The General Data
Protection Narrative
Seerist GDPR Compliance
In this document, “consent”, “controller”, “data protection impact assessment”, “data subject”, “personal data”, “processing”, “processor” and “special categories of personal data” mean those concepts, roles and activities as defined in the GDPR. When we refer to the “GDPR” in this narrative we are referring to either the European Union General Data Protection Regulation 2016/679 (“EU GDPR”), the EU GDPR as incorporated into UK legislation (“UK GDPR”), the UK Data Protection Act 2018 and any legislation in force in EU member states from time to time which implements the EU GDPR.
1. Compliance Requirements
1.1 Data Protection Officer (“DPO”)
We are not required to have a DPO by law.
1.2 Controller – Processor Responsibilities
When processing personal data in the context of providing our services, we regard ourselves as controller only in instances where we internally make decisions on how personal data is used in connection with our services, and processor where we only use personal data as allowed by our clients. Where we are processor, we provide a standard data processing agreement (“DPA”) as an appendix to our contract with clients in accordance with article 28 of the GDPR.
1.3 Data Processing Records
We maintain controller records of data processing activities including information security and data protection impact assessments, the lawful basis for processing and data flow diagrams, in each case where required. We also maintain processor records of data processing activities.
1.4 Conditions for Lawful Basis for Processing
Where we are the controller for personal data, we have established the lawful basis for all personal data processing activities, and they have been documented as part of our processing records.
The lawful basis for processing personal data under the GDPR article 6 and where applicable article 9 will be one or more of the following, depending on the nature of the data and the project:
With the consent of the data subject;
Necessary for entering into, or performing, a contract;
Necessary for the purpose of Seerist’s or our client’s legitimate interests;
Necessary to protect the vital interests of a data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
Necessary for the prevention or detection of an unlawful act;
Necessary for the establishment, exercise or defense of a legal claim;
Necessary for compliance with a legal obligation; and
The data has been manifestly made public by the data subject.
Where clients are controllers in their own right and they are subject to the GDPR, they will be required to have their own lawful basis for processing.
1.5 Privacy Policy and Notice
As a controller we provide privacy notices to data subjects unless to do so would prove impossible or would involve a disproportionate effort or otherwise would render impossible or seriously impair the achievement of the objectives of the processing. We provide a public Privacy Notice on our website to explain why and when we, as a controller, collect personal data as well as providing other information to data subjects about our processing of their personal data, who we may share their personal data with and their data subject rights. We may act as a controller in relation to certain services (as described in more detail below) and we may also act as controller for personal data processing which is unconnected with the services we provide. For example, in relation to our client or prospective client contacts who we may wish to contact occasionally about products and services that could be of interest to them, and also information gathered about our website users such as browsing habits.
We have an organizational Data Protection Policy to ensure our employees comply with applicable data protection laws. Our organizational Data Protection Policy forms part of the induction program for all new staff so that all employees are aware of the GDPR and data protection restrictions and obligations generally. Refresher training is provided every two years for data protection and annually for information security.
1.6 Data Subject Rights
We have implemented response procedures for data subject access requests which allow data subjects to exercise their rights to access, rectify and delete their personal data in accordance with the GDPR where we are a controller for their data. Data subject correction, deletion and portability requests are infrequent. Should Seerist receive such requests, they would be forwarded to the appropriate personnel, responded to promptly and adequately and data subjects would be able to
Determine whether their personal data is correct,
Have their personal data deleted in accordance with their legal rights, and/or
Have their personal data transferred to another entity if applicable criteria are met.
Where we act as processor of personal data on behalf of a client, if a request is received directly from a data subject, we will contact the controller client for instructions on dealing with the request.
1.7 Privacy and Data Protection Impact Assessments
Where we, as controller, process personal data that is considered high risk, or when we process such information in a new way requiring new tools, assessments are carried out to comply with article 35 requirements of the GDPR. These assessments allow us to implement appropriate technical and organizational measures and integrate the necessary safeguards into the processing in order to meet the requirements of this regulation and protect the rights of data subjects. As a processor we will, on request, assist our controller clients with their own data protection impact assessments relating to the services we provide to them.
