Privacy Notice – Services

Identity and contact details of the controller

Risk-X LLP, Risk-X Holdings Ltd, Risk-X (UK) Ltd and Risk X Data Assurance (Pty) Ltd (collectively ‘Risk-X’)

Atrium Court

100 The Ring

Bracknell

Berkshire

RG12 1BW

UK


Paula Pocock

Privacy@risk-x.co.uk

+44 203 040 2990


Service that this Data Privacy Notice relates to

This data privacy notice only relates to personal data exchanged via our Audit, Advisory, Assurance, Digital Forensics and Incident Response services.


Data that we process

We process the following data for the provision of our services:


Your contact details

Privacy data:

·        Representatives’ names

·        Representatives’ business addresses

·        Representatives’ telephone numbers (mobile or landline)

·        Representatives’ email addresses

Other data:

·        Company name

The data you share as part of our contract

Privacy data:

·        Representatives’ names

·        Representatives’ business addresses

·        Representatives’ telephone numbers (mobile or landline)

·        Representatives’ email addresses

·        You may also share bank details if we are setting up direct debits or standing orders, or if we need to refer to a credit reference agency

Other data:

·        Company name

·        Company IP addresses

·        Company-specific data that may contain information on individuals, as part of the business data transferred to us so that we can perform the services contracted between us

Note: Depending on the services that are performed (e.g. penetration testing or forensics), Risk-X may gain access to significant volumes of personal data, and this may include special categories of data.  In this case, Risk-X will be a processor and not a controller of that data.  Risk-X will require a data processing agreement to be in place as part of the contract, and Risk-X will follow its requirements and be bound by the controller’s data privacy notice.  As we are not the controller of this data, it is not covered by this data privacy notice.

Purpose of processing

The processing of data and this privacy notice only relates to the services that we provide to you under the contract that you or your company have signed with us:


The data

Purpose

Legal Basis

Your contact details

These are processed for you to be able to take out a contract for our services.  These are then processed to enable us to provide payment terms and discuss matters with relevant personnel to be able to fulfil the contracted services agreed.  These will then need to be used for billing purposes.

6.1.b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

The data you share as part of our contract

To allow access to data exchanged between the disclosing and receiving parties to fulfil contractual obligations between the parties / regulators.

6.1.b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Legitimate interests of the controller

The controller is a security company that provides Audit, Advisory, Assurance, Digital Forensics and Incident Response services.  Risk-X is not relying on legitimate interests to process your data in this instance; the processing is carried out purely under contract.

Recipients of personal data

While providing the services to you we may process your personal data and share this with the following types of organisations:


Type of company

Purpose

Credit reference agencies

If you are a sole trader then your details may be provided directly; otherwise it will be the data of your organisation.  This allows us to check the creditworthiness of your organisation so that we can offer payment terms.  These companies will not have access to any report information, as this is held under non-disclosure agreements between us.

Our bank

To be able to collect payments by direct debit or standing order, if this has been agreed with us.  If you have provided bank details then these will need to be shared with our bank to process payments.  Our bank will not have access to any report information, as this is held under non-disclosure agreements between us.

Our accountants

To be able to check that all invoices have been paid and to complete our financial accounts, our accountants may have access to your contact information only.  They will not have access to any report information, as this is held under non-disclosure agreements between us.

Specialist security companies

Where we have agreed that the services require specialist resources to allow delivery to you under contract, we will share the relevant information with these third parties.  You will be informed of the company’s details on request, and they will be subject to the Risk-X data privacy notice and data processing agreements.

The servers that this data resides on are encrypted to ensure that the provider of our hosting services does not have access to this data on their hard disks.  However, there may be occasions where data is shared with other organisations for the following purposes:

Type of company

Purpose

Penetration testing / security validation

Penetration testing companies, while testing the security of this website.  This will be covered by NDA and your data will not be exposed to risk during this process.

Forensic investigation

Should a forensic investigation be necessary, the company engaged may require access to data during the investigation.  This will be covered by NDA and your data will not be exposed to risk during this process.

Insurers / solicitors

For the purposes of defending any claim that is brought against us by you we may need to share information with our insurers or legal representatives.

Licensing agencies / auditors

During audits for the commercial licences we hold, our auditors may require onsite review of the data.  Any data that is to be taken offsite and out of our control will be anonymised so that your personal data is not exposed to risk during this process.

Law enforcement or other legal body (ICO etc.)

For the detection and prevention of crime, or to comply with statutory obligations, we may be required to share information with law enforcement, government or other legal bodies as required by law.

