Data protection guidelines
This Datahive 360 Data Protection Guideline (the “DDPG”) is an informative, product-specific document. It contains general information on data protection and can assist you with the data protection compliant use of the Datahive 360 products and services. The DDPG does not constitute legal advice provided by Datahive 360. Please consult with your own legal counsel on your individual circumstances of data processing and specific legal questions you may have.
References to Datahive 360 herein refer to Datahive 360, datahive360.com, affiliates, subsidiaries, partners and designees of Datahive 360.
Questions regarding this guideline should be directed to the following address:
P.J. Oudweg 4
1. Processing of personalized data
2. Special categories of personal data or criminal data
Please be aware that Datahive 360 is not intended to process special categories of personal data (“sensitive data”) or personal data relating to criminal convictions and offences (“criminal data”). Sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
When processing such personal data, stricter requirements and limitations apply (see Art 9 and 10 GDPR). Please note that processing of sensitive and criminal data might be an issue for customers who are companies from the health industry sector, political parties or entities of religious communities. Thus, you may consult with your legal counsel before processing such personal data.
3. Roles and responsibilities in the terms of GDPR
When using Datahive 360 for your own marketing purposes you will in general be the controller in the terms of the GDPR. As such, you have inter alia the responsibility to assess the lawfulness of all processing activities and adhere to certain documentation requirements (e.g. keeping a record of all processing activities).
Furthermore, you have to ensure that all data subjects are informed about your processing activities in a transparent manner (Art 13, 14 GDPR). This may include informing them about processing of personal data for marketing purposes where data was originally collected for other purposes (e.g. online shop customers).
When you are processing personal data as an agency on behalf of your clients (i.e. their customer’s data) as part of your services, you will be the processor in terms of the GDPR. As processor you are obliged to enter into a data processing agreement with the controller (Art 28 GDPR) and ensure an adequate level of data security by implementing appropriate technical and organizational measures.
A combination of personal data is a particular form of processing that must be legitimate and transparent.
4. Legal grounds for processing
The processing of personal data is only permitted when it can be based on one of the legal grounds listed in Art 6 GDPR. For marketing purposes typically the data subject’s consent or the controller’s legitimate interest can serve as legal ground for the processing. For sensitive or criminal data other legal grounds apply (Art 9, 10 GDPR).
Please note that special requirements may apply to the processing of personal data in relation to children (e.g. Art 8 GDPR).
When acting as controller, you are responsible for showing a correct and legitimate legal ground for each processing activity.
5. Requirements for a valid consent
For valid consent, data subjects must be transparently informed about, inter alia, (i) what data will be processed, (ii) by whom, (iii) the purposes of the processing, and (iv) the right to withdraw their consent at any time with effect for the future. Additional, active consent may be required e.g. for marketing activities, cookies or newsletter registrations. If consent is not obtained in a valid form (e.g. initial consent does not cover marketing or analysis purposes), the processing activity may be unlawful and subject to sanctions.
6. Documentation requirements
Datahive 360 enables you to collect and report data from various services. As such, Datahive 360 only processes personal data already provided by other services used by you. It should be ensured that existing documents (e.g. privacy notices, records of processing activities, consent forms) are updated to include the purposes pursued within Datahive 360 (i.e. marketing analysis).
7. Data subject rights
Data subjects have specific rights regarding their personal data, such as access, correction, deletion, objection etc. (see Art 15 – 22 GDPR). As controller, you are responsible for ensuring that data subject requests exercising these rights can be fulfilled in due time and in compliance with the applicable data protection provisions.
With respect to Art 22 GDPR, Datahive 360 does not currently allow for automated individual decision-making processes. Should Datahive 360 enable such features in the future we will notify you accordingly.
8. Personal data warning and connected services
When you intend to configure data connectors that may process personal data, you are likely to receive a notification outlining additional information regarding a data protection friendly use of these connectors and whether consent of the data subject is likely to be necessary. Additional features to anonymize or pseudonymize personal data will be made available and it is within the controller’s responsibility to apply them. More information on anonymization and pseudonymization features can be obtained by contacting Datahive 360’s support team at firstname.lastname@example.org.
As a customer, you are responsible for using only services that are compliant with data protection laws. When connecting custom databases or third party services with generic APIs, special caution is necessary to only process such personal data that has been obtained lawfully and for the intended purpose.
Datahive 360 gives you the tools to select privacy friendly settings and process personal data only on a need-to-know basis (see point 9 below). The connectivity page of the connected service contains links to the websites of the connected service. It is recommended to follow the privacy guidelines published there as well.
9. Technical and organizational measures for data security
Datahive 360 assists you with the implementation of appropriate technical and organizational measures for data security (see Art 32 GDPR). You may use the following features to add to a data protection friendly use of the platform:
- User access restrictions,
- Usage logs,
- Configuration of data retention schedules, and
- Pseudonymisation or anonymization of data.
10. User access restriction and roles
In accordance with the principles of integrity and confidentiality, access to personal data shall be restricted and secured to prevent unauthorized disclosure or use of personal data. Within Datahive 360, appropriate user roles and access authorization should be set up to limit access to personal data to persons on a need-to-know basis (when sharing personal data with your employees as well as third parties).
Further, personal data will only be processed for the purpose they were collected for unless processing is necessary for compliance with a legal obligation. A compatibility test according to Art 6 (4) GDPR must be conducted in such a case.
11. Usage logs
In order to maintain the security, confidentiality and functionality of Datahive 360, activities and interactions with the product and the contained data are recorded in a usage log. This usage log may contain personal data of users such as usernames, IP addresses, timestamps and actions taken. Additionally, cookies are placed when using Datahive 360 (i.e. when used by your employees) for these purposes and the functionality of the browser session. The use of usage logs also requires a legal ground and legitimate purpose for processing (e.g. investigating unauthorized data accesses or data protection incidents). Also, you may have to inform your employees and customers of such processing activities.
Datahive 360 does not have access to these usage logs unless you require our further assistance within the service contract and provide us with this information (such access may require further data protection measures).
12. Retention schedules
Datahive 360 will allow you to adjust data retention periods and set up regular deletion schedules. In accordance with data protection principles, storage of the data should be limited to the legitimate purposes. In this respect it may be helpful to use deletion schedules, defining the relevant timing for deletion, and to only retain anonymized summaries where possible.
Log files are generally kept for a period of three months. Beyond this time period log files will only be stored for the purpose of investigating irregularities or security incidents in our system.
13. Pseudonymization and anonymization of data
Besides the deletion of data, pseudonymization and anonymization may add further to the minimization of personal data. We recommend reviewing the pseudonymization and anonymization options when configuring connectors featuring personal data as they become available.
14. Confidentiality and data secrecy
Independent of their role as controller or processor, employers must impose data secrecy obligations on their employees (Art. 28 (3) lit. b, 29, 32 (4) GDPR; in The Netherlands: art. 47 AVG). Device management policies restricting data access or transfers, as well as prohibitions on mobile data storage and mobile access, can further reduce the risk of a breach of confidentiality. Employee training on data protection that increases employees’ data protection awareness may form an integral part of a company’s internal compliance efforts.
15. Transfer of personal data
When you transfer personal data to another (group) entity acting as controller, this also requires a legal ground as described above. Additionally, such transfers to non-EEA countries which do not have an adequate level of data protection may require additional measures to ensure data protection compliance (e.g. conclusion of EU Standard Contractual Clauses).
For any questions or remarks regarding this Data Protection Guideline please contact us at the following address:
P.J. Oudweg 4
Chamber of Commerce registration number: 39075117