1.8 Breach Management
Under our procedures for incident management, we ensure that we have safeguards and measures in place to detect, assess, investigate and report any personal data breach at the earliest possible time. All employees have been made aware of the reporting lines and steps to follow if confidential information is lost or compromised or suspected of being lost or compromised. Governance is in place to ensure that following an incident appropriate root cause analysis is conducted and remediation plans are developed to address any risks identified and prevent recurrence. Where we are a processor for personal data, we will notify controller clients without undue delay of any personal data breach relating to personal data we process for them.
1.9 Location of Information and Data Transfers
Seerist, Inc., is headquartered in the United States and is comprised of the following affiliate companies (collectively, “Seerist Affiliates”): Seerist North America, Inc., Seerist UK, Ltd., Seerist Federal, and Geospark Analytics, Inc. During the provision of services, personal data may be transferred outside of a client’s home country and may be stored in and accessed from multiple countries. We have put organizational procedures in place to secure, encrypt and maintain the integrity of any personal data that is transferred to countries outside the European Economic Area (“EEA”) (or in the case of UK GDPR outside the UK). If the country does not have adequacy status, we rely on the European Commission’s Standard Contractual Clauses, including for transfers of personal data to the US.
1.10 Sub-Processors
Where we are a processor, we sometimes use sub-processors to process personal data for the purposes of providing services. We have set out details of those sub-processors and the location of the processing (https://seerist.com/privacy-policy/), in compliance with article 28 of the GDPR.
1.11 Special Categories of Personal Data
We do not process special category personal data under any circumstances.
1.12 Information Security and Accountability
We have an Information Security Management System that runs from company headquarters audited and certified to SOC 2. Our security measures which safeguard the confidentiality, integrity and availability of information include organizational policies; screening and training of Seerist’s people; defined and audited processes; and technological controls such as, encrypted hard drives, segmented data stores, encrypted data backups, firewalls, network and communication security, two-factor authentication, and continuous monitoring. Only necessary limited personnel in Seerist have access to the personal data. In addition, we have an auditor who checks adherence to company policies, to meet or exceed international standards.
Our third party service providers are expected, to the extent applicable, to provide the equivalent technical and organizational controls as Seerist to protect the security and confidentiality of personal data and to commit to appropriate contract terms to ensure compliance with applicable data protection law.
1.13 Data Retention and Deletion
We have a company Data Retention, Archiving and Destruction Policy which sets out retention periods for storing information. Where we are the controller, personal data is retained for no longer than the minimum time needed, as required by applicable laws and regulations, as agreed upon contractually, or for the purposes for which it was collected. At the end of the defined period, personal data is permanently destroyed. Where we act as processor, clients may provide us with instructions to save data for or destroy or return data within, a specific period.
2. Key Services
2.1 Seerist and Seerist Essentials
Personal data is collected direct from a data subject – who is typically part of the client’s personnel – when they create their own profile and account for the purpose of accessing Seerist Platform content through the website. Personal data is limited and may include personal details such as name, location, job function, job seniority and contact details (such as telephone and email address). We may also process other personal data which a data subject includes in an inquiry. In creating the user’s profile, the data subject is made aware of our privacy policy, the rights are summarized and their consent must be given to any marketing.
In relation to contact information referred to above which is collected in connection with creation of profiles and accounts, Seerist acts as controller. Seerist also collects personal data from its websites for its own uses such as service improvement, data analytics and to use for marketing purposes. In relation to Seerist collection of personal data for these purposes, Seerist is also a controller.
2.2 Seerist Experts Services (Seerist Acts as Processor)
Seerist offers a variety of consulting services including enhancing client’s readiness for, response to and recovery from a wide yet specific range of critical events. Seerist uses information provided by the client to offer advice on a defined scope. Seerist only uses information as instructed by the client.
If you have any further questions with regards to the security of the Seerist Platform, please do not hesitate to contact your Seerist account manager or reach out to us at privacy@seerist.com
Owner: Contracts Manager I Author: Contracts Manager I Approved: 09/11/23 I Version: 1.1 I Classification: Public
Copyright © Seerist. All rights reserved. All rights reserved. This document cannot be reproduced without the express written permission of Seerist. Any reproduction without authorization shall be considered an infringement of Seerists’ copyright.