Alotech Group, Inc., and its subsidiaries (collectively, “CallCenterStudio”) have been fully
compliant with The General Data Protection Regulation (GDPR) since 2018. This version is
valid from 09.06.2023.
Compliancy & Certifications
● ISO/IEC 27001:2022 : Information Security Management Systems
● ISO 9001:2015 : Quality Management Systems
● ISO 10002:2018 : Customer Satisfaction Management System
● PCI-DSS Alotech | CallCenterStudio compliance
The General Data Protection Regulation (GDPR) was approved by the European Commission (EC) on 27 April 2016 and becomes law on 25 May 2018. It replaces the previous EC legislation which dealt with data protection which was the Data Protection Directive of 1995. The GDPR represents a major shift in the way that data protection is regulated in EU law. It is important to note that the reform of the EU regulatory framework on data protection occurred against the backdrop of similar reform processes undertaken by other international organisations that have been influential in the field.
The story of the GDPR’S birth is long and often difficult to follow. At the same time, it is both fascinating and instructive, not just in terms of showing how data protection has developed within the EU but also in terms of the insights it provides on the mechanics of the EU legislative process more generally. It demonstrates the complexities of that process, as well as the growing significance of data protection in economic, social and political terms and the strengthening of the fundamental right to data protection in the EU legal order.
The GDPR document itself is eighty-eight pages long and consists of two main parts:
One of the major differences between the GDPR and the previous law is that the GDPR is a Regulation rather than a Directive. This means that it automatically becomes law in each of the countries that make up the European Union without each of these countries needing to create their own, individual laws (in contrast with the previous Directive where, in each of the member states, a separate Data Protection Act had to be passed by the relevant state legislative body to enact it). It concerns the personal data of EU citizens wherever that data is held. This means that if your organisation is not based in the European Union but has customers (or suppliers or other parties) in Europe and you process their data, the GDPR applies to you.
If you do experience a breach of personal data, you have no choice but to tell the relevant supervisory authority about it. There are some caveats on that which we will come to later, but keeping a serious data breach to yourself is no longer an option.
But the mainstay of what the GDPR is about is forcing organisations to take the protection of the personal data of EU citizens seriously.
The fines for violating the GDPR are very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages. GDPR’s goal is to protect all natural persons’ personal data from privacy and data breaches.
Any information related to a natural person or ‘data subject’ that can be used directly or indirectly to identify the person is called personal data. The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. e session identifier becomes personal data.
The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
All companies and organisations processing the personal data of data subjects residing in the European Union are regulated, regardless of the company’s location. Two important players in the GDPR world are the following:
The most important consequence of being a controller or a processor is legal responsibility for complying with the respective obligations under data protection law. The GDPR applies to both Data Processors and Data controllers, although it applies to them in different ways.
It is important to know whether or not you are subject to the GDPR. Territorial scope is the first place to check whether your company is subject to the GDPR. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
The General Data Protection Regulation places power back in the hands of the individual and is forcing millions of small business owners across the EU to revisit their approach to marketing, the way in which they manage their data processing, and how they document their marketing systems and processes.
The primary motivation behind the GDPR is the following: the EU has given people more power over how their personal data is used, taking into account that companies providing search engine services, as well as social network companies, are changing access to people’s data for the use of their products.
Data Protection Statement for Alotech Group of Companies
The controllers as per the EU General Data Protection Regulation (“GDPR”) are:
Alotech Group of Companies:
ALOTECH İLETİŞİM TEKNOLOJİLERİ TİC. A.Ş / TURKEY
Dumlupınar Mahallesi Yumurtacı
Abdi Bey Caddesi Nuhoğlu
Yenitepe Projesi No:4
A Blok Daire 207, 34720
General Manager: Mr. Cenk SOYAK
ALOTECH İLETİŞİM TEKNOLOJİLERİ TİC. A.Ş
(Technopark Office – Branch office)
YTÜ Davutpaşa Kampüsü Teknoloji Geliştirme Bölgesi
Ar-Ge 1 Binası, B Blok Zemin Kat No: 2 Esenler,
34220 İstanbul, Türkiye
Locations: United States of America
(Subsidiary Office of ALOTECH İLETİŞİM TEKNOLOJİLERİ TİC. A.Ş)
Call Center Studio, Inc.
651 N Broad Street, Suite 206
Middletown, 19709, New Castle
General Manager: Mr. Cenk SOYAK
Call Center Studio, Inc.
1 East Erie St. Suite 525 PMB
4651, Chicago, IL, 60611
Representative of Call Center Studio Inc.:
Representative of Call Center Studio S.R.L: Mr. Cenk SOYAK
Bucharest Sector 4, Strada PANSELELOR,
No. 6, O CAMERĂ, Block 142, Staircase 2,
Floor 4, Apt. 76, Bucharest, Romania
Trade Register: J40/15090/2021
Data Protection Officer of Call Center Studio Inc.:
Path Düsseldorf GmbH
Certified DPO: Kemal Hakan Hasserbetci
Lise-Meitner Strasse No: 6
40878 Ratingen, Germany
E-Mail: firstname.lastname@example.org & email@example.com
General Manager: Kemal Hakan Hasserbetci
HRB 74806 Düsseldorf
Steuer Nr.: 147/5857/1411
What is GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) was approved by the European Commission (EC) on 27 April 2016 and becomes law on 25 May 2018. It replaces the previous European Commission legislation which dealt with data protection, which was the Data Protection Directive of 1995, and one of the major differences between the GDPR and the previous law is that the GDPR is a Regulation rather than a Directive. This means that it automatically becomes law in each of the countries that make up the European Union without each of these countries needing to create their own, individual laws (in contrast with the previous Directive where, in each of the member states, a separate Data Protection Act had to be passed by the relevant state legislative body to enact it).
The GDPR document itself is eighty-eight pages long and consists of two main parts:
(The Recitals are important because they provide additional details and insight into the purpose and functions of the
The GDPR concerns the personal data of EU citizens wherever that data is held. This means that if your organisation is not based in the European Union but has customers (or suppliers or other parties) within it whose data you hold, the GDPR applies to you.
Leading on from this, it means that if your organisation doesn’t look after that data in the way the GDPR requires, your organisation may be subject to the penalties that the Regulation allows. If you do experience a breach of personal data, you have no choice but to tell the relevant supervisory authority about it. Keeping a serious data breach to yourself is no longer an option. But the mainstay of what the GDPR is about is forcing organisations to take the protection of the personal data of EU citizens seriously.
We thank you for visiting our website and for your interest in the services we offer all around the world, including the EU, US, Middle East and APAC. The websites and our offerings are designed and made available by the companies in the Alotech group of companies, as listed above.
We use your personal information only to manage your customer account / profile, to provide the services you order and, where you have consented, to keep you informed about our services. The protection, confidentiality and integrity of your personal information are very important to every member of our organisation.
Our Data Protection Notice explains our approach to any Personal Data that we may collect from you and the purposes for which we process it, both as a data Controller in respect of our clients and third-party partners and as a data Processor in respect of our clients’ customers. As a Data Processor, we process the End Customer Data of our clients on behalf of those clients, who are the Data Controllers under the GDPR. The personal data transferred from sender to receiver may in general be described as all electronic data and messages sent by clients and received by the Alotech group of companies. Some of your personal data is processed by us and/or by our processors and sub-processors.
Some of the embedded services available in our platform, Call Center Studio, which is designed for and offered to our clients, involve processing personal data on behalf of our clients, who are the data controllers of their end customers, in connection with the applications and tools that the CCS platform offers. We do not act as Data Controller of the hosted data; we are solely the Data Processor under the GDPR, and our clients, as Data Controllers, define the purposes of the processing.
We are committed to ensuring that the personal data of our website visitors is processed in line with the GDPR and domestic laws, and that all visitors conduct themselves in line with this and other related policies. Where third parties process data on our behalf, we will ensure that the third party takes the measures needed to maintain our commitment to protecting data. In line with the GDPR, we understand that we are accountable for the processing, management, regulation, storage and retention of all personal data held in the form of manual records and on computers.
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This website is not designed or intended for use by children under the age of 16. We do not knowingly collect any Personal Data from anyone under the age of 16 without the prior, verifiable consent of a parent or guardian. Such parent or guardian may have the right, upon request, to view the information provided by the child and require that it be deleted. Moreover, all minors should seek their parent’s or guardian’s permission prior to using or disclosing any Personal Data on this website or online resource.
Personal Data: Any kind of information can be personal data provided that it relates to an identified or identifiable person. Personal data covers information pertaining to the private life of a person, which also includes professional activities, as well as information about his or her public life. Under EU law, information contains data about a person if
Data Subject: Under EU law, natural persons are the only beneficiaries of data protection rules (Article 1) and only living beings are protected under European data protection law (Recital 27. See also Article 29 Working Party (2007), Opinion 4/2007 on the concept of personal data, WP 136, 20 June 2007, p. 22.) The General Data Protection Regulation (GDPR) defines personal data as any information relating to an identified or identifiable natural person.
Both types of information are protected in the same manner under European data protection law. Direct or indirect identifiability of individuals requires continuous assessment, “taking into consideration the available technology at the time of the processing and technology developments”. (General Data Protection Regulation, Recital 26.)
The GDPR stipulates that a natural person is identifiable when he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person” (General Data Protection Regulation, Art. 4 (1)).
Data Subject Rights
Data Subject Rights in general: Every data subject has the right to information about processing of his or her personal data by a data controller, with limited exceptions.
Data subjects shall have the right to access their own data and to obtain certain information about the processing; to have their data rectified by the controller processing their data if the data are inaccurate; to have their data erased, as appropriate, if the controller is processing their data unlawfully; to temporarily restrict processing; and to have their data ported to another controller under certain conditions. Additionally, data subjects shall have the right to object to processing on grounds relating to their particular situation, and to object to the use of their data for direct marketing purposes.
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that have legal effects or that significantly affect them. Data subjects also have the right to obtain human intervention on the part of the controller, express their point of view and contest a decision based on automated processing. If you have given us your consent, you can revoke it at any time with effect for the future.
You can contact your local supervisory authority at any time with a complaint. Which supervisory authority is competent depends on your state of residence, your place of work, or the place of the alleged infringement. A list of supervisory authorities (for the non-public sector) and their addresses can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Data protection principles
All personal data obtained and held by us will:
In addition, personal data will be processed in recognition of an individuals’ data protection rights, as follows:
We process the personal data of our users only insofar as this is necessary to provide a functioning website and our content and services. As a rule, the personal data of our users is processed only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
We use the personal information as collected during your visit to our websites to make using them as convenient as possible for you and to protect our IT systems against attacks and other unlawful activities.
If you share additional information with us – for example, by filling out a registration form or contact form – we will use that information for the designated purposes. We also use personal data to the extent that we are legally obliged to do so.
Your personal data will not be passed to third parties for purposes other than those mentioned. We will only pass on your personal data to third parties if:
the processing is necessary to protect legitimate interests and there is no reason to believe that you have an overriding interest worthy of protection in your data not being disclosed.
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. If processing is necessary to safeguard the legitimate interests of our company or of a third party, and the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. It may also be stored if this is provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
Regarding Processing of data outside the EU / the EEA, your data will in part also be processed in countries outside the European Union (“EU”) or the European Economic Area (“EEA”), which may have a lower data protection level than European countries. In such cases, we will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with our contractual partners (copy available on request), or we will ask for your explicit consent to such processing.
Regarding the use of data for marketing, we never sell or transfer your Personal Data to any non-affiliated entity for their own direct marketing use unless we provide clear notice to you and obtain your explicit consent. If you would like more information about this practice and your choices for opting out of this use of your information, see our cookies policy.
We keep records of our processing activities, including the purpose of the processing and the retention periods, in our HR Data Record. These records are kept up to date so that they reflect current processing activities.
Access to data
Our visitors have the right to be informed whether we process personal data relating to them and to access the data that we hold about them. Requests for access to this data will be handled very carefully and in accordance with the GDPR.
Our visitors can inform us immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. We will take immediate steps to rectify the information.
We adopt procedures designed to maintain the security of data when it is stored and transported.
Personal data relating to our visitors should not be kept or transported on laptops, USB sticks, or similar devices.
We store your IP address and the name of your Internet service provider for seven days. This is for security reasons; in particular, to prevent and detect attacks on our websites or attempts at fraud.
Deleting your personal data
The IP addresses of our visitors, which we store for security purposes, will be deleted after seven days. We delete your personal information as soon as the purpose for which it was collected and processed has been fulfilled.
International data transfers
We do not transfer any personal data which has been collected in EU to any recipients outside of the EU through the Call Center Studio Platform.
Personal Data Breach notification
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, we will do so without undue delay.
Provision of the website and creation of log files
When you visit our website
When you access our website, information of a general nature is automatically collected by means of a cookie. This information (in the form of server log files) includes the type of web browser, the operating system used, the domain name of your internet service provider and similar information. This is exclusively information which does not allow any conclusions to be drawn about your person.
This information is technically necessary in order to correctly deliver the content you have requested from websites and is unavoidable when using the internet. It is processed in particular for the following purposes:
Whenever you visit our websites, we keep some information about the browser and operating system you are using; the date and time of your visit; the usage of features on the website; how often you visit individual websites; the names of the files you access; the amount of data transferred; and the web page from which you accessed our website, whether by clicking links on our websites or by entering a domain directly into the input field of the same tab (or window) of the browser in which you have our websites open.
Under the GDPR, IP addresses are considered personally identifiable information (PII), and we use Google Fonts embedded on our site. Our website stores the fonts on Call Center Studio’s assigned cloud server and loads them locally, so Google is not involved in the loading process and no IP address is transmitted to Google; in short, our website hosts the fonts locally without violating the GDPR.
The processing of your personal data is based on our legitimate interest in the aforementioned purposes of data collection. We do not use your data to draw conclusions about you personally. The recipients of the data are only the Data Controller and, if applicable, the contract processor.
The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user’s IP address must be kept for the duration of the session.
Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
For these purposes, our legitimate interest in the processing of the data pursuant to Art. 6 para. 1 lit. f GDPR serves as the legal basis.
The data will be deleted when it is no longer necessary for the purpose of its collection. In the case of collecting the data for providing the website, this is the case when the respective session is completed.
In the case of storing the data in log files, this is the case after no more than seven days. Storage beyond this period is possible; in that case, the IP addresses of the users are deleted or anonymised, so that they can no longer be attributed to the calling client.
The collection of data for the provision of the website and the storage of the data in log files are essential for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
Whenever you visit our websites, we store certain information about the browser and operating system you are using; the date and time of your visit; the status of the interaction (e.g. whether you were able to access the website or received an error message); the usage of features on the website; any search phrases you entered; how often you visit individual websites; the names of the files you access; the amount of data transferred; the Web page from which you accessed our website; and the Web page you visited after visiting our website, whether by clicking links on our websites or entering a domain directly into the input field of the same tab (or window) of the browser in which you have our websites open. In addition, we store your IP address and the name of your Internet service provider for seven days. This is for security reasons; in particular, to prevent and detect attacks on our websites or attempts at fraud.
Using the information contained in cookies enables us to make it easier for you to navigate our web pages and to display them correctly.
The data processed by cookies is required for the purposes mentioned in order to safeguard our legitimate interests and those of third parties pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.
Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer, or so that a notice always appears before a new cookie is created. Disabling cookies completely may mean that you cannot use all features of our website.
We will never pass the data collected by us to third parties or make any connection with personal data without your permission.
What personal information do we collect?
We require certain personal information in order to provide you with this service. You enter some of this data on our websites or provide it directly by email, fax or post. If you become our partner or customer, we will create an account for you in our files.
We receive some of your personal information indirectly from your devices by recording how you interact with our services (such as through cookies) and we also obtain your data as you share using the following omni channels:
Fax, email, telephone, social network, CCS website.
We process the following details that you have shared with us with your permission:
Our website provides a contact form that can be used for electronic contact. If you enter your data, the data entered in the input mask will be transmitted to us and saved.
At the time of sending the message, the following data is also stored:
(1) Time to fill out the form
(2) User Agent of the sender
(3) Date and time
For the processing of the data in the context of the sending process, your consent is obtained and reference is made to this privacy statement.
Alternatively, contact via the provided email address is possible. In this case, the user’s personal data transmitted by e-mail will be stored.
In this context, there is no disclosure of the data to third parties. The data is used exclusively for processing the conversation.
The legal basis for the processing of the data, where the user has given consent, is Art. 6 para. 1 lit. a GDPR.
The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 para. 1 lit. f GDPR. If the email contact is aimed at concluding a contract, an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
The processing of the personal data from the input mask serves us solely to handle the contact. In the case of contact via email, this also constitutes the required legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input form of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.
The additional personal data collected during the sending process will be deleted at the latest after a period of seven days.
Opposition and removal possibility
The user may revoke his or her consent to the processing of the personal data at any time. If the user contacts us by email, he or she may object to the storage of his or her personal data at any time. In such a case, the conversation cannot continue.
All personal data stored in the course of contacting will be deleted in this case.
Questions and complaints
If you have any questions or concerns about the way we use your personal information, please contact our Data Protection Officer: Mr. K. Hakan Hasserbetci, GDPR@callcenterstudio.com
DPA (Data Processing Agreement)
This Alotech Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Alotech on behalf of Customer.
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
We periodically update these terms. If you have an active Alotech subscription, we will let you know when we do via email (if you have subscribed to receive email notifications via the link in our Agreement) or via in-app notification.
The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
Alotech Group of Companies is committed to protecting the personal data of its employees, customers, suppliers and other stakeholders and to ensuring its compliance with all relevant legislation. As part of its business, Call Center Studio relies upon a number of third-party organisations to assist in providing a high level of service to its customers, in reaching new markets, and in looking after its employees, amongst a wide range of other activities.
The European Union (EU) General Data Protection Regulation (GDPR) places obligations on a controller of personal data to ensure the protection of that data when it is processed by a third party, i.e. a processor. In forming a controller/processor relationship, the GDPR is quite specific that a contractual agreement must be in place between the two parties, and that it must specify key items of information about the personal data involved and how it is processed.
All existing and new contractual agreements between clients of Alotech group of companies and their third parties under which personal data is shared or processed must detail specific information and include data protection-related contract terms. The contract must be legally binding on the processor for it to be compliant.
The following information about the processing of personal data must be specified in each contract for it to be GDPR-compliant:
Contractual terms to be included: the GDPR requires that the controller specify a set of minimum terms related to data protection in the contract.
A letter to each subprocessor about its readiness for the GDPR and the details of processing, which includes the following:
Security measures are defined and implemented on the basis of the following policies:
– GDPR Access Control Policy
– GDPR Breach Notification Policy
– GDPR Records Retention and Protection Policy
– GDPR Use of Encryption and Encryption Management Policy
– GDPR Subject Access Request Policy
– GDPR Data Subject Rights Policy
– Information Security Policy
– GDPR Data Protection Impact Assessment Policy
– Data Protection Anonymisation and Pseudonymisation Policy
Alotech group of companies defines rules for access to various systems, facilities, equipment and information according to business and security requirements. The basic principle is that access to all systems, networks, services and information is forbidden unless expressly permitted to individual users or groups of users. There is a user registration procedure for each system and service. Access to all physical areas in the organisation is allowed, except to areas for which privilege must be granted by the authorised person (see “Privilege management”). We define various user profiles with access rights using the terminology “name of system, network or service, and corresponding user rights with job titles”.
We classify privilege management based on the methodology underlying “who is authorised to accept or decline access rights, and the form of the authorisation process”.
Regular reviews of access rights are carried out per system, network service and physical area, at defined review intervals. As required by GDPR, each review has to be recorded.
Change of status or termination of a contract is one of the key elements of the access control policy. Whenever any change in employment or termination of employment occurs, the responsible person must inform the persons who approved privileges for the employee.
In case of termination of an employment contract, the corresponding access rights must immediately be removed or changed by the responsible person.
Technical installation/implementation of the allocation or removal of access is carried out by the assigned responsible persons.
User password monitoring and management is another key element, governed by the following rules:
The breach notification policy is one of the organisational measures that Alotech group of companies has implemented.
According to Article 33:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
According to Article 34:
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2.The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
The controller retains overall responsibility for the protection of personal data, but the processor has an important role to play to enable the controller to comply with its obligations; and this includes breach notification. Indeed, Article 28(3) GDPR specifies that the processing by a processor shall be governed by a contract or other legal act. Article 28(3)(f) states that the contract or other legal act shall stipulate that the processor “assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor”.
Article 33(2) GDPR makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller “without undue delay”. It should be noted that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller. The controller uses the processor to achieve its purposes; therefore, in principle, the controller should be considered as “aware” once the processor has informed it of the breach. The obligation on the processor to notify its controller allows the controller to address the breach and to determine whether or not it is required to notify the supervisory authority in accordance with Article 33(1) and the affected individuals in accordance with Article 34(1). The controller might also want to investigate the breach, as the processor might not be in a position to know all the relevant facts relating to the matter, for example, if a copy or backup of personal data destroyed or lost by the processor is still held by the controller. This may affect whether the controller would then need to notify.
The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, the EDPB recommends the processor promptly notifies the controller, with further information about the breach provided in phases as more details become available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours.
As is explained above, the contract between the controller and processor should specify how the requirements expressed in Article 33(2) should be met in addition to other provisions in the GDPR. This can include requirements for early notification by the processor that in turn support the controller’s obligations to report to the supervisory authority within 72 hours.
Where the processor provides services to multiple controllers that are all affected by the same incident, the processor will have to report details of the incident to each controller.
A processor could make a notification on behalf of the controller, if the controller has given the processor the proper authorisation and this is part of the contractual arrangements between controller and processor. Such notification must be made in accordance with Article 33 and 34 GDPR. However, it is important to note that the legal responsibility to notify remains with the controller.
Alotech Group of Companies collects and stores records of many types and in a variety of different formats.
It is important that these records are protected from loss, destruction, falsification, unauthorised access and unauthorised release and a range of controls are used to ensure this, including backups, access control and encryption.
Alotech Group of Companies also has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records based on the European Union General Data Protection Regulation (GDPR) and its requirements concerning the storage and processing of personal data.
This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Alotech Group of Companies systems.
The record retention and protection policy is based on the principles set out below:
Records are categorised as set out below:
Each record category has the following information:
Each company in the group separately focuses on the following key parameters in the policy:
Encryption and encryption management is one of the key organisational measures which the group of companies has implemented.
We have established rules for the acceptable use of encryption technologies. This policy applies to individuals responsible for the set-up or maintenance of Alotech encryption technology. These responsibilities have been communicated to all personnel of the group of companies by the appointed Data Protection Officer as part of the GDPR training programme.
The key elements of the agreed policy are summarised below:
o The type, strength, and quality of the encryption algorithm required for various levels of protection.
o Key lifecycle management, including generation, storing, archiving, retrieving, distributing, retiring, and destroying keys.
o Transferred electronically over public networks.
o Stored on mobile storage devices.
o Stored on laptops or other mobile computing devices.
o At rest.
According to GDPR, Data Subjects of Alotech group of companies have an absolute right to receive confirmation as to whether we process their personal data, and the right to access that data so that they are aware of it and able to verify the lawfulness of the processing. This process is called a subject access request.
Alotech group of companies as the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
Alotech group of companies as the controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
Alotech group of companies as the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If Alotech group of companies as the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
According to Article 15 (Right of Access by the Data Subject):
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
In order to reply to a request for access and to ensure that none of its aspects might be disregarded, it is necessary first to understand the structure of Art. 15 and the constituent components of the right of access stipulated in this Article.
Art. 15 can be broken down into eight different elements as listed in the table below:
| No. | Element | Reference |
|---|---|---|
| 1. | Confirmation as to whether or not the controller is processing personal data concerning the requesting person | Art. 15(1), first half of the sentence |
| 2. | Access to the personal data concerning the requesting person | Art. 15(1), second half of the sentence (first part) |
| 3. | Access to the following information on the processing: (a) the purposes of the processing; (b) the categories of personal data; (c) the recipients or categories of recipients; (d) the envisaged duration of the processing or the criteria for determining the duration; (e) the existence of the rights to rectification, erasure, restriction of processing and objection to processing; (f) the right to lodge a complaint with a supervisory authority; (g) any available information on the source of the data, if not collected from the data subject | Art. 15(1), second half of the sentence (second part) |
| 4. | Information on safeguards pursuant to Art. 46 where the personal data are transferred to a third country or to an international organisation | |
| 5. | The obligation of the controller to provide a copy of the personal data undergoing processing | Art. 15(3), first sentence |
| 6. | Charging of a reasonable fee by the controller based on administrative costs for any further copies requested by the data subject | Art. 15(3), second sentence |
| 7. | Provision of information in electronic form | Art. 15(3), third sentence |
| 8. | Taking into account the rights and freedoms of others | Art. 15(4) |
Data Subject Rights is one of the key organisational measures which the group of companies has implemented. Alotech group of companies processes many types of data for HR purposes concerning job applicants, employees, former employees, workers and contractors for various reasons. It is fully aware of its obligations under the General Data Protection Regulation (GDPR) to process data lawfully and to ensure that the rights of data subjects, as set out in GDPR, are observed correctly.
Under GDPR, you have the following rights in relation to your data:
Data Subjects have the right to be informed how the Alotech group of companies processes their data and the reasons for the processing. In order to provide this information to them, Alotech group of companies has a privacy notice to explain what data we collect about them, how we collect and process it, what we process it for and the lawful basis which permits us to process it.
Alotech group of companies also has a separate privacy notice applicable to job applicants, available at no cost if requested.
If Alotech group of companies intends to use data already collected from them for a different reason than that already communicated, they will be informed of the new reason in advance.
Data Subjects have the right to access their personal data which is held by the Alotech group of companies.
One of the fundamental principles underpinning data protection is that the data Alotech group of companies processes about them will be accurate and up to date. They have the right to have their data corrected if it is inaccurate or incomplete.
If they wish to have their data rectified, they should do so by completing the Data Rectification Form.
Alotech group of companies will respond to a data rectification request within one month. Where the data rectification request is complex, Alotech group of companies may extend the timescale for response from one month to three months. If this is the case, Alotech group of companies will write to them within one month of receipt of the request explaining the reason for the extension.
If the response to their request is that Alotech group of companies will take no action, they will be informed of the reasons for this and of their right to complain to the Information Commissioner and to a judicial remedy.
Where any data which has been rectified was disclosed to third parties in its unrectified form, Alotech group of companies will inform the third party of the rectification where possible. Alotech group of companies will also inform them of the third parties to whom the data was disclosed.
Data Subjects have the right to have their data deleted and removed from our systems where there is no compelling business reason for Alotech group of companies to continue to process it.
They have a right to have their data deleted in the following circumstances:
If they wish to make a request for data deletion, they should complete the Data Deletion Request form (available on request).
Upon receipt of a request, Alotech group of companies will delete the data unless it is processed for one of the following reasons:
Where their request is not complied with because of one of the above reasons, they will be informed of the reason. Where their request is to be complied with, they will be informed when the data has been deleted.
Where the data which is to be deleted has been shared with third parties, Alotech group of companies will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on the Company, this notification may not be carried out.
They have the right to restrict the processing of their data in certain circumstances. Restricting Alotech group of companies from processing their data means that Alotech group of companies will continue to hold the data but will stop processing it.
Alotech group of companies will be required to restrict the processing of their personal data in the following circumstances:
If they wish to make a request for data restriction, they should complete the Data Restriction Request form.
Where data processing is restricted, Alotech group of companies will continue to hold the data but will not process it unless:
Where the data to be restricted has been shared with third parties, Alotech group of companies will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on the Company, this notification may not be carried out.
Where Alotech group of companies is to lift any restriction on processing, they will be informed in advance.
Data Subjects have the right to obtain the data that Alotech group of companies processes on them and use it for their own purposes. This means they have the right to receive the personal data that they have provided to Alotech group of companies in a structured machine readable format and to transmit the data to a different data controller.
This right applies in the following circumstances:
Where a request for data portability is received, Alotech group of companies will respond without undue delay, and within one month at the latest. Where the request is complex or Alotech group of companies receives a number of requests, Alotech group of companies may extend the timescale for response from one month to three months. If this is the case, Alotech group of companies will write to them within one month of receipt of the request explaining the reason for the extension.
Where Alotech group of companies is to comply with their request, they will receive the data in a structured and machine-readable form. They will not be charged for the provision of this data. Upon request, Alotech group of companies will transmit the data directly to another organisation.
If the response to their request is that Alotech group of companies will take no action, they will be informed of the reasons for this and of their right to complain to the Information Commissioner and to a judicial remedy.
The right to portability is different from the right to access. Although both involve a right to access your personal data, the personal data to be accessed is not the same. The right to access your data under the right to portability includes only personal data as described above. Access to data under the right of access includes all personal data relating to you, including that which has not been provided to Alotech group of companies by you.
Data Subjects have a right to object to the processing of their data in certain circumstances. This means that they have the right to require Alotech group of companies to stop processing their data. In relation to their employment with the Company, they may object to processing where it is carried out:
Where they object to processing, Alotech group of companies will stop the processing activity objected to unless:
Alotech group of companies can demonstrate compelling legitimate reasons for the processing which are believed to be more important than their rights, or the processing is required in relation to legal claims made by, or against, the Company.
If the response to their request is that Alotech group of companies will take no action, they will be informed of the reasons.
Rights in relation to automated decision making
They have the right not to have decisions made about them solely on the basis of automated decision making processes where there is no human intervention, where such decisions will have a significant effect on them. However, Alotech group of companies does not make any decisions based on such processes.
Alotech group of companies currently makes decisions about them using an automated system involving no human intervention. They have the right not to have decisions made about them solely on the basis of automated processes where there is no human intervention.
However, Alotech Group of companies may carry out automated decision making with no human intervention in the following circumstances:
In circumstances where we use special category data, for example data about their health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership, Alotech group of companies will ensure that one of the following applies to the processing:
Alotech group of companies handles sensitive client information on a daily basis. Sensitive information must have adequate safeguards in place to protect it, to protect clients' privacy, to ensure compliance with various regulations and to guard the future of the organisation.
The group of companies commits to respecting the privacy of all its customers and to protecting any data about customers from outside parties. To this end, management is committed to maintaining a secure environment in which to process client information so that we can meet these commitments.
Employees handling Sensitive client data should ensure:
We each have a responsibility for ensuring our company’s systems and data are protected from unauthorised access and improper use.
Information security policy covers the following:
A Data Protection Impact Assessment (DPIA) is a process whereby potential privacy issues and risks are identified and examined from the perspective of all stakeholders and allows the University to anticipate and address the likely impacts of new initiatives and put in place measures to minimise or reduce the risks. As the use of technology and the collection and storage of personal data grows, the need to ensure that it is properly managed and maintained increases.
It is a requirement of GDPR that a Data Protection Impact Assessment (DPIA) is carried out in certain circumstances. This section explains when a DPIA has to be done, how it should be carried out, and what should be taken into consideration as part of the process. The impact assessment covers not only the protection of personal data but the broader privacy of individuals and therefore could also be referred to as a Privacy Impact Assessment (PIA).
The procedures in this section are designed to minimise the risk of harm that can be caused by the use or misuse of personal information by addressing data protection and privacy concerns at the design and development stage of a project. Conducting a DPIA should benefit the University by managing risks, avoiding unnecessary costs, avoiding damage to reputation, ensuring legal obligations are met and improving the relationship with stakeholders.
The term project is used in a broad and flexible way and means any plan or proposal. Examples of the types of projects that need a DPIA are:
When does a DPIA need to be done?
A DPIA should be done as part of the initial phase of a project to ensure that risks are identified and taken into account before problems become embedded in the design and cause higher costs due to changes made at a later stage. If there is a change to the risk of processing for an existing project, a review should also be carried out. In the context of this guidance a project could include the development or enhancement of any activity, function or processing such as a system, database, programme, application, service or scheme. The time and effort put into carrying out the DPIA should be proportionate to the risks.
A DPIA does not have to be conducted as a completely separate exercise and it can be useful to consider privacy issues in a broader policy context such as information security. The DPIA does not necessarily need to start and finish before a project can progress further but it can run alongside the project development process.
The GDPR requires that a DPIA is carried out in the following cases:
It is the responsibility of the person leading the project to carry out a DPIA. As part of the process the Data Protection Officer must be consulted but it is not the Data Protection Officer who carries out the DPIA.
If your project includes the use of any personal data then you should start by completing the screening questions on the DPIA form. If the answer to all these questions is ‘No’ then the remainder of the assessment does not need to be completed, but the results from the screening questions should be sent to the Data Protection Officer for recording.
If the response to any of the screening questions is ‘Yes’ you should go on to complete the remainder of the impact assessment form. Guidance notes are included at the end of the form to help the user ensure that the assessment is properly completed.
The assessment template is split into 8 sections:
For further information about building privacy into a project during the design stage, please see section 12 on Data Protection by Design and by Default.
Once the risks are identified and outcomes and actions agreed, it is important that the person leading the project ensures that the necessary actions are implemented. As the project develops and is embedded, the privacy risks should continue to be assessed to ensure that adequate protections remain in place.
Once the DPIA process has been completed the outcomes will be recorded in a register maintained by the Data Protection Officer. The register will record each risk, explain what action has been taken or will be taken and identify who is responsible for approving and implementing the solution.
Alotech Group of Companies is fully committed to protecting the personal data of its customers, employees, suppliers, and other stakeholders in accordance with the requirements of the European Union General Data Protection Regulation. We take the privacy of personal data very seriously and have initiated a variety of methods and controls to ensure we know what data we collect and hold and that we protect that data appropriately.
As part of this commitment, Alotech Group of Companies ensures that all business activities and projects that involve the use of personal data are subject to a data protection impact assessment. The purpose of this assessment is to ensure that our use of personal data is fully understood, that the risks to that data are carefully examined, and that all appropriate measures are put in place to protect it throughout its lifecycle.
In Data Protection Impact Assessment, we define and underline the following elements:
Alotech Group of Companies has provided guidance for establishing and maintaining pseudonymization and encryption of personal data.
“Pseudonymization” means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Anonymization” means processing personal data with the aim of IRREVERSIBLY preventing the identification of the individual to whom it relates. Data can be considered anonymized when it does not allow identification of the individuals to whom it relates, and when it is not possible for an individual to be identified from the data by any further processing of that same data, or by processing that same data together with other data which is available or likely to be available. For most companies complete anonymization is not feasible.
The purpose of anonymizing personal data is to make it impossible to identify an individual in the anonymized data set even with the aid of the original data, thus anonymized data is not considered personal data. It is important to note that there is no prescriptive standard for anonymization within EU legal frameworks, so the choice of using appropriate anonymization methods rests with the Data Protection Officer.
Alotech Group of Companies has decided when pseudonymization and anonymization techniques are appropriate for particular data processing activities. The following methods are to be considered according to the degree of risk and the intended use of the data:
Pseudonymization is meant to enhance privacy by replacing identifying fields within a data record with one or more artificial identifiers, or pseudonyms. As such, pseudonymization reduces, but does not completely remove, the ability to link a dataset with the identity of a data subject.
We established the appropriate pseudonymization methods such as:
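The following is an added illustration of the pseudonymization and anonymization described above; it is example code written for this page, not Alotech's own guidance or tooling. The record layout, field names and key handling are assumptions: identifying fields are replaced with keyed HMAC pseudonyms, the key and lookup table are the "additional information" to be held separately, and anonymization drops the fields with no way back.

```python
import hashlib
import hmac
import secrets

# Constructed example: fields in a contact-centre record that directly identify
# a caller (assumed layout). Everything else stays as it is.
IDENTIFYING_FIELDS = ("customer_id", "email", "phone")

# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "customer_id": "C-1042",
    "email": "jane@example.com",
    "phone": "+00 555 000 0000",
    "call_seconds": 312,
    "outcome": "resolved",
}


def new_pseudonym_key() -> bytes:
    """Secret key for pseudonyms; store it apart from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Replace identifying fields with keyed HMAC-SHA256 pseudonyms.

    The same value maps to the same pseudonym under one key, so records about
    one caller stay linkable for analysis. The returned lookup table is the
    'additional information' that re-links pseudonyms to people; keep it (and
    the key) under separate access controls from the pseudonymized dataset.
    """
    out = dict(record)
    lookup = {}
    for field in IDENTIFYING_FIELDS:
        value = out.get(field)
        if value is None:
            continue
        digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        token = f"pseu_{digest[:16]}"
        lookup[token] = value
        out[field] = token
    return out, lookup


def reidentify(record: dict, lookup: dict) -> dict:
    """Reverse pseudonymization; only possible with the separately held lookup."""
    return {k: lookup.get(v, v) if k in IDENTIFYING_FIELDS else v for k, v in record.items()}


def anonymize(record: dict) -> dict:
    """Drop identifying fields outright so no key or table can restore them.
    Minimal illustration: real anonymization must also treat indirect identifiers."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
```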
The purpose of this questionnaire is to understand your level of competence in various data protection-related areas. This will help us to assess whether your organisation has been compliant with the GDPR or partially compliant.
Date of Assessment:
Name of The Organization:
Country of Registration:
Product(s) or service(s):
Applicable Data Protection Law:
Compliance level definitions:
You have no knowledge or experience in this area, and it is not part of your role.
0 % – 25 % of GDPR Compliance completed
25 % – 75 % of GDPR Compliance completed
75 % – 90 % of GDPR Compliance completed
90 % – 99.999 % of GDPR Compliance completed
CallCenterStudio hosts Service Data primarily in Google data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant (Privacy Resource Center | Google Cloud).
Google Data Center services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data (Data and Security – Data Centers – Google).
Data Hosting Location
CallCenterStudio leverages Google data centers in the United States, Europe, and Asia Pacific (Cloud Compliance & Regulations Resources | Google Cloud).