UPZELO LIMITED – DATA PROTECTION POLICY.
In the course of undertaking its business activities, Upzelo collects, receives and processes information a) about its customers, being organisations who use the services of Upzelo (“Customers”) and b) about the customers and clients of its Customers (“Clients”). Upzelo is legally responsible for ensuring that this information (“personal data”) is held and processed in accordance with the law and with individuals’ rights.
This Policy sets out how Upzelo complies with the key rules governing the use of such data, including the requirements of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”). For the purposes of this Policy, “Data Protection Legislation” shall be taken to mean UK GDPR, the Data Protection Act 2018 and any UK law concerning the protection of personal data, including any legislation which supplements or replaces UK GDPR and the Data Protection Act 2018 and laws relating to E-Privacy.
Words and phrases, such as “data controller” and “data processor” as used in this Policy shall have the meanings given to them in UK GDPR.
Upzelo believes it is principally a “data processor” for personal data it holds and, with its Customers’ agreement, is required to hold that data for the Customer’s purposes. It also processes data of Clients through their registration with the Customer and the data provided by the Customers about their Clients. However, Upzelo may also collect and hold such personal data itself, at which time it would be a “data controller”.
Upzelo also processes the personal data of employees or appointed agents or consultants to Upzelo who in effect work as part of Upzelo and the term “employee” will be used to refer to such persons.
This Policy does not document every part of Data Protection Legislation which may be relevant, but focuses on the key parts applicable to Upzelo and its aim is to make Upzelo compliant and to eliminate so far as is reasonably possible potential Data Protection Legislation breaches by Upzelo and any harm or loss to Customers, Clients or the employees of Upzelo.
Upzelo may review and amend this policy from time to time as it thinks fit, and will review it on at least an annual basis.
Under Data Protection Legislation, Upzelo is responsible for ensuring that personal data is held and processed in accordance with the data protection principles within the Data Protection Legislation. In summary, these principles are that personal data:
should be processed lawfully, fairly and in a transparent manner;
should be collected for specified, explicit and legitimate purposes, and must be processed in accordance with those purposes;
should be adequate, relevant and limited to what is actually necessary for the legitimate purpose for which it is collected;
must be accurate and kept up to date;
will be kept in a form that permits identification of data subjects for no longer than is necessary;
must be processed in a lawful manner; and
shall be subject to appropriate security and safety measures.
For the purposes of Data Protection Legislation, “processing” includes collecting and storing personal data.
When processing personal data, under Data Protection Legislation, Upzelo may only process where one or more lawful grounds apply.
Having considered the Data Protection Legislation and the business activities of Upzelo, Upzelo has concluded that its processing of personal data in undertaking its business activities is lawful on the following grounds:
the processing is necessary for the performance of a contract to which the data subject, being a Customer, is party or will be. Upzelo’s ‘Subscription Agreement’ is its direct contract created online with a Customer.
the processing is necessary for the purposes of the legitimate interests pursued by Upzelo as instructed by its Customers on agreed terms in providing its services to Customers to help the Customers retain the Clients. Providing such services for its Customers would not be possible without Upzelo processing the Customer’s and the Client’s personal data, reviewing and evaluating the information to assist the Customer in retaining its Clients; and
separately, Upzelo processes employees’ personal data for the purposes of their salaries, bonuses, pensions and their employment records generally.
As a result, Upzelo’s management has reasonably concluded that the legal basis for it processing personal data will be individual consent, except where this is otherwise necessary and that such consent is given by:
the Customer executing the Subscription Services Agreement in which Data Protection Legislation binding provisions and safeguards will be agreed; and
the Client executing its agreement in whatever form with the Customer in which Upzelo will require the Customer to obtain the positive consent of the Client to allow Upzelo to hold and process the Client’s personal data.
Upzelo is required to maintain a record of its processing of personal data activities containing specified information. To enable Upzelo to comply with this requirement it will:
ascertain what personal data is held by Upzelo and which employees may have access to it or involvement (for the purposes of providing Upzelo’s services to the Customer);
analyse what personal data may be transferred on by Upzelo or processed for Upzelo by a third party, for what reason and identifying such person or organisation (“Data Processors”);
have each Data Processor comply with the Data Protection Legislation provisions in respect of a data processor as regards (among other things), the categories of processing carried out for Upzelo; what procedures are in place to test and maintain accuracy of the personal data; and whether the personal data controlled or processed by the Data Processor is (or may be) transferred to a third party processor or transferred outside the European Economic Area.
