GDPR & Privacy Policy
Learn2Learn.ie GDPR & Privacy Policy Document
**This document is available on our website
Index of contents
- Fair processing policy
- Storage and access policy
- Personal data audit & retrieval process
- Destruction of data
- Employees
Fair processing policy
What data to we collect?
- Name
- Postal address
- Telephone number(s).
- Email address.
- Transcript of the summary details of any contact between you and us.
- Closed circuit video image.
- Credit card data.
- Telephone messages.
- Telephone conversations.
How do we collect it?
All the following data gathered is initiated by you the customer;
- Telephone call.
- Web site contact form.
- In person at our premises or concession stand.
- Inbound electronic mail, social media or IMS.
- SIP voice recorder, voicemail services or answering devices.
- Patrons are required to read and accept the terms of service when booking a service using our online presence. All tick boxes are configured for positive opt in functionality.
Why do we need your data?
- We use your data exclusively to keep you informed about your current contract(s).
- We never disclose your data to third parties without your explicit permission and only then for the purposes of supporting the current contract(s).
- In order to provide a collection and return service your contact details are required. This information may then be shared with a third party courier company to provide the service requested.
- We will never sell your data.
- The nature of our business (service, maintenance) requires that we retain concise details of all interactions with our customers. These details refer to the reports, advice and actions carried out by us. They include requests, instructions and comments made by our customers, suppliers and current and historical clients. They do not include personal preferences, affiliations, belief systems, gender, sexuality or political persuasions of any kind.
- Details of any disputes however arising are retained for a period of seven years. This is in accordance with the statuary requirements.
- Compliance with Revenue, Companies registration office, Central statics office or any other statutory bodies.
Fair processing policy continued
What data do we delete?
- Credit card data;
Our, AIB operated, credit card machine prints two copies of each receipt. The customer copy is transferred to the customer in person, via post or courier where possible. If it is not possible to transfer the customer copy it is destroyed using the destruction of data policy. The merchant copy is attached to a copy invoice and retained for audit purposes.
We do not retain any other record of credit card numbers once the transaction is complete. Each sequential transaction requires repeat acquisition of the data.
- Closed circuit television images;
For insurance purposes our monitoring system records all visitors to our premises. Images are captured at a resolution of 1920 x 1080 with a frame rate of 12 frames per second 16 bit colour. Images are deleted on a rolling FIFO (First In First Out) basis with a 14-day period. In the event of security incident images are downloaded from the CCTV server to portable media for the purposes of a Garda investigation. Media is stored in the H.264 codec.
Images are captured in three primary locations;
- Parking area in front of the building.
- Doorbell
- Reception
On occasion patrons request use of the private WC. In these circumstances a forth image is captured in the hallway outside the WC.
In addition, there are cameras located in all offices, common areas, workshops, rear lane and warehouses. However, there is no public access authorised in these areas.
Voice
- We may on occasion record inbound or outbound telephone conversations for the purposes of training or quality control. These recordings are performed on a local server in the G.729 codec. They are deleted on a FIFO (First In First Out) basis on a 14-day period. We may retrieve certain calls or messages as they relate to a dispute, contract or permission. All parties are made aware of the presence of recording equipment in advance of any interaction.
Storage and access policy
Soft data
Infrastructure
We operate a secure IT infrastructure at our premises with the following security features;
- Up to date firewall.
- Segmented WIFI VLAN with 128-bit WPA and 256-bit AES.
- User level password protected workstations.
- VPN with IPsec.
- Thin client type data store with no personal data stored on workstations.
- Our public office (Reception) workstation has a lock screen timeout of 180 seconds.
On-site storage
All personal data is retained on a NAS (Network Attached Storage) device with the following security measures.
- Raid 5.
- 256bit AES encryption.
- NAS located in a comms rooms rack with a locking front door.
- Comms room is protected by a locking door with self-closing feature.
Off-site storage
We use Dropbox’s cloud business service. This allows for the following backup features;
- Double encryption is deployed.
- All back up sets are first encrypted on site using 256-bit AES.
- Transported via WAN to a fully encrypted cloud folder with 256-bit AES.
- Administrator only access privileges.
Portable devices
- We operate various portable devices from smartphones to laptop computers.