These recipients are covered within the Non-Disclosure Agreement between the parties.

Details of transfers to third countries

To deliver the services to you there may be a requirement to use specialist companies that are based outside of the UK.  In this regard, Risk-X is relying on the legal derogation that any transfer would be necessary for the performance of a contract between the individual and the organisation, or for pre-contractual steps taken at the individual’s request.  Risk-X will assess these companies and ensure that they meet the same requirements and safeguards as you would expect from Risk-X in the UK.

For companies within our group, our platforms are shared between our UK and South African companies.  While there should be no transfers outside of the EEA, where the platform is hosted, this could occur.  However, all IT solutions in use by the company are administered and controlled in the UK.  All safeguards that are in place for UK staff are the same as those for our South African staff.  As such, all technical and organisational controls are the same and will be fully enforced in all locations.

Retention period of your data

Your data will be retained for the following time periods:


Purpose

Retention period or how we calculate the retention period

Your contact details

This will be retained for the lifetime of the contract between us and, if possible, removed at the end of the contract.  However, if this data forms part of reports or evidence provided to you or to us, it will be retained for the lifetime of the contract plus six years so that we can defend any insurance claims against us and prove what advice has been given.

The data you share as part of our contract

This will be retained for the lifetime of the contract between us plus six years so that we can defend any insurance claims against us and prove what advice has been given.

Your rights

Under the General Data Protection Regulation, you have rights, and our objective is to enable these appropriately.  Your rights in relation to this service are as follows:

Right

How we support it

The right to be informed

We will publish this notice on our website, and will also include it as part of our contract with you and any reports we deliver to you.  This notice will serve as our information to you on your rights and how we use your data.

The right of access

You have the right to know what information we hold on you for this service, and this can be accessed by request to us.  Please contact us and we can provide this once we have established your identity.

The right to rectification

If any of the information that we hold on you is inaccurate, please let us know and we will rectify it.

The right to erasure

Your contact data will be removed if no contract is entered into between us and, if possible, at the end of the contract.  However, if this data forms part of reports, the report information itself or evidence provided to us, it will be retained for the lifetime of the contract plus six years and there is no right to erasure.

The right to restrict processing

You have the right to ask us to stop processing your data for a given time, and we have the right to restrict processing if the need arises.  This will be either because you ask us to, or because there is a dispute between us in relation to the contract.  We will inform you if we restrict processing of your data for any time, the reason behind this and any effects that this will have on you.

The right to data portability

Data that is non-sensitive will be exchanged via email between us.  Any sensitive or confidential data will be exchanged via the Risk-X portal.  The Risk-X portal is what enables your data portability, as it allows the upload and download of data that is shared between us.  Formats of data are limited to those commonly used and agreed between us by contract.

The right to object

You have the right to object to the processing that we undertake.  Please see the section ‘Your right to complain’ below for instructions on how to do this.

Rights in relation to automated decision making and profiling

Automated decision making is only used by credit reference agencies to provide information to us on our ability to extend payment terms to you.  If credit reference agencies are used, we will tell you which agencies these are and provide their privacy notices at the time of processing.  You have the right to object to this process and to the decision or outcome of the processing.  We are more than happy to review these decisions manually with you and take any other information into account at that time when deciding.  This is only relevant if you are a sole trader and your data is processed directly, as this would normally relate to your business details only.

Right to withdraw consent

The information that is exchanged between the parties is processed under contract.  As such there is no ability to withdraw consent for this service, as consent is not our legal basis for processing.

Your right to complain

You have the right to complain – although we should be complying with our obligations so that you don’t have to!  However, if you feel that you need to then we would ask you to complain to us in the first instance:


Paula Pocock

Privacy@risk-x.co.uk

+44 203 040 2990

However, you always have the right to complain to our supervisory authority.  We are based in the UK and our supervisory authority is the UK Information Commissioner’s Office; more information can be found here:

·        https://ico.org.uk/concerns/

Statutory or contractual data processing

Data is processed by Risk-X for services that we provide as part of a contractual requirement.


Automated decision making

Automated decision making is only used by credit reference agencies to provide information to us on our ability to extend payment terms to you.  If credit reference agencies are used, we will tell you which agencies these are and provide their privacy notices at the time of processing.  You have the right to object to this process and to the decision or outcome of the processing.  We are more than happy to review these decisions manually with you and take any other information into account at that time when deciding.  This is only relevant if you are a sole trader and your data is processed directly, as this would normally relate to your business details only.

Version

3rd May 2018