GDPR.
The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018.
For useful information from the Information Commissioner, please see their website at https://ico.org.uk.
As a Data Processor, we hold and process personal data on behalf of our customers.
We have carried out a comprehensive Data Protection Impact Assessment (DPIA) of the GDPR requirements and the impact on our platforms.
We have carried out staff training, reviewed and analysed all the data we hold and have worked hard to implement the required changes. We are working with our customers to implement the changes they require to comply with the regulations.
Eagle Eye is proud to be fully certified to the International Standard ISO27001:2022. This standard provides for specific operational controls around how we manage the confidentiality, integrity and accessibility of all the information we use every day, in whatever format it is stored. We have implemented Privacy by Design into our development processes and continue to engrain GDPR into our ISO controls.
We store all our UK-based customer data in data centres in the UK, and we do not share your data with anyone or send any data outside the UK. We only process personal data in the manner required for the permitted purposes of our contractual agreements.
GDPR requirements
This is not a comprehensive list of the GDPR requirements; for these, please refer to your GDPR specialist. Further information can be found on the ICO website, ico.org.uk. We have outlined the major changes that will impact our systems and services that you may be using.
Consent
You must gain the correct positive opt-in consent from your customers; this can be very useful in building trust and engagement with them. If you use our systems, we can extend the consent and privacy policy pages to your new requirements. Please contact us for further information at GDPR@eagleeye.com.
Right of Access or Subject Access Request (SAR)
You must be able to provide your customers with the personal data you hold on them. You may have data in many places, and if you use our systems or we process data on your behalf, we will need to provide you with the data we hold. When you receive an access request, please email our customer service desk at support@eagleeye.com. We will then work with you to provide you with all the data we hold in a safe and secure format.
Right to Rectification
You must be able to rectify the personal data you hold on your customers. You may have data in many places, and if you use our systems or we process data on your behalf, you will need to update the data we hold. You can do this via the existing user interfaces we provide or the APIs you are using. If you are unsure of how to do this, please contact our customer service desk at support@eagleeye.com.
Right to Erasure, also known as Right to be Forgotten
You must be able to erase the personal data you hold on your customers. The rules around erasure are more complicated, and you need to understand them. You may have data in many places, and if you use our systems or we process data on your behalf, we will need to provide you with the data we hold so you can be sure this is data you wish to erase. When you receive an erasure request, please email our customer service desk at support@eagleeye.com. We will then work with you to ensure we are only erasing the data you explicitly require erasing.
Right to restrict processing
GDPR gives your customers the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. You may have data in many places, and if you use our systems or we process data on your behalf, we will need to provide you with the data we hold so you can be sure this is data you wish to restrict.
When you receive a request to restrict processing, please email our customer service desk at support@eagleeye.com. We will then work with you to ensure we are implementing the changes you explicitly require.
Contracts
GDPR states that whenever a data controller uses a data processor, there must be a written contract in place to ensure both parties understand their responsibilities. As a data processor, we can only act on the written instructions of the data controller. GDPR gives processors responsibilities and liabilities in their own right, and processors, as well as controllers, may now be liable to pay damages or be subject to fines or other penalties. If you have any questions about our contractual relationships, please contact us at GDPR@eagleeye.com.
Data Retention
GDPR introduces the concept that personal data should be held for no longer than is necessary for the purposes for which the personal data are processed. This means that as a Data Controller, you will need to have business decisions and rules in place for the retention of personal data. As the data processor, we will act on your written business requirements. Please contact us at GDPR@eagleeye.com to discuss your individual requirements.
Data Breach
In the unlikely event of a data breach, we, acting as the data processor, will promptly notify you, the data controller, that the breach has taken place. You, in turn, will notify the ICO. Please contact GDPR@eagleeye.com for further information.