1. Guideline Objective

The purpose of this guideline is to outline the directives to be followed while using resources owned by Fadata. Fadata provides own and partner computer devices, networks, services, and other systems to meet missions, goals, complete projects and initiatives. Access to these resources are granted as a job-related tool or privilege and employees, contractors, and authorized users must manage their usage responsibly to maintain the confidentiality, integrity, and availability of all information assets while performing the assigned duties.
Although this guideline cannot address every possible scenario, employees and contractors are expected to operate at all times in a manner consistent with the rules set out in this guideline with reasonable judgment.

Fadata will review this guideline at minimum on annual basis and reserves the right to amend it at its sole discretion. Requests for amendment or supplement to this guideline must be made in writing and in detail to the guideline owner. Information Security has the authority to approve them.

2. Owner

The Acceptable Use Guideline has been prepared by Information Security and approved by the authorized member of the security team.

3. Scope

The guideline covers all IT resources and services used by Fadata employees, including storing and processing information, being stored on computers, received physically or electronically, created, processed, or transmitted across networks, printed out, written down, spoken in conversation or otherwise disclosed, assessed, or transformed. This is applicable to all Fadata related activities both on-site and off-site.

All employees, contractors, consultants, temporary and other workers at Fadata, including all personnel affiliated with third parties connecting to Fadata network must adhere to this guideline.

The Information Security Department must approve exceptions to this guideline in advance.

4. Risk
4.1 Inherent Risk Breach in the confidentiality, integrity and availability of information stored, processed or transmitted by Fadata information systems due to inappropriate use of corporate information assets. This risk may significantly affect the business and may lead to financial loss.
5. Classification – Public

Can be shown outside Fadata. This document may be disclosed to any external party without the permission of the document owner. Document is published on Fadata webpage.

6. Data Subject Rights

How Fadata will respond to data subject requests.

Fadata is aware that the General Data Protection Regulation (GDPR) – which came into force on 25th May 2018 – broadens the rights of individuals from those outlined in the Data Protection Act 1998. The new regulation ensures that data subjects are better able to understand, manage and control how their personal data is being processed by organisations.
This process looks at how we will respond to and act upon three of those rights specifically, in relation to the data processing we undertake for marketing purposes:
Table of Data subject rights applicability to specific legal base.

Right to be forgotten (aka Right to erasure):
Data subjects can request the deletion of their personal data, where there is “no compelling reason for its continued process” (i.e. this could be where the individual has withdrawn their consent, or their personal data is no longer relevant to what it was originally obtained for).

We can easily achieve this deletion from our marketing platform, HubSpot, which will remove the individual and all their related data from the system. We will communicate – within one business week – any request for deletion with Equinet, our marketing partner (and Data Processor), to ensure that any data related to the same individual might be removed from their data system also.

Conscious of the need to respond without “undue delay”, we are committed to actioning any such request within two weeks (14 days) after confirming the identity of the requestor, which falls well within the stipulated one month under GDPR.

Right to Object processing
Data subjects can always use their Right to object to processing for the purposes of direct marketing. This will automatically trigger right to be forgotten.
Right to object to processing for the purpose of direct marketing is an absolute right.

Right to access
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63). It is understood that in order to comply with this right to access Fadata must provide the individual requesting access to their data, both confirmation that their data is being processed and access to their personal data.

Again, conscious of the fact that the new Regulation states that information must be provided without delay and within at least one month of receiving the request, Fadata will seek to action any subject request for access within a 14-day time period.

We will ensure that the information is in a format that will be easy for that individual to use and understand (for example, we can download a .csv file exported straight from our marketing platform, HubSpot, which will detail all data related to a specific contact).

We understand that in most circumstances, organisations must provide subjects with a copy of the information they request free of charge. However, Fadata acknowledges that we are permitted to charge a “reasonable fee” (based on the administrative cost of providing the information) when a request is manifestly unfounded, excessive or repetitive.

Right to data portability
Data subjects have the right to demand a copy of their data in a common format (for example, .csv file) so that they might move it to another Data Controller of their choice.

We do not particularly anticipate many such requests under this right with regard to our marketing data processing, where they do arise though we will seek to comply similarly to the above. That is to say all information regarding a data subject will be exported from the HubSpot platform, again as a .csv file, and then transferred to the individual accordingly within the 14 day time period we aim to achieve.

Right of rectification
Data subjects have the right to rectify the data we hold if it is deemed inaccurate. Validation of the statement will be required.

Fadata will complete the request within one calendar month. Limit start as soon as the request is received.

Right to be Informed
Data subject right to be informed is covered by Fadata data privacy program. You can learn more at https://www.fadata.eu/privacy-notice

Right to Restrict Processing
Data subjects have the right to restrict processing in regard to Direct Marketing. Validation of the statement will be required.

Fadata will complete the request within one calendar month. Limit start as soon as the request is received.

Right related to automated decision making including profiling
Fadata does not use such techniques.