1.1 When operating in the UK and the EU, Authentix, Inc. (“Authentix”) must comply with local data protection laws. Data protection laws in the UK and the EU set a high standard for the protection of personal data and they define personal data widely. Breaches of such laws present a risk not only of high penalties and other severe enforcement action, but also of a significant impact on the reputation of Authentix. Following this policy will help ensure that Authentix satisfies the requirements of such laws.
1.2 Under the General Data Protection Regulation (“GDPR”), which is the primary data protection law in the UK and the EU, “personal data” means any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly (in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address, device ID or URL), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
1.3 Authentix processes various personal data in the course of its business, including data of its employees and data relating to representatives, employees and contractors of its clients. Although personal data does not include data relating to corporations, it includes data relating to the representatives of those corporations even if they are acting in a professional capacity. As an example, data which relates to the use of Authentix products by a third-party investigator (an “Investigator”) who is appointed by Authentix or our client constitutes personal data of the Investigator. A corporate email address (e.g. firstname.lastname@example.org) also qualifies as personal data.
1.4 This policy sets out the rules governing the handling and use of personal data by employees of Authentix. Compliance with data protection laws requires the support of all employees. Authentix will take action to enforce this policy, including by taking disciplinary action when warranted. Employees will also be required to take part in training in relation to this policy.
1.5 The Authentix General Counsel (the “Policy Owner”) has responsibility for the overall monitoring and implementation of this policy. If you have any questions about this policy or if you are concerned that this policy is not being followed, please contact the Policy Owner.
1.6 This policy may be updated from time to time to reflect changes in Authentix’s practices, data protection laws and/or guidance relating to data protection.
1.7 This policy should be read together with other policies of Authentix relating to protection of personal data and IT systems, as established and maintained by Authentix from time to time.
2. PRACTICAL DO’S AND DON’TS FOR EMPLOYEES
2.1 Respect and give effect to the rights of data subjects (individuals):
2.1.1 If you receive a request from anyone (whether a client or an employee) for a copy of the information which we hold about them tell your manager immediately. We may need to comply with such a request or forward it to a client within a very short period of time. However we would also need to make sure that when disclosing such data, we have a right to disclose it, we do not disclose information which relates to third parties, and we disclose the data only to the right person. Exemptions may also apply to certain information, for example information which is legally privileged;
2.1.2 When a request relates to data which Authentix processes on behalf of a client, Authentix needs to promptly inform the client about the request and assist the client to respond to it. In such cases, Authentix would not respond to the request directly;
2.1.3 If you are asked over the phone for information which relates to an individual, make a written note of the request which should include the name and contact details of the person making the request, and a description of the information they are asking for. The time for dealing with the request starts to run even if the request is not made in writing, therefore make sure you provide the note to your manager immediately. Do not provide any personal data over the phone;
2.1.4 Individuals have other rights apart from the right to access their personal data. In certain circumstances, they may require us to correct inaccurate data we hold about them, request the erasure of their data, and object to certain uses of their data (for example for marketing). We would need to take action quickly in all of these cases therefore you should report these requests in the same way as set out in the paragraphs above;
2.1.5 Do not respond to a request unless you have been authorised to do so by your manager;
2.1.6 More information about the rights individuals have in respect of their personal data and how to give effect to those rights can be found in section 6 of this policy.
2.2 Only process personal data in accordance with the reasonable expectations of the individual(s) to whom it relates and in the manner explained to them in the notices Authentix provides to them. These can be found here. You should familiarise yourself with these notices and check them when you have any doubts. More information about this requirement can be found in section 4 of this policy.
2.3 When Authentix processes personal data on behalf of a client, the data must only be processed in accordance with the instructions of and/or as authorised by the client.
2.4 Keep personal data secure and immediately report potential security incidents:
2.4.1 You must report potential security issues immediately to your manager. It may not be immediately obvious that a security incident has occurred therefore you should report any suspicions, so that they can be investigated;
2.4.2 Security incidents are not limited to cases where data has been accessed by an unauthorised third party; they also include cases where data is lost, corrupted or temporarily unavailable;
2.4.3 Authentix must act fast when it discovers a security incident so that it can mitigate its effects and remedy it. We may also have an obligation to inform our clients, individuals whose data is affected and the relevant authorities within 24 – 72 hours (depending on our legal and contractual obligations);
2.4.4 Do not send information to any person except in accordance with Authentix’s approved standard procedures. Check with your manager if you have been asked to or think that there is a need to share data other than in accordance with our standard procedures;
2.4.5 Only send personal data securely. When you need to send information, even internally to another employee, which contains personal data of a sensitive nature (e.g. financial details) or which contains a large amount of personal data, make sure it is adequately secured, for example, by means of encryption and/or password protection.
