On 25th May, 2018, a significant piece of European privacy legislation came into force, impacting every business and organisation that holds and processes personal data.
We’re fully committed to high standards of information security, privacy and transparency.
Introduction to GDPR
The EU General Data Protection Regulation replaces The Data Protection Act 1998, as introduced by the 1995 EU Data Protection Directive. It has been designed to harmonise data privacy laws across Europe to protect the data privacy of all EU citizens and means that businesses need opted-in permission from consumers to use their data, as opposed to the current opt-out model.
GDPR also changes the way companies can process personal data, to ensure that it is handled lawfully, consensually and in a transparent manner, that it is only ever used for specific purposes as highlighted to the individual, and that it is deleted once that purpose is fulfilled.
Impact
During the order process, our service proactively collects contact information and other details from customers and passes that data directly on to our clients.
Data Collected
The personal data we collect during the course of an order can be the user’s name and email address.
As a fully-managed service provider, our service therefore falls into two categories. We’re both a ‘data controller’ (also called data exporter) and ‘data processor’ (data importer) as we collect and process data for customers who pay for our services.
As a data processor we are responsible for processing personal data (such as names and email addresses) on behalf of a controller (eg: Venue or Establishment).
Customer names and email addresses fall under the scope of GDPR; however, it is the responsibility of the Data Controller to ensure that their use of their data is GDPR-compliant.
Additionally, our systems can be used to identify key user details such as location and IP address and, if the user is returning to the site, the software can also identify them and retrieve any previous order data.
Customer Opt-in
The information we capture is volunteered by the user. As a legitimate interest, users place orders with the expectation that their data will be used only by representatives of the establishment they are ordering from, to contact them about their order or regarding COVID-19 track and trace, and nothing else.
Each Data Controller (eg: Establishment or Venue) is responsible for their own implementation of GDPR on behalf of their customers.
The Data Controller needs to ensure that they have obtained the required consent to retain and use the individual’s details.
If the Data Controller has obtained the required consent from the customer to use their details within their systems, then they can be used within the system.
However, it is our recommendation that a Data Controller always seeks independent advice to ensure that they are using their data in a GDPR-compliant way.
We do not process personal data for any other purpose than what was consented to, or what falls under a legitimate business interest.
GDPR Compliance
We’re committed to data protection and compliance with all statutory, regulatory and contractual requirements.
We’ve worked to protect the interests, property and information of both our own company and those of our clients against threats or loss.
We’ve reviewed our policies and procedures to ensure we maintain compliance with the new regulations.
We have followed the guidelines for the Data Protection Impact Assessment (DPIA) process to help identify and minimise the data protection risks, as per Article 35 of the GDPR.
Our assessment has concluded that our data is unlikely to result in a high risk to the rights and freedoms of natural persons.
We do not “perform high risk processing” such as systematic and extensive evaluation of personal aspects; processing on a large scale of special categories; nor systematic monitoring of a publicly accessible area on a large scale.
All of our suppliers are required to comply with GDPR.
FAQ
This is to help customers to understand our commitment to data privacy and in particular how we are GDPR-compliant.
Storage
Where are our data and applications stored?
The data centres for our software are located within the European Economic Area (EEA), in Ireland.
The data centres are GDPR-compliant. All data is stored using industry-standard security and transmitted with strong encryption in place.
Our application systems are hosted and data is stored on Amazon Web Services servers within the EEA, in Ireland.
Is that data ever moved out of the European Economic Area (EEA)?
All data remains in European data centres (as per above) and is processed by our staff operating inside the EU.
Do you ever transfer data between data centres outside of the EU?
No, we do not.
Do you always inform me when my data is transferred?
If we were to transfer data outside of Europe, we would inform you prior to proceeding.
How long do you hold data for?
All data remains archived in perpetuity unless a specific request is made to delete it from our production servers. We will ensure that personal data is deleted upon request, subject to back-ups being maintained as per current laws. A record of deletions is also maintained in the event of a requirement to restore data from the back-up.
Processing
Is data processed outside the EU?
