|What personal data does Osis hold?||Personal or Business contact details|
Osis holds the personal contact details of people and organisations that have made enquiries online or otherwise contacted us with respect to our services.
Osis holds the transaction records that are stored on our websites as a result of purchases being made on those sites. These do not include credit card or other financial information apart from amounts paid and the form of payment (credit card, PayPal etc.). Names, addresses and email details are stored along with transaction dates, amount paid and status (failed, error, completed etc.) of the transaction.
|Where is data held?||Our Office|
We hold any or all of the above data on hard drives in our registered office. The hard drives are not accessible by unauthorised persons and are password protected.
We use Stripe Payments to process transactions on our websites. Stripe’s services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland. In providing Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc. in the US. To ensure the adequate protection of personal data, Stripe have certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. Their Privacy Shield Policy is available here: https://stripe.com/privacy-shield-policy. They claim to be fully GDPR compliant.
Backups of our databases including any or all of the above data are uploaded to Dropbox servers. File data in transit between Dropbox clients (backup apps on our websites) and the hosted service is encrypted via SSL/TLS. Dropbox’s Legal, Trust, and Privacy teams have carefully analysed the GDPR and are undertaking the necessary steps to ensure that they comply.
Dropbox claim they will meet the requirements of the GDPR by 25 May 2018 (https://www.dropbox.com/en_GB/security/GDPR).
Our websites are hosted with Siteground who are GDPR compliant as a data processor. Their Data Processing Agreement can be seen here: https://www.siteground.co.uk/term/297.htm?scid=2&lang=en
|Who is the data shared with?||No personal data is shared by Osis without the explicit consent in writing from all parties|
|How long do we need to keep personal data?||Contact details are held as long as they may be required in order to facilitate business between Osis and 3rd parties, unless their deletion is requested. Transaction data will not be held longer than 7 years.|
|Our compliance through documented activity||Osis GDPR Compliance Audit taken 24 May 2018. Documented online at https://docs.google.com/spreadsheets/d/1aMOLcjubuef78DJuNEd2PI1wBr3iZ20NgS9buTV5Ah4/edit?usp=sharing|
|Osis privacy notes in line with GDPR||The Osis Privacy Statement is on our website at https://accounts.osisdesign.co.uk/privacy-policy/|
|Subject access request procedure||Parties may request access to and/or deletion of their personal data by emailing firstname.lastname@example.org. We will comply within 30 days.|
|Consent used to obtain personal data||All personal data we hold of 3rd parties has been obtained through either explicit consent via a web form tickbox or similar device; or by implied consent whereby a business or other transaction is the purpose of the communication and associated transfer of personal information.|
|Process for notification of data breach||We will endeavour to notify all affected individuals of any data breach involving personal or sensitive data within 24 hours of our first awareness of the breach. Individuals will be notified via email. We will endeavour to minimise where at all possible any harmful effects of such a breach.|
|Who is responsible for the process||The person responsible for this process is Shannon Ribbons, the Director of Osis Design.|
|Effective date||This policy was created on 23 May 2018|
|Latest update: 26 May 2018|