2.4.6 Do not leave unattended confidential documents or documents containing personal data during the day (including in your work area or by the printer) and securely lock up such documents at the end of the day;
2.4.7 Lock your computer screen when you leave your desk;
2.4.8 Where your work involves using your personal device(s), make sure you comply with Authentix’s Bring Your Own Device policy and do not use personal email addresses;
2.4.9 Use shredding and confidential waste disposal when getting rid of physical documents containing personal data;
2.4.10 Think before sending any data, especially before forwarding email chains. Consider if the whole email chain needs to be forwarded. Do you need to CC everyone in the email?
2.4.11 Comply at all times in the course of your work with the other policies of Authentix relating to protection of personal data and IT systems, as established or maintained by Authentix.
2.5 Do not record more personal data than Authentix needs in accordance with Authentix’s approved standard procedures.
2.6 Do not record or use any special category data and/or data relating to criminal offences:
2.6.1 Authentix only needs this type of data in exceptional cases and therefore generally prohibits the recording and/or use of such data unless its collection and use has been specifically authorised by the General Counsel;
2.6.2 Special category data includes data relating to health, sex life or sexual orientation, race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, and genetic and biometric data;
2.6.3 Criminal offences data includes data about criminal convictions, allegations of criminal offences and criminal proceedings;
2.6.4 You should inform your manager right away if you discover that special category or criminal offences data is being held or used by, or on behalf of, Authentix;
2.6.5 Where, in specific cases, the collection and use of such data has been authorised by the General Counsel, such data requires a higher degree of protection than other data.
2.7 Make sure (double check) that any personal data you record is accurate and keep it up to date when you become aware that it has changed.
2.8 Where Authentix processes personal data on behalf of a client, the data must be retained and deleted only in accordance with the client’s instructions. When the contract with the client terminates, Authentix must return the data to the client and/or delete all copies of it, as instructed by the client.
2.9 When sending any marketing information:
2.9.1 Do not send such information to anyone unless you obtain approval from
2.9.2 Marketing information includes promotional material of any kind (e.g. email, telephone, post, SMS, instant message), even if it forms a small part of a service communication;
2.9.3 It is important to ensure that we do not send marketing information to anyone who has requested us not to send them such information (unsubscribe requests);
2.9.4 Unsubscribe requests may be made by any means including clicking an unsubscribe link included in a marketing email or informing an Authentix employee over the phone; and
2.9.5 Deal with unsubscribe requests promptly by flagging the relevant individuals as “No Marketing” on the relevant databases.
3. AUTHENTIX’S OBLIGATIONS
3.1 Authentix’s obligations under data protection laws vary depending on the role which Authentix plays when carrying out an activity which involves using personal data.
3.2 When administering contracts with clients, promoting Authentix’s products, managing those products, and providing analysis, risk scores, trends reports and insights to clients, Authentix is a controller of the data processing it carries out for these purposes. This includes the processing of personal data of authorised users of our services. Authentix is also a controller of personal data relating to its own employees.
3.3 Authentix is a processor of personal data relating to representatives, employees and contractors of its clients, when it processes personal data shared by them through their general use of Authentix’s products and services. This means that we process this data on behalf of our clients and our clients are the controllers of this data. Examples include contact details of client’s investigators and consumers and their device location.
3.4 All personal data must be kept secure and must only be used in compliance with data protection laws, regardless of whether Authentix is a controller or a processor. However, Authentix’s role as a controller or a processor has an impact on the specific obligations which apply to it. As examples:
3.4.1 Where Authentix is a controller, it determines the purposes for which the data is used. It is responsible for providing privacy notices to individuals, dealing with requests from individuals exercising their rights, determining the appropriate retention periods, and notifying security incidents to the relevant supervisory authorities, among other obligations;
3.4.2 Where Authentix is a processor, it must only process personal data as instructed by the client, therefore the client provides privacy notices to individuals, decides how to deal with requests from individuals, determines when data should be deleted, and reports security incidents to the relevant supervisory authorities. However, this means that we must quickly notify the client (and we have strict obligations to do so) if we receive any requests from individuals or if we discover that personal data has been affected by a security incident, in time for the client to comply with its own legal obligations.
4. RIGHT TO BE INFORMED
4.1 Employees should always consider the use of personal data from the individual’s point of view (i.e. the employee or the client’s representative). The primary consideration should be how the individual reasonably expects Authentix to process their data.
