Commitment to the General Data Protection Regulation (GDPR)
Version: May 2018
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This is a privacy and data protection regulation that will be in force throughout the European Union (EU) and will be enforceable from 25 May 2018. All EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. The regulation clarifies how the laws governing EU residents’ personal data apply, both within the EU and worldwide. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect that data. SOUND4 Ltd. is aware of its role in providing the right procedures and security to support its employees, customers and suppliers and to help meet our GDPR obligations.
This new legislation supports and enhances the existing data protection legislation and privacy principles outlined in our Privacy Statement. The present statement, policies and procedures are compliant with the 1995 EU Data Protection Directive (European Directive 95/46/EC).
To make SOUND4 Ltd. compliant with our obligations under the General Data Protection Regulation we have taken the following steps:
We have made sure that decision makers and key people within the company are aware that the law has changed to the GDPR and that they all appreciate the impact this is having on the way we obtain, record, store and distribute individuals’ data throughout the company. We have undertaken training throughout the company and will continue to advise our staff on the GDPR and its impact on the policies, procedures, and responsibilities of staff and stakeholders.
- Information that we hold
We document what personal data we hold, where it comes from and who we may share it with. We have implemented and acted upon our information audit to improve our data storage systems and security.
- Communicating privacy information
- Individuals’ rights
We have checked our policies to ensure they cover all the rights individuals have, including how we would delete personal data or provide data electronically and in a commonly used format and have addressed the issues raised.
- Subject access requests
We have updated our policies and have planned how to handle requests for access within the timescales laid out in the regulations and have procedures to provide any additional information.
- Lawful basis for processing personal data
We have identified the lawful basis for our processing activity as outlined in the GDPR; we have produced a Legitimate Interests Assessment and have acted upon it to restrict contact with individuals on our database. We have also used this information to delete out-of-date information.
We have reviewed how we seek, record and manage consent and have taken steps to implement the changes necessary. We have contacted individuals and where there has been no response or where individuals have requested that their details be removed, and it does not conflict with the legitimate interests, we have removed their data.
We have analyzed our systems and company practices and do not store or collect any data related to any persons below 16 years of age.
- Data breaches
We have put in place procedures to report and investigate a suspected personal data breach and will notify the data subject and any applicable regulator of a suspected breach where we are legally required to do so.
- Data Protection by Design and Data Protection Impact Assessments
We are implementing best practice through the creation and continued use of Privacy Impact Assessments, using the latest guidance from the ICO.
- Data Protection Managers
We have designated Data Protection Managers to take responsibility for data protection compliance throughout the company. The team have worked on the changes that have taken place and have implemented these changes to update our systems and make them compliant with the new regulations. We are continuing to assess the implications of this change and will review, and if required enhance, our policies and practices to keep up to date with any future changes.
Our company does not operate in more than one EU member state and as such our lead data protection supervisory authority is the Information Commissioner's Office (ICO) in Bulgaria.
Under the GDPR you have the right to:
Request copies of your data; request rectification of your data; request erasure of your data; object to, or restrict, our processing of your data; and, where our systems allow, receive electronic access to copies of your data in a digital format.
You have the right to rectify any errors in information we hold about you and to change or correct any details you have already given us.
Please inform us about changes to your details so that we can keep our records up to date.
You have a right to see a copy of the information we hold about you. Before we agree to this, you must provide us with sufficient irrefutable evidence of your identity and sufficient details of the information you wish to see to enable us to locate it.
You have the right to be removed from any mailing list we hold at any time by contacting us by email: DPO@sound4.com or by post to the Data Protection Officer, SOUND4 Ltd., 65 Alexander Stamboliyski Street, 8000 Burgas, Bulgaria.
We have taken, and will continue to take, steps to ensure that the businesses we work with have suitable security protocols and policies in place to manage and record your data privacy and preferences correctly and that your data is stored securely. The security of your data is paramount.
At SOUND4 Ltd., we strive to deliver outstanding customer service, earning the trust of thousands of users globally. We have made the required operational changes resulting from the new legislation and will continue to make additional changes as required. We will keep our distributors, customers, partners and regulatory authorities up to date with any major changes. We have an internal team dedicated to the full implementation of our obligations, who will continue to refine the policies and procedures and keep the Company and its operations working within the GDPR guidelines.
