Versions Compared

Version Old Version 26 New Version Current
Changes made by

Roxy Sanchez

Benjy Meyer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Which countries do you store personal data in, or transfer personal data to? Are any transfers of the PI

Our application and data is hosted in AWS in London, UK.

Sub-processors operate data in the following:

  • United Kingdom of Great Britain and Northern Ireland

  • United States of America

    • India
    Expand
    titleWhich Where / which countries do you store personal data in, or transfer personal data to? Are any transfers of the personal information outside of the UK?
    outside of the UK?

    More information on sub-processors: https://www.commonplace.is/subprocessorsMore information: https://commonplace.atlassian.net/l/cp/11d1YW76

    Expand
    Do you use appropriate legal mechanisms for all international transfers of personal data?
    titleDo you use appropriate legal mechanisms for all international transfers of personal data?

    We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which includes Standard Contractual Clauses (SCCs) that are sully GDPR compliant and have been approved by the UK Information Commissioner’s Office (ICO).

    More information: https://commonplace.atlassian.net/l/cp/hTQ1VG7K

    Expand
    titleHas your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

    Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?

    No. Our local government customers are data controllers and so have access to their own data. We have not had personal data access requests from governments in any other context.

    More information: https://commonplace.atlassian.net/l/cp/cWvQfw1h

    Does your organisation have a nominated Data Protection Officer (DPO)?

    We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.
    Expand
    titleDoes your organisation have a nominated Data Protection Officer (DPO)?

    More information: https://commonplace.atlassian.net/l/cp/DnNqrb94

    Expand
    Does your organisation have an up-to-date Data Protection Policy?
    titleDoes your organisation have an up-to-date Data Protection Policy?

    Yes. Our GDPR Compliance Statement details how we comply with GDPR and is available on request from customers@commonplace.is. This includes information on data controllers and processors, sub-processors and data retention.

    More information: https://commonplace.atlassian.net/l/cp/kLj7m2Q0

    Expand
    titleDoes your organisation maintain a record of all personal data collection & processing activities?

    Does your organisation maintain a record of all personal data collection & processing activities?

    Yes, we maintain an audit of key events around personal data collection and processing.

    More information: https://commonplace.atlassian.net/l/cp/3N6QRRc2

    Expand
    Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
    titleHas your organisation defined and documented the lawful basis of each instance of personal data collection or processing?

    Yes, see our privacy policy: https://www.commonplace.is/privacy-policyMore information: https://commonplace.atlassian.net/l/cp/aZNL5wpE

    Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?

    As part of ISO27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection elements including DPIAs, including the appointment of new suppliers. A standardised template record is used for operational changes. The development of the Commonplace platform is managed through the development lifecycle.
    Expand
    title Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?

    XXXXX

    More information: https://commonplace.atlassian.net/l/cp/GEF1vUvs

    Can your organisation facilitate an individual's data privacy rights?

    Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.
    Expand
    title Can your organisation facilitate an individual's data privacy rights?

    Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is

    Two years after the license ends at the latest, each project is archived and anonymised.

    More information: https://commonplace.atlassian.net/l/cp/R0PB2KEf

    Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.

    Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is

    Two years after the license ends at the latest, each project dataset is archived and anonymised. It will not be deleted. The archiving process anonymises all data and removes relationships between data and people, but maintains the website as published (with visible status completed / closed) in the interest of public / open data.
    Expand
    Does your organisation have a Records Retention Policy?
    titleDoes your organisation have a Records Retention Policy?

    More information: https://commonplace.atlassian.net/l/cp/aSNRQm92

    Expand
    Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?
    titleDoes your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?

    We log every data breach or suspected data breach. We track the date, severity and resolution.

    Upon becoming aware of a security incident an assessment must be made to understand if a data breach has occurred, and if so to what extent. The assessment is broken up into 2 stages: triage and investigation. The purpose of this is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred with a proportional amount of resource. The objectives of this procedure are:

    • To identify if a data breach has occurred

    • To identify the nature of the breach (from where it originated and if malicious, erroneous, etc)

    • To identify the outcome of the breach (what has happened to the data - temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)

    • To identify the categories of data subject affected by the breach (clients, employees, etc)

    • To identify the number of data subjects likely to be affected by the breach

    • To identify the categories of data affected by the breach

    • To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)

    • To identify the classification of Commonplace in relation to the affected data (Controller or Processor)

    • To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.

    We also have a guidance document as part of our Information Security Management System.

    More information: https://commonplace.atlassian.net/l/cp/qQevr3Wm

    Expand
    titleDoes your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

    Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?

    Yes. XXXXX

    More information: https://commonplace.atlassian.net/l/cp/DFkVe71a

    No.
    Expand
    Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?
    titleHas your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?

    More information: https://commonplace.atlassian.net/l/cp/s3UCWyCu

    Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commonplace from our system. In all cases, customers will be asked for confirmation that they have the right to share this data with Commonplace.

    We do not process personal data on behalf of any other organisation.
    Expand
    Does your organisation process personal data on behalf of another organisation?
    titleDoes your organisation process personal data on behalf of another organisation?

    More information: https://commonplace.atlassian.net/l/cp/BJAo0kxx

    Expand
    Who owns the data collected via Commonplace?
    titleWho owns the data collected via Commonplace?

    The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go live date) and Commonplace as independent controllers.

    Further detail is available in our GDPR Compliance Statement.

    More information: https://commonplace.atlassian.net/l/cp/JFbR22ok

    Expand
    titleIs your organisation registered with the Information Commissioner’s Office for Data Protection purposes?

    https://commonplace.atlassian.net/l/cp/6npzwGTU

    Information Commissioner’s Yes. Further information is available in our GDPR Compliance Statement.
    Expand
    titleIs your organisation registered with the
    Isle of Man Information Commissioner's Office for Data Protection purposes?

    More information: https://commonplace.atlassian.net/l/cp/6npzwGTU/wiki/spaces/IDP/pages/2353102853/Isle+of+Man+Information+Commissioner+s+Office+Registration

    Expand
    titleDoes your organisation have a published cookie policy?

    Cookie Policy

    Expand
    titleWhat happens to the data at the end of the consultation?

    End Of Consultation