4.2 When acting in its capacity as a controller, Authentix must inform individuals that it holds their data and what it will use the data for. This is done by means of privacy notices (sometimes referred to as privacy policies or fair processing notices).
4.3 Clients and their representatives are provided with a privacy notice when they visit the Authentix webpage. Where personal data is obtained from third parties, for example, where a client provides us with data relating to its authorised users, Authentix must provide those individuals with a privacy notice within 1 month from when it obtains the data or, if sooner: (i) when it first communicates with those individuals; or (ii) when it discloses their data to a third party.
4.4 Thereafter, Authentix must abide by that privacy notice for as long as it holds the data, and it can only use the data in a different way in exceptional circumstances:
4.4.1 In most cases, the individual’s consent would need to be obtained before carrying out a processing activity which is not described in the notice;
4.4.2 In some cases where Authentix reasonably considers that the new processing is compatible with the purposes of processing which were included in the notice, Authentix may carry out the new processing after notifying the individual about the new processing and its assessment of compatibility (giving the individual the opportunity to object);
4.4.3 In limited circumstances, a legal exception may apply, for example, where Authentix is required to disclose data by a court order;
4.4.4 The General Counsel should be consulted if a processing activity which is intended to be carried out is not covered by the privacy notice given to the individuals concerned.
4.5 If you are involved in recruitment or in designing client journeys, it is crucial that you consider what information needs to be given to individuals about the processing of their data and how this information will be given to them in a timely manner. Privacy notices may be given by various means, for example, in hard copy along with other documents (such as in a welcome pack), by means of on-site notices, email, or link to a webpage where the individual is online, provided that the user can easily access the notice at the time.
4.6 Data protection law specifically lists the information which must be included in privacy notices, and requires that the information is clear and easily understandable. If you need to develop a privacy notice, contact the General Counsel.
4.7 Where Authentix is a processor, Authentix must only process data as instructed by the controller, who would have decided how the data will be used and provided a privacy notice to the individuals to whom the data relates.
5. DATA PROTECTION PRINCIPLES
5.1 Authentix must process personal data in accordance with the data protection laws and rights of individuals and, where it processes data as a controller, it must ensure personal data is:
5.1.1 processed lawfully, fairly and transparently;
5.1.2 obtained for specific, explicit and legitimate purposes only;
5.1.3 adequate, relevant and not excessive in relation to the purposes for which it is used (and is not used for unconnected purposes, unless individuals have been informed of such unconnected purposes – for more information, see section 4.4 above);
5.1.4 kept accurate and up-to-date (and, if inaccurate, then it is either erased or rectified immediately);
5.1.5 not kept for any longer than is necessary for the purposes for which it is used; and
5.1.6 kept secure to prevent unauthorised processing by a third party and accidental loss, damage or destruction, using appropriate technical or organisational measures.
5.2 Authentix also has an overarching obligation of accountability, which means that Authentix must not only comply with its obligations under data protection laws, but it must be able to show that it has considered its obligations and made informed decisions about how to meet those obligations. Therefore:
5.2.1 It is essential that if you are contemplating any use of personal data which is not in accordance with our approved procedures, you contact the General Counsel before you carry out that activity;
5.2.2 The General Counsel will advise you on what further steps may need to be taken before you carry out the activity and will also keep a record of the decision made with respect to the use of the personal data and compliance with data protection laws.
5.3 You should contact the General Counsel if you have any questions about how these principles impact your work.
5.4 Lawfulness, fairness and transparency
5.4.1 The data protection laws require that personal data must be processed “lawfully, fairly and in a transparent manner”.
5.4.2 Authentix must have a legal basis for using personal data. Consent is one such legal basis but there are others, such as that: (a) Authentix needs to use the data to fulfil its legal obligations; or (b) the use of the data is in Authentix’s legitimate interests and does not unduly prejudice the individual’s rights.
5.4.3 Authentix must be clear and transparent with individuals about why their personal data is being used, how it is being used and on what basis the processing is taking place. This requires the giving of privacy notices as explained in section 4.
5.4.4 In addition, Authentix must also ensure there is no unjustified adverse effect on the individuals as a result of the processing (e.g. overly intrusive processing relative to the purpose) because such processing would be unfair, even if individuals have been informed about it.
5.5 Accuracy, Adequacy, Relevance and Proportionality
5.5.1 Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
5.5.2 Employees must make sure any personal data processed by them over the course of their employment is adequate, relevant and proportionate for the purpose for which it was obtained.
