GDPR Statement

Last Updated: Date 1 September 2018

General Data Protection Regulations (GDPR)

WhosOnLocation’s approach has always been with a strong commitment to privacy, security, compliance and transparency. This approach includes our customers’ compliance with EU data protection requirements, including those set out in the General Data Protection Regulation (“GDPR”), which is enforceable on May 25, 2018.

Please note as part of our GDPR programme we apply GDPR security and privacy principles to all data not just EU personal data. That way, You will be well positioned with data protection regulatory frameworks around the world.

You can download our GDPR Statement here

Definitions

There are several definitions You must be aware of in relation to WhosOnLocation’s compliance with GDPR. The most important is the difference between a ‘Data Controller’ and a ‘Data Processor’. Below we provide You with clarity on both, along with other definitions, as this is extremely important to avoid some ambiguity about responsibilities.

Data Controller

The Data Controller is an individual or legal entity that determines (controls) the purposes and the means of the processing of personal data about a Data Subject (a visitor, employee, or contractor). This determination can be done alone or jointly with others.

If You are a user of our visitor, contractor, employee, or evacuation management services, You, our customer, will be the ‘Data Controller’ and WhosOnLocation will be acting on our customer’s behalf and will therefore be acting as our customer’s “Data Processor”.

WhosOnLocation is also a Data Controller as it collects and processes its customers data for sales, service delivery, invoicing, customer relationship management and direct marketing.

Data Processor

A Data Processor is responsible for processing personal data on behalf of a Data Controller. In the context of our Customers use of our services Data Processor means Us, WhosOnLocation Limited.

As the Data Processor our details are:

WhosOnLocation Limited
Level 2, 181 Vivian Street
Te Aro
Wellington 6011
New Zealand

Legal Registration Identifiers:

  • Company Number: 1504552
  • NZBN Number: 9429035439646

Contact Details

  • Australia: 1300 106 541
  • Canada: (800)-501-1761
  • New Zealand +64 (04) 891 0886
  • United Kingdom: 0808 189 1412
  • United States: (800)-501-1761
  • Global: +64 4 891 0886
  • Email: info@whosonlocation.com

Data Subject

A Data Subject means the ‘visitor’, or contractor, or employee who has data about them  collected and controlled by the Data Controller; (Name, organization, email, mobile, etc.). The Data Controller may capture data from a Data Subject directly, or the Data Subject may submit data to the Data Controller; but in both cases the Data is captured using our application service.

Personal Data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person (Data Subject) who can be directly or indirectly identified in particular by reference to that personal data.

We define the scope of Personal Data, both non-sensitive and sensitive, in relation to its capture and use by the Data Controller below.

In-scope Personal Data (non-sensitive)

The following personal data information from Data Subjects (visitor, employees and contractors) are processed by WhosOnLocation on behalf of the Data Controller:

  • Full Name
  • Email address
  • Cell Phone (Mobile)
  • Phone
  • Title/Position
  • Department
  • Organization
  • Host (who are they visiting)
  • Purpose of visit
  • Car parking information (vehicle registration, car park space)
  • Records of qualifications and certificates
  • ID Verification (ID card type, reference etc.)
  • Date and time a visitor, employee, or contractor entered and departed at the site
  • Location data

In-Scope Personal Data (sensitive)

  • Photo Capture (could identify the ethnicity or religious association of the Data Subject)
  • Need Assistance (identifies whether a Data Subject has a disability)

Note: Custom questionnaires can be enabled by the data controller (Customer) to capture any additional information required. Additional personal information may be collected depending on what the data controller requires in these customer questionnaires.

The rights of the Data Subject when You, our Customer, are the Data Controller

WhosOnLocation has documented and will follow its procedure for responding to GDPR requests to support its Data Controller in the event an individual exercises their Data Subject rights:

Data Subject Right Description How WhosOnLocation Supports this right
The right of access Data Subjects have the right to obtain confirmation that their personal data is being processed, access to their personal data and information on the processing. Data Controllers have access to captured data about any Data Subject via the application’s reporting tools. Data can be exported and shared with the Data Subject on request.
The right to erasure; Personal data shall be erased without undue delay if:

