Page Comparison

Which countries do you store personal data in, or transfer personal data to? Are any transfers of the PI

Our application and data is hosted in AWS in London, UK.

Sub-processors operate data in the following:

United Kingdom of Great Britain and Northern Ireland

United States of America

India

Expand

title	Which Where / which countries do you store personal data in, or transfer personal data to? Are any transfers of the personal information outside of the UK?

outside of the UK?

More information on sub-processors: https://wwwcommonplace.commonplace.is/subprocessorsatlassian.net/l/cp/11d1YW76

Expand

Do you use appropriate legal mechanisms for all international transfers of personal data?

title		Do you use appropriate legal mechanisms for all international transfers of personal data?

We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which includes Standard Contractual Clauses (SCCs) that are sully GDPR compliant and have been approved by the UK Information Commissioner’s Office (ICO).

More information: https://commonplace.atlassian.net/l/cp/hTQ1VG7K

No. Our local government customers are data controllers and so have access to their own data. We have not had personal data access requests from governments in any other context.

Expand

Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

title		Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

More information: https://commonplace.atlassian.net/l/cp/cWvQfw1h

We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.

Expand

Does your organisation have a nominated Data Protection Officer (DPO)?

title		Does your organisation have a nominated Data Protection Officer (DPO)?

More information: https://commonplace.atlassian.net/l/cp/DnNqrb94

Expand

Does your organisation have an up-to-date Data Protection Policy?

title		Does your organisation have an up-to-date Data Protection Policy?

Yes. Our GDPR Compliance Statement details how we comply with GDPR and is available on request from customers@commonplace.is. This includes information on data controllers and processors, sub-processors and data retention.

More information: https://commonplace.atlassian.net/l/cp/kLj7m2Q0

Does your organisation maintain a record of all personal data collection & processing activities?

Yes, we maintain an audit of key events around personal data collection and processing.

Expand

title	Does your organisation maintain a record of all personal data collection & processing activities?

More information: https://commonplace.atlassian.net/l/cp/3N6QRRc2

Yes, see our privacy policy: https://www.commonplace.is/privacy-policy

Expand

Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

title		Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

More information: https://commonplace.atlassian.net/l/cp/aZNL5wpE

Expand

Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?

title		Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?

As part of ISO27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection elements including DPIAs, including the appointment of new suppliers. A standardised template record is used for operational changes. The development of the Commonplace platform is managed through the development lifecycle.

XXXXX

More information: https://commonplace.atlassian.net/l/cp/GEF1vUvs

Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.

Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is

Two years after the license ends at the latest, each project is archived and anonymised.

Expand

Can your organisation facilitate an individual's data privacy rights?

title		Can your organisation facilitate an individual's data privacy rights?

More information: https://commonplace.atlassian.net/l/cp/R0PB2KEf

Expand

Does your organisation have a Records Retention Policy?

title		Does your organisation have a Records Retention Policy?

Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is

Two years after the license ends at the latest, each project dataset is archived and anonymised. It will not be deleted. The archiving process anonymises all data and removes relationships between data and people, but maintains the website as published (with visible status completed / closed) in the interest of public / open data.

More information: https://commonplace.atlassian.net/l/cp/aSNRQm92

We log every data breach or suspected data breach. We track the date, severity and resolution.

Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and if so to what extent. The assessment is broken up into 2 stages: triage and investigation. The purpose of this is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred with a proportional amount of resource. The objectives of this procedure are:

To identify if a data breach has occurred

To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)

To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

To identify the categories of data subject affected by the breach (clients, employees, etc)

Expand

Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?

title		Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?

To identify the number of data subjects likely to be affected by the breach

To identify the categories of data affected by the breach

To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.

We also have a guidance document as part of our Information Security Management System.

More information: https://commonplace.atlassian.net/l/cp/qQevr3Wm

Yes. XXXXX

Expand

Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

title		Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

More information: https://commonplace.atlassian.net/l/cp/DFkVe71a

Expand

Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?

title		Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?

No.

More information: https://commonplace.atlassian.net/l/cp/s3UCWyCu

Expand

title	Does your organisation process personal data on behalf of another organisation?

Does your organisation process personal data on behalf of another organisation?

Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commonplace from our system. In all cases, customers will be asked for confirmation that they have the right to share this data with Commonplace.

We do not process personal data on behalf of any other organisation.

More information: https://commonplace.atlassian.net/l/cp/BJAo0kxx

Expand

title	Who owns the data collected via Commonplace?

Who owns the data collected via Commonplace?

The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go live date) and Commonplace as independent controllers.

Further detail is available in our GDPR Compliance Statement.https://commonplace.atlassian.net/l/cp/JFbR22ok

Expand

title	Is your organisation registered with the Information Commissioner’s Office for Data Protection purposes?

https://commonplace.atlassian.net/l/cp/6npzwGTU

Information Commissioner’s

Expand

title	Is your organisation registered with the

Isle of Man Information Commissioner's Office for Data Protection purposes?

Yes. Further information is available in our GDPR Compliance Statement.https://commonplace.atlassian.net/wiki/spaces/IDP/pages/2353102853/Isle+of+Man+Information+Commissioner+s+Office+Registration

Expand

title	Does your organisation have a published cookie policy?

Cookie Policy

Expand

title	What happens to the data at the end of the consultation?

End Of Consultation

Version	Old Version 23	New Version Current
Changes made by	Roxy Sanchez	Benjy Meyer
Saved on	Dec 08, 2022	Sept 23, 2024

Versions Compared

Key