WinWithMe Direct Messaging Software
RECORDS MANAGEMENT POLICY
1.1. This policy, together with the associated standards, applies to the management of all documents and records, in all technical or physical formats or media, created or received by Estratos Digital GmbH (Austria) in the conduct of its business activities while providing WinWithMe Direct Messaging Software as a Software-as-a-Service (SaaS) offering. It applies to all staff, contractors, consultants and third parties who are given access to our documents, records and information processing facilities.
1.2. Estratos Digital GmbH (Austria) is committed to maintaining the confidentiality of its information and ensuring that all records within Estratos Digital GmbH (Austria) are accessible only to the appropriate individuals. In line with the requirements of the General Data Protection Regulation (GDPR), Estratos Digital GmbH (Austria) also has a responsibility to ensure that all records are kept only for as long as is necessary to fulfil the purpose(s) for which they were intended.
1.3. Estratos Digital GmbH (Austria) has created this policy to outline how records are stored, accessed, monitored, retained and disposed of, in order to meet its statutory requirements. This policy applies to all records created, received, maintained or processed by staff of Estratos Digital GmbH (Austria) in undertaking its functions.
1.4. Records are defined as all documents which facilitate the business carried out by Estratos Digital GmbH (Austria) and are retained for a defined period of time in order to provide evidence of its transactions and activities. Documentation is processed in electronic format; hard copies are printed and held only if this is required by law, by a Client of Estratos Digital GmbH (Austria) acting as data controller of the given data, or by the data subject.
1.5. This document complies with the requirements set out in the GDPR. The retention periods outlined in this policy are good practice guidelines; when implementing these timeframes, the decision making process of Estratos Digital GmbH (Austria) must take into account any requirement of the controller of the given data to set shorter retention periods.
2. LEGAL FRAMEWORK
2.1. This policy has due regard to legislation including, but not limited to, the following:
General Data Protection Regulation (2016)
Personal Data Protection Act of Austria (Datenschutzgesetz, 1999)
2.2. This policy will be implemented in accordance with the following policies and procedures:
Data Protection Policy
Terms and conditions of Estratos Digital GmbH (Austria) products
3. RESPONSIBILITIES
3.1. Estratos Digital GmbH (Austria) as a whole has a responsibility for maintaining its records and recordkeeping systems in line with statutory requirements.
3.2. The Managing Partner holds overall responsibility for this policy and for ensuring it is implemented correctly.
3.3. The Data Protection Officer (hereinafter: DPO) supports the management of records.
3.4. The Managing Partner is responsible for promoting compliance with this policy and reviewing the policy on an annual basis, in conjunction with the DPO.
3.5. The Managing Partner is responsible for ensuring that all records are stored securely, in accordance with the retention periods outlined in this policy, and are disposed of correctly.
3.6. All staff members are responsible for ensuring that any records for which they are responsible are accurate, maintained securely and disposed of correctly, in line with the provisions of this policy.
3.7. The Managing Partner is responsible for ensuring that any contracts held with third parties who process personally identifiable information (considered data processors or subprocessors as outlined in the GDPR) are compliant with the GDPR.
4. MANAGEMENT OF PERSONAL DATA AS A DATA PROCESSOR
4.1. Estratos Digital GmbH (Austria)’s primary activity is providing IT solutions for social issue, advocacy and political campaigns as a data processor. Estratos Digital GmbH (Austria)’s product, WinWithMe, is an opt-in only messaging channel management software, and Estratos Digital GmbH (Austria) offers the services of other opt-in only tools facilitating the communication of the client organisations (political parties, NGOs, advocacy groups, hereinafter referred to as Clients) with private individuals who have freely given their consent for the use of the product. The rights and duties of the controller are exercised by the Clients without any limitation.
4.2. The following information is stored by Estratos Digital GmbH (Austria) as processor via the products under point 4.1.:
name (Facebook name),
Facebook Page-Scoped Identification Number (Facebook PSID),
the messages and answers, free text inputs sent and messages received by the data subject via WinWithMe,
e-mail address, phone number and ZIP code, where the data subject has given the separate consent for the use of these contact data described under point 5.1.
4.3. Estratos Digital GmbH (Austria) will comply with its Clients’ instructions unless EU or EU Member State law to which Estratos Digital GmbH (Austria) is subject requires other processing of Client personal data, in which case Estratos Digital GmbH (Austria) will inform its Client (unless that law prohibits Estratos Digital GmbH (Austria) from doing so on important grounds of public interest). Client instructions are to be given in written form, normally by the electronic means used for the communication between the parties.
