1.1 This policy describes Unit4's approach within the Unit4 group to the collection, storage, processing and removal of all data relating to Unit4 customers ("Customer Data"), whether or not those customers are past, current or prospective and whether individuals, sole traders, partnerships or companies ("Customers").
1.2 This policy is designed:
(a) to reduce the risk to Unit4 in handling and processing Customer Data (i.e. reducing the risk that data is lost, including as a result of theft);
(b) to establish auditable and demonstrable controls over Customer Data;
(c) to ensure compliance with statutory principles, including that Customer Data:
(i) is not retained for longer than is considered necessary to fulfil the purpose for which it was collected; and
(ii) is not processed for any purpose(s) other than those for which it was collected; and
(d) to establish a common approach across the Unit4 group companies, giving priority, where necessary, to the local legislation in the different countries.
2.0 WHO DOES THIS POLICY APPLY TO?
2.1 This policy applies to all Unit4 employees, consultants, workers and temporary staff who are involved in collecting, processing and using Customer Data.
2.2 It is important that all individuals follow and comply with this policy in order to provide assurances to Customers that Unit4 takes appropriate steps when handling Customer Data.
2.3 You should review existing Customer Data records. If you currently have any Customer Data you must discuss it immediately with your manager to determine if it should be removed from Unit4's systems.
2.4 If you have any concerns or questions relating to this policy, you should speak to either your local quality manager (where applicable) or the Corporate Legal Department in Sliedrecht, The Netherlands.
3.0 WHEN SHOULD CUSTOMER DATA BE COLLECTED?
3.1 It is Unit4's policy that obtaining Customer Data, especially “live data”, should be a “last resort” and Unit4 should not obtain or hold Customer Data unless it is vital to resolving a support or technical issue or executing an agreement with the Customer or is required for product development, verification and/or validation.
3.2 It is Unit4's policy that "sensitive personal data" (that which relates to an individual's racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life or the commission or alleged commission of any offence or proceedings for any actual or alleged offence, the disposal of such proceedings or the sentence of any court in such proceedings) should be avoided. Where this type of data is collected it should be clearly marked “Sensitive”.
4.0 I NEED TO COLLECT CUSTOMER DATA – HOW SHOULD I COLLECT IT?
4.1 If you need to collect Customer Data to assist in the resolution of a support or technical issue or execute a support agreement, you must collect the Customer Data directly from the Customer and not from a third party (unless approved by the Customer). Practical points you should comply with in this area are as follows:
(a) where possible you should request that the Customer submits only "test data" (i.e. not "live data"). The type of data being supplied should be clearly indicated as “Test Data” or “Live Data”. You must gain e-mail or an alternative form of written confirmation from the Customer that the Customer Data is "test data". If such written confirmation cannot be obtained, you must assume that the Customer Data is "live data". You should - where practically possible - never accept data with live personal bank accounts or credit card details and you should - where practically possible - request the Customers to scramble or remove such data before giving it to us.
(b) you must tell the Customer about:
(i) the purpose(s) for which Unit4 is collecting and will use their data;
(ii) the identity of your Unit4 company as the 'data processor' for statutory purposes and how they may contact your Unit4 company;
(iii) how their data will be stored by Unit4;
(iv) their right to access copies of their data and to have their data corrected if necessary; and
(v) their right to request at any time that Unit4 ceases using their data.
(c) where the Customer is providing Customer Data electronically, you must try to arrange that the Customer submits such data via:
(i) secure ftp (file transfer protocol) methods – support desk and Technical Services have appropriate means of providing these when required;
(ii) removable media e.g. CD/DVD/hard drive/tape media sent by secure or registered post; and/or
(iii) encrypted email where other methods above are not available, or for urgency on behalf of the Customer;
(d) you must seek permission from either your local quality manager (where applicable), your company manager or the Corporate Legal Department in Sliedrecht, The Netherlands prior to accepting known "live data"; and
(e) you should consider whether you will need to transfer the Customer Data to other companies within the Unit4 group (for example, in order to fulfil their order or service request). Where you need to transfer the data within the Unit4 group or outside of the European Economic Area, you should explain this to the Customer at the time of data collection and gain their consent to such transfer. Sensitive personal data (as described in Paragraph 3.2) must never be transferred outside of the European Economic Area. When new data transfer requirements are raised new authorization must be obtained from the Customer.
4.2 It is important to remember that once Customer Data has been collected, it should only be retained by Unit4 for as long as there is a business need to retain it or as required under any applicable data retention periods. If you have any questions relating to these data retention periods, please contact your local quality manager (where applicable) or the Corporate Legal Department in Sliedrecht, The Netherlands.
5.0 I HAVE COLLECTED CUSTOMER DATA, ARE THERE ANY RESTRICTIONS ON HOW I CAN USE IT?
5.1 Yes. Customer Data must:
(a) only be accessed and used where you have an authorized business need to do so;
(b) not be:
(i) used for electronic direct marketing (for example, by e-mail, fax, telephone and/or SMS) without having previously gained the Customer's consent to such use;
(ii) used for your own personal purposes; or
(iii) shared with a third party (unless approved by the Customer).
5.2 When you have a business need to access and use Customer Data, you must:
(a) only use Customer Data for the purpose for which it was collected; and
(b) seek the consent of the Customer if you need to use the Customer Data for a new purpose.
6.0 I NEED TO TAKE CUSTOMER DATA OUT OF THE OFFICE, CAN I DO THIS?
6.1 It is Unit4's policy that Customer Data (whether "live data" or "test data") must not be taken out of the office/off-site on laptops, memory sticks, USB sticks, CD or other storage media without the prior written permission of both the Customer and your manager. This consent must be sought in addition to your obligations under paragraph 3 above.
6.2 Where you have gained consent, you must ensure that:
(a) the Customer Data and the storage media on which it is held is not left in an unlocked car or unattended in a place where it could be viewed or removed by others; and
(b) any and all security systems on the storage media on which the Customer Data is held (such as password protection) are activated.
7.0 I NO LONGER NEED TO RETAIN THE CUSTOMER DATA, WHAT SHOULD I DO?
7.1 All Customer Data is to be deleted or returned to the Customer immediately following completion of the purpose for which it was collected unless Unit4 is:
(a) expressly asked to keep it by the Customer; or
(b) required to keep it in accordance with any applicable data retention periods. If you have any questions relating to these data retention periods, please contact your local quality manager (where applicable) or the Corporate Legal Department at Sliedrecht, The Netherlands.
7.2 Any Customer Data retained by Unit4 must only be stored in locked machine rooms (preferably in safes) and must not - where practically possible - be stored on Unit4 laptops or other mobile storage media.
8.0 I HAVE RECEIVED A MESSAGE FROM A CUSTOMER REQUESTING A COPY OF THEIR DATA HELD BY Unit4, WHAT SHOULD I DO?
8.1 Where a Customer requests a copy of their Customer Data, you must escalate any such request immediately to your local quality manager (where applicable) or the Corporate Legal Department in Sliedrecht, The Netherlands.