GDPR Statement from Active Network Systems Limited
This Statement applies to suppliers, customers and subcontractors, to address the Q&A requests required by partners for GDPR related procedures and is available on Active Network Systems’ website (www.ans-ltd.co.uk/gdpr). It outlines how we collect and use personal information and how we meet our obligations as a data controller and as a data processor. You can contact firstname.lastname@example.org for any questions relating to our GDPR Policies.
Is Active Network Systems a Data Controller or Data Processor?
We can be either or both depending on the type of transaction we are performing. Under Article 28 of the GDPR, Active Network Systems is defined as ‘data controller’ for personal data that customers provide for certain transactions; e.g. when we set up an account and/or when we process orders for delivery to our customers’ premises.
As ‘data controller’ we may collect contact details, payment details and company details which will be used to transact orders, confirm credit, take payment, deliver goods etc, as required to fulfil our legal and contractual obligations processing the account and orders. This information will only be used by staff who have the business need to access the data and will only be shared with those third parties who enable us to perform our obligations (e.g. credit agencies and delivery companies). It will be secure in our online and offline systems and will be retained for a maximum of seven years in order to enable us to comply with our legal obligations, after which time it will be destroyed.
Our sub-contractors or GDPR ‘data processors’ are governed by an agreement that ensures they are also compliant with GDPR and that the data is dealt with accordingly.
Active Network Systems is defined as a ‘data processor’ for personal data provided for certain transactions; e.g. when we ‘drop ship’ orders to our customers’ own end user customers, when we transact licensing agreements or request special bid pricing. As ‘data processor’ we may collect end user names, addresses and other contact details which may be passed on to our subcontractors (e.g. delivery companies and vendors), as required to enable us to carry out contractual commitments to customers.
This data will only be used by staff who have the business need to access the data, will only be shared with third parties to enable us to perform our obligations, e.g. vendors for licenses and delivery companies for deliveries, will be secure in our online and offline systems and will be retained for a maximum of seven years in order to enable us to comply with our legal obligations, after which time it will be destroyed.
Our subcontractors or GDPR ‘sub processors’ are governed by an agreement that ensures they are compliant with GDPR and that the data is dealt with accordingly.
Does Active Network Systems have a Data Protection Officer (DPO)?
We are not required to have a Data Protection Officer under the GDPR. However, we have a Privacy Officer as part of the management team who reports to company Directors. Our Privacy Officer is available via the email@example.com email address.
The Privacy Officer is responsible for overseeing that Active Network Systems is meeting its obligations under Data Protection laws and regulations, including GDPR. The Privacy Officer is also a point of contact for Data Privacy related queries from staff, customers, suppliers and other third parties, and the contact point for Data Access Requests and Data Breaches.
What personal data do we collect?
When customers register with Active Network Systems, for either a trade account or to receive marketing information by post, phone or email, we will collect some or all of the following personal data: Name, Email address, fax number, postal address, business contact and billing information, transaction and credit card details (during transactions) and preferences on what marketing information, if any, they might like to receive and how they would like to receive them.
When customers order from Active Network Systems we collect additional information such as payment details – including credit card numbers where relevant – end users’ details to enable direct ship / drop ship – including name, address and contact details and end users’ details to enable license registration. Active Network Systems does not collect any “Special Category Data” as defined by the GDPR for any interactions with customers or suppliers.
How do we use this data?
When registering with Active Network Systems customers will be asked for consent for us to use personal data for the purposes listed below:
- To enable us to confirm business details when setting up an account, for legal, financial and contractual purposes so that we may provide commercial services to our customers.
- To carry out basic checks for due diligence when setting up accounts to ensure all details are genuine and correct and to avoid fraudulent use of data.
- To allow us to comply with legal requirements placed upon us.
- To send you tailored communications by post, fax and/or email about new products, promotions, news items, event details, special offers or other useful items of interest.
When purchasing from Active Network Systems we will request and use customer and sometimes end user data for the purposes listed below:
- To enable delivery of goods directly to our customers.
- To enable delivery of goods to our customers’ end users, including via sub-contractor delivery
- To facilitate the purchase of software licensing.
- To enable special bid pricing requests.
