Data Protection Policy and Privacy Notice
IAM Inventories is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using our software, then you can be assured that it will only be used in accordance with this privacy statement.
IAM Inventories may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from January 2019 and was last updated in November 2019.
What we collect: We choose to use legitimate interest as the legal basis for processing signed-up customer data, and use a consent basis for gathering and processing new/prospect data.
The lawful basis under which IAM Inventories operates for processing customer data is one of “contractual necessity”, whereby processing personal data is necessary in order that you can enter into a contract with IAM Inventories. Our Service requires you to actively submit information in order for you to benefit from specific features (such as receiving an inventory report). You will be informed at each information collection point what information is required and what information is optional. Some of this information may be personal (information that can be uniquely identified with you, such as your full name, address, email address, phone number etc.). We only collect such information when you choose to supply it to us.
We will also collect and store the following information as it relates to your use of IAM Inventories Services:
- Name and job title
- Contact information, including email address
- Demographic information, such as postcode
- Other information relevant to customer surveys and/or offers
Where IAM Inventories receives any personal data (as defined by the General Data Protection Regulation) (“the Act”)) from a Client, IAM Inventories shall ensure that it fully complies with the provisions of the Act and only deals with the data to fulfil its obligations under the contract.
What we do with the information we gather: We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
We process the information for customer day-to-day commercial requirements.
Internal record keeping.
- We may use the information to improve our products and services.
- We may periodically send emails about new product features, updates or other information which we think you may find interesting using the email address which you have provided.
- From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, or mail. We may use the information to customise the website according to your interests.
We also store your information on a Customer Relationship Management (CRM) database, which may be held outside of the EEA (European Economic Area). The CRM system we use is a certified member of The EU-US Privacy Shield Framework. This framework provides EU and US companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The GDPR does not require that personal data of EU citizens remain exclusively in the EU, but it does have some requirements for such transfers, and as such the CRM system we use is fully GDPR compliant.
Security: IAM Inventories takes your privacy very seriously. IAM Inventories does not sell or rent your contact information to other marketers without your permission. We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online, in person, via email or telephone conversation.
Right of access: IAM Inventories has an established process to recognise and respond to individuals’ requests to access personal data. Requests for personal data should be made via email to firstname.lastname@example.org, clearly stating the individual’s full name, email address and account name, so the user and account can be clearly identified. The information will be provided electronically and free of charge within 10 working days.
Data portability: PDF reports created via out third-party inventory report provider are freely available and accessible for customers and users to access at any time.These reports can be downloaded and stored as required.
Requests for account data stored with IAM Inventories should be made via email to email@example.com clearly stating the individual’s full name, email address and account name, so the user and account can be clearly identified. The information will be provided electronically in a structured, commonly used and machine readable format, free of charge within 30 working days.
Access to customer content: As an inventory report provider our third party company store information in the cloud using Amazon Web Services (AWS) servers. AWS does not access any third-party data or content except as necessary to provide IAM Inventory with Inventory Services reports. AWS does not access IAM Inventories or our third-party provider’s content for any other purpose.
AWS does not know what content IAM Inventories or our third-party provider has chosen to store on AWS and cannot distinguish between personal data and other content, so AWS treats all customer content the same. In this way, all content benefits from the same robust AWS security measures, whether this content includes personal data or not. AWS simply makes available the computer, storage, database and networking services selected by our third-party provider with best-in-class security measures applied to the cloud infrastructure provided by AWS.
Our third-party provicer does not access IAM Inventories customer data except as necessary to provide that us with technical support and to help with any account issues, where access to the account is required to carry out that support. IAM Inventories and our third-party provider implements appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
When a IAM Inventories customer uses the services of IAM Inventories, they are agreeing to supply and add information relating to their property portfolio including but not limited to: landlord name, property address, landlord email address, landlord telephone number, tenant name, tenant email address, tenant telephone number and property photographs. This information has a specified, explicit and legitimate purpose. IAM Inventories will not process this data for any other purpose and it will not be passed to any third parties. IAM INventoris customers are ask for this data at any time, and can ask to delete specific information as required or delete their third-party Inventory Report provider account if required.
IAM Inventories customers should make sure they have the necessary robust data controller procedures in place for GDPR purposes, and inform their customers where and how their data is processed. (See GDPR section)
Customer data retention and deletion: If an IAM Inventories customer decides to end their subscription to IAM Inventories services, the third-party inventory reporting account will be disabled after a 60 day notice period. Users in that account will no longer be able to gain access to the account and reports beyond this point. In case a customer decides to reactivate their account and wants to access their account history, IAM Inventories will give permission to the third-party provider to store the account data (reports, photographs, property addresses, landlord and tenant details) securely for a period of 12 months and then IAM Inventories will delete the data permanently from IAM Inventory records and third-party servers. Alternatively, reports and photos can be retained for view access only with the Hibernate Plan. Please contact IAM Inventories for more information.
IAM Inventories has effective processes to identify, report, manage and resolve any personal data breaches.
Our third-party inventory report provider controls its own AWS access keys and determines who is authorized to access their AWS account. AWS does not have visibility of access keys, or who is and who is not authorized to log into an account. They monitor and control use, misuse, distribution or loss of access keys.
In the event that a data breach does occur and is likely to result in adversely affecting individuals’ rights and freedoms, we will inform any affected customers immediately and notify the ICO of a breach within 72 hours of becoming aware of it. We will also keep a record of any personal data breaches, regardless of whether we are required to notify.
