Openmind Networks Limited
Privacy Policy

PRIVACY POLICY

1. Introduction
   • This is the Privacy Policy of Openmind Networks Limited, which is referred to as the “Company”, “us” or “we” throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law.
   • Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.
2. Background and Purpose
   • The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices.
   • In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us e.g. application forms etc.
3. Openmind as a Data Controller
   • Openmind will act as a Data Controller in respect of Personal Data provided to us by various individuals in connection with the operation and administration of Openmind. Such individuals will generally include the following:
     • customers;
     • employees/staff; and
     • third party suppliers
   • Personal Data is processed by Openmind for the following purposes:

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity	Lawful basis for processing
To manage our relationship with our staff (employees and contractors) to include: For general business purposes, such as payroll activities, performance management, making business travel arrangements and/or improving products and services To comply with any legal requirement, such as record-keeping and reporting, honouring contractual obligations and/or healthcare obligations. To facilitate communication with you and your nominated contacts in an emergency and protecting the health and safety of staff and others. For the operation of a CCTV system	Performance of a contract with you Necessary to comply with a legal obligation Necessary for our legitimate interests (to keep our records updated)
To manage our relationship with our clients and our suppliers	Performance of a contract Necessary to comply with a legal obligation Necessary for our legitimate interests (e.g. to keep our records updated)
To administer and protect our business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) Necessary to comply with a legal obligation
To deliver relevant content and advertisements to our clients and measure or understand the effectiveness of the advertising we serve to them	Necessary for our legitimate interests (to study how clients use our products and services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our products and services, marketing, customer relationships and experiences	Necessary for our legitimate interests (to define types of clients for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about products and services that may be of interest to you	Necessary for our legitimate interests (to develop our products and services and grow our business)

 

• Legal Bases
  • Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
  • Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
  • Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

4. Openmind and Data Processors

Openmind willl engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of Openmind and gives rise to a Data Controller and Data Processor relationship, Openmind will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

5. Record Keeping

As part of our record keeping obligations under Art. 30 GDPR, Openmind retains a record of the Processing activities under its responsibility. This comprises the following:

Art. 30 GDPR Requirement	Openmind’s Records
Name and contact details of the Controller	Openmind Networks Limited with its registered office at 4 Westland Square, Pearse Street, Dublin 2.
The purposes of the Processing	See Section 3 of this Privacy Policy.
Description of the categories of data subjects and of the categories of Personal Data.	See Annex II of this Privacy Policy.
The categories of recipients to whom the Personal Data have been or will be disclosed.	See Section 9 of this Privacy Policy.
Where applicable, transfers of Personal Data to a third country outside of the EEA.	See Section 10 of this Privacy Policy.
Where possible, the envisaged time limits for erasure of the different categories of data.	See Section 12 of this Privacy Policy.
Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).	See Annex III of this Privacy Policy.

 

6. Special Categories of Data

Openmind processes Special Categories of Data (“SCD”) in certain circumstances, such as the ordinary course of employee administration. Openmind shall Process such SCD in accordance with Data Protection Law.

7. Individual Data Subject Rights
   • Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):
     • The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
     • The right of access to Personal Data;
     • The right to rectify or erase Personal Data (right to be forgotten);
     • The right to restrict Processing;
     • The right of data portability;
     • The right of objection; and
     • The right to object to automated decision making, including profiling;
   • These Data Subject Rights will be exercisable by you subject to limitations as provided for under Data Protection Law. You may make a request to Openmind to exercise any of the Data Subject Rights by contacting, in the case of employees (past or present), Openmind’s Human Resource Department and in the case of customers, the VP of Operations for Openmind. Your request will be dealt with in accordance with Data Protection Law.
8. Data Security and Data Breach
   • We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. For more information on security measures see Annex III.
   • The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by Openmind will be dealt with in accordance with Data Protection Law and Openmind’s Data Breach Procedure.
9. Disclosing Personal Data
   • From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).
   • We may also disclose Personal Data to: (a) selected third parties including in the case of employees/ contractors, finance auditors to ensure legal compliance and (b) service providers, such as, in the case of employees/ contractors, our payroll provider, benefits providers etc.
10. Data Transfers outside the EEA

From time to time, Openmind may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. If such transfer occurs, Openmind will ensure that such processing of your Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate. If you require more information on the means of transfer of your data or would like a copy of the relevant safeguards, please contact Openmind’s VP of Operations or in the case of employees/ contractors, please contact the HR department.

11. Monitoring

We may record telephone calls with employees so that Openmind can:

• improve the standard of service that Openmind provide by providing employees with feedback and training, where applicable;
• address queries, concerns or complaints;
• prevent, detect and investigate crime, including fraud and money laundering, and analyse and manage other commercial risks; and
• comply with Openmind’s legal and regulatory obligations.