5.5.3 Employees should also make sure any personal data they process is accurate and kept up-to-date and that every reasonable step has been taken to ensure that any personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. More information about an individual’s rights to rectification and erasure can be found in section 6 of this policy.
5.6.1 Information security is a key to compliance with the data protection laws and concerns keeping the personal data secure. This means Authentix must ensure (and ensure that any third parties to whom personal data is disclosed ensure) that the personal data is processed and kept in a manner with appropriate security, using appropriate technical or organisational measures.
5.6.2 The obligation of security includes protecting against unauthorised or unlawful use of the data, and accidental loss, destruction or damage of / to the data.
5.6.3 In addition to complying with this data protection policy, all employees must therefore comply with the applicable policies established and maintained by Authentix’s Information Security Department, at all times, when using Authentix’s IT systems.
5.6.4 A “personal data breach” is broadly defined under data protection laws and includes any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A personal data breach may therefore be the result of accidental or deliberate causes, and it is not limited to the confidentiality of the data but also includes its integrity and availability.
5.6.5 In the event of a personal data breach, all employees must comply with the Data Security Breach Procedure (as may be updated from time to time).
6. DATA SUBJECT RIGHTS
6.1 Individuals have a number of rights in relation to their personal data. For example, individuals may request that errors/inaccuracies in their personal data be corrected, request access to or copies of their personal data, request that certain processing activities are not carried out (or are restricted in certain circumstances), request that their personal data be deleted and/or destroyed, or request to receive any personal data which has been provided or transferred to a third party.
6.2 If you receive a request from any individual (whether a client’s representative, an employee or any third party) in respect of their data protection rights, either verbally or in writing, you should immediately notify the General Counsel, before responding or disclosing any information. Such request may be made in writing, but it may also be made verbally. The request does not need to be in any particular form and it does not need to refer to data protection or data protection laws to be considered valid.
6.3 Where it acts as a controller, Authentix must respond to any requests received from individuals regarding their data protection rights within one month from when the request is received. This timescale applies regardless of the method of communication used. It is therefore critical that you consult the General Counsel immediately in order to ensure compliance with the data protection laws.
6.4 Where Authentix acts as a processor, it is the client’s obligation to respond to the request and the time period for the client to respond starts to count from when Authentix receives the request. Authentix must not respond directly but it needs to (i) notify the client without delay and (ii) provide reasonable assistance to the client.
6.5 You should inform the General Counsel that a request has been received by sending an email, together with a copy of the request sent by email/post or fax, to [insert relevant email address here]. In your email, you should confirm the date on which the request was received (which should be the same date as when you send your email to the General Counsel). If the request was received in hard copy, please ensure the physical copy is sent to the General Counsel as soon as possible.
6.6 If the request is made verbally, you should:
6.6.1 note down the name and contact details of the requester, together with details of the request;
6.6.2 let the individual know you will inform the General Counsel and that the General Counsel will be in touch as soon as possible to acknowledge receipt and ask for further details if required; and
6.6.3 email your note to the General Counsel, marked as “urgent”.
6.7 Following notification to the General Counsel, the General Counsel will contact the requester to acknowledge receipt and respond accordingly after carrying out an assessment to determine whether the legal requirements to fulfil the request are satisfied. As part of this process, the General Counsel may need to verify the identity of the requester (or the third party making the request on an individual’s behalf) and may require further details from the requester (e.g. to clarify scope of the request).
6.8 The General Counsel may nominate employees to provide additional support to deal with and respond to any requests made. If an employee is nominated, they must communicate with the requester and act only when instructed to do so by the General Counsel.
7. WORKING WITH SUPPLIERS/VENDORS
7.1 Authentix must ensure personal data is used in accordance with data protection law even where it appoints third parties to process the data on its behalf (processors), and it is required to only use service providers with whom it has an appropriate contract.
7.2 You should therefore only use service providers who have been previously approved by Authentix. Employees should consult their manager if they are unsure whether Authentix has a pre-existing relationship with a service provider.
8. INTERNATIONAL TRANSFERS
8.1 Authentix may need to transfer personal data outside the UK and the EU. Transfers of personal data to any location outside of the UK and the EU are generally prohibited unless Authentix has taken specific measures required by law to ensure that the data remains protected.
8.2 Transferring any personal data from one country to another, including by providing someone in a different country with access to the data, must be approved in advance by the General Counsel to ensure that the transfer does not cause a breach of data protection law.
9. SUPERVISORY AUTHORITIES
9.1 The UK and each EU country has its own supervisory authority responsible for the enforcement of data protection laws.
9.2 If you receive any correspondence from such an authority, it should be immediately forwarded to the General Counsel.