The European Union (EU) established a new rule known as the “General Data Protection Regulation” on April 8, 2016. (GDPR). It supersedes the EU Data Protection Directive and applies to all EU member countries, eliminating the need for national law. After four years of debate and changes, the legislation goes into force on May 25, 2018, putting the EU at the forefront of data protection norms.

It provides EU citizens more control and authority over personal data. Organizations that manage statistics on EU individuals will be required to follow data and privacy guidelines under this bylaw. Msinfoworld has acknowledged and updated all of the essential requirements of GDPR as part of its basic policies.

The EU Data Protection Directive, enacted in 1995, was a tremendous step toward protecting the personal information of EU residents, but there were inconsistencies that made it difficult for enterprises to operate in several states because it was not standardised throughout all member states. The GDPR tackles this shortcoming by specifying particular data protection requirements that must be met by all data controllers, regardless of location. The GDPR’s ultimate goal is to make regulation simple for data controllers all around the world to follow while also maximising data protection for EU people.

Personal data is defined in Article 4 of the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural, or social identity.”

Article 5. Principles governing personal data processing:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date;
5. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
7. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The controller shall be responsible for, and be able to demonstrate compliance with the principles.

Article 6. GDPR Lawfulness of processing:

In order to process personal data under the GDPR, there must be a legitimate legal basis. According to Article 6 of the GDPR, there are six available permissible bases for processing:

• Consent: The data subject has provided explicit, unambiguous consent for the processing of their personal data for a specified purpose.
• Contract: processing is required for the fulfilment of a contract with the data subject or to initiate contract negotiations.
• Legal obligation: processing is required to comply with a legal obligation. 
• Vital interests: processing is required to protect the vital interests of a data subject or another individual.
• Public task: processing is required to perform a task in the public interest or in the exercise of official authority vested in the controller.
• Legitimate interests: processing is required for the purposes of the controller’s or a third party’s legitimate interests, unless such interests are overridden by the data subject’s interests, rights, or freedoms.

This GDPR policy assures that Msinfoworld:

• Complies with data protection act and best practises
• Protects the rights of its employees, clients, vendors, suppliers and partners 
• Is transparent about how it maintains and processes individuals’ data
• Shields itself from data protection risks such as breaches of confidentiality, failure to provide choice, and adverse publicity

  The GDPR policy applies to:

• The head office of Msinfoworld
• All branches of Msinfoworld
• All brands of Msinfoworld
• All staff and volunteers of Msinfoworld
• All contractors, suppliers and other people working on behalf of Msinfoworld

The General Data Protection Regulation (GDPR) enter into force on May 25, 2018, replacing the Data Protection Act of 1998. It applies to both data controllers and data processors, who are in charge of data protection on a daily basis.

Below definitions of GDPR terms used in this document that may be useful:

• Data Controller (Controller): A legal person, public authority, agency, or other body that, alone or in collaboration with others, sets the aims and means of personal data processing.
• Processor: A natural or legal person, public authority, agency, or other body that processes personal data on the controller’s behalf.
• Data subject: An identifiable natural person is one who can be identified, directly or indirectly.
• Personal data: Any information relating to an identified or identifiable natural person (data subject),
• Sensitive Personal Data: Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed sensitive under applicable law is referred to as “sensitive Personal Data.”

The GDPR applies to personal data, which means any information belonging to an identifiable person who can be identified directly or indirectly, particularly through the use of an identifier. This definition includes a broad range of personal identifiers, such as name, identification number, location data, or online identity, reflecting changes in technology and the way organisations collect information about people.

Msinfoworld uses personal information to:

• Provide B2B lead generation and demand generation services to its clients
• Maintain its own accounts 
• Manage and support its employees
• Manages its internal process like payroll with suppliers and vendors

The company processes personal information about customers, clients, advisers, other professional experts and employees.

