Version 1.0. – 21.6.2018
It is a priority for Sensa to comply with all legislation and rules that ensure the integrity, confidentiality and security of personal data. Sensa safeguards personal data by, amongst other measures, implementing and complying with procedural rules on information management and centralized access controls. In addition, Sensa is certified under ISO 27001:2013 for its information security management system.
How does Sensa process personal data?
Sensa's role when processing personal data depends on the task being carried out in each case. For the most part, Sensa processes personal data as a so-called data processor on behalf of its clients.
Where Sensa resells services and/or licenses from third parties to its clients, such third parties can also process data as data processors on behalf of the client in accordance with data protection legislation, without Sensa acting as an intermediary in that processing. This can, for example, apply where a client is provided with a software license from a third party which also hosts personal data on behalf of the client.
In other instances, Sensa can process personal data as a so-called data controller.
As a service provider for clients
Sensa's processing of personal data is mainly carried out on behalf of clients with which Sensa has entered into IT-related service agreements. In such cases Sensa operates as a data processor on behalf of its clients. The clients are data controllers under data protection legislation, and as data controllers they bear the main responsibility for the processing of personal data.
The data controller is responsible for entering into data processing agreements with the service providers which process personal data on its behalf, in addition to ensuring lawful processing of such data and complying with requests from data subjects. When a client signs a data processing agreement with Sensa, Sensa will only process personal data on behalf of the client in accordance with instructions provided on the basis of that agreement, unless legislation or instructions from supervisory authorities instruct Sensa otherwise.
Correspondence with clients
Sensa acts as a data controller when processing data it holds in relation to correspondence with clients concerning ongoing or prospective business relationships. In such cases Sensa processes contact details which the client has provided to Sensa, or which are publicly available, such as on the client's website or in a telephone directory, in particular name, phone number and e-mail address.
The purpose of this processing is first and foremost to verify the services the client has requested, to maintain and ensure secure correspondence with the client, to be able to send messages to the client in relation to the services purchased from Sensa, and, as applicable, in relation to payments for those services. The processing is thus based on Sensa's agreement with the client, or on the client's request to enter into such an agreement.
Sensa's correspondence with clients' representatives can also take place for marketing purposes, where Sensa sends e-mails to clients, or to others who have registered on Sensa's mailing list, in accordance with electronic communications legislation. The recipients of such e-mails can opt out of such communications by contacting Sensa or by clicking on "opt out of mailing list" in an e-mail received from Sensa. Processing carried out for marketing purposes is based on Sensa's legitimate interests.
Sensa's service providers
When Sensa purchases services from a supplier or service provider which requires access to personal data or must otherwise process personal data, Sensa will make sure that such a third party, acting as a data processor, can ensure the security of the personal data processed and that a data processing agreement is entered into with that third party.
If a service provider needs access to personal data which Sensa processes as a data processor on behalf of a client (acting as controller) under a data processing agreement, Sensa will obtain the client's consent to the use of such a sub-processor before any work commences. Such a sub-processor must be bound by the same data protection obligations as Sensa under the data processing agreement Sensa has entered into with the client in question.
Sensa's offices and their surroundings, as well as Sensa's machine rooms, are under electronic surveillance by cameras for security and property-protection purposes. Material collected by electronic surveillance is not transferred to third parties, except to the police where a punishable offence is suspected and the material is required to investigate the case.
Sensa acts as a data controller in relation to processing connected with electronic surveillance, and such processing is based on Sensa's legitimate interests.
To comply with legislation, regulations, regulatory acts or court decisions
Sensa is mindful of complying in all respects with legislation when processing personal data, including where the company is legally required to process or store personal data. In such instances Sensa only processes the data it needs to comply with such obligations, for example under the Bookkeeping Act.
Sensa may also be legally obliged to provide supervisory authorities with personal data where such disclosure is required under legislation, regulatory acts or a court order. This could apply to the disclosure of data to supervisory authorities on the basis of a legitimate request, such as from the police, the national computer security incident response team (CERT-IS), the Directorate of Internal Revenue or the Financial Supervisory Authority. Where Sensa concludes that the request should be directed at the data controller, Sensa will communicate with the controller about the receipt and handling of the request, unless legislation, regulatory acts or a court order instruct otherwise.
Clients can also, in certain instances, bind Sensa to comply with legislation even if that legislation does not directly apply to Sensa. This is, however, always subject to an agreement between the parties and must be clearly stated in the client's service and processing agreement with Sensa.
Sensa may also process contact details of representatives of suppliers or service providers; such processing is based on the agreement between Sensa and the parties those representatives are representing.
In addition, Sensa may process limited contact details, first and foremost the names of individuals visiting Sensa's offices, such as meeting guests. The processing of such data is based on the company's legitimate interests, including security purposes, so that Sensa knows who is in the office building in the event of a security incident.
