Information Governance Policy
The General Data Protection Regulation (GDPR) in force as from 25 May 2018 is the new law that introduces a comprehensive approach to data protection, enhances the rights of individuals over their personal data, ensures control over data collection and processing and places a range of new obligations regarding data protection policies and operations in organizations and companies.
This regulation applies to the processing of personal data that belongs to EU residents carried out by the organizations operating both within and outside the EU.
At Digiteum, we strongly believe that new regulations will improve personal data security, ensure better protection of individuals and groups in modern data-driven economies, encourage diligence and responsibility of all concerned parties and create the infrastructure for lawful, fair, relevant and transparent data practices.
Therefore, Digiteum declares commitment to the new regulations and initiates a range of inventory, infrastructure, technology, documentation, operation and policy measures to demonstrate compliance with the GDPR.
Any information that can be used to directly or indirectly identify a natural person – data subject (name, email address, location, etc.) – is considered to be personal data and falls under the GDPR.
Digiteum acts as a data processor, when we collect the personal data (name, email) of www.digiteum.com and www.digiteum.co.uk users who provided their prior consent and the personal data of Digiteum clients’ employees (name, email, title, Skype ID, etc.) required in ongoing collaborations. In other cases, Digiteum acts as a data controller assigning data processing to legally valid, verified data processors.
Use of personal data
Digiteum collects personal data such as name and email address to reply to a user’s query affirmatively submitted on www.digiteum.com and www.digiteum.co.uk, provide requested content or services, conduct marketing activity that individuals willingly expressed interest in via a positive opt-in consent (i.e. subscribing for newsletters). Digiteum does not collect any sensitive personal data.
According to the GDPR, any organization should have, document and be able to validate a lawful basis for using personal data. Digiteum confirms all the personal data obtained and further processed is collected by means of genuine opt-in consent created according to the standards of the GDPR.
We regularly review and update our consents and related terms. We make it easy for individuals to withdraw their consent at any time with no penalties and provide clear instructions on how to do so.
Please, email us at email@example.com to withdraw your consent. We will act on your withdrawal request as soon as possible.
In certain circumstances, Digiteum collects personal data from the individuals in direct contract relationship with the company (Digiteum partners, clients, clients’ employees). In such cases, contract relationship becomes the lawful basis of data processing.
Digiteum adheres to core data protection principles and is committed to transparently, lawfully and fairly process personal data, ensure its correctness, integrity and security and address the rights of data subjects with respect and responsibility. Compliant to the GDPR, Digiteum guarantees the fulfilment of these individual rights.
Right to be informed
We openly and transparently inform individuals on our identity and contact details, a point of contact assigned for data protection, lawful basis for personal data collection and the types and sources of data collected as well as other details associated with data processing and protection procedures.
Right of access
Individuals can request to confirm that their personal data is stored with us and access their personal data to ensure the lawfulness of data collection and processing. We fulfill this request free-of-charge in the shortest time possible, but no longer than one month from the request receipt.
Right to rectification
Individuals can request to rectify their personal data if they find it incomplete or incorrect. We have procedures in place to fulfill such requests and reply to the individual’s query in the shortest time possible, but no longer than one month from the request receipt.
Right to erasure
Individuals can request to erase the personal data we store with us. We have procedures in place to fulfill such requests and reply to the individual’s query in the shortest time possible, but no longer than one month from the request receipt.
Right to restrict processing
Individuals can request to restrict the processing of their personal data. We have procedures in place to fulfill such requests and reply to the individual’s query in the shortest time possible, but no longer than one month from the request receipt.
However, we reserve the right to lift the restriction in case the processing of certain data is legally necessary, according to the GDPR. In this case, we priorly inform the individual of the case and explain why we have to lift the restriction.
Right to portability
Individuals can request to obtain their personal data they store with us and further reuse for other purposes. We have procedures in pace to fulfill such requests and provide individuals with their personal data in the assigned format in the shortest time possible, but no longer than one month from the request receipt.
Right to object
Individuals can object the processing of their personal data for marketing, scientific, research, or other legitimate purposes. We have procedures in pace to fulfill such requests and stop processing individual’s personal data upon request.
Rights related to automated decision making including profiling
We do not perform automated decision making including profiling.
Please, email us at firstname.lastname@example.org and send your request regarding the rights listed above.
At Digiteum, we take the GDPR with full responsibility, make necessary steps to prepare the company and implement the regulations, document these steps when it’s needed and introduce technical and organizational measures to comply with the new law.
Digiteum may use the services of data processors, for example, when we communicate with our clients via email or send newsletters to our subscribers. In these cases, we chose to work only with reliable trusted third-party services that comply with the new law and openly demonstrate their commitment.
To store clients’ employees’ data, we use remote cloud solution provided by Microsoft Corporation and rely on Office 365 as our communication means. Microsoft Corporation is compliant to the GDPR and ensures all the services provide adequate data protection and security. You can learn more here.
To store the data collected on consent-based mode via www.digiteum.com and www.digiteum.co.uk, we use Zoho CRM. Zoho CRM is committed to protect user’s rights and privacy and takes necessary measures to comply with the GDPR. You can learn more here.
Either Digiteum acts as a processor or a controller, we make the records on the purposes and means of processing personal data when it’s necessary.
We regularly review the records to make sure our processing activities are relevant, up-to-date and valid. In order to maintain consistent commitment within the company, we perform audits and trainings to make sure fair data processing practices are observed by all staff members.
We adhere to the principle of “data protection by design and default,” which means that we enhance the importance of introducing privacy-first measures at the very start of any project/activity/interactions with any user, website visitor, client of organization in general.
In order to enforce data protection principles within the company, we regularly assess and analyze our data processing activities as a part of data protection impact assessment (DPIA). Even though, Digiteum’s activity and data processing are not considered high risk and do not directly require introducing systematic DPIA practices, neither assigning a Data Protection Officer (DPO), we take extra effort to monitor risks and make sure our data practices are secure and align with the GDPR.
The nature of Digiteum activity and data processing does not imply the necessity of signing up to any code of conduct or certification related to data protection, nor does the GDPR claims it obligatory. However, Digiteum does consider working towards complying with the approved codes of conduct that cover relevant data processing activities.
At Digiteum, we understand the importance of integrity, availability and confidentiality of personal data. Therefore, we assign personal data processing only to the trusted services which guarantee security of all the procedures and operations. Both Office 365 and Zoho CRM implement necessary security measures such as encryption, robust data security policies, controls and systems for data safety, integrity and confidentiality. You can learn more about Microsoft Office 365 data security here and Zoho CRM data security here.
Digiteum does not transfer personal data outside the EU unless it’s made on behalf of Digiteum by one of data processors - Zoho CRM of Microsoft Corporation. In these cases, Zoho CRM may transfer data to the US, which is recognised by the European Commission as the third country that provides adequate protection. Microsoft Corporation may store personal data over the data centers around the globe provided that all the data centers meet stringent security requirements, including the EU-U.S. Privacy Shield Framework and Swiss data protection law. You can find out more about Microsoft Corporation data transfer security here.
Personal data breach
At Digiteum, we have strict breach recognition, investigation and reporting procedures. Taking into consideration the GDPR provisions and the risks of personal data breaches, we make the best efforts to report any security breach within 24 hours and further fix the problem within the next 12 hours after reported.
These terms may fluctuate depending on the severity of the breach. However, we commit to inform relevant authorities and affected individuals not later than within 72 hours after the detection of a high-risk breach.