General Data Protection Regulation (GDPR) Policy
See also: Terms of Use Policy, Privacy Policy
This policy was last modified on 5 August 2018.
Updates to this Policy are listed at the end.
Background
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.
The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation contains provisions and requirements pertaining to the processing of personally identifiable information (personal data) of individuals inside the European Union and applies regardless of an operation’s location and the data subjects’ citizenship. Controllers of personal data must put in place appropriate technical and organisational measures to implement the data protection principles. (See GDPR Policy 1 below)
Handling of personal data at all stages of the process must provide effective safeguards to protect data. (See GDPR Policies 2, 3 and 4 below)
Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to appoint a data protection officer (DPO), who is responsible for managing compliance with the GDPR. (See GDPR Policy 5 below)
The highest-possible privacy settings are to be used by default. (See GDPR Policies 6 and 7 below)
No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. (See GDPR Policy 8 below)
Data protection also requires safeguards to protect data from unauthorised access and to ensure personal data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. (See GDPR Policies 9 and 10 below)
Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to see their personal data or revoke consent under certain circumstances at any time. (See GDPR Policies 11 and 12 below)
Erasure of personal data does not imply erasure of all data relating to that data subject. Erasure of personal data ensures an individual’s data is de-identified or cannot be isolated. Some data may still be required to be kept for historical, analytical or legislative requirements. (See GDPR Policies 13 and 14 below)
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing (see GDPR Policies 15 and 16 below), and state how long data is being retained (see GDPR Policy 17 below).
Sharing of personal data with any third parties, or transfer of personal data outside the EU, is to be disclosed. (See GDPR Policies 18, 19 and 20 below)
Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy. (See GDPR Policy 21 below)
GDPR Policies
Know1 Pty Ltd (including WIKID POWER and DQ) strives to be compliant with GDPR and has instituted the following policies and actions.
Compliance
- Know1 Pty Ltd (including WIKID POWER and DQ) are to be organisationally and technically compliant with GDPR:
a. Laws
b. Principles
- Sub-contractors are required to be compliant with GDPR.
- Website plug-ins and modules are only used if compliant with GDPR.
- GDPR testing of requests for data and of de-identification has been conducted and passed.
Data Protection Officer (DPO)
- The DPO is the Managing Director.
Security and Encryption
- Websites are secured and encrypted using the Secure Sockets Layer (SSL).
- Personal data collection code / programs / modules / forms are additionally encrypted.
Personal Data
- Consent to collect personal data is required as a mandatory check prior to data collection.
- Measures are taken to ensure personal data is secure from unauthorised access.
- Making personal data available publicly requires explicit consent.
- The process to request and export data has been implemented.
- The process to erase personal data has been implemented.
Erased Data
- When personal data is erased, all other data is kept as a record for historical and reporting purposes. For instance:
a. a test result is kept, but de-identified against any individual.
b. de-identified demographics are kept with test results to analyse population patterns.
- In place of personal identifiers, replacement identifiers such as a number may be installed.
Basis of Data Collection
- The legal basis for the collection of personal data is the provision of a requested service, whether paid or free.
- Although there is a legal basis to collect personal data – to fulfil contractual obligations with a data subject – compliance with GDPR is still implemented.
- Personal data collected is retained until requested or required otherwise. Whilst stored and retained, it is still subject to all GDPR and other legislative requirements for data protection.
Sharing of Personal Data
- Sharing of personal data may be within or outside the EU and is to be in accordance with the GDPR requirements and this policy.
- Data may be shared for research purposes in accordance with GDPR and this policy.
- Data may be shared with third parties to deliver contractual services in accordance with GDPR and this policy.
Breaches of Protection
- Data protection breaches that have an adverse effect on user privacy will be reported to affected users within 72 hours.
Updates
Please contact us with any questions regarding this document.
- 5 August 2018: We have updated our General Data Protection Regulation Policy. Please read this Policy carefully.