Safety of personal data
The security of personal data is always a priority in Sensa's operations.
To ensure the security of personal data, Sensa has implemented a security policy, carried out risk assessments which undergo periodic re-evaluation, and implemented a number of security measures to minimize risk to data. These security measures are both technical and organizational in nature and protect personal data from destruction, accidental alteration, and unauthorized disclosure, copying, use or transfer. Amongst the measures Sensa has implemented are the following:
· Sensa‘s certification based on ISO/IEC 27001:2013 on information security management system, to ensure confidentiality, correctness, completeness and availability of data,
· confidentiality undertakings signed by employees and contractors,
· implementation of procedural rules and processes regarding the safety of personal data and the processing of data breaches,
· access controls to systems and premises,
· supervision and security services to monitor premises and machine rooms,
· data processing agreements with suppliers and other service providers working for Sensa, and
· providing training to employees about legitimate and secure processing of personal data.
Through internal auditing, Sensa ensures that the security measures listed above are complied with and that they are sufficient and reliable.
In the event of a data breach, Sensa follows the company's procedural rules and, as applicable, any instructions the client has provided to the company. In most instances Sensa processes personal data as a processor on behalf of its clients. If the data breach concerns data belonging to a client, Sensa is responsible for notifying the client of the breach, unless the parties have specifically agreed otherwise. It is then up to the client to evaluate whether the data breach must be notified to the Data Protection Authority and, as applicable, to the data subjects.
Where Sensa processes data as a controller the company ensures that it follows legislation, procedural rules and processes concerning a notification to the Data Protection Authority and as applicable to the data subjects.
For how long does Sensa retain personal data?
Sensa first and foremost processes personal data as a data processor on behalf of its clients. It is thus the clients' responsibility to ensure that personal data is not retained for longer than necessary. Sensa's data processing agreements with clients govern the retention period of such data. As a general rule, however, Sensa does not delete any personal data unless the client has specifically instructed Sensa to do so in writing.
When Sensa processes personal data as a data controller, it only processes the data for as long as is necessary for the purposes for which the personal data is processed, as described above, or for as long as Sensa's legitimate interests call for such retention, for example to make or defend a claim. In general, personal data is retained for the duration of the contractual relationship, but limited data about the client's transaction history is retained for an unlimited time based on Sensa's legitimate interests. Specific legislation can also prescribe specific retention periods which Sensa must comply with, such as bookkeeping data, which must be retained for seven years. All material collected by electronic surveillance is deleted after 90 days, unless legislation permits or requires a longer retention period.
What are individuals' rights?
On the basis of data protection legislation individuals have the right to:
· access their personal data, including to obtain information on whether and what personal data is being processed, for what purposes and for how long the data is retained
· have their data transferred in a structured, commonly used and machine-readable format to themselves or another service provider
· demand rectification of inaccurate personal data concerning them and/or the deletion of the data
· object to or restrict the processing of their personal data
· withdraw a consent they have provided about the processing of their data
It is, however, important to note that there can be exemptions from these rights, for example where the data concerns personal data about a third party. Requests from individuals must therefore be evaluated on a case-by-case basis, taking into consideration the scope of the request, the data in question and the purpose for which the data has been processed by the controller.
Requests from individuals concerning these rights under data protection legislation shall always be directed to the data controller.
Where Sensa receives a request from an individual concerning processing that is carried out under a data processing agreement, with Sensa acting as a data processor on behalf of a client acting as data controller, Sensa will advise the individual that he/she should turn to the data controller for the handling of the request.
Once Sensa receives a request, it is directed to Sensa's security officer (see the chapter on inquiries in this Policy). Requests received will be responded to within 30 days of receipt. In the case of an unreasonable or unfounded request, Sensa reserves the right to charge a moderate fee for handling the request. Sensa will notify the individual in question of such intention before processing of the request commences.
Inquiries and complaints to the Data Protection Authority
Requests concerning personal data matters shall be directed to Sensa's security officer, at firstname.lastname@example.org.
Sensa has also appointed a data protection officer whose role is, amongst others, to monitor Sensa's compliance with legislation and rules on data protection in its operations and to act as the contact person towards the Data Protection Authority and clients on matters involving the company's processing of personal data. Sensa's data protection officer is bound by a confidentiality obligation regarding his/her work. The data protection officer's e-mail address is email@example.com.
If, in the client's opinion, a dispute arises between the client and Sensa regarding the processing of the client's personal data, the client is entitled to lodge a complaint with the Data Protection Authority, Rauðarárstíg 10, 105 Reykjavík. For further information, see the authority's website, www.personuvernd.is.