Data Protection Policy
Policy information
Organisation, scope and contact
This policy applies to all parts of Opendium Limited, hereafter referred to as Opendium, a company registered in England and Wales with company number 5465437.
Opendium is registered with the Information Commissioner's Office as a data controller with registration number ZA264193.
Opendium's data protection officer is Stephen Hill, Technical Director.
Data protection queries should be submitted by email to dataprotection@opendium.com.
Operational date
This policy is in effect from May 4th 2023 until it is replaced. Replacement policies will be published on the Opendium web site from time to time.
Authorship and approval
This policy was prepared by Stephen Hill, Technical Director and approved by the board on May 4th 2023.
Introduction
Opendium needs to gather and use certain information about individuals. They include customers, users of customers' systems, suppliers, business contacts, employees and other people that Opendium has a relationship with or may need to contact.
This policy describes how these personal data must be collected, handled and stored to meet the company's data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures that Opendium:
- Complies with data protection law and follows good practice.
- Respects and protects the rights of individuals.
- Is open about how it stores and processes individuals' data.
- Keeps data secure.
Definitions
- Opendium - Opendium Limited is a company registered in England and Wales with company number 5465437.
- Data subject - A natural person to which data relates.
- GDPR - Regulation (EU) 2016/679 (General Data Protection Regulation).
Groups of data subjects
Opendium interacts with people and processes their data for a number of distinctly different reasons. For the sake of clarity, we have divided these into different groups and the remainder of this document is divided up such that each group of data subjects only needs to read the sections that apply to them. In some cases a data subject may be a member of more than one group. The groups are defined as follows:
- Visitors to websites owned or operated by Opendium.
- Individuals with whom Opendium has a direct relationship.
- Individuals who have been referred by a third party.
- Users of online safety and network security systems that are supplied by Opendium.
- Users of other systems that are supplied by Opendium.
Website visitors
Who?
This section of the data protection policy applies to visitors to websites that are owned or operated by Opendium.
What?
Data about a subject's browsing habits within our websites may be collected through the use of cookies and log files. Log files typically contain the data subject's IP address and web addresses that the data subject has requested.
Data subjects may submit additional information to the web site by means of forms, such as "contact us" and "request a demo". Data subjects who have contacted us via one of these methods are considered to have a direct relationship with Opendium and their data is therefore also covered by the "Direct relationship" policy.
Why?
The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Cookies are used to enhance the user experience on our web site and we collect log files for fault finding, to improve performance and to analyse trends.
We work with third parties to collect user data for purposes of conversion tracking and serving ads targeted to users’ interests. Users can opt out of some of those third parties’ interest-based advertising through the Do Not Track functionality in their web browser or by setting their Twitter tracking/advertising preferences and following the Google Analytics opt-out instructions.
We will not facilitate the merging of personally-identifiable information with non-personally identifiable information collected through the website without the data subject's express consent. We may make use of the Google Analytics "Demographics and Interest Reports" feature.
Data subjects may submit additional information to the web site by means of forms, the reasons for which are described by the forms themselves.
Log file data are collected in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e).
We may utilise third party data processors, these data may be kept indefinitely and may be shared with law enforcement organisations upon request.
Your rights
Data subjects have the following rights with regard to their data. To exercise any of these rights, contact dataprotection@opendium.com by email.
- Right of access, rectification and erasure of their personal data.
- The right to request restriction of the processing of their data or to object to its processing.
- The right to lodge a complaint with a supervisory authority.
Direct relationship
Who?
This section of the data protection policy applies to individuals with whom Opendium has a direct relationship. This may include, but is not limited to, customers, suppliers, business contacts and employees. Individuals who have made enquiries regarding Opendium's products or services, or with whom Opendium has negotiated a business transaction (whether or not the negotiation was successful), are considered to have a direct relationship.
What?
We may process the following personal data:
- Names
- Contact details (email addresses, telephone numbers, street addresses, etc.)