For the purpose of General Data Protection Regulation (GDPR), the Data Controller is SOUND4 Ltd., whose registered address is: SOUND4 Ltd., 65 Alexander Stamboliyski Street, 8000 Burgas, Bulgaria.
SOUND4 Ltd. is registered with the Republic of Bulgaria Information Commissioner’s Office – Registration Number 423684.
For more information regarding the SOUND4 Ltd. implementation of GDPR please contact: DPO@sound4.com or by post to the Data Protection Officer, SOUND4 Ltd., 65 Alexander Stamboliyski Street, 8000 Burgas, Bulgaria.
Data Protection Policy
| Item | Detail |
|---|---|
| Policy Title | GDPR Data Protection Policy |
| Policy Number, Revision & Draft Date | GDPR-DPP, 01, 25/05/2018 |
| Purpose | To provide guidelines for the correct recording, processing, storage and distribution of personal data |
| Regulatory Reference | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 |
| Effectivity from Date and Approval | 11/04/2018, Unauthorized copy |
This document provides the policy framework through which effective management of Data Protection can be achieved. The purpose of this policy is to ensure that the Company (SOUND4 Ltd.) and its staff comply with the relevant regulations and provisions of the General Data Protection Regulations when processing personal data. The policy and subsequent procedures are designed to ensure that the personal data is accurate, fairly obtained or given and subsequently stored in a secure format and location. Any genuine infringement of the regulations will be treated seriously by the Company and may be considered under the Company disciplinary procedures. This policy applies regardless of where the data is held.
The Company is required to adhere to the principles of data protection as laid down by the regulations. In accordance with those principles personal data shall be:
1.1. Processed fairly and lawfully;
1.2. Processed for specified purposes only;
1.3. Adequate, relevant and not excessive;
1.4. Accurate and up to date;
1.5. Not kept longer than necessary;
1.6. Processed in accordance with data subject rights;
1.7. Processed and held securely;
1.8. Not transferred outside Europe without adequate protection;
1.9. Available for review upon request;
1.10. Removable upon request, if certain criteria are met;
1.11. Controlled and breaches of that data are dealt with correctly.
2. Related Documents
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (EU residents) with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Computer Misuse Act 1990.
The Payment Card Industry Data Security Standard.
3. Responsibility & Applicability
3.1. SOUND4 Ltd. responsibilities
As the Data Controller the Company and its directors are responsible for establishing policies and procedures in order to comply with the requirements of the relevant regulations.
3.2. Data Protection Manager Responsibilities. The Data Protection Manager holds responsibility for:
3.2.1. The Company Data Protection Notification. Details of the notification are published on the Information Commissioner’s website. Anyone who is processing, or intends to process, personal data for purposes not included in the notification should seek advice from the Data Protection Manager.
3.2.2. Drawing up guidance, giving advice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information.
3.2.3. The appropriate compliance with data subject access rights and ensuring that data is released in accordance with data subject access legislation.
3.2.4. Ensuring that any data protection breaches are recorded, resolved and reported appropriately in accordance with the guidance from the Information Commissioner’s Office.
3.2.5. Investigating and responding to complaints regarding data protection including requests to remove or stop processing personal data.
3.3. Staff Responsibilities. Staff members who process personal data about other staff members, customers and suppliers or any other individual must comply with the requirements of this policy and its related documentation. Staff members must ensure that:
3.3.1. All personal data is kept securely.
3.3.2. No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party.
3.3.3. Personal data is kept in accordance with the Company data protection policy.
3.3.4. Any queries regarding data protection, including data subject access requests and complaints, are promptly directed to the Data Protection Manager.
3.3.5. Any data protection breaches are swiftly brought to the attention of the Data Protection Manager and they support the Data Protection Manager in resolving the breaches.
3.3.6. Where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Manager.
3.3.7. Staff who are unsure about who are the authorized third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Manager.
3.4. Third-Party Data Processors. Where external companies are used to process personal data on behalf of the Company, responsibility for the security and appropriate use of that data remains with the Company. Where a third-party data processor is used:
3.4.1. A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data.
3.4.2. Reasonable steps must be taken to ensure that such security measures are in place.
3.4.3. A written contract establishing what personal data will be processed and for what purpose must be set out.
3.4.4. A contract outlining both parties’ responsibilities under the General Data Protection Regulations must be signed by both parties. For further guidance about the use of third-party data processors please contact the Data Protection Manager.
