Data Security

Synertec have numerous procedures and protections in place in order to maintain the highest level of data security for our customers.

Synertec are a Processor, with each customer being a Controller for their own data.

General

1. The Processor shall put in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data having regard to the specific requirements set out in this Agreement, the state of technical development and the level of harm that may be suffered by the Controller and/or by a Data Subject whose Personal Data is affected, by such unauthorised or unlawful processing or by its loss, damage or destruction.

2. Other than as required by the contracted service and permitted by this Agreement, the Data Processor shall not under any circumstances (save as required by law) share, disclose or otherwise reveal Customer Data (in whole or in part) to any individual, business or other organisation (third party) not directly involved in delivery of the contracted service without the explicit written consent of the Controller.

3. The Processor shall notify the Controller promptly (and in any event no later than two (2) working days after discovery) of any untoward incidents or activities that suggest non-compliance with any of the terms of this Agreement. This includes ‘near miss’ situations even if no actual damage to or loss or inappropriate disclosure of Customer Data results.

Physical

4. The Processor shall ensure that all Customer Data is physically protected from accidental or deliberate loss or destruction arising from environmental hazards such as fire or flood.

5. The Processor shall ensure that all Customer Data is held on premises that are adequately protected from unauthorised entry and/or theft of Customer Data or any IT equipment on which it is held by, for example, the use of burglar alarms, security doors, ram-proof pillars, controlled access systems, etc.

IT Systems

6. The Processor shall hold electronically-based Customer Data on secure servers unless otherwise agreed in writing.


7. Customer Data will, under no circumstances, be stored on portable media or devices such as laptops or USB memory sticks or CD-ROM except where requested by the Controller, and only then once agreed in writing and subject, at a minimum, to those constraints detailed in clause 11.3.


8. The Processor shall ensure that:

  • All portable media used for storage or transit of Customer Data are fully encrypted to a minimum standard of AES (256-bit)
  • Portable media are not left unattended at any time (e.g. in parked cars, in unlocked & unoccupied rooms, etc.)
  • When not in use, all portable media are stored in a locked area and issued only when required to authorised and named employees, with a record kept of issue and return


9. The Processor shall not allow employees to hold Customer Data on their own personal computers.


10. The Processor shall ensure adequate back-up facilities to minimise the risk of loss of or damage to Customer Data and that a robust business continuity plan is in place in the event of restriction of service for any reason.


11. The Processor shall not transmit Customer Data by email except as an attachment encrypted to 128-bit or better AES standards, unless sending non-encrypted email is essential for delivery of the contracted service or is required by the Controller and has been agreed in writing.


12. The Processor shall only make printed paper copies of Customer Data if this is essential for delivery and support of the contracted service.


13. The Processor shall store printed paper copies of Customer Data in locked cabinets when not in use and shall not remove them from the premises unless it is essential for delivery of the contracted service. Any printed paper copies that do leave the premises will be enclosed and sealed in an envelope and handed over to Royal Mail or another Downstream Access provider for delivery to the recipient specified by the Controller.

Secure Destruction

14. The Processor shall ensure that Customer Data held in paper form (regardless of whether as originally provided by the Controller or printed from the Processor’s IT systems) is destroyed using a cross cut shredder or subcontracted to a confidential waste company that complies with DIN 66399 P-3 standard (or better).

15. The Processor shall ensure that electronic storage media used to hold or process Customer Data is destroyed using a Department of Defence approved degausser device or overwritten using software that sanitises to Gutmann standards.


16. In the event of any bad or unusable sectors that cannot be overwritten, the Processor shall ensure complete and physical destruction of the media itself.

17. The Processor shall on request provide the Controller with copies of all relevant overwriting verification reports and/or certificates of secure destruction of Customer Data at the conclusion of the contracted service.


Subject matter and nature of the Processing

The subject matter of the Processing is communications with the Controller’s customers, suppliers, staff, etc in the support of business operations.

The nature of the Processing is sending letters, electronic communications or any other service described within the service agreement between the Parties to the Controller’s customers, suppliers, staff, etc as required by the Controller.

Purpose of Processing

The purpose of the Processing is to provide the agreed/contracted service to the Controller.

Duration of the Processing

For so long as is required to deliver the agreed/contracted service and a valid Data Processing Agreement remains in effect.

Categories of Data Subjects

The Personal Data to be processed concern the following data subjects:

  • Employees of the Controller
  • Customers of the Controller
  • Parents, carers and advocates of customers of the Controller
  • Suppliers of the Controller

Type of Personal Data

The Personal Data to be processed include some or all of the following types of data:

  • Name
  • Address
  • Date of Birth
  • Identification numbers
  • Email Address
  • Phone numbers (mobile or other)
  • Bank Details
  • Vehicle Registration Numbers
  • Salary
  • Taxation documents
  • Financial status

Special categories of data

The personal data to be processed concern the following special categories of personal data:

None

Definitions

Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing, all have the meanings given to them in the Data Protection Legislation.

Confidential Information: any information or combination of information that contains details about an organisation or an individual person that was provided in an expectation of confidence. This includes, for example, non-personal corporate or technical information that is commercially sensitive, drafts of documents that are not ready for publication, restricted information and documents, etc., as well as personal data.

Customer Data: any Personal Data (including special category Personal Data) and Confidential Information processed by the Processor on behalf of the Controller or in connection with the provision of the contracted service. This includes all information supplied to the Processor by the Controller and any additional information that the Processor obtains during the term of the contract, and shall apply equally to original Customer Data and all back-up and/or copies printed out, but excludes any Personal Data to the extent that a specific contracted service requires the Processor to process such Personal Data as a controller.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