- The data subject's relationship with our customers and other organisations, such as job title
- Notes
- Emails
- Telephone call recordings
Why?
The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
We may use these data to:
- Send marketing to the data subject regarding our products or services. Note that after an enquiry regarding our products and services, for a period of 6 months following a data subject's last communication we may send follow up communications until such a time as a definite outcome is reached (i.e. either an order is placed, or the data subject informs us that they are no longer interested), and these communications are considered to be an ongoing business negotiation rather than marketing.
- Negotiate a contract regarding our products or services.
- Contact the data subject regarding our products or services.
- Carry out obligations arising from any contracts between ourselves and the data subject themselves or organisations with which the data subject is involved.
- Send the data subject communications that they have requested.
- Carry out business with the data subject or organisations with which the data subject is involved.
- Process a job application.
We may utilise third party data processors, but we will not share these data with other third parties except with the data subject's permission. These data may be kept indefinitely and may be shared with law enforcement organisations upon request.
- After an enquiry regarding our products and services, for a period of 6 months following a data subject's last communication we may send follow up communications until such a time as a definite outcome is reached (i.e. either an order is placed, or the data subject informs us that they are no longer interested). Communications during this period are considered to be an ongoing business negotiation rather than marketing.
- This limitation does not apply to generic contact addresses such as "itmanager@example.com".
Your rights
Data subjects have the following rights with regard to their data. To exercise any of these rights, contact dataprotection@opendium.com by email.
- Right of access, rectification and erasure of their personal data.
- The right to request restriction of the processing of their data or to object to its processing.
- The right to lodge a complaint with a supervisory authority.
Referrals
Who?
This section of the data protection policy applies to individuals who's personal data has been passed to Opendium by a third party in the interests of negotiating a business transaction between Opendium and the data subject. If an individual expresses an interest in our products or services, they will be considered to have a direct relationship with Opendium and therefore their data will also be covered by the "Direct relationship" policy.
What?
We may process the following personal data:
- Names
- Contact details (email addresses, telephone numbers, street addresses, etc.)
- The data subject's relationship with our customers and other organisations, such as job title
- Notes
- Emails
- Telephone call recordings
Why?
The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
We may use these data to:
- Contact the data subject regarding our products or services
- Carry out obligations arising from any contracts between ourselves and organisations with which the data subject is involved.
- Send the data subject communications that they have requested.
- Carry out business with the data subject or organisations with which the data subject is involved.
We may utilise third party data processors, but we will not share these data with other third parties except with the data subject's permission. These data may be kept indefinitely and may be shared with law enforcement organisations upon request.
Your rights
Data subjects have the following rights with regard to their data. To exercise any of these rights, contact dataprotection@opendium.com by email.
- Right of access, rectification and erasure of their personal data.
- The right to request restriction of the processing of their data or to object to its processing.
- The right to lodge a complaint with a supervisory authority.
Online safety users
Who?
Opendium supplies online safety systems to a variety of organisations, such as schools. This section of the data protection policy applies to individuals who's data are processed by Opendium online safety products. This generally includes, but is not limited to: staff, students and visitors of organisations that use Opendium online safety products.
We are not the controller of the data that are collected by online safety systems. The controller for these data is likely to be the organisation that operates the online safety system and they are therefore the point of contact for data protection enquiries. However:
- In order to provide technical support, our engineers generally have access to data stored on each customer's system. We are therefore regarded as a data processor. This document describes our policies which determine how we may process that data.
- We are the controller for the following personal data relating to users of Opendium online safety systems:
- Some types of data that are collected by systems owned or operated by Opendium for network security reasons and automated fault reporting in accordance with Recital 49 of GDPR.
- "Example data" which have been exported from an Opendium online safety system.
- Personal data that are provided directly to us by the data subject.
What?
The following personal data may be routinely collected by online safety systems and are not controlled by us:
- User names
- Real names
- Contact information, such as email addresses
- Ages or year groups
- Passwords
- Notes / comments made by the system administrator
- Emails
- Network addresses
- Network traffic and web browsing history, including decrypted traffic
These data could include data which GDPR deems "special categories of personal data".
