnaire stage the following notification is given:-

Your personal details will not be given to any third parties without your consent, other than as stated above.

We respect your privacy rights and will provide you with reasonable access to any Personal Data that we hold about you.

If you wish to access, update, correct or delete any Personal Data or Information we hold about you, you may Contact us, and at your request we will have any reference to you deleted from our database.

When any personal data is collected, the following notification is made:-

* Your Personal Contact Information will only be used to enable us to communicate to you the services and information that we consider will be of benefit to you. We will never pass on your details to any other Company/Companies.

We respect your privacy rights and will provide you with reasonable access to any Personal Data that we hold about you.

If you wish to access, update, correct or delete any Personal Data or Information we hold about you, you may Contact us, and at your request we will have any reference to you deleted from our database.

Lawfulness of processing categories are recorded in Salesforce (Client Relationship Management system) and are as follows:

  • Consent to Contact – GDPR notice
  • Vital Contact (staff and sub-processors (with consent))
  • Active Client – legitimate business interest or contractual relationship
  3. Legal Data Transfer – Art 44

Teneo transfers clients' personal data to a 'Third country' on the occasion that a sub-processor is in a Third country when data is transferred:

  • Data is transferred on the basis of an adequacy decision
  • Data is transferred on the basis of consent from the data subject
  • If data is transferred, this is on the basis of a contract between the data subject and Teneo's client and on the basis of conclusion or performance of a contract for services in the interest of the data subject, between Teneo and Teneo's client

"Third country" means any country outside the EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.

  4. Contract Compliance – Art 28 (3)

As processor, Teneo will:

  • give a data controller sufficient guarantees of GDPR compliance
  • act on the written instructions of a controller
  • ensure security of processing by compliance with technical and organisational measures
  • ensure people processing data are subject to a duty of confidence
  • engage sub-processors with the prior written consent of the controller
  • allow a data controller subject access, and data subjects to exercise their rights under GDPR
  • delete or return all personal data (as requested) at the end of the provision of services
  5. Processing Records – Art 30 (2)

  • We keep a record of the name and contact details of clients and if appropriate the client’s DPO
  • We keep a record of the categories of processing carried out on behalf of each client
  • We keep a record of, where applicable, transfers of personal data to a third country or an International Organisation
  • We keep a record of the general description of the technical and organisational security measures described previously
  • We are prepared to make these records available to the supervisory authority on request
  6. Data Protection Officer – Art 37

Responsibility for GDPR Compliance – Rob Sandys – Teneo Translations UK Ltd

33-35 Howard Business Park, Howard Close, Waltham Abbey EN9 1XE

  7. Sub Processing – Art 28 (2)

  • We obtain contractual authority to appoint any active sub-processor(s)
  • If required by the client we provide assurances that the controller will be given the opportunity to object to any intended changes concerning the addition or replacement of the sub-processor(s)
  • As necessary for delivery of the services we provide, we will impose the same contractual terms agreed with our client on any active sub-processor(s)
  • We confirm that at the end of the provision of services the sub-processor will erase all personal data
  • We confirm that sub-processors have a process in place to notify us of a Data Breach
  • We have documented any Cloud Service Provider contract where personal data is processed
  • We have recorded all compliance assurances as appropriate
  8. Breach Notification – Art 33 (2)

"Personal Data Breach" means a breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Processor Personal Data transmitted, stored or otherwise processed.

  • We confirm that we will notify the client without undue delay after becoming aware of a personal data breach
  • Members of staff report data breaches direct to the DPO
  • All breaches reported by 3rd party processors are recorded on a data breach form by the DPO
  • We have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if we do not then have all the details
  • We know what information we must give the ICO about a breach
  • We have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms
  • We document all breaches, even if they don’t all need to be reported