The purpose of the Data Privacy Policy is to ensure the protection of Personally Identifiable Information (PII) and user data privacy at an appropriate level in cloud environments. This document applies to the public cloud services provided by Netspective Communications LLC, as well as to all public cloud service providers who process PII under the responsibility of Netspective Communications LLC. The intended users of this document are the top management and individuals responsible for public cloud service providers in Netspective Communications LLC. [FII-SCF-009-DCH-13]
Protection of Personally Identifiable Information in Cloud Environments
The Data Privacy Officer (DPO) at Netspective Communications LLC has the responsibility of coordinating all activities necessary to ensure the proper application of this policy. In Netspective Communications LLC, the Information Security manager (ISO Management representative) fulfills the role of a data privacy officer.
Information collection, use, sharing and disclosure [FII-SCF-009-DCH-14]
Information collection
- To perform business activities and fulfill contractual demands in cloud environments, the DPO must ensure that the public cloud service providers, owned or outsourced by Netspective Communications LLC, are only permitted to collect the following types of Personally Identifiable Information:
- First name, Middle Name, Last Name
- Email IDs
Information use and sharing
- The DPO must ensure that public cloud service providers, owned or outsourced by Netspective Communications LLC, process Personally Identifiable Information (PII) only for the following purposes:
- Purposes defined in the contract with the public cloud service customer.
- Technical purposes required to fulfill the customer’s contract.
- Collected as a means of “know your customer” – customer details.
- Netspective Communications LLC will share PII submitted to it with the following third parties, only to the extent necessary to perform business activities and/or fulfill contractual demands:
- Customers.
- Law enforcement.
- Netspective Communications LLC will not provide PII submitted to it to any third party for direct marketing or advertisement purposes unless there is express consent from the PII principal / PII controller.
Information disclosure
- The DPO may disclose Personally Identifiable Information (PII) to the following entities:
- Employees, suppliers, or subcontractors of Netspective Communications LLC.
- Members of Netspective Communications LLC’s group of companies.
- Law enforcement.
- Disclosure of any personal information held by Netspective Communications LLC to entities not listed above can only occur after obtaining consent from the information owner or upon a legally binding request made by a law enforcement authority, as long as the legal request allows for notification disclosure. The notification will be carried out according to the terms defined in the contract.
- In the event of a PII disclosure resulting from an incident, the DPO will promptly notify the PII principal and PII controller, either by phone or in person.
- The DPO must record any PII disclosure in the [registry of PII disclosure]. This document should include details such as the disclosed PII, the responsible party, the recipient, and the time of disclosure. If the disclosure is mandated by law, the record must also include the legal reference authorizing the disclosure.
PII principal’s access to and control over information
- The DPO must ensure that public cloud processors, owned or outsourced by Netspective Communications LLC, offer the following capabilities to PII principals and/or PII controllers for accessing and controlling their PII in a timely manner:
- Unique identification and authentication credentials to access relevant PII.
- Privacy settings to enable control over the publication of their information.
- Editing functionalities to allow inclusion, correction, updating, and exclusion of information.
- The specific requirements for implementation alternatives are described in the contract.
- Regarding privacy and editing capabilities, the public cloud processors must provide warnings to PII principals and/or PII controllers about potential impacts on product or service performance when using these capabilities.
Information location, storage, transfer and access [FII-SCF-003-BCD-11.2]
Information location
- Netspective Communications LLC may store the PII submitted to it in the following locations:
- [US servers - where PII may be stored, including those related to subcontractors and third parties].
- The DPO has the responsibility of ensuring that information about these locations is included in the contract terms presented to the public cloud service customer.
Information storage
- To protect PII submitted to Netspective Communications LLC, all assets used for storing PII must utilize encryption solutions. In cases where these solutions are not available, the use of an unencrypted asset must be authorized by the DPO and documented.
- The DPO is responsible for ensuring that the use of hard copy materials containing PII, such as printed reports, is restricted.
Information transfer over public networks
- The DPO is responsible for ensuring that the transfer of PII submitted to Netspective Communications LLC through public data-transmission networks includes encryption of the PII prior to transmission.
Information access
- Only employees of Netspective Communications LLC will have access to PII that is reasonably necessary for the performance of activities related to the purposes stated in clause 4.1.2 of this policy. The owner of each business process related to these purposes is responsible for defining the PII that may be accessed by their employees.
- Access to PII by subcontractors can only be granted after acceptance by the public cloud service customer. The DPO must inform the public cloud service customer about the countries where the subcontractor may process PII data and the obligations imposed on the subcontractor to ensure compliance with the public cloud service customer and PII processor.
- The DPO is responsible for ensuring that all individuals within Netspective Communications LLC who have access to PII sign a non-disclosure agreement before being granted access to PII data.
Information retention and disposal [FII-SCF-009-DCH-18]
- The DPO is responsible for ensuring that all PII is retained only for the necessary duration to achieve its intended purpose.
- In relation to information systems acquisition, development, and maintenance, requirements must be established to ensure the timely deletion of temporary files and documents created during regular operations once they are no longer needed. The DPO is responsible for reviewing the requirements of information systems to ensure their inclusion.
Logging, monitoring and compliance verification [FII-SCF-007-MON-01]
- The DPO is responsible for ensuring that logs related to PII data are maintained, monitored, and reviewed. This is done to verify whether any changes have been made to the data, identify any unusual behavior in the handling of PII, and take appropriate corrective actions if errors are identified. The DPO must be informed about the results of the review.
- The DPO must ensure that the business unit acting as the public cloud processor or subcontractor, which is performing this activity on behalf of Netspective Communications LLC, provides the cloud service customer with all relevant information in a timely manner. This enables the cloud service customer to verify if the operation is compliant with all the requirements defined in this policy.
Managing records kept on the basis of this document
Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time |
---|---|---|---|---|
Customer Personal Information | Database | Rinshad | CEO | We are archiving the record, not deleting it. |
Employee Personal Information | HR Department | Sarji Mohammedali | Sarji Mohammedali | We are archiving the record, not deleting it. |
Netspective Communications LLC Business Information | GIT | Shahid N. Shah | Shahid N. Shah | We are archiving the record, not deleting it. |
Health Information of Employees | Not applicable | Not applicable | Not applicable | |
Legal Information | CEO | CEO | We are archiving the record, not deleting it. | |
Legal strategies | CEO | CEO | We are archiving the record, not deleting it. | |
Intellectual Property of Netspective Communications LLC | CEO | CEO | We are archiving the record, not deleting it. | |
Financial Information (Netspective Communications LLC/Employee/Customer) | CEO | CEO | We are archiving the record, not deleting it. |
Validity and document management
- This document is valid as of today.
- nqspDocumentOwner is the owner of this document and must check and, if necessary, update it at least once a year.
- When evaluating the effectiveness and adequacy of this document, the following criteria should be considered:
- The number of incidents related to unauthorized access to PII.
- Previous versions of this policy must be stored for a period of 5 years, unless specified otherwise by a legal or contractual requirement.