Skynamo and General Data Protection Regulation
Version 3.2. Date 23 August 2018
Purpose of this document
This discussion document explores the application by Skynamo of the GDPR legislation and details the steps we have taken, and are planning to take, to ensure our current and continued observance of this legislation.
The Skynamo Software collects and processes Personal Data on behalf of Customers. Skynamo will be acting as a Data Processor in relation to the personal data it collects and in providing our services.
Skynamo believes that organisational compliance is a business process and must be continually addressed. It is not a ‘once and done’ box to be ticked, but a commitment to meet. Therefore, this document is an organic one that will change over time as we improve our understanding of how GDPR impacts our internal processes and those of our customers.
The purpose of this document is only to provide information on how the GDPR will apply to the Personal Data processed by Skynamo and is not intended to be contractually or legally binding in any way whatsoever, nor is it intended to constitute legal advice on your company’s compliance with the GDPR. Whilst Skynamo makes reasonable efforts to update the information included in this document, it makes no representations, warranties or guarantees that the content in the document is accurate, complete or up to date.
You are currently reading V3.2 of this document and it is subject to change without notice.
Please send any comment, questions or queries to email@example.com.
What is GDPR?
The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law which addresses data protection and privacy for all individuals within the European Union. This regulation came into effect on 25 May 2018.
There are seven key principles under the GDPR with which organisations must comply. These principles are:
1. Lawfulness, fairness and transparency;
2. Purpose limitation;
3. Data minimisation;
4. Accuracy;
5. Storage limitation;
6. Integrity and confidentiality (security); and
7. Accountability.
These key principles govern how organisations collect and process Personal Data. The GDPR also gives individuals certain rights over their Personal Data, it sets out when organisations may transfer Personal Data outside of the EU, and sets out how data controllers appoint and contract with data processors.
Essentially, the GDPR requires any entity that processes Personal Data to ensure that:
• the data is kept in a manner that is safe from unauthorised breaches;
• individuals have access to their data and can change or delete their data from the system should they wish to;
• there is a specific person appointed to make sure that the entity complies with the GDPR; and,
• entities are accountable in the way that they deal with individuals’ Personal Data.
How the Skynamo Business is set up in the EU
Skynamo (Pty) Ltd is a limited liability company incorporated according to the laws of South Africa with registration number 2012/052717/07 (“Skynamo South Africa”).
Skynamo Ltd is a limited liability company incorporated according to the laws of the United Kingdom with registration number 11039559 and ICO registration reference ZA358748 (“Skynamo UK”).
Skynamo South Africa contracted Skynamo UK to market and sell its software product in the UK and licensed it accordingly. Therefore, the data of the clients of Skynamo UK and of its Value Adding Resellers in the EU is stored and processed by Skynamo South Africa and by other sub-processors such as Amazon, SendGrid and Fabric.
In the provision of its service, Skynamo South Africa makes use of “sub-processors” to store and process Personal Data. Skynamo ensures that it includes appropriate GDPR compliant data processing provisions in its contracts with sub-processors. Clients will be notified if Skynamo South Africa appoints a sub-processor. As provided for in the GDPR, clients have the right to object to the appointment of a sub-processor.
Current list of sub-processors:
Why does Skynamo store and process Personal Data?
Skynamo is a field sales management platform and mobile sales app for sales managers and field sales reps. It tracks and analyses sales rep activities and provides sales history, stock, pricing and promotional information so that reps can make smarter decisions and sell more. To offer this service, Skynamo needs access to each client’s sales reps’ personal information.
Duration of the Processing:
The duration of data processing shall be for the term agreed upon by the client.
Nature and purpose of the Processing:
The scope and purpose of processing of the end users’ Personal Data is to facilitate the provision of Skynamo’s services and the use of the Skynamo software.
Types of Client Personal Data:
The Personal Data processed includes e-mail, live GPS tracking, documents and other data in an electronic form provided in the context of Skynamo’s services, which shall not include any ‘Special Categories’ of data.
Skynamo processes and stores the following levels of Personal Data as a service to our clients:
• Users’ Personal Data (names, contact numbers and monitoring of location)
• Contact persons of users’ customers (although customers are usually businesses, the customers’ contact information will usually contain the details of a contact person, e.g. the name, contact number and e-mail of the store manager).
Categories of Data Subjects:
Data subjects include the client’s representatives and end users including employees, contractors, collaborators, and client’s customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Skynamo’s services. The data subjects exclusively determine the content of data submitted to Skynamo.
Legal Basis for Processing
Data Controllers must have a legal basis for processing Personal Data and must satisfy themselves that they have an appropriate legal basis for processing. As required by the GDPR, Skynamo will only process customers’ Personal Data in accordance with the customer’s documented instructions.
Article 6 of the GDPR allows the following as legal bases for processing Personal Data. At least one of these must apply whenever an entity processes Personal Data:
1. Consent: the data subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
2. Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Vital interests: processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
5. Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Skynamo personnel will not process customer data without authorisation. Personnel are obliged to maintain the confidentiality of any customer data, and this obligation continues even after they have stopped working with Skynamo.
