Estratos as a reseller of Action Network
RECORDS MANAGEMENT POLICY
1. SCOPE

1.1. This policy, together with the associated standards, applies to the management of all documents and records, in all technical or physical formats or media, created or received by Estratos Digital GmbH (Austria) in the conduct of its business activities while reselling Action Network (a CRM, emailer and action page tool) as a Software-as-a-Service offering. It applies to all staff, contractors, consultants and third parties who are given access to our documents and records and information processing facilities.

1.2. Estratos Digital GmbH (Austria) is committed to maintaining the confidentiality of its information and ensuring that all records within Estratos Digital GmbH (Austria) are only accessible by the appropriate individuals. In line with the requirements of the General Data Protection Regulation (GDPR), Estratos Digital GmbH (Austria) also has a responsibility to ensure that all records are only kept for as long as is necessary to fulfil the purpose(s) for which they were intended.

1.3. Estratos Digital GmbH (Austria) has created this policy to outline how records are stored, accessed, monitored, retained and disposed of, in order to meet its statutory requirements. This policy applies to all records created, received, maintained or processed by staff of Estratos Digital GmbH (Austria) in undertaking its functions.

1.4. Records are defined as all documents which facilitate the business carried out by Estratos Digital GmbH (Austria) and are retained for a defined period of time in order to provide evidence of its transactions and activities. Documentation may be processed in electronic format; hard copies are printed and held only if this is required by law, by a Client of Estratos Digital GmbH (Austria) acting as data controller of the given data, or by the data subject.

1.5. This document complies with the requirements set out in the GDPR. The retention periods outlined in this policy are good-practice guidelines, and the decision-making process of Estratos Digital GmbH (Austria) should ensure that specific requirements for setting shorter retention periods are considered when these timeframes are implemented by the controller of the given data.

2. LEGAL FRAMEWORK

2.1. This policy has due regard to legislation including, but not limited to, the following:
- General Data Protection Regulation (2016)
- Personal Data Protection Act of Austria (Datenschutzgesetz, 1999)

2.2. This policy will be implemented in accordance with the following policies and procedures:
- Data Protection Policy
- Terms and conditions of Estratos Digital GmbH (Austria) products & services.

3. RESPONSIBILITIES

3.1. Estratos Digital GmbH (Austria) as a whole has a responsibility for maintaining its records and recordkeeping systems in line with statutory requirements.

3.2. The Managing Partner holds overall responsibility for this policy and for ensuring it is implemented correctly.

3.3. The Data Protection Officer (hereinafter: DPO) supports the management of records.

3.4. The Managing Partner is responsible for promoting compliance with this policy and reviewing the policy on an annual basis, in conjunction with the DPO.

3.5. The Managing Partner is responsible for ensuring that all records are stored securely, in accordance with the retention periods outlined in this policy, and are disposed of correctly.

3.6. All staff members are responsible for ensuring that any records for which they are responsible are accurate, maintained securely and disposed of correctly, in line with the provisions of this policy.

3.7. The Managing Partner is responsible for ensuring that any contracts held with third parties who process personal identifiable information (considered as data processors or subprocessors as outlined in the GDPR) are compliant with the GDPR.

4. MANAGEMENT OF PERSONAL DATA AS A DATA PROCESSOR

4.1. Estratos Digital GmbH (Austria)’s primary activity is providing IT solutions for social-issue, advocacy and political campaigns as a data processor. Estratos Digital GmbH (Austria) resells Action Network, a CRM, emailer and action page software. It is an opt-in-only tool that manages data and outbound, email-based direct messaging with consenting individuals; Action Network also provides action page services through which data collection for the Client’s database, customized by the Client, can be conducted. The rights and duties of the controller are exercised by the Clients without any limitations.

4.2. The following information is stored by Estratos Digital GmbH (Austria) as processor via the products under point 4.1.:
- name
- email(s)
- other contact information, based on the configuration defined by the Clients
- custom data collected upon the instruction of the Clients.

4.3. Estratos Digital GmbH (Austria) will comply with its Clients’ instructions unless EU or EU Member State law to which Estratos Digital GmbH (Austria) is subject requires other processing of Customer Personal Data. Client instructions are to be given in written form, normally by the electronic means used for communication between the parties.

4.4. Estratos Digital GmbH (Austria) gives Clients direct access to individual records containing personal data, as well as the right to delete those records without any further action by Estratos Digital GmbH (Austria).

5. RETENTION OF PERSONAL DATA AS A DATA PROCESSOR

5.1. The retention periods for individual records processed by Estratos Digital GmbH (Austria) via the products under point 4.1., and the action that will be taken after the retention period, are based on a system of double opt-in. The name and all other data of a consenting data subject held via the product are deleted automatically upon withdrawal of the consent given by the data subject for the use of the products.

5.2. Electronic copies of any information and files will be destroyed in line with the retention periods above.

6. STORING AND PROTECTING INFORMATION

6.1. The DPO will undertake a risk analysis to identify which records are vital to Estratos Digital GmbH (Austria)’s management, and these records will be stored in the most secure manner.

6.2. Estratos Digital GmbH (Austria) assures the operation of an effective backup system to ensure that all data can still be accessed in the event of a security breach (e.g. a virus infection) and to prevent any loss or theft of data, in compliance with the GDPR principle of integrity and confidentiality and for business continuity.

6.3. Estratos Digital GmbH (Austria) provides 24/7 DevOps support for its Clients and constant monitoring of the proper functioning of its products and infrastructure.

6.4. Estratos Digital GmbH (Austria) maintains secure user identification methods for its Clients.

6.5. Confidential paper records are kept in a locked filing cabinet, drawer or safe, with access restricted to those personnel who require it to fulfill their delegated duties in accordance with their job role. Confidential paper records, including records containing personal information, are not left unattended or in clear view when held in a location with general access.

