Data protection policy
Physical Security
In order to prevent theft of data or information from premises:
- Adiuvo uses shutters on all doors and windows with a key holder policy in place which includes replacing locks and updating codes within 12 hours of when key holders leave or when broken windows, doors or locks are reported.
- All sensitive data and systems are stored in or behind secured doors in a secured facility.
- Adiuvo has internal and external CCTV for the prevention and detection of physical access to data.
Employee training
Adiuvo staff have all completed and passed internal academy online training.
Data controller
Our Data Controller is Colin Stokes (Managing Director) of Adiuvo and he is responsible for your personal data.
What information do we hold?
Adiuvo has reviewed what personal and sensitive data it holds about individuals which amounts to basic contact details including name, address, maintenance issues regarding that address and phone and email information.
How do we hold the information?
Our Cloud-Based System: To process callers’ requests, we store information on our cloud-based system, which is securely housed on Amazon Web Services (AWS) servers within Europe. AWS provides robust security measures, including 99.999999999% (11 nines) durability, multi-region redundancy, encryption at rest and in transit, and compliance with international standards. AWS's infrastructure is designed to meet the requirements of the most security-sensitive organizations, with rigorous physical and network security measures in place. Please see the following link for details and further information: https://aws.amazon.com/s3/security/
Our Call and Conversation Recordings: We use Talkdesk for call and conversation recordings. Talkdesk records are stored on AWS servers and managed through their secure infrastructure. The recordings are transferred directly to our AWS S3 bucket, ensuring data security and compliance. Talkdesk allows us to configure retention policies and access controls to manage these recordings effectively. Please see the following links for details and further information:
https://support.talkdesk.com/hc/en-us/articles/210267373--Preferences-Call-Recording
https://support.talkdesk.com/hc/en-us/articles/115000496943--Storage-and-Retention-Custom-Storage
https://support.talkdesk.com/hc/en-us/articles/204370739--Storage-and-Retention-Call-Voicemail-and-Screen-Recording-Retention-Policy
Where does the data come from?
This information is collected either from your interactions with us, such as when online forms are completed or our AI service tools are used, or through correspondence with us. Information is also collected from callers when they contact us in order for us to provide maintenance assistance, or from access to clients’ systems should they provide it (which will be subject to their own Data Protection Policy).
How do we use your data?
The data we collect from you could be used for a wide variety of reasons which include:
- the need for us to use your data for administrative purposes as part of our service delivery;
- the need for us to process your data;
- to keep you informed about developments and news by email or by phone;
- for assessment and improving the services we offer;
- to perform our contract with you;
- to perform and pursue our legitimate interest (for example to prevent fraud and to give you the best possible customer service);
- to comply with a legal obligation that we are subject to;
- to use analytics to improve our website, products/services, customer relationships and experiences and to measure our effectiveness.
Who do we share the information with?
The contact details and information regarding maintenance issues provided by you as described above are the only data we share with third parties (contractors or emergency services or OpenAI as the case may be), and this is done expressly to organise the assistance of a caller’s request. Adiuvo maintains a register of the details relating to each third party for regulatory and monitoring purposes and maintains an Outsourcing and Supplier Policy & Procedure. Details of the aforementioned register are available on written request. This enables us to meet our obligations and to ensure that all outsourced functions are handled according to our own strict procedures and protocols. The data protection and other laws of other countries with which data is shared may not be as comprehensive as those in the UK or the EEA. In such instances, we shall take steps to seek protection of your data at a level equivalent to that in the UK or EEA.
Notifying individuals their information is being shared
Callers are advised by means of a pre-recorded connection message that we will provide their data in the form of the contact details described above to third parties and that all calls are being recorded. To the extent that a caller proceeds then this is deemed acceptance of the fact that data will be shared.
On what lawful basis do we hold the information?
In the first instance, callers contact us for assistance and, as part of the provision of assistance, data is requested, provided, held and utilised as described under the terms of this policy. Persons may also use our website, and their interactions, as part of the provision of our services, mean the provision of data to us.