We will keep data for the duration of our joint relationships in accordance with legal requirements, and it will be destroyed after such requirements are met. For example, on expiry of a contract data will be retained for seven years and then destroyed.
Who has access to personal data?
At Active Network Systems we take care to ensure personal data is only accessible by those with a business need. For example, when setting up an account, the data used for that purpose is only accessible to employees involved in that process.
With whom do we share personal data?
Active Network Systems only shares information with third parties as required to enable us to comply with the law, to set up and transact business or to deliver products to customers or customers’ customers, as follows:
- Credit agencies in order to confirm credit status of our customers.
- Credit card companies for the purpose of taking credit card payments.
- Vendors for the purpose of completing software licence purchase and renewals.
- Vendors for the processing of special bid pricing requests.
- Vendors for direct ship to customers or their end users.
- Delivery companies in order to deliver goods to our customers or their end users.
We may pass your marketing information to an authorised marketing agency, only in the event that they are acting directly for Active Network Systems and this data will be destroyed immediately following that specific Active Network Systems’ activity.
In each case, our sub processors will be obliged to follow GDPR and other relevant privacy regulations and guidelines in order to safeguard this data. The data will not be passed outside the European Economic Area as per the GDPR regulation without prior consent or special measures being in place.
How are corrections of data carried out?
Active Network Systems regularly confirms personal contact details and marketing preferences with partners, following which confirmation is sent to confirm the details. This information may be updated at any time by contacting Active Network Systems by phone, to an account manager or to the Privacy Officer.
If you believe we have any incorrect personal information about you, or if anything changes, you may request to see this data, which we will provide within 30 days at no charge.
Any relevant changes in your personal data should be notified to Active Network Systems via your usual contact or to the firstname.lastname@example.org address.
Does Active Network Systems have a central repository of data processing activities?
Yes, Active Network Systems maintains a GDPR compliant data processing repository. It is reviewed and updated on an ongoing basis as required.
How does Active Network Systems manage Storage and Security of data including personal data?
Active Network Systems takes great care to keep data secure, with both physical and electronic processes in place, and management procedures ensure data is protected.
We use encryption where possible, for example when taking credit card orders. Data is physically stored in the UK at Active Network Systems’ facilities and is not passed outside the EEA.
Precise location of the data and backups is confidential in order to maintain data security. If you need more information please contact the email@example.com email address.
What is Active Network Systems’ Data Retention Policy?
Data including personal data is kept for up to seven years to enable management of accounts, requests, compliance requirements and legal requirements, after which time it is destroyed.
Personal data relating to prospective employees who are not successful candidates will be kept for 12 months and then destroyed.
Electronic data is removed through standard deletion and overwriting processes to ensure restoration is not possible and is authorised via the management process with compliance checks.
How does Active Network Systems manage Data Access Requests?
Data Access Requests are monitored, logged and managed via this management process. The Privacy Officer is part of this management process and is responsible for managing it to completion.
How does Active Network Systems manage Data Breaches?
Should a data breach occur, it would be logged and managed by the management system described above. The Privacy Officer is responsible for ensuring the correct processes and procedures are followed and documented, including reporting to any relevant third party.
Data breaches are understood by all staff and management and processes are in place to identify and report them through the management system. Training of all staff includes this subject and other GDPR related responsibilities. Internal tracking and audits are carried out to ensure compliance by staff on all data privacy related matters.
Does Active Network Systems train staff on Data Privacy?
All staff are trained on Data Privacy and GDPR on an ongoing basis. For example, prior to May 25th 2018 all staff have been trained on the company and individual requirements and responsibilities.
All staff are aware of, and agree to, the lawful requirement placed upon them individually and the company.
Training is delivered by various internal and external parties and is under the direction of the Privacy Officer. Refresher courses are run on an ongoing basis as new staff join, regulation changes are made or to reinforce as required.
Is Active Network Systems registered under the DPA?
Yes, Active Network Systems is registered under the Data Protection Act 1988 and complies with DPA and GDPR guidelines.
How are changes to this statement & policy managed?
Active Network Systems may make occasional changes to this policy in order to ensure compliance and best practice. The latest version of this document will be available at www.ans-ltd.co.uk/gdpr and the date will reflect when the latest changes were made.
Who is the Active Network Systems contact for Data Privacy?