PRIVACY & SECURITY CENTER
HI THERE, WELCOME TO OUR LEGAL STUFF!
Here you will find all the information you need regarding our data protection vision and infrastructure.
AT PARTNERHERO, DATA SECURITY IS ONE OF OUR MAIN PRIORITIES AND WE ARE CONSCIOUSLY ENSURING OUR PROCESSES AND SERVICES ARE DESIGNED WITH PRIVACY IN MIND.
CONTACT INFORMATION
For inquiries or a data subject request, please email us at: dataprivacy@partnerhero.com

If you’d like to learn more about your rights as a data subject and PartnerHero’s commitment to them, click here.

Are you looking to exercise your rights as a data subject? Do you have a request in mind? If so, click here and we'll reach out shortly!
DATA SUBJECT REQUEST PROCEDURE
INTRODUCTION
This procedure is intended to be used when a data subject (1) exercises one or more of the rights they are granted under the European Union General Data Protection Regulation (GDPR).

Each of the rights involved has its own specific aspects and challenges to PartnerHero Inc. in complying with them and doing so within the required timescales. In general, a proactive approach will be taken that places as much control over personal data in the hands of the data subject as possible, with a minimum amount of intervention or involvement required on the part of PartnerHero Inc. This may be achieved by providing online access to the personal data so that the data subject can verify and amend it as required.

However, in some cases there is a decision-making process to be followed by PartnerHero Inc. regarding whether a request will be allowed or not; where this is the case, the steps involved in these decisions are explained in this document.

This procedure should be considered in conjunction with the following related documents:
• Data Protection Impact Assessment Process
• Personal Data Breach Notification Procedure
• Privacy and Personal Data Protection Policy
• GDPR mapping

(1) An identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GENERAL POINTS
The following general points apply to all of the requests described in this document and are based on Article 12 of the GDPR:
1. Information shall be provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
2. Information may be provided in writing, electronically or by other means.
3. The data subject may request the information orally (e.g., over the telephone or face-to-face), as long as the identity of the data subject has been established.
4. We must act on a request from a data subject, unless we are unable to establish their identity.
5. We must provide information without undue delay and within a maximum of one month from the receipt of the request.
6. The response time frame may be extended by up to two further months for complex requests or a high volume of requests. However, the data subject must be informed of this within one month of the request, and the reasons for the delay given.
7. If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise.
8. If it is decided that we will not comply with a request, we must inform the data subject without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the supervisory authority.
9. Generally, responses to requests will be made free of charge, unless they are “manifestly unfounded or excessive” (GDPR Article 12), in which case we will either charge a reasonable fee or refuse to action the request.
10. If there is doubt about a data subject’s identity, we may request further information to establish it.
Please refer to the exact text of the GDPR if clarification of any of the above is required.

The procedure for responding to requests from data subjects is set out in the flowchart in Figure 1. The specifics of each step in the procedure will vary according to the type of request involved. Refer to the relevant section of this procedure for more detail.

PROCEDURE STEPS
Figure 1: Data Subject Request flowchart
1. Data Subject Request Received
2. Log Data Subject Request
3. Confirm Data Subject’s Identity
4. Evaluate Validity of Request
5. Charge For Request
6. Compile Requested Information
7. Take Requested Action/Provide Information
8. Close Data Subject Request

The steps depicted in the flowchart in Figure 1 are expanded upon in the following table, which addresses each type of request.

Step 1: Data Subject Request Received
People Involved: People Operations
Description: The data subject submits a request via one of a number of methods, including electronically (via email or via our website), by letter or on the telephone. This may be received by any part of the organization but should ideally be channelled through People Operations (Human Resources). A Data Subject Request Form is available for this purpose.

Step 2: Log Data Subject Request
People Involved: People Operations
Description: The fact that the request has been received is logged in the Data Subject Request Register and the date of the request recorded.

Step 3: Confirm Data Subject’s Identity
People Involved: Request Administrator
Description: The identity of the data subject is confirmed via an approved method. More information may be requested to confirm identity if required. If the identity of the data subject cannot be confirmed, the request is rejected and the reason for this communicated to the data subject.

