- Created by Benjy Meyer , last modified by Roxy Sanchez on Dec 08, 2022
Which countries do you store personal data in, or transfer personal data to? Are any transfers of the personal data made outside of the UK?
Our application and data is hosted in AWS in London, UK.
Sub-processors process data in the following countries:
United Kingdom of Great Britain and Northern Ireland
United States of America
India
More information on sub-processors: https://www.commonplace.is/subprocessors
Do you use appropriate legal mechanisms for all international transfers of personal data?
We use sub-processors to deliver various parts of our service, some of which are outside the UK. We have a signed contract with every sub-processor, each of which includes Standard Contractual Clauses (SCCs) that are fully GDPR compliant and have been approved by the UK Information Commissioner’s Office (ICO).
More information: https://commonplace.atlassian.net/l/cp/hTQ1VG7K
Has your organisation been subject to any personal data access requests from governments or other authorities in the last 24 months?
No. Our local government customers are data controllers and so have access to their own data. We have not had personal data access requests from governments in any other context.
More information: https://commonplace.atlassian.net/l/cp/cWvQfw1h
Does your organisation have a nominated Data Protection Officer (DPO)?
We do not have a Data Protection Officer. Leigh Gordine is our Data Protection Manager.
More information: https://commonplace.atlassian.net/l/cp/DnNqrb94
Does your organisation have an up-to-date Data Protection Policy?
Yes. Our GDPR Compliance Statement details how we comply with GDPR and is available on request from customers@commonplace.is. This includes information on data controllers and processors, sub-processors and data retention.
More information: https://commonplace.atlassian.net/l/cp/kLj7m2Q0
Does your organisation maintain a record of all personal data collection & processing activities?
Yes, we maintain an audit of key events around personal data collection and processing.
More information: https://commonplace.atlassian.net/l/cp/3N6QRRc2
Has your organisation defined and documented the lawful basis of each instance of personal data collection or processing?
Yes, see our privacy policy: https://www.commonplace.is/privacy-policy
More information: https://commonplace.atlassian.net/l/cp/aZNL5wpE
Does your organisation conduct a Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to individuals?
As part of our ISO 27001 certified ISMS we have a documented Change Management Policy that incorporates information security and data protection elements, including DPIAs, and covers the appointment of new suppliers. A standardised template record is used for operational changes. The development of the Commonplace platform is managed through the development lifecycle.
XXXXX
More information: https://commonplace.atlassian.net/l/cp/GEF1vUvs
Can your organisation facilitate an individual's data privacy rights?
Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.
Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is
Two years after the license ends at the latest, each project is archived and anonymised.
More information: https://commonplace.atlassian.net/l/cp/R0PB2KEf
Does your organisation have a Records Retention Policy?
Yes, please see details in our https://www.commonplace.is/privacy-policy and our GDPR compliance statement.
Respondents can use their profile: profile.commonplace.is to update their data at any time. This includes all demographic data (except anonymised special category data) and communication preferences. They can also request deletion from here or by emailing support@commonplace.is
Two years after the license ends at the latest, each project dataset is archived and anonymised. It will not be deleted. The archiving process anonymises all data and removes relationships between data and people, but maintains the website as published (with visible status completed / closed) in the interest of public / open data.
More information: https://commonplace.atlassian.net/l/cp/aSNRQm92
Does your organisation have robust detection, investigation and reporting procedures in place for personal data breaches, including maintaining a record of all personal data breaches?
We log every data breach or suspected data breach. We track the date, severity and resolution.
Upon becoming aware of a security incident, an assessment must be made to understand whether a data breach has occurred and, if so, to what extent. The assessment is broken up into two stages: triage and investigation. The purpose of this is to ensure that appropriate mechanisms are in place to identify when a data breach has occurred, using a proportionate amount of resource. The objectives of this procedure are:
To identify if a data breach has occurred
To identify the nature of the breach (where it originated and whether it was malicious, erroneous, etc.)
To identify the outcome of the breach (what has happened to the data: temporary/permanent loss, erroneous transmission to a trusted supplier, theft, accidental/malicious change)
To identify the categories of data subject affected by the breach (clients, employees, etc)
To identify the number of data subjects likely to be affected by the breach
To identify the categories of data affected by the breach
To identify if the data is likely to be used in a manner that could be detrimental to data subjects (risks to rights and freedoms)
To identify the classification of Commonplace in relation to the affected data (Controller or Processor)
To identify if a data breach needs to be reported to the ICO, Data Controllers or Data Subjects.
We also have a guidance document as part of our Information Security Management System.
More information: https://commonplace.atlassian.net/l/cp/qQevr3Wm
Does your organisation have a process for notifying the relevant Authority and all relevant parties (e.g. data controllers) when a breach occurs?
Yes. XXXXX
More information: https://commonplace.atlassian.net/l/cp/DFkVe71a
Has your organisation suffered a security incident that led to a Personal Data breach in the last 6 months?
No.
More information: https://commonplace.atlassian.net/l/cp/s3UCWyCu
Does your organisation process personal data on behalf of another organisation?
Not normally. Occasionally, our customers will ask to upload an existing user database into Commonplace so that these users can be subscribed to receive emails about the Commonplace from our system. In all cases, customers will be asked for confirmation that they have the right to share this data with Commonplace.
We do not process personal data on behalf of any other organisation.
Who owns the data collected via Commonplace?
The data will be owned by the customer organisation (or multiple organisations, so long as they are listed on the Team page from the project go-live date) and Commonplace as independent controllers.
Further detail is available in our GDPR Compliance Statement.
Is your organisation registered with the Information Commissioner’s Office for Data Protection purposes?
Yes. Further information is available in our GDPR Compliance Statement.