The above data may also be collected and controlled by us and stored on systems owned or operated by us in the following circumstances:
- For network security reasons and automated fault reporting. These are collected in accordance with Recital 49 of GDPR.
- As an anonymised or pseudonymised export of "example data" from an Opendium online safety system.
- In relation to a web site that the data subject has reported as miscategorised. The data subject will have submitted their personal data directly to us.
Opendium may collect and control anonymised or pseudonymised data.
Why? - customer controlled data
Schools have a number of online safeguarding obligations under the Prevent duty and the Keeping Children Safe in Education guidance. The internet filtering and reporting systems that allow schools to carry out these duties have to collect a large amount of personal data about the users in the form of internet traffic logs.
Opendium is not the controller of these data and it is the data controller's responsibility to determine the lawful basis for gathering these data and acquire any necessary consent from the data subjects.
In order to provide technical support, our engineers generally have access to data stored on each customer's system. Our engineers will protect the data as follows:
- We will not transfer personal data from a customer's system to any system that is not owned or operated by either us or that customer without written authorisation of the customer or the data subject.
- We may transfer personal data from a customer's system to systems that are owned or operated by us for the following reasons:
- To provide off-site backups of the system
- To provide the customer with technical support or for fault finding. These data may be stored in Opendium support tickets and will be deleted from our other systems as soon as they are no longer required, or within one month at the most, unless we receive written authorisation to extend the retention period.
- To assist the customer with their safeguarding duties.
- As anonymised or pseudonymised data. These are referred to as "example data" and are controlled by us. We will not attempt to deanonymise them. We may allow third parties to access these anonymised or pseudonymised data, who will be held to the same standards as ourselves.
- Personal data which are stored on our systems will be retained for no longer than three years unless we are instructed in writing to extend this retention period. These data will be deleted within one month of the termination of our data processing agreement unless it is extended or replaced.
- No personal data will be sent from or accepted to an Opendium employee's direct email address or telephone number. Limited transfers of personal data may be made by means of our support email address or telephone number. Support tickets and emails are considered unstructured data in accordance with Recital 15 or GDPR and we will apply a "best efforts" approach with regards to any personal data which they contain. Employees receiving any such emails will delete the email and inform the sender that they must resend it to our support address. However, our email system may retain archived copies.
- We may process personal data in order to provide the customer with technical support and for fault finding purposes.
- We may process personal data for other reasons upon written authorisation from the customer.
We may utilise third party data processors.
Your rights - customer controlled data
Data subjects have a number of rights with regards to their data. Please contact the data controller (which is likely to be the organisation that operates the online safety system) to ask about or exercise any of your rights.
Why? - Opendium controlled data
The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
- We receive automated fault reports which may contain personal data in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e). It is not practical to separate any personal data in these reports from other data and as these data are controlled by Opendium, they will not be erased upon termination of the data processing agreement. These fault reports are used to improve our products and provide technical support to our customers. These data may be retained indefinitely.
- Anonymised or pseudonymised "example data" may be exported from an Opendium system and used to improve and demonstrate our systems. They may be made available to third parties, with appropriate contractual restrictions to prevent any attempted deanonymisation. These data may be retained indefinitely.
- If a data subject reports that a website has been miscategorised, we may use their personal data to help to evaluate the reported web site. As a result of the report, anonymised data may be recorded within our filtering database. These data will be retained for no longer than three years (except for anonymised data recorded within our filtering database, which may be retained indefinitely).
We may share these data with the customer where we have safeguarding or security concerns, in order to provide technical support to the customer, or to assist with recategorisation of a reported website. These data may be shared with law enforcement organisations and isolated and anonymised parts may be passed to third party organisations, such as the Internet Watch Foundation. We may utilise third party data processors.
Your rights - Opendium controlled data
Data subjects have the following rights with regard to their data. To exercise any of these rights, contact dataprotection@opendium.com by email.