3.5. Contractors and Short-Term Staff. The Company is responsible for the use made of personal data by anyone working on its behalf. Managers who employ contractors or short-term staff must ensure that they are appropriately vetted for the data they will be processing. In addition, managers should ensure that:
3.5.1. Any personal data collected or processed in the course of work undertaken on the Company’s behalf is kept securely and confidentially.
3.5.2. All personal data is returned to the Company on completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and the Company receives notification in this regard from the contractor or short-term member of staff.
3.5.3. The Company receives prior notification of any disclosure of personal data to any other organization or any person who is not a direct employee of the contractor.
3.5.4. Any personal data made available by the Company, or collected in the course of the work, is neither stored nor processed outside Bulgaria unless written consent to do so has been received from the Company.
3.5.5. All practical and reasonable steps are taken to ensure that contractors and short-term staff do not have access to any personal data beyond what is essential for the work to be carried out properly.
3.5.6. A contract outlining both parties’ responsibilities under the General Data Protection Regulations must be signed by both parties.
4. How the Company uses Personal Information and what Personal Information is Recorded
4.1. Order Information. To process your order, we require your name, billing address, phone number and email address. We use this information to process your order and, if any questions should arise, to contact you about your order. If we need to contact you, we will contact you via email first. If unsuccessful (or if time is critical), we will try to contact you by phone.
4.2. Information From Registration Forms
Our site's on-line forms require you to give us contact information (like your name, email address, organization name, quote address and phone number). Contact information from the registration forms is used to answer questions, send you information or brochures about the Company and its services, quote you pricing and to send occasional newsletters. You may opt-out of receiving mailshots by using the tick-boxes described below. We may also later use the information to contact you regarding the quote, brochure or information supplied to you.
4.3. Our online forms may ask you for contact information (like email address). Contact information is used to make improvements to our web sites, and to build up bodies of knowledge about effective Internet marketing.
4.4. When additional information is requested, we will try to let you know at the time of collection how we intend to use the personal information you provide, such as respond to your inquiry, accept an order, conduct a survey or allow you to access specific information such as account information, etc. We do our best to maintain the accuracy of any personal information you do supply to us.
4.5. You can help us update and maintain the accuracy of any personal information you supply by notifying us of any changes to your address, title, phone number or e-mail address.
4.6. Information Automatically Logged. We use your IP address to help diagnose problems with our server and to administer our Web site. We also use this information to help us to make using our web site easier and more enjoyable.
4.7. In almost all cases, when you go to a web site, web servers log your interaction with the site in something called a log file. Standard log files like ours contain basic information such as which pages were viewed, at what time, and the IP address of the visitor. We use this information to analyze trends, administer the site, track users’ movements, and gather broad demographic information for aggregate use. We make no effort to identify IP addresses with individual users.
4.8. The Company is responsible for, and may use, personal information as follows:
4.8.1. to maintain our business relationships;
4.8.2. to process orders and provide agreed goods and services;
4.8.3. for invoicing, processing payments, account set up and maintenance;
4.8.4. to communicate, including to respond to information requests and enquiries submitted and/or to obtain feedback on our products and services;
4.8.5. for record keeping, statistical analysis and internal reporting and research purposes;
4.8.6. to ensure data security;
4.8.7. to notify about changes to our products and services;
4.8.8. to decide on and notify about price changes;
4.8.9. to monitor the quality of our products and services;
4.8.10. for logistical purposes, including to plan and log delivery information;
4.8.11. to investigate and resolve any complaints that are made;
4.8.12. to provide evidence in a dispute;
4.8.13. as we may otherwise consider necessary to obtain credit references, credit checks and for debt collection, fraud detection and prevention and risk management purposes;
4.8.14. to answer your questions;
4.8.15. to send you newsletters and mailshots on SOUND4 Ltd. products and services, either by post, fax or email;
4.8.16. to contact you if you have requested pricing or brochures, or if you have received a quotation from us.
4.9. Sharing your information or allowing your information to be used by other companies. Your information will not be shared with individuals or other companies except in the following circumstances:
4.9.1. To third parties that are involved in the processing of your order, for delivering specific services to you (for example, the financial institution that issued your credit card or the courier that delivers your order).
4.9.2. Where we forward your information to one of our distributors so that they can handle your enquiry.
4.9.3. Where you have asked us for information on products and/or services which we cannot provide, we may forward your information to other companies in order that they can help you. This is an unusual situation and usually, we will notify you of this.