This information may include: 

• The person’s name 
• Office addresses 
• Email addresses 
• Phone numbers 
• Any other information relating to the person
• Social interest and purchasing habits

Msinfoworld does not process any sensitive information, which may include:

• Details about physical or mental health
• Religious or other beliefs 
• Racial or ethnic origin
• Membership in a trade union

Obligations as the data controller:

While handling personal information of a Data subject, when processing on data will be done by another party, Msinfoworld acts as the data controller and will therefore comply with the following obligations:-

• Controllers are responsible for GDPR compliance and must only select processors who can provide “sufficient guarantees” that GDPR standards will be implemented and data subjects’ rights will be maintained. (We check all the GDPR compliance and policies implemented by the parties before selecting them for data processing)
• When a data controller employs a data processor, a documented contract must be in place with clear understanding of the goal. (We sign NDAs and MOAs with the parties in order to carry out processing tasks)
• The data controller must ensure written contracts between data controllers and processors comply with GDPR. (proper SOW is prepared wherever necessary)
• Contracts must include the following information:-
  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The controller obligations and rights
  • The processor obligations
• Contracts should state that nothing in the contract relieves the data processor of its own direct responsibilities and liabilities under the GDPR. Data controllers must record and report any serious data breaches to the Information Commissioner’s Office (ICO). Controllers have a legal obligation to give effect to data subjects’ rights.

Obligations as the data processor:

When Msinfoworld processes personal data on behalf of its clients, the company functions as the data processor and the client as the data controller. As a result, Msinfoworld will comply with the following GDPR duties as a data processor:

• The data processor must have adequate security measures in place for processing personal data. (We have IT infra policies and procedures In place, to handle the data processing with the assurance of the security of data)
• The data processor must only act on the data controller’s documented instruction unless required by law to act without such instruction. (We strictly abide to the contract terms in order to process the personal data)
• The data processor must ensure that the people processing the data are subject to a duty of confidence. (All the staff in Msinfoworld has to undergo compulsory GDPR and compliances training modules along with other corporate trainings like Ethical Code of Conduct and Data Security modules, to make them aware about the best practices of handling data)
• The data processor will only engage a sub-processor with the data controller’s prior consent and a written contract. (While processing data, Msinfoworld do not engage any sub-processor, entire processing is done in-house)
• The data processor is required to keep records of personal data and data processing activities. (We strictly follow this as per GDPR terms of Data Retention)
• If the data processor becomes aware of a breach of personal data, it must notify the data controller. (We have process in placed to immediate report to the controller in such cases, However so far, there is not even a single data breach incident at Msinfoworld)
• The processor must assist the data controller in granting subject access and allowing data subjects to exercise their GDPR rights. (We take all the measure to allow data subjects to exercise their GDPR rights)

Sharing Personal Information:

The organization may be required to share the personal information it processes with the individual as well as other organisations. Where this is required, the organisation must comply with all requirements of the GDPR.

When appropriate, the company will share information with:

• Suppliers
• Service providers 
• Local and central government
• Financial organisations
• Business associates and professional advisers 
• Family, associates, and representatives of the individual whose personal data is being processed
• Regulatory and Examining bodies
• Current, previous, or potential employers

Personal data transfer to another country:

Personal information may need to be transferred internationally on occasion. When this information is required, it is only shared inside the European Economic Area (EEA). Any transfers will be carried out in complete conformity with the GDPR.

Retention of personal data:

Personal data must not be retained for any longer than is required for the purpose for which it is processed, according to the General Data Protection Regulation (GDPR). This also implies that there is a time limit on how long consumers’ data can be preserved. Despite the fact that there is no time limit.

Msinfoworld keeps the data records for no longer than 2 years. However, it varies based on the type of data and client’s need. Retention of such data in Msinfoworld is decided based on the client’s requirement of requesting the old data.

Company may preserve data for longer, if it deems it has a genuine interest/reason to do so.

Everyone who works for or with Msinfoworld has accountability for ensuring that data is gathered, stored, and managed lawfully, especially in light of GDPR. Individual data must be handled and treated in accordance with the GDPR policy and data protection principles by all team members who handle it.

Each member must keep records of its processing activities, which must include: 

• Purposes of the processing; 
• Categories of data subjects and personal data processed; 
• Categories of recipients with whom the data may be shared; 
• Information about Cross-Border Data Transfers; 
• The Relevant data retention periods; and 
• Security measures put in place in relation to the processed data

These details must be supplied to data protection authorities upon request.

In Msinfoworld, the only people who should be able to access the data protected by this policy are those who require it for their work.