In addition, Openmind monitor electronic communications between Openmind and employees (for example, emails) to protect the employees, the business and IT infrastructure, and third parties including by:

• identifying and dealing with inappropriate communications; and
• looking for and removing any viruses, or other malware, and resolving any other information security issues.

The use of CCTV involves Processing of Personal Data. The purpose of Openmind’s CCTV system is to protect against crime, including theft, to ensure the security of Openmind’s staff and property, and the health and safety of our staff and customers.

Openmind ensures that the use of CCTV is in line with the requirements under Data Protection Law.

Access to the CCTV systems and recorded material is strictly restricted to authorised colleagues, security colleagues and members of the management teams.

12. Retention of Personal Data

Openmind will keep Personal Data for as long as is necessary for the purposes for which Openmind collects it. This mean Openmind will retain Personal Data for so long as we have a relationship with the individual to whom the Personal Data relates. Once this relationship comes to an end Openmind will retain such Personal Data for a period of time that allows it to: (a) comply with legal record retention requirements; (b) defend or bring legal claims; (c) maintain records for business analyses and audit; and (d) address complaints and other issues regarding its business.

Where Openmind holds Personal Data to comply with a legal or regulatory obligation, Openmind will keep the information for at least as long as is required to comply with that obligation. In some cases a retention period will apply once the initial purpose has ceased e.g. payroll files are required to be kept for current year plus 6 years.

Where Openmind holds Personal Data in order to provide a product or service, Openmind will keep the information for at least as long as Openmind provides the product or service, and for a number of years thereafter.  The number of years varies depending on the nature of the product or service provided.

Openmind endeavours to ensure that Personal Data will only be kept which is relevant and not excessive to achieve the purposes for which it is being held.

13. Further Information/Complaints Procedure

For further information about this Privacy Policy and/or the Processing of your Personal Data by or on behalf of Openmind please contact the HR department for employees and while you may make a complaint in respect of our compliance with Data Protection Law to the relevant country’s Data Protection Commission, we request that you contact the HR department in the first instance to give us the opportunity to address any concerns that you may have. For customers, please contact the VP of Operations for Openmind.

Date: 25 May 2018

 

ANNEX I

Glossary

In this Privacy Policy, the terms below have the following meaning:

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018, once enacted and any other laws which apply to Openmind in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:

• a name, an identification number;
• details about an individual’s location; or
• any other information that is specific to that individual.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

ANNEX II

Types of Personal Data

Categories of Data Subject	Type of Personal Data
Staff (current and past employees and contractors)	Personal details: Name, employee identification number, work and home contact details (email, phone numbers, physical address), language(s) spoken, gender, date of birth, social security number, next of kin, disability status, emergency contact information and photograph.   Documentation required under immigration laws: Citizenship, passport data, details of residency, licences, work permits, etc.   Compensation, Benefits and Payroll: Base salary, bonus, benefits, compensation type, pay grade, salary step within assigned grade, details on stock options, stock grants and other awards, currency, pay frequency, effective date of current compensation, salary reviews, banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data, national insurance or other number, marital/civil partnership status, domestic partners and dependents.   Position: Description of current position, job title, management category, job code, job function(s) and sub-function(s), company name, branch/unit/department, location, employment status and type, terms of employment, employment contract, work history, hire/re-hire and termination date(s) and reason, length of service, retirement eligibility, promotions and disciplinary records, date of transfers, and reporting manager(s) and supervisors information.   Talent Management Information: Details contained in letters of application and resume/CV (previous employment background, education history, professional qualifications, language and other relevant skills, certification, certification expiration dates), information necessary to complete a background check, details on performance management ratings, development programs planned and attended, e-learning programs, performance and development reviews, willingness to relocate or driver’s license information.   Company Secretarial Records: Details of any shares of common stock or directorships.   System Access Data: Information required to access company systems and applications.   Special Categories of Personal Data: We may also collect certain types of Special Categories of Personal Data where required or permitted by local law, such as health/medical information, place of birth, trade union membership information, religion, and race or ethnicity.
Customers	Name, phone number and email address of individuals. Data is held where an issue arises within our customers network. It is then deleted from Openmind’s system. Other customer data such as email addresses of key contacts, is kept in order to fulfil (contractual) business relations with our customers.
Suppliers	Personal Details where applicable eg bank details of an individual rather than a company. These are stored in the performance of a contract.

 

ANNEX III

IT Security Measures

1. We have two separate environments that have distinct ways to access data:

• Cloud Based (files and email) is provided by Google, the Google Account is protected by password and a second layer exists called 2-step verification, which sends a single-use code to the person’s phone to enter when they sign-in.
• In relation to the local files, inside the company they can be only accessed by password authentication and outside the company the access needs to go through a VPN protected by public key authentication that is only assigned to some users and their respective work machine.

2. Openmind Networks also has an IT policy, which should be read in conjunction with this. This outlines the security measures, which our employees are expected to take when carrying out their tasks.