GDPR / Data Handling Procedures
Policies for data handling concerning individuals rights under the GDPR
The right to be informed
Our privacy policy must include information on what personal data is processed and why, along with details of any third parties that information is shared with, in an easy to understand language for the end user.
The following information must be maintained on the privacy policy and be available at the time the data is obtained:
● Servu contact details
● Purpose of the processing and the lawful basis for the processing
● The legitimate interests of the controller or third party, where applicable
● Categories of personal data
● Any recipient or categories of recipients of the personal data
● Details of transfers to third country and safeguards
● Retention period or criteria used to determine the retention period
● The existence of each of data subject’s rights
● The right to withdraw consent at any time, where relevant
● The right to lodge a complaint with a supervisory authority
● The source the personal data originates from and whether it came from publicly
accessible sources
● Whether the provision of personal data is part of a statutory or contractual requirement
or obligation and possible consequences of failing to provide the personal data
● The existence of automated decision making, including profiling and information about
how decisions are made, the significance and the consequences
The right of access
Individuals are able to access a large portion of their stored information via the Servu platform, if they have created an account with a set password. This includes (but is not limited to) historic order data, address data, contact information. There is the ability for a user to export all held information on themselves as a spreadsheet.
People without an accessible account and people wanting information that is not available via the website will need to submit information requests via the Contact page on Servu or by asking their dedicated account manager.
General user and related information will be provided by Servu free of charge, however requests for excessive data or repeat requests will be subject to charge in proportion to the administrative costs incurred by Servu. In extreme cases the request may be refused.
Within 28 days of the request, Servu must have either:
-
Provided the data requested
-
Requested an administration fee
-
Communicated a refusal of the data
The right to rectification
For the most part users are able to self-rectify data via the Servu website. When this is not possible, contacting Servu directly will be necessary at which point our systems will be updated by staff.
Requests for data rectification can only be invoked by the individual or registered guardian of the individual which the data pertains to. The identity of this individual must be confirmed either over telephone or by direct email before requests are escalated.
Where possible, systems are in place to automatically update recipients of individual data when said data changes.
The right to erasure
Individuals may request for their data to be erased from Servu's systems via the Contact page on Servu.
Erasure of details related to order information will be handled on a per-case basis, due to Servu needing to retain and process records related to financial transactions.
Data erasure can requested by any individual user, but only invoked by the administrator of the system. The administrator invokes this by contacting Servu via their account manager.
Individuals must be advised that transactional data can only be anonymised and it's at Servu's discretion to do so, due to our lawful basis for processing data.
Any data erasures need to be authorised by management and then submitted to IT within 14 days of submission to allow ample time for the request to be processed.
The right to restrict processing
Individuals can request for processing restrictions to be put in place for them by contacting Servu.
We endeavour to restrict processing of data wherever possible, however, any information related to financial processing may not be able to be restricted. Not all restrictions will be technically possible.
Any processing restrictions need to be authorised by management and then submitted to IT, within 14 days of submission to allow ample time for the request to be processed.
The right to data portability
Individuals may request an export of all held personal data via the Servu platform. This export is in the format of a spreadsheet split into categories of data.
The right to object
Individuals have the right to object to the processing of their personal data. To do so would mean opting out of using the Servu platform. To exercise the right to object, individual users should contact the administrator of the platform at their company (contact details are published in the help section of the Servu site) to discuss making arrangements to be excluded from the scheme.
Administrators should then notify Servu account managers, who can suspend or erase user data on a case by case basis.
The right not to be subject to automated decision-making including profiling
Servu does not use any personal data for automated decision making or profiling.