- Right of access, rectification and erasure of their personal data.
- The right to request restriction of the processing of their data or to object to its processing.
- The right to lodge a complaint with a supervisory authority.
Other users
Who?
Opendium supplies various systems not described elsewhere in this document. This section of the data protection policy applies to individuals who's data are processed by these systems. This may include, but is not limited to: staff, visitors and customers of organisations that use these systems.
We are not the controller of the data that are processed by these system. The controller for these data is likely to be the organisation that operates the system and they are therefore the point of contact for data protection enquiries. However:
- In order to provide technical support, our engineers generally have access to data stored on each customer's system. Therefore we are regarded as a data processor. This document describes our policies which determine how we may process that data.
- We are the controller of some data that is collected for network security reasons and automated fault reporting in accordance with Recital 49 of GDPR.
What?
Please refer to the data controller for information about what data may be processed.
Personal data may also be collected and controlled by us and stored on systems owned or operated by us for network security reasons and automated fault reporting in accordance with Recital 49 of GDPR. These data may include data such as IP addresses and user names.
Opendium may collect and control anonymised or pseudonymised data.
Why? - customer controlled data
Opendium is not the controller of these data and it is the data controller's responsibility to determine the lawful basis for collecting these data.
In order to support our customers, our engineers generally have access the data stored on each customers' systems. Our engineers will protect the data as follows:
- We will not transfer personal data from a customer's system to any system that is not owned or operated by either us or that customer.
- We may transfer personal data from a customer's system to systems that are owned or operated by us for the following reasons:
- To provide off-site backups of the system
- To provide the customer with technical support or for fault finding. These data may be stored in Opendium support tickets and will be deleted from our other systems as soon as they are no longer required, or within one month at the most, unless we receive written authorisation to extend the retention period.
- As anonymised or pseudonymised data. These are referred to as "example data" and are controlled by us We will not attempt to deanonymise them. We may allow third parties to access these anonymised or pseudonymised data, who will be held to the same standards as ourselves.
- Personal data which are stored on our systems will be retained for no longer than three years unless we are instructed in writing to extend this retention period. These data will be deleted within one month of the termination of our data processing agreement unless it is extended or replaced.
- No personal data will be sent from or accepted to an Opendium employee's direct email address or telephone number. Limited transfers of personal data may be made by means of our support email address or telephone number. Support tickets and emails are considered unstructured data in accordance with Recital 15 or GDPR and we will apply a "best efforts" approach with regards to any personal data which they contain. Employees receiving any such emails will delete the email and inform the sender that they must resend it to our support address. However, our email system may retain archived copies.
- We may process personal data in order to provide the customer with technical support and for fault finding purposes.
- We may process personal data for other reasons upon written authorisation from the customer.
Your rights - customer controlled data
Data subjects have a number of rights with regards to their data. Please contact the data controller (which is likely to be the organisation that operates the system) to ask about or exercise any of your rights.
Why? - Opendium controlled data
The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
- We receive automated fault reports which may contain personal data in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e). It is not practical to separate any personal data in these reports from other data and as these data are controlled by Opendium, they will not be erased upon termination of the data processing agreement. These fault reports are used to improve our products and provide technical support to our customers. These data may be retained indefinitely.
- Anonymised or pseudonymised "example data" may be exported from an Opendium system and used to improve and demonstrate our systems. They may be made available to third parties, with appropriate contractual restrictions to prevent any attempted deanonymisation. These data may be retained indefinitely.
We may share these data with the customer where we have security concerns or in order to provide technical support to the customer. These data may be shared with law enforcement organisations. We may utilise third party data processors.
Your rights - Opendium controlled data
Data subjects have the following rights with regard to their data. To exercise any of these rights, contact dataprotection@opendium.com by email.
- Right of access, rectification and erasure of their personal data.
- The right to request restriction of the processing of their data or to object to its processing.
- The right to lodge a complaint with a supervisory authority.