  • the personal data is no longer necessary to achieve the purposes for which it was collected or otherwise processed;
  • the Data Subject withdraws consent;
  • the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • it was unlawfully processed (i.e. otherwise in breach of the GDPR);
  • it has to be erased in order to comply with a legal obligation; or
  • it is processed in relation to the offer of information society services to a child
Data controllers (or WhosOnLocation on the data controllers behalf) will be able to delete specific records from their live instance either in bulk or record by record. There is a setting to enable “auto removal of records after x number of days” to automatically remove all visitor information after a certain length of time has passed. Once a record is removed from their live instance, it will no longer be available to be reported on or be visible to anyone with access to their WhosOnLocation account
The right to object; Data Subjects have the right to object to the processing of personal data on grounds of the Data Subject’s situation.
  • WhosOnLocation, as the Data Processor, only perform very high-level metrics on visitor information such as total numbers processed over what time period. Personal data is not processed and used for profiling, direct marketing or research and statistic purposes.
  • However, if a data subject wishes to exercise its right to object, WhosOnLocation or its data controllers can perform the “Right to Erasure” process above to permanently delete the personal data so it won’t be further processed.
  • Data Controllers can also show a waiver (optionally with signature required) to visitors who You require consent from.
The right to rectification; The Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Data Controllers (customers) can rectify personal data stored within the application.
The right to restrict processing; Allowing site administrators to enable an option for visitors to “Do not remember me” during the sign in process. This will prevent the returning visitor feature for this visitor’s subsequent visits.
The right to data portability; The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided Data Controllers have access to captured data about any Data Subject via the application’s reporting tools. Data can be exported and shared with the Data Subject on request.
The right not to be subject to automated decision-making including profiling. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. WhosOnLocation as a data processor does not perform automated decision-making including profiling but data controllers can set up rules that consists of conditions that when met can trigger an action based on the rule being met. There is a reliance on the data controller to ensure any automated individual decision making they perform are in accordance to the GDPR’s requirements

 

Lawfulness processing and Consent

GDPR specifies the need to have consent obtained before using personal information for specific purposes.

WhosOnLocation does not collect personal information directly from the Data Subjects. It only processes information on behalf of the data controller. The requirement of gaining consent is the responsibility of the data controller. The data controller must ask for the Data Subject’s consent prior to collecting any personal information.

WhosOnLocation’s customers (data controllers) decide under what circumstances require a waiver (or Privacy Statement) to be acknowledged prior to signing into a location. Once signed in, if a Data Subject (visitor, contractor, or employee) has signed a waiver, the waiver can be shared with that Data Subject if the Data Controller applies ‘sharing’ settings. The Data Controller can also access a report on specific Data Subject and provide this information to the Data Subject on request.

Processing of special categories of personal data

WhosOnLocation (as the Data Processor) does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, health data, sexual orientation data, or trade union membership, for the purpose of uniquely identifying a natural person. However we may process biometric data if the Data Controller captures it as part of their use of the application but only where the Data Subject has given explicit approval prior to such data being captured and processed or any other circumstance permitting such processing under Article 9 of the GDPR.

Personal Data Breach Notification

The GDPR requires the data processor to notify the personal data breach to the data controller without undue delay and to the supervisory authority not later than 72 hours after having become aware of the personal data breach unless it is unlikely to result in a risk to the rights and freedoms of natural persons.

WhosOnLocation’s Information Security and Privacy Incident Management process has been updated to ensure that in an event of a data breach, the data controller and supervisory authority are notified within the required period.

The notification will contain relevant information including the nature of the personal data breach and likely consequences of the personal data breach, etc.

Transfer of Personal Data to a third country

International transfers and processing of personal information must fulfil requirements laid down in the GDPR. Data transfers to countries whose privacy arrangements (laws, regulations, official compliance mechanisms) are compliant with GDPR do not require official authorisation or specific additional safeguards.

WhosOnLocation’s server regions are in United States, United Kingdom, Australia, Canada and New Zealand.

The European Commission has recognised Canada (commercial organizations), New Zealand, the US (limited to the Privacy Shield framework) as providing adequate protection.

The UK government has committed itself to ‘maintaining the stability of data transfer between the EU Member States and the UK’ after Brexit, in its White paper.

Data Protection by design and by default

The GDPR specifies the requirement to implement appropriate technical and organisational measures to ensure compliance with GDPR and protect the rights of the Data Subjects.

  • WhosOnLocation adheres to security guidelines and standards defined under OWASP and Sarbanes-Oxley Act (SOX).
  • 3rd Party Penetration tests and vulnerability scans are routinely run by both WhosOnLocation customers and an independent third party on behalf of WhosOnLocation.
  • For physical data hosting, WhosOnLocation chooses data hosts who have ISO 27001 certification.

The GDPR specifies the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, considering the nature, scope, context, purposes of processing and the risk to the rights of freedoms of natural persons.

WhosOnLocation takes technical and organisational security measures such as, but not limited to:

  • Secure Application Development in accordance with OWASP guidelines
  • 3rd Party Penetration tests and vulnerability scans
  • Controls Audit
  • Physical Security
  • Security awareness training for all WhosOnLocation staff.
  • Access Controls
  • Password Management System
  • Information Security Policies
  • Encryption of Data in Transit
  • Information Security and Privacy Incident Management
  • Staff Vetting
  • Human Resource Security
  • Event Logging, Alerting, and Auditing
  • Media Engagement Strategy
  • Contractual Agreements and SLAs
  • Hardening of Systems, Network Devices and Applications
  • Backup and Restore
  • Media Sanitization and Disposal

WhosOnLocation is also implementing an ISO 27001 information security management system (ISMS) and expects to be certified in late 2018 early 2019.

