GDPR

What is the role of IO when processing personal data?

Predominantly, IO acts as a Data Processor regarding personal data of data subjects provided by IO customers.

IO also acts as a Data Controller regarding personal data of registered users of this Website. In this case, IO processes personal data for the purposes of legitimate interests, as stated in Article 6(1)(f) of the GDPR (European General Data Protection Regulation). Because it provides services to other businesses, IO designs this Website to interact with individuals who have a relevant and appropriate relationship with those businesses, and such processing is necessary to display web analytics to them.




What are personal data processed by IO?

Acting as a Data Processor, IO mainly processes user IDs or other technical data of individuals located worldwide, who provide this data to IO customers via the customers’ websites; the customers in turn provide this data to IO. The exact scope of personal data transferred from IO customers to IO may vary and can be found in the personal data protection contractual clauses signed between IO and each of its customers.

Acting as a Data Controller, IO processes mainly the first and last names, e-mail, and position of individuals, who have a relevant and appropriate relationship with IO customers.




What is the purpose of the processing?

Acting as a Data Processor, IO processes personal data of data subjects provided by IO customers and conducts web analytics on it. IO runs analytics on the provided data and provides its customers with a report of the results. Only in individual cases may personal data be included in the data provided by IO customers to IO for such analysis. If so, the personal data processed during the analysis amounts to only approximately 1% of the overall data provided to IO.

Acting as a Data Controller, IO processes a minimum of personal data to keep users’ accounts and identify their owners’ rights during their access to web-analytics.




What are the processing activities?

The main processing activities conducted by IO with regard to personal data of third parties are the following:

  • collecting;
  • tracking;
  • structuring;
  • storing;
  • retrieving;
  • using; and
  • erasing.

Personal data of third parties, if provided by IO customers, is not changed during the processing activities of IO.



Who from IO has access to processed personal data?

IO makes every effort to minimize the processing of personal data. In this regard, IO has implemented organizational and technical security measures which allow only the minimum necessary number of IO employees to process personal data of third parties.

After the successful implementation of a GDPR compliance system, only 2-3 Employees in the Kyiv office of IO have access to the personal data of third parties.



Where is personal data processed?

Data provided by IO customers is processed only on systems located in Germany and the Netherlands. The web analysis of IO is conducted only via these servers.

Access to the final customer reports is possible for a very limited number of IO Employees in Ukraine and for IO customers worldwide.



Is the personal data being processed by individuals?

No, usually all processing activities are conducted automatically by IO scripts and only on servers located in Germany and the Netherlands.

Only in rare cases of script problems (e.g., bugs) might IO Employees need to look at ad hoc final reports and access the servers to solve technical problems. In these cases, such employees might also review personal data included in the reports.



What are the technical security measures for personal data protection?

IO has already implemented best practices at the level of IT standards to protect data in general, and personal data in particular.

IO also conducts several IT security tests on a regular basis in order to audit and evaluate potential security issues.

IO has in place sophisticated and adequate security measures, on both the organizational and the technical side, to protect personal data and to be compliant with the requirements of the GDPR.



What are the organizational security measures for personal data protection?

IO has in place sophisticated and adequate security measures, on both the organizational and the technical side, to protect personal data and to be compliant with the requirements of the GDPR.

Based on this, IO has, among others, the following organizational and technical security measures in place:

  • a Data Protection Officer;
  • an EU Representative;
  • an established personal data protection system (policies, trainings for employees);
  • personal data protection contractual clauses with business partners and customers;
  • a safeguard system and structure for all personal data which is transferred from the EEA to recipients outside the EEA;
  • only secure protocols (SSL) for processing data;
  • each IO customer has separate data storage;
  • secure authentication;
  • monthly security, vulnerability, and penetration scanning;
  • a cloud-based development environment with code-only-access for engineers;
  • data anonymization for management and support teams; and
  • confidentiality contracts with IO employees.


Who are the recipients of processed personal data?

The recipients are IO customers only.



Is personal data transferred outside the EEA?

A transfer from IO servers inside the EEA to recipients outside the EEA is possible when IO customers located outside the EEA access IO reports, which in rare cases also include personal data.

For these purposes, IO concludes contracts and has in place other safeguarding measures to protect transfers from its servers in the EEA to recipients outside the EEA. The safeguard measures are in line with, and in compliance with, the GDPR requirements.



What is the legal basis for processing personal data?

The legal basis for all processing actions is a contract between IO and its customers.

IO customers provide IO with data of their own clients, and individuals who are in the service of such customers provide their personal data when registering on this Website. IO has contractual clauses in place with its business partners that provide for compliance with the GDPR.

IO completely fulfills its obligations under the GDPR.



Can I withdraw my consent?

Yes. Every data subject has the right to withdraw their consent. For data subjects whose personal data are provided to IO by its customers, such withdrawal of consent needs to be filed with the controller of the personal data. However, IO can support the data subject by forwarding this request to the responsible data controller.



Can I access my personal data?

Yes. Every data subject has the right to access their personal data. For data subjects whose personal data are provided to IO by its customers, such a request needs to be filed with the controller of the personal data. However, IO can support the data subject by forwarding this request to the responsible data controller.



Can you erase my personal data?

Yes. Every data subject has the right to request the erasure of their personal data. For data subjects whose personal data are provided to IO by its customers, such a request needs to be filed with the controller of the personal data. As to personal data of EU citizens, IO only acts as a data processor. However, IO can support the data subject by forwarding this request to the responsible data controller.



What are the time limits for storing personal data?

IO stores personal data of EU citizens in connection with the contractual obligations it has towards its customers. This can differ on a case-by-case basis. Nevertheless, IO fulfills the principle of data minimization and its obligations under the GDPR also with regard to data storage.



What are the categories of data subjects?

When IO acts as a Data Processor, the data subjects whose personal data is processed by IO are limited to users of websites of IO customers.

When IO acts as a Data Controller, the data subjects whose personal data is processed by IO are limited to individuals who both have a relevant and appropriate relationship with IO customers and are users of the IO Website.



Does IO process children’s personal data?

IO does not collect information about the age of data subjects at all. IO is also not responsible for the website construction of the customer’s website. However, if IO understands that it processes personal data of children, special data protection measures are in place.



Does automated processing significantly affect data subjects’ rights?

No. Automated processing does not lead to automated decision-making, and it does not have a significant impact on data subjects’ rights, as personal data is only used for analytical reports for IO customers.



Who are the data controllers?

When IO acts as a Data Processor, the controllers of the personal data are the IO customers.

When IO acts as a Data Controller, the controller is IO itself.



Is any sensitive personal data or data regarding criminal convictions processed by IO?

No.



Contacts

EU Representative:
Esterson Limited
eurep@iotechnologies.com

Limassol, Cyprus

Data Protection Officer:
Esterson Limited
dpo@iotechnologies.com

Limassol, Cyprus