Digi United Limited is committed to protecting privacy and complying with the General Data Protection Regulations 2016.
We have identified that we fall within the scope of the GDPR as the Data Processor when supporting our customers' IT infrastructure and systems, and our customers are the Data Controllers of the data held on the systems we support.
- A Data Controller determines the purposes and means of processing personal data.
- A Data Processor is responsible for processing personal data on behalf of a controller.
This policy sets out the basis by which we carry out and manage our processing activities when supporting our customers' IT infrastructure and systems.
As the Data Processor in the performance of the support contracts with our customers (Data Controllers):
1. We will only act on the written instructions of the Data Controller (customer). This written instruction will normally be given by raising a service request ticket in our ticketing system via an email or the portal.
2. We will ensure that people processing the data have signed a confidentiality agreement and understand their information security and data protection responsibilities.
3. We will ensure that we have appropriate information security measures in place for safe and secure processing.
4. We will only engage a sub-processor with the prior consent of the Data Controller and a written contract.
5. We will assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
6. We will assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
7. We will delete or return all personal data to the Data Controller as requested at the end of the contract.
8. We will submit to audits and inspections, provide the Data Controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the Data Controller immediately if we are asked to do something infringing the GDPR or other data protection law of the EU or a member state.