This Policy describes the type of information we may collect from you or that you may provide (“Personal Information”) in the “SecuriGo” mobile application (“Mobile Application”) and any of its related products and services (collectively, “Services”), and our practices for collecting, using, maintaining, protecting and disclosing that Personal Information.
By accessing the Mobile Application and Services, you acknowledge that you have read, understood and agree to be bound by the terms of this Policy. If you do not agree to the terms of this agreement, you must not accept this agreement and may not access and use the Mobile Application and Services.
This Policy does not apply to the practices of companies that we do not own or control.
2. Automatic Collection of Information
When you use the Mobile Application, our servers automatically record information that your device sends. This data may include information such as your device’s IP address and location, device name and version, operating system type and version, information you search for in the Mobile Application, access times and dates and other statistics.
Information collected automatically is only used to identify potential cases of abuse and establish statistical information regarding the usage of the Mobile Application and Services. This statistical information is not otherwise aggregated in such a way that would identify any particular User of the system.
3. Collection of Personal Information
Users of the Mobile Application are employees of SecuriGroup. Your name and email address, which have been obtained as part of your onboarding process, will be used to create your account.
Third parties such as clients may be granted access to the Mobile Application. The third party would be required to provide their name and email address in order for an account to be created.
We receive and store any information you knowingly provide to us when you fill in any forms in the Mobile Application or use specific features. When required, this information may include the following:
- Account details (such as username, unique user ID, password etc.)
- Contact information (such as email address, phone number etc.)
- Basic personal information (such as name, place of work etc.)
- Sensitive personal information (such as ethnicity, medical information etc.)
- Geolocation data of your device (such as latitude and longitude)
- Certain features on the mobile device (such as gallery)
4. Use and Processing of Collected Information
The Mobile Application is used to obtain and send administrative information to the necessary persons within the business to fulfil your request.
We will process (collect, store and use) the information you provide in a manner compatible with the GDPR. We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. We are required to retain certain information in accordance with the law. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
5. Your Rights as a Data Subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
Right of access - you have the right to request a copy of the information that we hold about you.
Right of rectification - you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten - in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restriction of processing - where certain conditions apply, you have a right to restrict the processing.
Right of portability - you have the right to have the data we hold about you transferred to another organisation.
Right to object - you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling - you also have the right to be subject to the legal effects of automated processing or profiling.
Right to judicial review - in the event that the organisation refuses your request under rights of access, we will provide you with a reason as to why.
6. Disclosure of Data
We will share your personal information with subsidiaries of SecuriGroup Limited as appropriate in order to respond to your queries or requests.
We may pass your data on to third-party service providers contracted by SecuriGroup in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and only use them to undertake a service on behalf of SecuriGroup. When they no longer need your data to fulfil this service, they will dispose of it in line with our procedures. If we wish to pass your sensitive data on to a third party, we will only do so once we have obtained your consent, unless we are legally required to do so otherwise.
7. Security of Data
All employees are responsible for ensuring that any personal data that SecuriGroup holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by SecuriGroup to receive that information and has entered into a confidentiality agreement.
All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. All personal data will be treated with the highest security.
8. Data Retention
SecuriGroup shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purpose(s) for which the data was originally collected.
SecuriGroup may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
The retention period for each category of personal data will be set out in the Retention of Records Procedure along with the criteria used to determine this period, including any statutory obligations SecuriGroup has to retain the data. SecuriGroup’s data retention and data disposal procedures will apply in all cases.
Personal data must be disposed of securely in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the 'rights and freedoms' of data subjects. Any disposal of data will be done in accordance with the Secure Disposal or Re-Use of Equipment Procedure.
9. Data Transfers
Under the EU GDPR, all exports of data from within the European Economic Area (EEA) to non-EEA countries (referred to in the GDPR as ‘third countries’) are unlawful unless there is an appropriate “level of protection for the fundamental rights of the data subjects”.
Under the UK GDPR, all exports of data from within the UK to other countries (third countries) are unlawful unless there is an appropriate "level of protection for the fundamental rights of the data subjects".
The transfer of personal data outside of the EEA and/or UK is prohibited unless one or more of the specified safeguards, or exceptions, apply:
9.1 An Adequacy Decision
Under the EU GDPR, the European Commission can and does assess third countries, a territory and/or specific sectors within third countries to assess whether there is an appropriate level of protection for the rights and freedoms of natural persons. In these instances, no authorisation is required.