4.9.4. Where SOUND4 Ltd. is sold to, or buys, another company, your information will be shared with this company.
4.9.5. In some circumstances, for email contact and notifications, a third party processor may be used for the distribution. In these circumstances we would only use a highly reputable company with a proven track record, robust privacy policies and security procedures in place.
4.9.6. Where disclosure is required by law.
4.10. Protecting your privacy. If you wish, options exist that allow you specifically to opt out of receiving any mailshots from the Company.
4.11. If you do opt to receive one of our email newsletters or other online publications, these will always contain information on how you may apply to stop receiving them.
4.12. By ticking the box, you agree to the conditions listed. If you uncheck the box, you will not be contacted by SOUND4 Ltd. for any reason and we may not be able to trade with you.
5. Data Subject Access Requests
The Company is required to permit individuals (Data Subjects) to access their own personal data held by the Company via a data subject access request. Any EU citizen may exercise this right and should do so in writing to the Data Protection Manager. A charge may be made for this request.
5.1. The Company aims to comply with a data subject access request as quickly as possible but will ensure that it is provided within the 40-calendar day limit as set out in the regulations.
5.2. Individuals will not be entitled to access information to which any of the exemptions in the regulations apply. However, only those specific pieces of information to which the exemption applies will be withheld and determining the application of exemptions will be made by the Data Protection Manager.
5.3. The Company has the right to ask for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
5.4. Before responding to a subject access request, the Data Protection Manager may be required to ask for information that allows for the accurate retrieval of the specific personal data covered by the request.
6. The Right to Erasure
The regulations introduce a right for individuals to have personal data erased; this is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g. where we need to use the information in defense of a legal claim. Individuals have the right to have their data ‘erased’ in certain specified situations - in essence where the processing fails to satisfy the requirements of the GDPR. The right can be exercised against controllers, who must respond without undue delay (and in any event within one month, although this can be extended in difficult cases). The Company aims to comply with an individual’s right to erasure of the data we store about them if this does not conflict with the legal basis for processing and Legitimate Interests Assessment. The right applies in the following cases:
6.1. When the data is no longer necessary for the purpose for which it was collected or processed.
6.2. Individuals can require data to be ‘erased’ when there is a problem with the underlying legality of the processing or where they withdraw consent.
6.3. For processing based on legitimate interests: if the individual objects and withdraws consent to processing and the Data Controller cannot demonstrate that there are overriding legitimate grounds for the processing.
6.4. When we have processed the personal data for direct marketing purposes and the individual objects to that processing.
6.5. When the data retained is otherwise unlawfully processed (i.e. in some way which is otherwise in breach of the GDPR).
6.6. Where we have to erase the data to comply with a legal obligation.
6.7. In addition to creating the right to be forgotten, Article 17 restricts the use of people’s personal data to the original purpose for which it was collected. If you want to process or use it in any other way, you must get the data subject’s fresh, clear consent.
6.8. Where the Data Controller has made personal data public, and where it is obliged to erase the data, the Data Controller must also inform other controllers who are processing the data that the data subject has requested erasure of the data. The Company has an obligation to take reasonable steps to achieve this but it may not be possible to erase all available data in the public domain.
6.9. Right to restriction of processing. This right gives an individual an alternative to requiring data to be erased; and it also allows the individual to require data to be held in limbo whilst other challenges are resolved.
6.9.1. The individual can require the Data Controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.
6.9.2. Measures will be taken to make the data unavailable to users and to make sure that no further processing can be allowed to take place with the data.
7. Legal basis for processing and Legitimate Interests Assessment
The terms of the legal basis we rely on to process your personal information, and the Legitimate Interests Assessment details are as follows:
7.1. The contacts on the Company database are business customers with an interest in a niche market of radio and television broadcast products. The majority of these customers have come to us through the exchange of business cards at trade shows and have always had the option of unsubscribing from our emails. The radio broadcast industry works over long timescales, with a new radio license for a station issued for 8-10 years. So, we’ve used a timescale of 9 years to assess whether someone who wasn’t a customer and has had a quote/proforma from us in the past might still be interested. We will keep Company-based personal details in the following circumstances:
7.1.1. If the person has an account with us. This means that they’ve purchased from us in the past and have a commercial interest in our products.
7.1.2. If the person has had a quote from us in the last 9 years (this also invokes the lawful basis of ‘Contracts’ for data processing).