4.4. Estratos Digital GmbH (Austria) gives Clients direct access to the individual records containing personal data, as well as the ability to delete those records without any further action by Estratos Digital GmbH (Austria).
5. RETENTION OF PERSONAL DATA AS A DATA PROCESSOR
5.1. The retention periods for individual records processed by Estratos Digital GmbH (Austria) via the products under point 4.1., and the action that will be taken after the retention period, are based on a system of double opt-in. Names, social network identification numbers, Facebook PSIDs and messages sent and received by the data subject via the products are deleted automatically upon the withdrawal of the consent given by the data subject for the use of the products. E-mail addresses, phone numbers and ZIP codes are deleted automatically either upon the withdrawal of the consent given by the data subject for the use of the products or upon the withdrawal of the separate consent given by the data subject for the use of these contact data. In any case, the data is automatically deleted three years after the data subject’s last interaction via the products.
5.2. Electronic copies of any information and files will be destroyed in line with the retention periods above.
6. STORING AND PROTECTING INFORMATION
6.1. The DPO will undertake a risk analysis to identify which records are vital to Estratos Digital GmbH (Austria)’s management and these records will be stored in the most secure manner.
6.2. Estratos Digital GmbH (Austria) operates an effective backup system to ensure that all data can still be accessed in the event of a security incident (e.g. a malware infection) and to prevent any loss or theft of data, in order to comply with the principle of integrity and confidentiality under the GDPR and to ensure business continuity. Backups of data must be made on a regular basis. Backed-up information is stored off the premises, using a backup service operated by a provider who is compliant with the GDPR. Estratos Digital GmbH (Austria) has a system restore protocol in place.
6.3. Estratos Digital GmbH (Austria) provides 24/7 DevOps support for its Clients and continuous monitoring of the proper functioning of its products and infrastructure. Estratos Digital GmbH (Austria) runs integrity and load tests of its systems to ensure safe functioning.
6.4. Estratos Digital GmbH (Austria) maintains secure user identification methods for its Clients.
6.5. Confidential paper records are kept in a locked filing cabinet, drawer or safe, with restricted access only to those personnel who require access to fulfill their delegated duties in accordance with their job role. Confidential paper records including records containing personal information are not left unattended or in clear view when held in a location with general access.
6.6. Digital data is encrypted or password-protected, both on local hard drives and on the network drive, which is regularly backed up off-site.
6.7. Data is not saved on removable storage.
6.8. Memory sticks are not used to hold personal information.
6.9. All electronic devices (including portable devices) used by Estratos Digital GmbH (Austria) are password-protected to protect the information on the device in case of theft. Estratos Digital GmbH (Austria) staff members must enable electronic devices to allow the remote blocking or deletion of data in case of theft.
6.10. Estratos Digital GmbH (Austria) staff members do not use non-encrypted personal laptops, computers, phones or other electronic devices for business purposes which involve the downloading or storing of personally identifiable or confidential data.
6.11. All members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
6.12. Emails containing sensitive, personal or confidential information are encrypted or password-protected to ensure that only the recipient is able to access the information. The password will be shared with the recipient in a secure and appropriate format.
6.13. Data stored on encrypted hard drives or USB drives must not be stored on or downloaded to personal devices.
6.14. All documents accessed by members of staff outside the premises via a portable electronic device must be accessed using the services designated by Estratos Digital GmbH (Austria). Personal accounts must not be used to access Estratos Digital GmbH (Austria) data.
6.15. All staff members apply a ‘clear desk policy’ to avoid unauthorized access to physical records containing sensitive, confidential or personal information. All confidential information will be stored in a securely locked filing cabinet, drawer or safe with restricted access.
6.16. Personal data must not be stored on the hard drive of any device unless it is running appropriate encryption software.
6.17. Data must be subject to a robust password protection regime. Password sharing is not permitted.
6.18. Computers must be locked when not staffed to prevent unauthorized access.
6.19. Under no circumstances are visitors allowed access to confidential or personal information. Visitors accessing areas containing sensitive information are supervised at all times.
6.20. The physical security of Estratos Digital GmbH (Austria)’s offices and storage systems, and access to them, is reviewed termly (and documented) by the person with responsibility for sites in conjunction with the DPO. If an increased risk in vandalism, burglary or theft is identified, this will be reported to the Managing Partner and extra measures to secure data storage will be put in place. Data Protection Impact Assessments are undertaken where required.