Data Protection Officer (DPO)

The GDPR requires that you appoint a representative in the EU.

WhosOnLocation has appointed a DPO who will be responsible for setting up policies, reviewing Data Protection Impact Assessment reports, monitoring compliance with the GDPR, and all tasks listed in Article 39.

Contact:
The Data Protection Officer
WhosOnLocation Limited
Email: dpo@whosonlocation.com

Data Protection Representative (EU)

The GDPR specifies Under Article 27 of the General Data Protection Regulation (GDPR), an organisation with no establishment in the European Union, and which processes the personal data of people inside the EU, must appoint a Data Protection Representative in the Union to allow individuals and local data protection authorities to have a contact in the EU.

Whosonlocation Limited, which processes the personal data of individuals in the European Union, in either the role of ‘data controller’ or ‘data processor’, WhosOnLocation has appointed a DPR Group as its Data Protection Representative for the purposes of GDPR. DPR Group are based in Ireland and gives us Contact locations in all 28 EU member states. The contact details for DPR Group HQ are:

DPR Group

Office 29, Clifton House
Fitzwilliam Street Lower,
Dublin, Ireland
contact@dpr.eu.com

If you want to raise a question to Whosonlocation Limited, or otherwise exercise your rights in respect of your personal data, you may do so by:

  • sending an email to DPR Group at datainquiry@dpr.eu.com quoting <Whosonlocation Limited> in the subject line or;
  • by contacting us on our online webform at dpr.eu.com/datarequest or
  • by mailing your inquiry to DPR Group at the most convenient of the addresses below:
Country Address
Austria DPR Group, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium DPR Group, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria DPR Group, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia DPR Group, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus DPR Group, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic DPR Group, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
Denmark DPR Group, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia DPR Group, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland DPR Group, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France DPR Group, 72 rue de Lessard, Rouen, 76100, France
Germany DPR Group, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece DPR Group, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary DPR Group, EMKE Building, Rákóczi Út 42, Budapest, 1072, Hungary
Ireland DPR Group, Phoenix House, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy DPR Group, BPM 335368, Via Roma 12, 10073 , Turin, Italy
Latvia DPR Group, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Lithuania DPR Group, Vilniaus g.31, Vilnius, LT- 01402, Lithuania
Luxembourg DPR Group, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta DPR Group, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands DPR Group, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Poland DPR Group, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal DPR Group, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania DPR Group, World Trade Centre, Piata Montreal no 10, Entrance F, 1st Floor, Sector 1, Bucharest, 11469, Romania
Slovakia DPR Group, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia DPR Group, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain DPR Group, Puerta de las Naciones, Ribera del Loira 46, Madrid, 28042, Spain
Sweden DPR Group, S:t Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden
United Kingdom DPR Group, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom

 

PLEASE NOTE: when mailing inquiries, it is essential that you mark your letters for ‘DPR Group’ and not ‘Whosonlocation Limited’, or your inquiry may not reach us. Please refer clearly to Whosonlocation Limited in your correspondence.

On receiving your correspondence, Whosonlocation Limited is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

If you have any concerns over how DPR Group will handle the personal data we will require to undertake our services, please refer to our privacy notice at https://www.dpr.eu.com/legal-privacy.

Third Party Subprocessors and Subcontractors

WhosOnLocation Limited (“WhosOnLocation”) uses certain subprocessors, subcontractors and content delivery networks to assist it in providing the WhosOnLocation Services as described in the Master Subscription Agreement (“MSA”).

WhosOnLocation maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data, which is available to our Customers and can be found here. The list also may be obtained by contacting dpo@whosonlocation.com.

How WhosOnLocation helps You meet your GDPR Compliance

WhosOnLocation offer several settings to help your organization meet its GDPR (General Data Protection Regulation) compliance. We have given you the tools to meet these standards through a combination of existing and new features.

Learn more in our Helpdesk

Our Commitment to Security and Privacy

Fulfilling our privacy and data security commitments is important to us. We are committed to:

  • Continuing to invest in our security management program
  • Making sure we have the appropriate contractual terms in place
  • Product offerings that include new tools for data portability and data management

We’ll update customers on any changes to our Privacy Policy.

For more information or any questions please email dpo@whosonlocation.com

GDPR Statement.pdf

© WhosOnLocation 2018