Countries that are members of the EEA but not of the EU are accepted as having met the conditions for an adequacy decision.
A list of countries that currently satisfy the adequacy requirements of the Commission is published in the Official Journal of the European Union: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
Under the UK GDPR, the ICO and the Secretary of State for Digital, Culture, Media and Sport can award adequacy decisions to countries that meet the UK’s standards for data protection. No authorisation is required for transfers to these countries. The UK has awarded adequacy decisions to the EEA and all countries that the EU has awarded adequacy decisions as of 1 January 2021.
9.2 Binding Corporate Rules
SecuriGroup may adopt approved binding corporate rules for the transfer of data. This requires submission to the ICO and/or relevant supervisory authority for approval of the rules that SecuriGroup is seeking to rely upon. Binding corporate rules will not be valid if the protections set out in the rules cannot or will not be applied in the recipient state.
9.3 Standard Contractual Clauses
SecuriGroup may adopt approved standard contractual clauses for the transfer of data. If SecuriGroup adopts the standard contractual clauses approved by the relevant supervisory authority, there is an automatic recognition of adequacy, provided appropriate measures are taken to ensure the contract clauses can and will be applied within the recipient state.
In the absence of an adequacy decision, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:
The data subject has explicitly consented to the proposed transfer, after having been informed of the risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
The transfer is necessary for important reasons of public interest.
The transfer is necessary for the establishment, exercise or defence of legal claims.
The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
10. Push Notifications
We offer push notifications to you which you may voluntarily subscribe to at any time. To make sure push notifications reach the correct devices, we use a third-party push notifications provider who relies on a device token unique to your device which is issued by the operating system of your device. While it is possible to access a list of device tokens, they will not reveal your identity, your unique device ID, or your contact information to us or our third-party push notifications provider. If, at any time, you wish to stop receiving push notifications, simply adjust your device settings accordingly.
11. Geolocation Data
When using some services within the Mobile Application, geolocation data may be tracked if authorised by the user. The Mobile Application will only track geolocation data in certain circumstances when using specific features within the Mobile Application.
Geolocation data is collected via some forms within the Mobile Application which will convert your location into text. In this instance, the user is asked for permission to use geolocation, and the Mobile Application will only collect this for the single instance for which it has been approved.
There are other features within the Mobile Application that require longer-term tracking of geolocation. We will initially ask you for permission to track your location and tracking will stop when the app has been closed or the feature you are using has been ended by you.
12. Data Breach or Security Incident
In the event of a personal data breach or security incident, we will notify the data controller without undue delay. These contact details are recorded in the Internal Breach Register and Data Breach Incident Form. SecuriGroup provides the controller with all details of the breach.
The breach notification is made by email and telephone, with a confirmation of receipt of this information made by email.
SecuriGroup determines if the supervisory authority and/or the ICO needs to be notified in the event of a breach. SecuriGroup assesses whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting a data protection impact assessment against the breach.
If a risk to data subjects is likely, SecuriGroup reports the personal data breach to the supervisory authority and/or the ICO without undue delay, and not later than 72 hours. If the data breach notification to the supervisory authority and/or the ICO is not made within 72 hours, SecuriGroup’s Data Protection Officer submits it electronically with a justification for the delay. If it is not possible to provide all of the necessary information at the same time, SecuriGroup will provide the information in phases without undue further delay.
If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, SecuriGroup notifies those/the data subjects affected immediately in accordance with the Data Protection Officer’s recommendations.
13. Acceptance of this Policy
You acknowledge that you have read this Policy and agree to all its terms and conditions. By accessing and using the Mobile Application and Services you agree to be bound by this Policy. If you do not agree to abide by the terms of this Policy, you are not authorised to access or use the Mobile Application and Services.
In the event that you wish to make a complaint about how your personal data is being processed by us, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and SecuriGroup’s Data Protection Officer.
15. How to Contact Us
If you have any questions regarding the processing of your data, this Privacy Notice or would like to raise any concerns, please contact our Data Protection Officer using the contact details below.
349 Bath Street
|VERSION||DATE||REVISION AUTHOR||SUMMARY OF CHANGES|
|Samantha Lang||Risk Manager||Samantha Lang||Initial publication|
|Samantha Lang||Risk Manager||28/10/2021|