6.21. Archive rooms should be lockable and secure, and be able to maintain restricted access.
6.22. All members of Estratos Digital GmbH (Austria)’s staff are obliged to sign a non-disclosure agreement before being given access to personal data. Estratos Digital GmbH (Austria) takes its duties under the GDPR seriously and any unauthorized disclosure may result in disciplinary and criminal action.
6.23. The DPO is responsible for ensuring that business continuity and recovery measures are in place to ensure the security of protected data.
7. SUBPROCESSORS
7.1. Before onboarding subprocessors, Estratos Digital GmbH (Austria) conducts an audit of the security and privacy practices of the subprocessors to ensure that they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfil the obligations under the GDPR.
7.2. Estratos Digital GmbH (Austria) uses the Google Cloud Platform and the Firebase Realtime Service as subprocessors to store and access personal data while providing the services of WinWithMe (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter “Google”). Google’s Data Processing and Security Terms are available at: https://cloud.google.com/terms/data-processing-terms. Estratos Digital GmbH (Austria) uses the EU-based cloud infrastructure of Google. While providing services to Clients in Brazil, a local Google Cloud environment is used that stores data in São Paulo, in accordance with the LGPD regulations.
8. ACCESSING INFORMATION
8.1. Where Estratos Digital GmbH (Austria) acts as a data controller, it is transparent with data subjects about the information it holds and how it can be accessed.
8.2. As a data processor, Estratos Digital GmbH (Austria) provides its Clients with all the relevant information to enable them to act as transparent data controllers.
9. DATA SEGREGATION AND LOGGING
9.1. Estratos Digital GmbH (Austria) stores data in a single-tenant environment on the servers of the cloud service providers under point 7.2. In addition, Estratos Digital GmbH (Austria) logically isolates each Client’s data.
9.2. Estratos Digital GmbH (Austria) keeps a continuous and verifiable log of all operations performed on the processed personal data.
10. DATA INCIDENTS
10.1. If Estratos Digital GmbH (Austria) becomes aware of a Data Incident, Estratos Digital GmbH (Austria) will: (a) notify the Client of the Data Incident promptly and without undue delay after becoming aware of it; and (b) promptly take reasonable steps to minimize harm and secure Client data.
10.2. Notifications made pursuant to this section will describe, to the extent possible, the details of the Data Incident, including the steps taken to mitigate the potential risks and the steps Estratos Digital GmbH (Austria) recommends the Client take to address the Data Incident.
10.3. Notification(s) of any Data Incident(s) will be delivered by e-mail or, at Estratos Digital GmbH (Austria)’s discretion, by direct communication (for example, by phone call or an in-person meeting).
10.4. Estratos Digital GmbH (Austria) will not assess the contents of Client data to identify information subject to any specific legal requirements. The Client is solely responsible for complying with the incident notification laws applicable to the Client and for fulfilling any third party notification obligations related to any Data Incident(s).
10.5. No acknowledgement of fault. Estratos Digital GmbH (Austria)’s notification of or response to a Data Incident under this Section 10 (Data Incidents) will not be construed as an acknowledgement by Estratos Digital GmbH (Austria) of any fault or liability with respect to the Data Incident.
11. INFORMATION AUDIT
11.1. Estratos Digital GmbH (Austria) will conduct an information audit on an annual basis covering all information held by it, to ensure that it is correctly managed in accordance with the GDPR.
11.2. The information audit may be completed in a number of ways, including, but not limited to, interviews with staff members with key responsibilities to identify information and information flows, and questionnaires to key staff members for the same purpose.
11.3. The DPO is responsible for completing the information audit.
11.4. Estratos Digital GmbH (Austria) cooperates with its Clients in all audits and monitoring activities that they carry out to verify compliance with the GDPR.
12. DISPOSAL OF DATA
12.1. All records containing personal or confidential information must be disposed of in a way which ensures they are unreadable and cannot be reconstructed. Paper records must be shredded using a cross-cut shredder, CDs/DVDs must be cut into small pieces, and hard drives must be securely wiped (or physically destroyed) using a method appropriate to the nature of the data stored on them.
12.2. In case of an opt-out performed by the data subject, the relevant personal data must also be deleted from the log under point 9.2, unless a statutory provision, the Client or the data subject requires otherwise in accordance with the GDPR.
13. MONITORING AND REVIEW
13.1. This policy will be reviewed on an annual basis by the Managing Partner in conjunction with the DPO – the next scheduled review date for this policy is November 2024.
13.2. Any changes made to this policy will be communicated to all members of staff.
(Last modified: 01/10/2023)