Secure disposal
- After 3 years, personal information (which is only held electronically) will be expunged. This, we believe, is the correct period of time to allow for any disputes to arise or to allow access of the same. After this period has elapsed the records and data we hold will still include the details of requests and actions but with no name or phone number data ascribed to it. The address and maintenance information will remain in order so that we can statistically model the remaining data for improvement and reporting purposes but without any connection to an individual.
- The above deletion process is completed via a process of overwriting all personal information including all backups immediately.
- Call recordings are deleted after 6 months in their entirety automatically and therefore cannot be accessed from that time.
- OpenAI will retain data for a maximum of 30 days after which it will be deleted except where OpenAI is required to retain copies under applicable laws in which case OpenAI will isolate and protect data from any further processing except to the extent required by law.
- Third parties are instructed to keep all information for 12 months electronically to allow for any discussions regarding services carried out and on the expiry of this period of time third parties are instructed to delete said information accordingly from all mediums of recording.
Data protection impact assessment
Although we do not believe the scope of captured information will change significantly, we will use a DPIA to identify and mitigate against any risks should new requirements occur.
International data access
Adiuvo have an administration department and team based in India (this is an Adiuvo-owned company, not an outsourced one). This team accesses our data held on European AWS servers to provide reporting to our clients and assistance to our Property Management teams.
OpenAI Ireland Limited will process data provided to it by Adiuvo that originates in the EEA. To the extent that OpenAI Ireland Limited transfers data to other OpenAI affiliates in jurisdictions that do not provide the same level of data protection it will do so on the basis of intra-group agreements that incorporate appropriate transfer mechanism provisions to protect data.
OpenAI OpCo LLC will process data provided to it by Adiuvo in accordance with the terms of the Data Protection Act 2018.
Data breach response plan
The company has 72 hours to report the breach to the Data Protection Commissioner’s Officer, although it will be our aim to notify clients within 24 hours. Should personal information have been exposed, our Data Breach plan includes: threat isolation, forensic investigation, engaging legal counsel, PR communications and media outreach.
Website
Our Website includes a suitable Privacy Statement. We only collect cookies for visitor Analytics and the terms of our Cookie Policy are contained in the Privacy Statement.
Subject access request
Adiuvo have a dedicated procedure for handling subject access requests and request refusals. Where a data subject exercises their Right of Access, we provide them with the following information:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom the personal data has/will be disclosed;
- Whether the personal data has/will be transferred to a third party country or international organisation(s);
- Pursuant to the above, the right to be informed of the appropriate safeguards used;
- The envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
- The existence of the right to request rectification or erasure of personal data;
- The existence of the right to restrict processing of personal data or to object to such processing;
- The right to lodge a complaint with the Data Protection Commissioner;
- Where the personal data was not collected directly from the data subject, information as to the source;
- The existence of automated decision-making (including profiling) and details of the logic involved, as well as any significant/envisaged consequences of such processing; and
- The fact that Adiuvo will put in place a process for rectifying inaccurate personal data and/or completing incomplete personal data (including supplementary statements).
Right to erasure
Our procedures also include the Right to Erasure. Where a data subject exercises their Right to Erasure, we shall attend to the request subject to consideration of the following matters before we comply:
- whether the data subject withdraws consent on which the processing is based.
- whether the personal data has been unlawfully processed.
- whether the personal data has to be erased for compliance with a legal obligation.
- whether the personal data has been collected in relation to the offer of information society services.
- whether the data subject objects, on the grounds relating to their particular situation, to processing of data concerning them which is based on points (e) or (f) of Article 6(1).
- whether the data subject objects to the processing of data pursuant to data being processed for direct marketing purposes.
Where the accuracy of the personal data is contested by the data subject, Adiuvo will restrict processing for a period to enable verification of the accuracy of the personal data and where a data subject has obtained restriction of processing they will be informed in writing before the restriction is lifted. In addition to the terms of our policy above, we shall also discard all data unless a good business or legal reason exists to maintain that data.
GDPR DPP v2.0 (01/7/24).