Step 4: Evaluate Validity of Request
People Involved: Request Administrator
Description: The test of whether the request is “manifestly unfounded or excessive” is applied. A decision is made whether to reject the request or apply a charge to it. If the request is for rectification, erasure or restriction of processing, or is an objection to processing, a decision is made about whether the request is reasonable and lawful. If not, the request is rejected, and the data subject informed of the decision and their right to complain to the supervisory authority.

Step 5: Charge For Request
People Involved: Request Administrator
Description: If a charge is applied, the data subject is informed of the charge and has an opportunity to decide whether or not to proceed. If the data subject decides not to proceed, the request is rejected and the reasons communicated to the data subject.

Step 6: Compile Requested Information
People Involved: Request Administrator
Description: The relevant information is compiled according to the type of request. This may involve planning how the requested action (e.g., erasure or restriction of processing) will be achieved. A maximum of one month is permitted to address the request; if the request will take more time, then a maximum of two further months are allowed, and the data subject must be informed of the delay and the reasons for it within one month of the request being submitted.

Step 7: Take Requested Action/Provide Information
People Involved: Request Administrator
Description: The requested action is carried out (if applicable) and the information requested is provided to the data subject electronically, if that is the preferred method, or via other means.

Step 8: Close Data Subject Request
People Involved: Request Administrator
Description: The fact that the request has been responded to is logged in the Data Subject Request Register together with the date of closure.

THE RIGHT TO BE INFORMED
When personal data is collected from the data subject or obtained from another source, we must inform the data subject about our use of that data and their rights over it. Compliance with this right is addressed in a separate document, Privacy Notice Procedure.

THE RIGHT OF ACCESS
A data subject has the right to ask PartnerHero whether we process data about them and to request access to that data. In addition, the data subject has the right to the following information:
1. The purposes of the processing
2. The categories of the personal data concerned
3. The recipients, or categories of recipients, of the data, if any, in particular any third countries or international organizations
4. The length of time that the personal data will be stored for (or the criteria used to determine that period)
5. The data subject’s rights to rectification or erasure of their personal data and restriction of, or objection to, its processing
6. The data subject’s right to lodge a complaint with a supervisory authority
7. Information about the source of the data, if not directly from the data subject
8. Whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved
9. When the data are transferred to a third country or international organization, information about the safeguards that apply
In most cases, the decision-making process for such requests will be straightforward unless it is judged that the request is manifestly unfounded or excessive. The compilation of the information is likely to require the input of the data owner.

THE RIGHT TO RECTIFICATION
Where personal data is inaccurate, the data subject has the right to request that it be corrected, and incomplete personal data completed based on information they may provide.

Where necessary, PartnerHero Inc. will take steps to validate the information provided by the data subject to ensure that it is accurate before amending it.

THE RIGHT TO ERASURE
Also known as “the right to be forgotten”, the data subject has the right to require PartnerHero to erase personal data about them without undue delay where one of the following applies:
• The personal data are no longer necessary for the purpose for which they were collected.
• The data subject withdraws consent, and there is no other legal ground for processing.
• The data subject objects to the processing of the personal data.
• The personal data have been unlawfully processed.
• For compliance reasons (i.e., to meet the legal obligations of PartnerHero).
• Where the personal data was relevant to the data subject as a child.
Reasonable efforts must be made to ensure erasure where the personal data has been made public.

PartnerHero Inc. will need to make a decision on each case of such requests as to whether the request can or should be declined for one of the following reasons:
• Right of freedom of expression and information
• Compliance with a legal obligation
• Public interest in the area of public health
• To protect archiving purposes in the public interest
• The personal data is relevant to a legal claim
It is likely that such decisions will require the involvement of PartnerHero’s Data Protection Officer and in some cases senior management.

THE RIGHT TO RESTRICT PROCESSING
The data subject can exercise the right to restrict the processing of their personal data in one of the following circumstances:
• Where the data subject contests the accuracy of the data, until we have been able to verify its accuracy
• As an alternative to erasure in the circumstances that the processing is unlawful
• Where the data subject needs the data for legal claims, but it is no longer required by us
• While a decision on an objection to processing is pending
PartnerHero Inc. will need to make a decision on each case of such requests as to whether the request should be allowed. It is likely that such decisions will require the involvement of the PartnerHero Inc. Information Security Manager and in some cases senior management.

Where a restriction of processing is in place, the data may be stored but not processed without the data subject’s consent, unless for legal reasons (in which case the data subject must be informed). Other organizations who may process the data on our behalf must also be informed of the restriction.