No, we do not have operations centres outside of Europe.
Are your overseas operations centres GDPR-compliant?
Any overseas operations centres would need to comply with GDPR; however, we do not have any overseas operations centres.
Do you have a Data Protection Officer?
We aren’t required to appoint a DPO under the GDPR; however, we have decided to do so voluntarily. We understand that the same duties and responsibilities apply as if we had been required to appoint a DPO. We support our DPO to the same standards.
The Data Protection Officer is responsible for matters relating to GDPR. You can get in touch by post or email.
Can I audit your security and technical measures on the protection of data?
If you would like to audit our security and technical measures on the protection of data, please contact our Data Protection Officer.
Do you currently adhere to Binding Corporate Rules?
We do not transfer personal data outside of the European Economic Area (EEA).
Security
What data controls and risk management processes do you have in place?
- All transmissions to and from our software provider use well-configured, strong encryption via TLS 1.2 or higher. All communication between our software provider and our servers uses strong encryption over the TLS 1.2 protocol.
- Our cloud providers are certified in the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognized information security controls framework, audited by a third party, AWS has demonstrated a commitment to protecting sensitive customer and company information.
- Our servers are securely hosted by AWS. They are one of the most respected data centre facility providers in the world. They leverage all of the capabilities of their facilities including physical security and environmental controls to secure their infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorised entry.
- We currently use several of the security features available from our cloud provider to help us handle security directly on the system, including:
  - Rigid security groups to limit remote access to servers
  - DDoS detection and automatic blocking of sources generating unexpected traffic
  - Strong password policy
- Our team treats stored customer data with the highest level of security and care. Each piece of customer data is treated as personal and in need of standardised protection. Our software employs security policies which ensure the safety of the data storage and transmission.
- Our software connections are encrypted with 256-bit SSL protocol. There is no expiration date on the stored data. The data will remain on their servers unless its removal is requested.
- We train our users to be aware of phishing attacks; we use a password policy that enforces complex passwords; and we use the role system to give administrators access only to the information they require.
How do you manage the version release process on your platform to ensure an adequate level of data protection?
We use version control software, continuous integration (CI) and deploy to testing and staging environments before deploying to live. The staging site is a replica of the live environment and we run thorough testing processes around data security.
As part of the development process we undertake a thorough review of the code in an effort to identify weaknesses that could be exploited.
We regularly run internal software vulnerability checks using automated products, and ensure patches are developed and delivered in a timely manner.
Who can access my data, under what circumstances, and what can they see? Is this access tracked?
We run a role-and-permission-based system to control access to your data.
- Commercial team – has access to all data in order to manage the day-to-day service in terms of maintaining quality assurance, KPIs, business performance and general adherence to standard operating procedures.
- Technical team – has access to all data to be viewed only in relation to troubleshooting or technical development.
All system access is tracked and stored in database logs. As part of their contracted terms of employment, all personnel sign a confidentiality clause and have regular and robust training procedures to ensure data protection awareness and compliance.
Do you have a security breach notification process in place?
We have a Security Incident Response procedure available upon request.
- Making sure that all staff understand how to identify and report a suspected or actual security incident.
- Advising the Incident Response Lead of an incident when they receive a security incident report from staff.
- Investigating each reported incident.
- Gathering, reviewing and analysing logs and related information from various central and local safeguards, security measures and controls.
- Documenting and maintaining accurate and detailed records of the incident and all activities that were undertaken in response to an incident.
- Reporting each security incident and findings to the appropriate parties. This may include the acquirer, card brands, third-party service providers, business partners, customers, etc., as required.
- Assisting police and legal personnel during the investigation processes. This includes any forensic investigations and prosecutions.
- Resolving each incident to the satisfaction of all parties involved, including external parties.
- Initiating follow-up actions to reduce likelihood of recurrence, as appropriate.
- Determining if policies, processes, technologies, security measures or controls need to be updated to avoid a similar incident in the future. They also need to consider whether additional safeguards are required in the environment where the incident occurred.