Upzelo recognises that personal data should not be held longer than is necessary. In general terms, very little physical hard copy personal data is held at all, and where it is, it is held for a variety of periods of time depending upon the nature and type of the matter concerned. Such physical information – and thus the hard copy personal data within it – will be kept by Upzelo for six years and then destroyed, as such a minimum period of time is required by tax and regulatory rules, guidance, codes and good industry practice, in addition to the fact that six years is often the limitation period in relation to claims. Upzelo’s public liability insurers also require it.
As regards personal data in electronic digital form, the same principles apply. Digital personal data is securely encrypted and password-protected using one of the leading tailored IT software systems and Upzelo will keep abreast of technological developments.
Upzelo will ensure that all Customers receive, in their Subscription Services Agreement with Upzelo, full notice and details required under the Data Protection Legislation containing information about how the Customer’s personal data (and that of the Clients) will be used. It will also contain a tick box under which they give Upzelo consent to use their personal data to send them Upzelo’s marketing and promotional information.
Upzelo will ensure that the terms of the Subscription Services Agreement will also contain clear instructions to the Customers that their specific contracts with their Clients shall contain suitable, adequate and appropriate express positive consent being given by the Consumer at sign up/registration stage to their personal data (and any special data) being passed to, held and processed by Upzelo as the platform and service provider for the Customer.
Upzelo engages third party PR and marketing agencies to promote Upzelo, including through printed matter and by email sent to individuals. Upzelo is aware that it needs the consent of the individual, whether a Customer or otherwise, to do this. All such recipient databases containing those individuals who have consented to receiving such information will be held by the third party agency and, in addition, any emails sent out will include the appropriate notices concerning continuing consent.
Upzelo does not intend to sell or pass to a third party any personal data for the purposes of that third party’s advertising to individuals.
The information in the Subscription Services Agreement and registration with Upzelo’s platforms will include, amongst other things:
Upzelo’s details;
details of the purposes for which Upzelo holds and processes personal data and the legal basis for that processing;
the likely recipients of personal data;
the period of time for which Upzelo intends to hold the data; and
any supplementary information required by the Data Protection Legislation.
Upzelo will review this information in its Subscription Services Agreement and website registration processes annually and will amend it to reflect any changes in Data Protection Legislation or in Upzelo’s practice.
Upzelo will keep this approach under review – including taking into account any guidance produced by the ICO and industry standards set by appropriate bodies.
This Policy will be available upon request to all and placed on the Upzelo website and platform.
Data subject access requests
Individuals are entitled to access their personal data held by Upzelo on request. The response Upzelo gives to a data subject access request must also include certain other information, such as the purposes of the processing; the recipients (or categories of recipient) to whom the personal data has or will be disclosed; and individuals’ rights to have their data corrected, deleted or to restrict the processing of their data.
Upzelo has noted that, under Data Protection Legislation, the information must be provided to individuals free of charge and within one month of the request.
Upzelo will maintain a record of data subject access requests.
Right to be forgotten
Under the Data Protection Legislation, individuals have the general right to require Upzelo to erase all data held in respect of them in various circumstances. The circumstances include if the individual withdraws consent to processing the data, the retention no longer being necessary for the original purpose for which it was collected and there is no other legitimate ground to justify the processing. However, Upzelo need not delete the data if an exception applies, including that the processing is necessary to comply with a legal obligation.
Upzelo considers it unlikely that any individual will seek to exercise this right and has decided to review any request, and take advice, should the situation arise. However, the starting questions will be i) whether the data still needs to be retained for the applicable period with regard to the legitimate reason exception described (and for the reasons given) above; and ii) whether the data is needed for the establishment, exercise or defence of legal claims in the future, whether by or against Upzelo.
Right to rectification
Individuals have the right to have incorrect personal data about them corrected without undue delay. Upzelo endeavours to have its data as up to date and correct as possible and to comply with the expectations of the ICO. Where an error is discovered, Upzelo already corrects this as soon as possible.
Right to data portability
Individuals have the right, in certain circumstances, to access their data in machine-readable format and, where technically possible, to have their data transferred directly from Upzelo to another data controller. Upzelo has decided to take no action in relation to data portability at the current time but will monitor the situation and take advice should this become necessary in future.
System perimeter security will be secured using an advanced Firewall device set up to prevent non-essential access via port access restrictions. All data is stored on secure servers provided by AWS (Amazon Web Services) – please refer to https://aws.amazon.com/security/. The Firewall provides an Intrusion Prevention System, logging all activity.
Upzelo will have up to date device and server security. Endpoint devices are protected with TLS 1.2 (SHA256) protocol security software which includes protection for the following:
data controls – prevents the flow of sensitive data outbound;
device controls – prevents access to ROMs, USB and Wi-Fi;
anti-virus – protects the device from malicious content and file types, including malware, phishing and viruses;
web controls – prevents access to websites classified as potentially dangerous and/or offensive; and
‘Windows’ updates – device operating systems (i.e. ‘Windows’) will be kept patched up to date using the ‘Windows Update Service’.