THE RIGHT TO DATA PORTABILITY
The data subject has the right to request that their personal data be provided to them in a “structured, commonly-used and machine-readable format” (GDPR Article 20) and to transfer that data to another party (e.g., service provider). This applies to personal data for which processing is based on the data subject’s consent and the processing is carried out by automated means.
Where feasible, the data subject can also request that the personal data be transferred directly from our systems to those of another provider.

For services that come under this category, little decision-making is required for each case, since this process may be executed automatically.

THE RIGHT TO OBJECT
The data subject has the right to object to processing that is based on the following legal justifications:
• For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• For the purposes of the legitimate interests of the controller
Once an objection has been made, PartnerHero must justify the grounds on which the processing is based and suspend processing until this is done. Where the personal data is used for direct marketing, we must no longer process the data.

RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING
The data subject has the right to not be the subject of automated decision-making where the decision has a significant effect on them and can insist on human intervention where appropriate. The data subject also has the right to express their point of view and contest decisions.

There are exceptions to this right, which are if the decision:
• Is necessary for a contract
• Is authorized by law
• Is based on the data subject’s explicit consent
In assessing these types of request, a judgement needs to be made about whether the above exceptions apply in the particular case in question.
PROCEDURE FOR INTERNATIONAL TRANSFERS OF PERSONAL DATA
INTRODUCTION
This procedure is intended to be used when putting in place a new arrangement for the transfer of personal data to a country outside of the European Union or to an international organization.
It may also be used when validating whether existing arrangements meet the requirements of the General Data Protection Regulation (GDPR).

An international organization is defined by the GDPR as “an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries” (GDPR Article 4).

The intention of the GDPR is to protect the personal data of EU citizens wherever it is held; there are strict requirements governing where personal data can be transferred to and the measures that must be in place for such a transfer to be legal. The penalties for contravening the GDPR are significant and care must be taken by PartnerHero Inc. to ensure that we remain within the law at all times.

This procedure should be considered in conjunction with the following related documents:
• Data Protection Impact Assessment Process
• Privacy and Personal Data Protection Policy
• Data Subject Request Procedure

DETERMINE THE DESTINATION COUNTRY OR COUNTRIES
In order to establish whether a transfer of personal data is legal under the GDPR, the destination country or countries must be firmly established, along with any other countries that will receive a transfer of the personal data as part of the arrangement.

This may also involve reaching a clear understanding of the legal basis of any international organizations that will be receiving the personal data, in particular the countries that are part of the agreement governing those organizations.

ESTABLISH WHETHER AN ADEQUACY DECISION APPLIES
Once a clear understanding of the destination country or countries of the personal data has been established, the list of countries and international organizations for which an adequacy decision applies must be consulted. This list is published in the Official Journal of the European Union and on the European Commission website (ec.europa.eu).

IMPLEMENT APPROPRIATE SAFEGUARDS
In the event that the country or one or more of the countries to which personal data is to be transferred is not subject to an adequacy decision from the European Commission, appropriate safeguards must be put in place to provide for data subjects’ rights and enforceable legal remedies.

There are a number of ways in which the GDPR allows for these safeguards to be provided. These are:
1. between public authorities or bodies only, via a legally binding agreement which is capable of being enforced
2. using binding corporate rules
3. using standard data protection clauses adopted either by the European Commission or the relevant supervisory authority
4. via an approved code of conduct
5. via a certification scheme
The status of some of the above safeguards may change over time, as the GDPR becomes more mature and further guidance is issued both by the European Commission and the individual supervisory authorities.

The most appropriate method of providing protection for the rights of data subjects whose data will be transferred should be chosen and incorporated into the contractual clauses of the relevant agreement.

BINDING CORPORATE RULES
The supervisory authority that is relevant to the transfer (usually in the country of the controller of the data) has the power to approve a set of binding corporate rules (BCRs) that may be used to cover the transfer of personal data.

These binding corporate rules are required by the GDPR to specify all aspects of the transfer, including how data protection will be provided, how data subjects will exercise their rights and how compliance will be verified. The full requirements are listed in Article 47 (“Binding corporate rules”) paragraph 2, points a) to n) of the GDPR.