6.6. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.

6.7. Data is not saved on removable storage.

6.8. Memory sticks are not used to hold personal information.

6.9. All electronic devices (including portable devices) used by Estratos Digital GmbH (Austria) are password-protected to protect the information on the device in case of theft. Estratos Digital GmbH (Austria) staff members must configure electronic devices to allow the remote blocking or deletion of data in case of theft.

6.10. Estratos Digital GmbH (Austria) staff members do not use non-encrypted personal laptops, computers, phones or other electronic devices for business purposes which involve the downloading or storing of personal identifiable or confidential data.

6.11. All members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.

6.12. Emails containing sensitive, personal or confidential information are encrypted or password-protected to ensure that only the recipient is able to access the information. The password will be shared with the recipient in a secure and appropriate format.

6.13. Data stored on encrypted hard drives or USBs must not be stored on or downloaded to personal devices.

6.14. All documents accessed by members of staff from outside their premises via a portable electronic device must be accessed using services designated by Estratos Digital GmbH (Austria). Personal accounts must not be used to access Estratos Digital GmbH (Austria) data.

6.15. All staff members apply a ‘clear desk policy’ to avoid unauthorized access to physical records containing sensitive, confidential or personal information. All confidential information will be stored in a securely locked filing cabinet, drawer or safe with restricted access.

6.16. Personal data must not be stored on the hard drive of any device unless it is running appropriate encryption software.

6.17. Data must be subject to a robust password protection regime. Password sharing is not permitted.

6.18. Computers must be locked when not staffed to prevent unauthorized access.

6.19. Under no circumstances are visitors allowed access to confidential or personal information. Visitors accessing areas containing sensitive information are supervised at all times.

6.20. The physical security of Estratos Digital GmbH (Austria)’s offices and storage systems, and access to them, is reviewed termly (and documented) by the person with responsibility for sites in conjunction with the DPO. If an increased risk of vandalism, burglary or theft is identified, this will be reported to the Managing Partner and extra measures to secure data storage will be put in place. Data Protection Impact Assessments are undertaken where required.

6.21. Archive rooms should be lockable and secure, and be able to maintain restricted access.

6.22. All members of Estratos Digital GmbH (Austria)’s staff are obliged to sign a non-disclosure agreement before being given access to personal data. Estratos Digital GmbH (Austria) takes its duties under the GDPR seriously and any unauthorized disclosure may result in disciplinary and criminal action.

6.23. The DPO is responsible for ensuring that continuity and recovery measures are in place to ensure the security of protected data.

7. SUBPROCESSORS

7.1. Before onboarding subprocessors, Estratos Digital GmbH (Austria) conducts an audit of the security and privacy practices of subprocessors to ensure that they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfill the obligations under the GDPR.

7.2. Estratos Digital GmbH (Austria) uses Action Network as a subprocessor (Action Squared Inc.; 1900 L St NW, Suite 900, Washington DC 20036; Privacy Policy: https://actionnetwork.org/privacy) as a comprehensive CRM solution, integrated emailer and action pages platform.

8. ACCESSING INFORMATION

8.1. Estratos Digital GmbH (Austria) is transparent with data subjects, whether acting as a data processor or as a controller, about the information it holds and how it can be accessed.

8.2. Estratos Digital GmbH (Austria) as a data processor provides its Clients with all the relevant information to enable them to act as a transparent data controller.

9. DATA INCIDENTS

9.1. If Estratos Digital GmbH (Austria) becomes aware of a Data Incident, Estratos Digital GmbH (Austria) will: (a) notify the Client of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.

9.2. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Estratos Digital GmbH (Austria) recommends the Client take to address the Data Incident.

9.3. Notification(s) of any Data Incident(s) will be delivered by e-mail or, at Estratos Digital GmbH (Austria)’s discretion, by direct communication (for example, by phone call or an in-person meeting).

9.4. Estratos Digital GmbH (Austria) will not assess the contents of Customer Data to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with incident notification laws applicable to the Customer and fulfilling any third-party notification obligations related to any Data Incident(s).

10. INFORMATION AUDIT

10.1. Estratos Digital GmbH (Austria) will conduct an information audit on an annual basis of all information held by it to ensure that it is correctly managed in accordance with the GDPR.

10.2. The information audit may be completed in a number of ways, including, but not limited to, interviews with staff members with key responsibilities to identify information and information flows, and questionnaires to key staff members to identify information and information flows.

10.3. The DPO is responsible for completing the information audit.

10.4. Estratos Digital GmbH (Austria) cooperates with its Clients in all their audits and monitoring activities aimed at compliance with the GDPR.

11. DISPOSAL OF DATA

11.1. All records containing personal or other information must be disposed of in a way which ensures they are unreadable or unreconstructable. Paper records must be shredded using a cross-cut shredder, CDs/DVDs should be cut into small pieces and hard drives must be wiped according to the nature of the data stored on them.

11.2. In case of an opt-out performed by the data subject, the relevant personal data must also be deleted from the log file under point 9.2, unless a statutory regulation, the Client or the data subject requires otherwise in accordance with the GDPR.

12. MONITORING AND REVIEW

12.1. This policy will be reviewed on an annual basis by the Managing Partner in conjunction with the DPO – the next scheduled review date for this policy is November 2024.

12.2. Any changes made to this policy will be communicated to all members of staff.

(Last modified: 05/01/2024)

Estratos Digital GmbH

address: 98 Sommerhaidenweg, 1190 Wien (Vienna), Austria
company registry number (Firmenbuchnummer): 544761w
email: privacy@estratos.eu