Data Privacy Contact
Skynamo has appointed a Data Protection Officer (“DPO”) to oversee Skynamo’s data protection program and ensure that Skynamo is GDPR compliant.
Name and contact info: Wim Morris, firstname.lastname@example.org
The duties of the DPO are to:
• inform and advise Skynamo and its employees of their data protection obligations
• monitor compliance with the GDPR
• provide advice about the data protection impact assessment and monitor its performance
• cooperate with the supervisory authority
• act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, about any other matter.
Technical and Organisational Measures
Skynamo has implemented and will maintain appropriate technical and organisational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction or alteration, unauthorised disclosure or access, or unlawful destruction.
As part of our continuous focus on improvement and security, Skynamo South Africa has contracted external consultants to guide us through our ISO 27001 certification. This included the formalisation of our Information Security Policy and processes.
Access and Erasure
In terms of the GDPR, data subjects have the right to access, amend and erase their Personal Data being processed. These requests must be directed to, and complied with by, the Data Controller, who, in Skynamo’s case, is the client.
Skynamo South Africa operates as a Data Importer and Processor and will therefore not deal with these requests directly. All such requests will be directed to the Data Controller (i.e. our client). Skynamo, as Data Processor, will however assist the Data Controller by appropriate technical and organisational measures to fulfil its obligations in this regard.
Our legal team is always updating our legal documentation to reflect any product changes and to include the mandatory processor provisions required by Article 28 of the GDPR.
Internal and external education
Skynamo trains all employees regarding their data protection responsibilities. We are developing online training programs to ensure that all employees are up to date on the latest requirements and developments to be continuously compliant.
Clients’ obligations in respect of GDPR when using the Skynamo Software
Most of our customers are employers whose employees use the Skynamo Software. As the Software will collect employees’ Personal Data, our customers, as Data Controllers, must ensure that their processing complies with the seven data protection principles listed above, including the issuing of privacy notices which cover the processing of personal data via the Skynamo Software.
In terms of the GDPR, employers have to provide their employees with information that explains how they process their employees’ personal data. This is most often done by means of a “Privacy Notice”.
What information should you include in your employee privacy notice?
• Your contact details, as Data Controller;
• If you have a representative, the identity and details of the representative;
• If you appoint a data protection officer, the contact details of the Data Protection Officer;
• A description of the personal data that will be collected;
• The reason for collecting and processing this Personal Data;
• The legal basis on which you collect and use the Personal Data;
• Who this Personal Data will be shared with;
• Will the Personal Data be transferred outside of the European Economic Area? If so, details about the security measures and safeguards that are in place to enable this transfer to lawfully take place and to protect the security of the Personal Data. You will also have to provide information on how the Data Subject (your employee) can obtain a copy of, or access, these safeguards;
• How long will you keep the Personal Data for?
• What rights do employees have in respect of their Personal Data?
Are you GDPR certified?
No. As far as we are aware, one cannot currently be GDPR certified, as there is no audit and certification body. If one is established, we will seek certification.
How are you protecting your customers’ data?
We are in the continuous process of improving our GDPR compliance and of protecting our clients’ and their users’ data by design and by default.
Where is the data stored?
The data of Skynamo UK’s clients is stored on AWS infrastructure in Ireland or another location in the EEA as agreed to with our customer, but can be accessed from South Africa if a support query is lodged based on the specific Personal Data.
What process did you follow to get ready for GDPR?
Skynamo appointed a Data Protection Officer, contracted legal advice and implemented procedural and architectural changes as needed and continues to do so.
Is your data encrypted when sending orders via email?
No. Emails are transmitted over secure (transport-encrypted) protocols and are protected in transit, but the message content itself is not encrypted, so any recipient (intended or not) will be able to read the email.
Can you switch the GPS off because surely that is not GDPR compliant?
No. GPS tracking is a critical element of the Skynamo service. The use of a live tracking service is not prohibited by the GDPR; the GDPR only prohibits the collection of inappropriate or excessive data.
How does Skynamo obtain the Personal Data it processes?
The Personal Data which Skynamo processes is entered into the Software by Clients or Users and is also collected automatically whilst Users use the Software.
What is the retention period generally for the Personal Data Skynamo stores?
As required by our clients.
Is the Personal Data Skynamo holds shared with third parties?
As explained above, the Personal Data which Skynamo processes is only shared with the sub-processors which Skynamo appoints. The Personal Data is not shared with any other third parties which are not involved in the processing of the Personal Data.
Can customers or Users delete the Personal Data?
Yes, all data can be deleted from the Software and from our databases upon the instructions of our customers.
Disclaimer: This discussion document is neither a magnum opus on EU data privacy and data protection laws nor does it constitute legal advice regarding your company’s compliance with EU data protection laws like the GDPR. Instead, it provides background information to help you better understand how Skynamo is addressing GDPR. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this document as legal advice, nor as a recommendation of any legal understanding.