7.1.3. If the person has had a proforma from us in the last 9 years (this also invokes the lawful basis of ‘Contracts’ for data processing).
7.1.4. If the person has provided us with their details (either as a business card or badge-scan) at a trade show or business meeting in the last 5 years. We have a record of the source of this data and can use it to evidence a legitimate interest in the Company.
7.1.5. If the person is from a business supplier to the Company.
7.1.6. If the person is a ‘marketing’ contact: either a business supplier interested in us, or an editor with a professional interest in our Company and our products.
7.1.7. If the person does not live in Bulgaria or Europe.
7.2. Purpose Test: The interests are legitimate for us in terms of continuing business with a customer, or a person who has asked for a quote/proforma, or who has contacted us at a trade show. Because the customer is a business customer, this is also legitimate for them, since contact with the Company is part of their normal day-to-day business activity.
7.4. Balancing Test: This is the act of considering the interests of the Company versus those of the customer and considering the relationship with the client. In the cases above, the customer’s business is reliant on the information and products that we’re providing. Usually we’re working closely with customers. None of the data is particularly sensitive and there would be an expectation from them that the data that they receive from us is appropriate and timely. Their personal data is never sold on, so they would never receive inappropriate content or marketing from sources that they’re unaware of, or not interested in. There is always an option to opt-out of emails and communications that are sent.
8. Information Security
The objective of the Company Information Security Policy is to ensure that all data and information contained in the information systems, on which the Company depends, are adequately protected. Achieving this depends on staff working diligently in accordance with these policy guidelines.
8.1. The Company Information Security Policy requirements and recommendations are to:
8.1.1. Ensure that all persons referred to within section 3 (Responsibility and Applicability) understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
8.1.2. Ensure that all information and information systems under the Company control are protected to the appropriate level.
8.1.3. Ensure that all users are aware of, and comply with, this policy including sub-policies and all current and relevant Bulgarian and EU legislation.
8.1.4. Provide a safe and secure information systems environment for all staff and any other authorized users.
8.1.5. Protect the Company from liability or damage through the misuse of information or information systems.
8.1.6. Ensure that all confidential information is protected from unauthorized access.
8.1.7. Ensure that appropriate measures are taken to manage risks to the availability of information.
8.1.8. Ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required.
8.2. Storage Criteria for Electronic Data
8.2.1. All internal data is protected by hardware firewalls and filters, dedicated anti-virus and intrusion scanning and an enhanced Windows domain security policy.
8.2.2. Any customer data taken off site is securely protected with 256-bit AES encryption in XTS mode, using HMAC-SHA-512.
8.3. Web Data Security
8.3.1. The Company web site has security measures in place to protect against the loss, misuse, and alteration of the information under our control.
8.3.2. The Company is committed to taking reasonable steps to protect the individual identifying information that you provide. We employ powerful 128-bit encryption technology and Secure Sockets Layer (SSL) in all areas where your personal identity is required. When our registration/order form asks users to enter sensitive information (such as a credit card number), that information is encrypted.
8.3.3. While on a secure page, such as our payment form, the lock icon at the bottom of web browsers such as Netscape Navigator and Microsoft Internet Explorer becomes locked, as opposed to unlocked, or open, when you are just 'surfing/browsing'. This is your assurance that our site is authentic and that we're employing SSL security.
8.3.4. You can check this security protection setting within your browser. To ensure you have the most protection available, be sure to download the latest version of today's most popular browsers. For more information, contact your browser's publisher.
8.4. Web Site External Links
Our web site may provide links to third-party sites (manufacturers' websites, for example). Please be aware that the Company is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects personally identifiable information. This privacy statement applies solely to information collected by this site.
9. Data Protection breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. Where a Data Protection breach occurs, or is suspected, it should be reported immediately in accordance with the Data Security Breach Incident Management Procedure which states:
9.1. Confirmed or suspected data security breaches should be reported promptly to the Data Protection Manager as the primary point of contact either by email or post.
9.2. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
9.3. The Data Protection Manager must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it.
10. Updating this Policy
Queries regarding this policy or the implications of our implementation of the General Data Protection Regulations should be directed to the Data Protection Manager by email: DPO@sound4.com or by post to the Data Protection Manager, SOUND4 Ltd., 65 Alexander Stamboliyski Street, 8000 Burgas, Bulgaria.