GeniusTags LTD. needs to gather and store certain information about individuals. These can include clients, suppliers, business contacts, employees, project beneficiaries, project vendors, and other people the organization has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
This data protection policy ensures that GeniusTags LTD.:
The Data Protection Act 1998 describes how organizations — including GeniusTags LTD. — must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
GeniusTags has been keen on achieving GDPR compliance since the early founding of the company. To that end, GeniusTags worked on implementing the guidelines and instructions of GDPR by:
The practices that GeniusTags implements to achieve GDPR compliance are clarified in this document.
This policy applies to:
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
This policy helps to protect GeniusTags LTD. from some very real data security risks, including:
Everyone who works for or with GeniusTags LTD. has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
about them (also called ‘subject access requests’).
utilizes the Microsoft Azure cloud services for the storage, processing and protection of all the data it stores on its systems. As per the Microsoft Azure SLA, it is ensured that all data stored is completely isolated and protected and that no 3rd parties have access to that data. Other than that, GeniusTags shares none of the data it stores on its systems with any third party.
Occasionally, GeniusTags may run promotional campaigns, in which some statistical information may be mentioned about the client’s projects and success stories. GeniusTags always obtains permissions prior to any use of data in such a way.
There are two classes of data that GeniusTags stores in its possession: project data and client staff data. Project data is the data that the client submits to GeniusTags to assist in the use of GeniusTags systems; this data includes information about projects, beneficiary information, vendor information, product information and invoice information. Client staff data is the data that lives on the GeniusTags system and belongs to the client staff who use the GeniusTags systems; client staff data includes their names, phone numbers and emails.
GeniusTags ensures the protection and safe storage of both data classes and contractually guarantees the following rights to the client:
The rights mentioned here are either offered as features built into GeniusTags systems or by means of formal requests that the client may submit to exercise any of their privacy rights.
GeniusTags collects anonymous information about the use and utilization of its systems for optimization and performance improvement purposes. This information does not reveal the identity of any of the users that use the system, nor does it contain any details that may jeopardize the identity of any stakeholders related to the system.
Among the key principles and factors in the design of all GeniusTags systems is security. All GeniusTags systems implement measures that ensure the highest levels of data and information protection and safety. The measures implemented include:
Further, the data that is stored and processed by GeniusTags systems is handled and protected to ensure its safety. Among the measures taken to protect data are:
Meaning, that only the client can have access to that data.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:
In addition to using data to offer the services directly provisioned to the client, GeniusTags may use the data stored in its possession for three reasons: to analyze the data to improve and optimize the system performance, to introduce updates and bug fixes, and to release new features and functionalities. The data used for these purposes is usually not the data that the data owner chooses to encrypt and conceal. However, in the event that encrypted data is needed for the mentioned reasons, GeniusTags informs the data owner about that.
Prior to processing client data, GeniusTags performed a data protection impact assessment that addressed the following:
When a GeniusTags worker, team or any other entity is awarded access to data, they’re made aware of the importance of protecting the data in their possession. Further, data processors are provided with instructions on how to maintain the integrity of the data as well as how to protect it against potential breaches. Among the instructions given to data processors are:
The law requires GeniusTags LTD. to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort GeniusTags LTD. should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
confirming a customer’s details when they call.
GeniusTags LTD. holds about them. For instance, via the company website.
Access to data storage sources is restricted to a predefined list of people in the company, with predefined permissions and predefined activities that they can do with the data. These people are in charge of disclosing specific portions of data upon the formal approval of the data protection officer. This ensures that unauthorized people cannot reach data storage sources, preventing potential breaches.
Records of data access are maintained internally and are controlled and updated by the data protection officer.
When a data set is to be accessed by any person, the person needs to make a formal request to the data protection officer. In the formal request, the person needs to list the reasons and motivations for accessing the data as well as how the data will be used. The officer reviews the request details, and then based on the contractual commitments of GeniusTags with the data owner, the officer approves the disclosure of the requested data set to the person requesting the access.
circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, GeniusTags LTD. will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
GeniusTags implements a procedure that regularly scans for potential data breaches and explores ways of preventing those from happening. In the event of a data breach that poses a risk to data owners, the company is committed to announcing that breach and communicating it to:
When data breaches occur, the company follows an internal procedure to investigate the reasons that caused the breach and implement measures to prevent similar breaches in the future.
GeniusTags LTD. aims to ensure that individuals are aware that their data is being processed, and that they understand:
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
Additionally, the company’s office in the UK is responsible for addressing data protection-related matters.