Keeping our clients’ personal data secure is our number one priority. We implement a number of processes within our software and other systems to ensure we are meeting the highest standards of data protection designed specifically to meet the challenges set by our operating markets.
Data Protection processes that are central to our solutions include:
- Our servers are held in ISO 27001 data centres to ensure optimal security
- We use permission-level access to ensure users can only see data that is appropriate to their role
- Our solutions are accessed via 256-bit encrypted URLs that are salted with 6 or 7 sources unique to each client, giving each customer their own customised security
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, requires all companies that collect data on EU citizens to protect the personal information belonging to those individuals and to have verified proof of such protection.
Controllers and processors
The GDPR applies to both controllers and processors of data.
Controllers determine why and how personal data is processed. Processors act on the controller's instructions to process data. SeaPlanner and SitePlanner are data processors.
There are specific legal obligations on both controllers and processors:
- Controllers must specifically ensure that contracts with processors comply with the GDPR;
- Controllers and processors have separate, but explicit, requirements to maintain records of personal data and processing activities; and
- Processors are also legally responsible and liable for any security breaches.
We provide our clients with best practice guidelines to help them, as data controllers, stay compliant with data protection regulations.
GDPR rights for Individuals
The right to be informed
Individuals have the right to know how their personal data is going to be processed. The GDPR promotes transparency over processing. As part of this aim, data controllers are required to make privacy notices understandable and accessible and to include in them (amongst other things) details of the controller, the source of the data and the legal basis for the processing, the recipients of the data, any data transfers made outside the EU, and the period for which the data is retained.
The right of access (subject access request)
Individuals have the right to obtain confirmation that their data is being processed, access to their personal data, and other information, such as that provided in a privacy notice.
The maximum amount of time allowed to deal with a subject access request has been reduced from 40 to 30 days under the GDPR, and the right to charge a subject access fee has been removed, unless the request is unfounded, excessive or repetitive.
The right to rectification
Individuals have the right to have inaccurate or incomplete personal data rectified. This must also include personal data which is shared or given to third parties.
The right to erasure
Individuals have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Again, this must also include personal data which is shared or given to third parties.
There are some exceptions to the right to erasure, such as where data is held to comply with a legal obligation.
The right to restrict processing
Individuals have the right to restrict the processing of personal data. In these circumstances the personal data can be stored but not processed.
The right to data portability
Individuals have the right to obtain and reuse their personal data across different services. It allows them to move, copy or transfer personal data. Personal data must be provided in a structured, commonly used, machine-readable format (such as .csv).
The right to object
Individuals have the right to object to the processing of personal data. Processing must stop immediately unless there are 'compelling' legitimate grounds for the processing, or if processing is for the establishment, exercise or defence of legal claims.
Rights in relation to automated decision making and profiling
Individuals have the right to ensure that safeguards are in place to protect against the risk of damaging decisions being taken without human intervention. This also extends to the safeguarding of personal data used for profiling purposes.
Accountability and governance
The GDPR contains the principle of accountability, which requires that appropriate governance measures are in place. Organisations therefore need to:
- Implement measures that meet the principles of data protection
- Document policies and procedures in relation to the storage and processing of personal data
- Implement technical and organisational measures to ensure and demonstrate compliance
- Appoint a data protection officer where necessary
SeaRoc Group shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.