Subcontractors: IAM Inventories uses a number of third party subcontractors to assist with the provision of its service. Our subcontractors do have access to customers’ content, but only where it is required to assist with technical and support issues. IAM Inventories only uses subcontractors that we trust and we use appropriate contractual safeguards which we monitor to ensure the required standards are maintained.
These pieces of information are used to improve services for you through, for example:
- Enabling a service to recognise your device so you don’t have to give the same information several times during one task
- Recognising that you may already have given a username and password so you don’t need to do it for every web page requested
- Measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast
- We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. You can manage these small files yourself and learn more about them through Internet browser cookies – what they are and how to manage them.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Controlling your personal information
You may choose to restrict the collection or use of your personal information.
The lawful basis under which IAM Inventories operates for processing data is firstly one of “contractual necessity”, whereby processing personal data is necessary in order that you can enter into a contract with IAM Inventories. When a new account sets up in IAM Inventories an email address is required to activate the account. By submitting your personal data, you are consenting to receiving email communications from IAM Inventoreis regarding software and product updates. However you can opt-out of receiving further email communications at any time, by using the opt-out option in the emails you receive.
IAM Inventories also processes data on a “legitimate interests” basis, where we use customer data in ways that customers would reasonably expect, that are non- intrusive and which have a minimal privacy impact.
We will not sell, distribute or lease your personal information or the data you add to your IAM Inventories account to third parties under any circumstances.
You may request details of personal information which we hold about you under the General Data Protection Regulation. If you would like a copy of the information held on you please contact us on the address below, or email firstname.lastname@example.org
Personal data: Any personal data provided to IAMinventories will be held strictly in accordance with the GDPR Regulations.
Data controller: A data controller is an inventory clerk who is directly employed by a client. The clerk is responsible for handling that personal data and responsible if the data is passed to a third party (eg estate agent).
If a data breach occurs the clerk is responsible as the data controller and may have to report the breach to the ICO within 72 hours.
Data processor: A data processor is an inventory clerk who is given data not directly by the client but by a company a client has employed (eg estate agent). In this case, the client would be the data controller and the clerk the data processor. If the clerk sends the personal information to the wrong person and a breach occurs they would need to inform the Data Controller of the breach and possibly report it to the ICO within 72 hours.
Other organisations: We must ensure that any organisation who we pass personal data to and receive personal data from are GDPR compliant. It is recommended that we sign an agreement regarding the processing and breach reporting procedures with them.
Data storage: We must have a legal reason to store personal data otherwise we require consent. By consent, we will collect any personal data when you register to use our services as an individual. If data is provided by a third party we will be the data processor.
If the information relates to addresses then we will store information by address. We must delete the personal data if we do not have a legal basis or consent to store it. If there is a legal claim then we have a legal basis to store the information. If we store personal data we must have a retention period clearly stated and obtain consent.
Data must only be stored digitally on telephones or electronic items such as tablets or laptops which are password protected or encrypted.
Subject action requests: Must be processed within 30 days for no fee.
New systems: We must carry out a risk assessment of any new/existing data systems that may risk the rights and freedoms of individuals and design new systems to be private and secure.
HR and Personnel: The same processing factors must be considered when processing employee personal data. Standard data under contract in article 6 and special category data must only be processed with consent under Article 9.
Legal basis for processing data: Article 6 To process personal data one condition from Article 6 must apply.
- Consent (Individual has given clear consent for you to process their personal data for a specific purpose).
- Contract (Necessary for a contract you have with the individual)
- Legal obligation (To comply with the law, not including contractual obligations)
- Vital interests (Protecting someone’s life) CCTV?
- Public task (Task in the public interest or a clear basis in law. Public authorities)
- Legitimate interests (Processing data in ways you would reasonably expect with minimal privacy impact on individuals rights and freedoms)
Special Category Data – Sensitive Data
- Racial ethnic origin
- Political Opinion
- Religious or philosophical beliefs
- Trade union membership
- Genetic Data
- Biometric Data
- Sex life
- Sexual orientation
We will only share your data with our employees or subcontractors instructed by us to carry out any work in relation to your request. We will not use your data for any other purposes.
To process special category data we must have a condition under article 6 above and article 9 below
- Vital interests (Protecting someone’s life)
- Obligation underemployment, collective agreement, social security or social protection law
- Not for profit bodies (Carrying out legitimate activities within safeguards in place. Consent required for disclosure outside the organisation)
- Already made public
- Legal claims
- Substantial public interest
- Public health
- Archiving (In the public interest)
In most cases to process Special Category Data, we will need to use Consent as the other conditions do not generally apply.
- Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in
- Consent cannot be inferred from silence, pre-ticked boxes or inactivity
- Consent can be withdrawn at any time in writing either by email or letter
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing (inaccurate, unlawful, legal claim)
- The right to data portability (you return data after use on paper/memory stick etc.)
- The right to object (legitimate interests, research purposes – expect public task)
- The right not to be subject to automated decision-making including profiling
Our company is registered with the Information Commissioners Office and our registration number is ZA606170.
Data breaches: If a data breach occurs, we must ensure that every effort is made to rectify or mitigate the loss immediately.
All people concerned must be notified about the breach of their data within 24 hours.
Data breaches must be reported to the ICO within 72 hours only where it is likely to result in a risk to the rights and freedoms of an individual – if it could result in:
- Damage to reputation
- Financial loss
- Loss of confidentiality
- Any other significant economic or social disadvantage
Serious breaches phone 0303 123 1113
Email Data Protection Act (GDPR not available yet) security breach notification form to email@example.com
Date: 30th April 2019
Copyright © 2019 Carole Stacey | IAM Inventories Contact: firstname.lastname@example.org