- Portable devices do not store personal data.
- Each device connects to the office network using a secure VPN (IPsec).
- Each device is controlled under a remote administration policy which provides for remote deletion of all log on data.
- Each device stores log on data in an encrypted folder.
- An audit log is retained for all devices connecting to the network. This log details user authentication, inbound IP address, date stamp for connection, date stamp for disconnection, location data and total payload.
- Each device employs a 6-digit pin with a lock screen timeout of 15 seconds.
Hard data
Document storage
All hard data is stored in level arch files, cabinets or banker’s boxes. We have a central records room. This room is located on site. The room is protected by a locked door with self-closing feature. There is only one access point to the room. The public have no access to this room.
Paperwork in the following forms are retained;
- Supplier invoices.
- Customer invoices.
- Outbound marketing material.
- Inbound marketing material.
- Legal documents.
- Any document pertaining to compliance requirements with Revenue, Companies registration office, Central statics office or any other statutory bodies for the prevailing compliance period.
This is not an exhaustive list.
Personal data audit & retrieval process
All staff receive continuous training in the handling, acquisition and retrieval of personal data.
A custom designed relational database is deployed to manage all soft personal data. It has the following features;
- Datasets are in the .db form and allow for incremental updates.
- Daily checksum calculations confirm integrity of dataset
- Each record requires a mandatory automatically generated unique ID.
- All entry fields are searchable independent of one another.
- Data is acquired from the data store in real time, no local caching is possible.
- All printed materials relating to each record display the unique ID.
- Hard copies are stored in a contagious manner ordered by date of acquisition.
We have developed the following processes to retrieve single datasets. The nature of our data store facilitates these processes in a timely manner and well within the mandated 30-day period.
Personal data request process;
Step 1. Verify the bona fides of the applicant using the unique data on file.
Step 2. Input the search parameters into the database (name, address, phone number, email etc.).
Step 3. Export results to a CSV (Comma Separated Values) spreadsheet.
Step 4. Generate a PDF document from a prescribed template detailing each field in easy to read clear text using the CSV file.
Step 5. Deliver the PDF to the applicant.
Step 6. Confirm receipt.
Personal data update or correction process;
Step 1. Verify the bona fides of the applicant using the unique data on file.
Step 2. Request written details (Email, postal service) of the changes required from the applicant.
Step 3. Input the search parameters into the database (name, address, phone number, email etc.) for the relevant dataset.
Step 3. Make all amendments requested to all relevant datasets.
Step 4. Export the new results to a CSV (Comma Separated Values) spreadsheet.
Step 4. Generate a PDF document from a prescribed template detailing each field in easy to read clear text using the CSV file.
Step 5. Deliver the PDF to the applicant.
Step 6. Confirm receipt and request verification of accuracy.
Personal data ‘right to be forgotten’;
Step 1. Verify the bona fides of the applicant using the unique data on file.
Step 2. Input the search parameters into the database (name, address, phone number, email etc.) for the relevant dataset.
Step 3. Export the results to a CSV (Comma Separated Values) spreadsheet.
Step 4. Carry out the deletion function of the database (requires administrator level privileges).
Step 5. Repeat step 2 to verify all data has been deleted.
Destruction of data
Soft data
- Encrypted backup sets are updated on an incremental basis each day. A verbose set is created every 14 calendar days. The old backup set is deleted during the over write process.
- EOL life hardware is formatted, defaulted and recycled under the WEEE regulations.
- In the event of a contract cessation and termination of service with cloud-based providers all files are deleted, all indexes removed, and accounts deleted.
Hard data
- All documents no longer required are shredded in a machine compliant with current regulations.
- Shredded materials are deployed as packing or recycled.
Employees
- All staff are required to read, understand and accept the company training manual in advance of commencing employment.
- The manual includes a copy of the company privacy policy.
- Training is provided on an ongoing basis to all staff members in the acquisition, processing, editing and deletion of personal data in compliance with the company privacy policy.
- All staff payment information is retained in a secure online banking system operated by AIB. Access is only available to administrator level privileges with triple security features.
- We do not retain any hard or soft copies of employee financial details on site.
- The company does not employ the use of biometric data to provide access, time keeping, security or log on details.
- Portable devices are issued with user level authentication.
E&OE