• Data is not shared informally among employees.
• We train all employees to understand their responsibilities when collecting data.
• We use domain environment to give appropriate permissions in order to access data.
• Data is evaluated on a regular basis and restructured if it is discovered to be out of date. If it is no longer required, it is deleted and discarded.
• Data is only stored on protected servers, and is uploaded to cloud computing services, which are in compliant to GDPR.
• All servers and systems are protected by permitted security software and firewall.
• Timely backup and checks are done to ensure the safety and accuracy of the data.
•  The data protection representative handles data protection questions from staff and anyone else covered by this policy.
• Contracts with third parties and processors who may handle sensitive data for the organisation are evaluated and reviewed.
• Data protection statements are authorized and updated as needed when attached to communications such as emails.
• GDPR rules are followed in all our marketing campaigns.

People with key areas of responsibility:
The board of directors is ultimately accountable for ensuring that Msinfoworld meets its legal obligations.

The Data Protection Officer is responsible for:

• Reviewing all data protection measures and related strategies
• Keeping the board informed of data protection duties, risks, and issues.
• Providing data security training and information to those covered by this policy.
• Reviewing and approving any contracts or agreements with third parties who may handle sensitive data for the organisation.
• Receiving and responding to data privacy inquiries from personnel and anyone else protected by this policy.

The IT Admin is responsible for:

• Ensuring that software services used for data storage fulfil the relevant security standards.
• Conducting regular inspections and scans to ensure that security hardware and software are in good working order.
• Evaluating any third-party services that the organisation may use to store or handle data. For example, cloud computing services.
• Handling the domain environment and implementing the Microsoft Security baseline on all machines in the organisation.

Individuals have the following rights under the GDPR:

1. The right to be informed; 
2. The right of access; 
3. The right to correction; 
4. The right to erasure;
5. The right to limit processing;
6. Data portability rights;
7. The right to object; 
8. Rights concerning automated decision-making and profiling

The right to be informed
We are obliged to offer ‘fair processing information’. The following information must be provided:

• Purpose of processing and legal basis for processing
• Any recipient or groups of receivers of personal data
• Data retention periods 
• Data subject rights 

The right of access
Individuals have the right to access their personal information and further information. The right to access allows individuals to be informed of and verify the legality of the processing. Information must be delivered without delay, and no later than one month after the request is received. Where requests are complex or numerous, the company will be permitted to extend the period of compliance by two months.

The company must verify the identification of the individual making the request.

The right to correction
Individuals have the right to have incorrect or incomplete personal data corrected.
A rectification request must be responded to within one month. If the request is difficult, it can be prolonged by two months.

The right to erasure
The right to erasure allows an individual to request that personal data be deleted or removed if there is no compelling cause for its ongoing processing.

The right to limit processing
Individuals have the right to ‘block’ or inhibit personal data processing. When processing is restricted, the company may save the personal data but not process it further. The company can keep only enough information about the person to guarantee that the restriction is followed in the future. Company will also delete the data if the subject requests to do so.

Data portability rights
Individuals have the right to data portability, which allows them to obtain and reuse their personal data across multiple services. It enables them to effortlessly move, copy, or transfer personal data from one IT environment to another in a safe and secure manner, without interfering with usability. The personal data must be provided by the company in a structured, generally used, and machine-readable format. This should allow other data controllers to use the information. The information must be provided at no cost.

The right to object
Individuals have the right to object to the following types of processing:

• Processing based on legitimate interests 
• Direct marketing (including profiling)

Individuals must file an objection based on “grounds relevant to his or her own circumstances.”
The company must stop processing personal data unless it can demonstrate compelling legitimate reasons for processing and individual permits to process further.

Rights concerning automated decision-making and profiling
The GDPR includes requirements for automated decision-making (making a decision exclusively through automated means without human intervention) and profiling (automated processing of personal data to analyse certain aspects of an individual).
Organizations can only make this type of decision if it is: required for the entrance into or fulfilment of a contract; or authorised by Union or Member state law applicable to the controller; or based on the individual’s explicit permission.
Msinfoworld confirms that no automated decision making or profiling is used in its processing activities.

Subject access Requests
Subject access requests from individuals should be made by email, addressed to the data processing office at dpo@msinfoworld.com The DPO will aim to deliver the relevant data within 30 days, however the period may be extended to 60 days, depending upon the request and complexity of the request.
The DPO will always confirm the individuality of the individual making a subject access request before passing over any information.

In case of any comments, queries or concerns about any of the information in this Policy, or any other issues relating to the Processing of Personal Data carried out by us, or on our behalf, please use the contact form at https://www.msinfoworld.com/contact-us-2/  

The Company has appointed a Data Protection Officer who may be contacted at dpo@msinfoworld.com