User access to Upzelo’s systems will be controlled with a best practice “strong” password policy, which includes password complexity and renewal period rules. Access to application software will be controlled with two factor authentication rules.
Upzelo will use Google Workspace ‘Email Security’, supplied and provided by Google (please refer to https://gsuite.google.co.uk/intl/en_uk/security/?secure-by-design_activeEl=data-centers), which gives extensive email security measures. These include:
targeted threat protection – sandbox for both email attachments and URLs within emails providing additional protection from Ransomware style attacks and other types of malicious threats;
attachment management – this prevents the flow of dangerous file types;
anti-virus – phishing, malware and spoofing emails are trapped at the gateway before reaching endpoint devices; and
strong anti-spam protection following rules-based policies.
The employees all have responsibility to ensure that in performing their duties they do not endanger the safety and security of personal data Upzelo holds and processes and at all times act in an appropriate manner concerning the Data Protection Legislation generally and their individual obligations.
Upzelo gives all employees a Privacy Notice which covers not only the Privacy Notice required by the Data Protection Legislation as regards Upzelo’s use of their own personal data, but also the obligations of Upzelo which they must uphold and adhere to. A ‘Do’s and Don’ts’ list is also given to employees. All employees must be aware and cognisant of personal data security and confidence and this will be reinforced by training.
All Upzelo employees will undertake mandatory formal training on data protection (and other issues) at suitable intervals and other training as Upzelo considers appropriate.
Upzelo will undertake Data Protection Impact Assessments (as defined in the Data Protection Legislation) (“DPIA”) as and when appropriate.
Upzelo shall ensure that it has a written contract which meets the requirements of the Data Protection Legislation in place with each data processor to which it may pass personal data to be processed. In particular, Upzelo will expect each data processor to guarantee that it will meet the requirements of the Data Protection Legislation and will protect clients’ and other individuals’ rights.
Before engaging a new data processor, Upzelo will check:
the geography and location of the data processor and where the personal data will be processed;
that the data processor has appropriate technical and organisational measures in place to keep personal data secure; and
that the data processor’s staff who will be engaged in processing personal data in relation to the scheme are subject to a duty of confidentiality and are aware of data protection matters and their obligations.
Upzelo will seek appropriate assurances from each data processor as to the security arrangements it has in place. This may take the form of:
for an existing data processor, a short summary of its key data security measures;
for a new data processor, before entering into a new contract, a short statement of its key data security measures; and
subsequent confirmation from each continuing data processor every 36 months of what, if any, changes there have been to its security arrangements.
Upzelo recognises that its data processors may wish to sub-contract some services, which may include sub-contractors processing data on behalf of the data processor. Upzelo will ensure that its contract with a data processor wishing to do this will contain provisions concerning sub-contracting which meet the requirements of the Data Protection Legislation.
Upzelo takes seriously the need to deal with any data breach swiftly and appropriately to minimise or eliminate risk of detrimental impact on any data subjects. For this purpose, a data breach may include (but is not limited to) unauthorised disclosure of or access to personal data; or accidental or unlawful destruction of personal data; or loss or alteration of personal data.
Upzelo shall require its employees and its data processors to report data breaches or complaints to Upzelo’s data privacy manager promptly and to assist Upzelo in ensuring compliance with the requirements of the Data Protection Legislation.
On being notified of a data breach or complaint, the Upzelo data privacy manager will as soon as possible notify Upzelo’s senior management and Upzelo shall initially deal with it through the process outlined in Upzelo’s GDPR Complaints Policy.
Notwithstanding the initialisation of the procedure outlined in Upzelo’s GDPR Complaints Policy, in any event where a data breach has occurred, Upzelo shall consider whether it is necessary or appropriate to notify the Information Commissioner’s Office (“ICO”) or the affected individual in the event of a data breach, and will take professional advice as a matter of urgency where required.
Upzelo will maintain a record of any data breaches and complaints and action taken in relation to each breach and complaint in inventory form.
Upzelo will act reasonably in assisting data controllers of information it holds and its appointed sub-processors in investigating and resolving any breaches of this Policy or the Data Protection Legislation generally and will review, update and amend this Policy (and others) in the light and context of any breaches or issues arising.
Upzelo has considered the provisions of the Data Protection Legislation which require it to carry out a data protection impact assessment (“DPIA”) in certain circumstances.
Under the Data Protection Legislation, organisations are required to undertake a DPIA “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.”
Upzelo does not believe that at the present time the nature of its processing is such that there is likely to be a high risk to the rights and freedoms of individuals and it has concluded that it is not necessary for it to undertake any DPIAs at the present time.
Dated: 10th February 2022