GDPR (General Data Protection Regulations) went live on the 25th of May 2018. Vercom S.A. in obliged to implement any relevant and essential changes for its applications, as well as its websites, until this day. The text below lists and describes all the actions that were and will be undertaken by the company in order to be consistent with the regulations, as well as information for users in their context.

What actions are being undertaken by Vercom in order to be consistent with GDPR?

Vercom S.A. have set an aim of meeting all GDPR requirements concerning personal data protection of application users, website visitors and people receiving e-mail or SMS messages.

Here are this we did, or that are subjects to change in the near future:

  • get familiar with the full text of the regulations (COMPLETED);
  • attend trainings in matters of law (COMPLETED);
  • conscript a data protection specialist (COMPLETED);
  • warranty that Vercom’s users and subscribers personal data are well protected (COMPLETED);
  • draw up a list of all website sections that must be changed in order to be compatible with the regulations (COMPLETED);
  • implement essential changes in our Privacy Policy, terms of service provision, documents concerning safety and protection (COMPLETED);
  • draw up a register of all areas of data processing, personal data collection and applications that must be changed in order to be compatible with the regulations (COMPLETED);
  • make all essential changes in applications in order to ensure compatibility of all users with GDPR while executing services (COMPLETED);
  • make all essential change on the website in odert to ensure that all GDPR regulations are obeyed (COMPLETED);
  • apply pseudonymisation for the purpose of protection of users data, which do not need to be stored in their original form (COMPLETED);
  • implement information security management system based on ISO27001 (COMPLETED);
  • educate our users in matters of electronic communication with clients on the basis of GDPR (COMPLETED).

What is Vercom’s role in data protection?

Vercom declares itself as:

  1. data administrator in relations to users (clients) and Vercom’s mailing list subscribers;
  2. processing entity (processor) in relations to data entities, that personal data were sent to Vercom and used in messages send by users (admins) in matters of provided services.

This means that as a company we supervise a few matters:

  • Vercom is obliged to inform its users and subscribers of mailing lists in case, when a third party participates in personal data processing.
  • Vercom is obliged to promptly inform data’s administrator (user) in case when a person from his/her potential mailing list contacts Vercom with a request to cease data processing.
  • Vercom openly informs about a „right to be forgotten” and a „right to access, amend and update data” at a special request. As a user or Vercom’s mailing lists subscriber you can request an amendment or removal of personal data. Detailed instruction on how to exercise those rights can be found below in a policy compliance with GDPR section such as Adequacy, Accuracy and Limitation. Vercom will deal with every GDPR violation reported to rodo@verom.pl.

What is GDPR?

General Data Protection Regulation (GDPR) was introduced by the European Union in order to regulate the way of personal data processing. It aims to improve EU citizens data protection.

Why did the need for GDPR arise?

EU regulations concerning personal data protection were not changed for over twenty years. There are at least two reasons because of which EU’s legislative body decided to improve the aforementioned regulations:

  • Technological progress has a global range – personal data processing is so common in today’s, online world, that existing laws became outdated;
  • Attempt to meet EU citizens’ needs – according to Eurobarometer 75% of people from 2011 survey want to exercise the so called right to be forgotten. However 90% of people think, that regulations concerning personal data protection should be standardized (source).

What kind of information is protected?

GDPR’s aim is to protect natural persons and their rights. It does not protect businesses, entities or organizations and the processing of their data.

The regulations protect personal data processing, such as name, age, address, phone number, but also indirect identifications, which have an influence on their identity, including psychological, mental, physical, genetic, economic, cultural and social identity. In general it protects all information based on which it is possible to identify a person.

What is „processing”?

„Processing” refers to collection, registration, organisation, structuration, adaptation or modification of data, as well as to search, consultation, use, reveal by transmission, export or disclosure in any other way, adaptation or linkage, restriction, removal or destruction of personal data, in compliance with Art. 4 paragraph 2 of GDPR.

What are the legal foundations of data processing?

In order to safely and legally process personal data in light of GDPR, it is essential to obey a few regulations such as: compliance with the law, honesty, transparency, adequacy, relevance, limitation, accuracy, storage constraints, integrity and confidentiality.
Read the text below to find out what Vercom does to obey these rules and what you should or should not do to use our services in compliance with GDPR.

Legality, honesty and transparency

As a company that processes data, Vercom makes sure that its actions are kept transparent and compliant with the regulations, when users’ and subscribers’ data are being processed. All Vercom users and subscribers upon registration receive information that their personal data will be processed as described in Terms & Conditions of Use and Privacy Policy.

As an administrator of data that you entrust us, you should make sure that your actions are transparent and that the purpose of their processing in legal. This means that reasons’ validity for personal data processing of EU citizens needs to be proven every-time. In compliance with GDPR’s accountability principle you should be able to easily describe the whole collection process of personal data, that you want to process.

Adequacy, relevance, limitation

As a personal data processing entity, Vercom processes only data essential to realization of aims, which were appointed by our services’ users (data administrators). We do not collect nor process any sensitive data, such as race, ethnicity, political views, religious or world-view beliefs etc.

Vercom processes its users personal data when they have a registered account with its service (test account or actual account) or until a personal data removal request, from our database, is filed in, unless it is required by a warranty period or other legal regulations.

Vercom processes its subscribers personal data since the sign up to one of our mailing lists until a personal data removal, from personal lists, request is filed in.

Upon resignation from Vercom’s services or mailing lists subscription, a user has a right to demand an immediate removal of his/her data from applications list and addresses lists (in compliance with “the right to be forgotten”). Users and mailing lists subscribers also have a right to look over, update and amend their personal data in their account and e-mail subscribers mailing lists.

How can Vercom users amend or delete their personal data from the service?

As a Vercom user you can change your name, surname, e-mail address and password at any given time after you log into your account. In order to do this login to the panel. In case of problems contact our technical support team – rodo@vercom.pl

Service users can also request the removal of their data by contacting our technical support team – rodo@vercom.pl

How can Vercom mailing list subscribers amend or delete their personal data?

As a Vercom mailing list subscriber, you can change your personal data on the subscribers list by clicking on a special link placed in every message.

You can also unsubscribe from any list by clicking a link located at the bottom of every message. If you want to be removed from all mailing lists, answer to any of the messages and inform that you want to be removed from all of Vercom’s mailing lists.

Accuracy

As a user or Vercom mailing lists subscriber you have a right to amend your personal data that are being processed by Vercom. Privacy Policy details how to request changes or where to implement them personally.

As a data administrator you have to make sure that all processed data are up-to-date. Personal data that are inaccurate or outdated should be delated or changed immediately.

Storage constraints

Vercom keeps each user’s personal data no longer that it is necessary to achieve aims, for which the personal data are being kept. Thereby each personal data owner can request his/her data to be kept for processing for a specified period of time.

As a data administrator, you have to make sure that you do not keep personal data longer that it is necessary to achieve aims, for which the personal data are being kept.

In case of cold e-mail campaigns, data of people who do not respond, for a longer time than it is expected, should not be processed. Namely, data should be removed one month after first attempt of contact with the person to whom the data belongs. This means that database will always be up-to-date.

Integrity and confidentiality

As a company that processes data, Vercom processes users personal data in a way that ensures right personal data security. More information on data processing can be found in our document concerning security. As data administrator you are obliged to care for safety of personal data that is being processed. Never share personal data, which you process, with third parties. Unless you received a consent form people to whom the data belongs.

Last update: 24th of April 2018