Hibyee Software Private Limited (A2z Onlinee), in 2023, constituted a dedicated cross-functional compliance team and laid out the roadmap to GDPR compliance in response to a clear mandate from our Partners and Customers.
What is GDPR?
The General Data Protection Regulation (GDPR), which officially took effect on May 25, 2018, gives people of the European Union (EU) control over their personal information and upholds strict protocols for organizations that collect and process this information.
The GDPR lays down seven core principles. They are:
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
The Data We Collect
According to the GDPR, a data controller is the entity that determines why and how personal data is processed. A data processor handles personal data only on behalf of, and at the direction of, the controller. Depending on where a transaction originates, A2z Onlinee operates either as a data controller or as a data processor.
For transactions originating on the A2z Onlinee platform (website, app), A2z Onlinee is the data controller. When processing data for its partners, who are the data controllers, A2z Onlinee acts as a data processor. The data controllers specify what kinds of data are required from the data subject, i.e. the customer. As the data processor, we process data in accordance with the requirements stated by the data controller.
This data can be of three types:
A. Personal Information (PI): Information that can identify a person, such as an email address, a phone number, an ID card number, a picture, etc.
B. Non-Personal Information (non-PI): Such as the first name, last name, device details, etc.
C. Sensitive Personal Information (SPI): Such as biometrics, genetic data, sexual orientation, race, ethnicity, etc.
Explicit Consent from Data Subjects
We have enabled explicit consent, which must be obtained from customers before their information is processed, to make sure that they are aware of why the information is being collected. Additionally, our privacy policy clearly states the "what," "why," and "how" of processing customer personal data.
Data Subject Rights
A2z Onlinee has implemented processes to acknowledge and respect Data Subject Rights. A data subject may request to exercise their rights by emailing us at "info@A2zOnlinee.com". Since A2z Onlinee is both a data controller and a data processor (processing data at the direction of data controllers), the authority responsible for verifying a customer's data subject rights request is determined by the transaction's origin.
Data Subject Rights consist of:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights related to automated decision-making and profiling
Data Management
A. Data Storage and Security: A2z Onlinee is hosted on AWS, and industry standard procedures for managing data at rest and in transit have been put in place.
B. Data Retention: A2z Onlinee maintains data of all transactions enabled on its own platform and of those enabled on partners' widgets and apps. The retention period is defined in accordance with business and legal needs. We however understand and appreciate the need to give Data Controllers the flexibility to define the data retention period for their own customers. Such provisions are agreed and defined in the contract between the Partners (Data Controller) and A2z Onlinee (Data Processor).
Based on the requirements of the partner, the timeframes may be specified in the contract. The partner may request the deletion of their data from our cloud-based servers. Upon the termination or expiration of the contract, the partner may submit a request to have all data deleted by sending us an email at "info@A2zOnlinee.com". Before processing the request, we validate it and, if necessary, seek confirmation from the partner. Customers of A2z Onlinee may also request the deletion of their credentials by sending an email to "info@A2zOnlinee.com". Once the request has been verified, the information is deleted within 15 days of receiving it.
C. Data Breach Management: To maintain the highest standards of data management and privacy practices, we continually monitor and upgrade our systems and processes. In the unlikely event of a data breach, we intend to notify our partners (Data Controllers), as well as the data subjects (where A2z Onlinee is the Data Controller), as soon as we become aware of such a breach and no later than 24 hours after becoming aware of it.
Our Commitment to World-Class Standards
A2z Onlinee has taken steps to become General Data Protection Regulation (GDPR) compliant in order to meet world-class standards for Data Privacy and Data Security. A2z Onlinee is also ISO 27001:2013 compliant. A2z Onlinee is dedicated to information security and data privacy and is committed to aligning with global best practices in data compliance. To this end, the company has a dedicated team working on these requirements.