Data Protection Policy
This policy will come into effect on May 25, 2020.
Banan ITS provides technology services to businesses. Although we don’t have a commercial relationship directly with individuals, we do hold what could be considered “personally identifiable information” about the employees of our clients, and that data is within the scope of the GDPR. This article details the data we hold, who has access, the measures we take to protect it, and how we get rid of it when it’s no longer of use.
Who do we keep data on?
For clients on our ongoing support plans we hold data about each named employee on the account, in addition to any other people involved in the provision of the service (for example, an account management contact who works in a remote office and is not covered under the support plan).
For all the other services we provide (including SaaS subscriptions, Enterprise services, projects, event support) we only hold data for the people involved in the service provision.
We also hold data on people who’ve contacted our new business team with an interest in our services.
The people we hold data on are the “Data Subjects”, using the terminology of the GDPR. In our relationship with our clients we act as “Data Processors” and the client is the “Data Controller”.
Data Categories
We group the people about whom we hold data by their company, and by their job function (specifically we categorise people as “Tech Contacts” and/or “Operational Contacts” and/or “Accounts Contacts” and/or “New Business Contacts”). As detailed above, for each person we mark data “Default” (name and email) and “Additional” and handle each differently.
Who Has Access
By default, our Operations, Infrastructure and Senior Management teams have access to the information about all people across clients.
Individual members of our support, enterprise and projects teams are granted access to each client (and by extension all of that client’s employees) when they are onboarded onto that client’s support team, or when they start a project for them, unless special access requirements have previously been outlined.
Our Accounts team has access to all people categorised as “Accounts Contacts”.
Breach Notification
Our incident management procedure includes notifying the tech and operational contacts at our clients of a breach, and its potential impact, within 72 hours of the breach.
Banan ITS