The initial creation and approval (by the supervisory authority) of BCRs is a significant piece of work that must be approached with the full commitment of the senior management of PartnerHero Inc. and may take a long time to achieve (more than twelve months is not uncommon). There may be an existing set of BCRs that applies to the transfer being considered, and advice should be sought from the legal department if it is intended to use this route to comply with the GDPR with regard to a data transfer.

STANDARD DATA PROTECTION CLAUSES
The European Commission and each of the individual supervisory authorities may create and maintain sets of model data protection clauses that are intended to be used in contracts that apply to the transfer of personal data. When used in their entirety, these clauses are generally accepted as meeting the requirements of the GDPR to provide adequate safeguards.
To obtain the latest version of these clauses, refer to the website of the relevant supervisory authority.

CODES OF CONDUCT
Article 40 of the GDPR (“Codes of conduct”) provides for the drawing up of appropriate codes of conduct by organizations such as associations and industry bodies to address compliance with the GDPR. Organizations then agree to abide by the code of conduct and their compliance is monitored by the relevant association.

Such a code of conduct may be used to cover an international transfer of personal data, and whether PartnerHero Inc. has already signed up, or could sign up, to such a code may be investigated as a possible route to provide appropriate safeguards.

OTHER ACCEPTABLE CONDITIONS FOR TRANSFERS OF PERSONAL DATA
In the event that an adequacy decision does not apply to the destination country and appropriate safeguards cannot be put in place via the above methods, a transfer of personal data may only be made internationally if one of the following situations applies:
1. the data subject explicitly consents to the transfer, having been informed of the risks
2. the transfer is necessary to meet contractual commitments to the data subject or the data subject asks for the transfer prior to contract
3. the transfer is in the data subject’s interests with regard to a contract
4. it is for important reasons of public interest (recognized by law)
5. the transfer is to do with a legal claim
6. the data subject’s vital interests are protected by the transfer or if they are unable to consent
7. the transfer is made from a public register
The specifics of each of these conditions must be reviewed directly from the GDPR Article 49 (“Derogations for specific situations”) before basing a transfer on them.

EXCEPTIONAL TRANSFERS
If none of the conditions set out in this procedure apply then an international transfer of personal data may only take place if all of the following conditions apply:
1. The transfer is not repetitive
2. A limited number of data subjects is involved
3. It is for compelling legitimate interests which are not overridden by those of the data subject
4. All of the circumstances of the data transfer have been assessed
5. Suitable safeguards are provided, based on the assessment
6. The assessment and the safeguards are documented
7. The supervisory authority is informed of the transfer
8. The data subject is informed of the data transfer and the reasons for it
9. The data subject is informed about his/her rights under the GDPR
Refer to GDPR Article 49 (“Derogations for specific situations”) paragraph 1 for the exact definitions of the above conditions.

PUTTING THE TRANSFER IN PLACE
Once the legal basis of the transfer of personal data has been established and approved, the mechanics of achieving the transfer should be addressed. These will vary according to factors such as the type and volume of data involved, the destination and the technology used.

Care must be taken to ensure that the safeguards that have been agreed to as part of the setting up of the transfer are adhered to and that evidence of their use is maintained for future audit purposes.

The website of the European Commission and the relevant supervisory authority should be monitored so that any changes that affect the legality or performance of the transfer are identified and acted upon.
Cookies Policy

Last updated: August 2018

PartnerHero ("us", "we", or "our") uses cookies on https://www.partnerher.com. By using our site, you consent to the use of cookies.

Our Cookies Policy explains what cookies are, how we use cookies, how third parties we may partner with may use cookies, your choices regarding cookies and further information about cookies.

What are cookies
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third party to recognize you and make your next visit easier and the Service more useful to you.

Cookies can be "persistent" or "session" cookies.

How PartnerHero uses cookies
When you use and access the PartnerHero site, we may place a number of cookie files in your web browser.

We use cookies for the following purposes: to enable certain functions of the Service, to provide analytics, to store your preferences, to enable advertisements delivery, including behavioral advertising.

We use both session and persistent cookies on the Service and we use different types of cookies to run the Service:

- Essential cookies. We may use essential cookies to authenticate users and prevent fraudulent use of user accounts.

Third-party cookies
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, deliver advertisements on and through the Service, and so on.

What are your choices regarding cookies
If you'd like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser.

Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.

Where can you find more information about cookies
You can learn more about cookies at the following third-party websites:
• AllAboutCookies: http://www.allaboutcookies.org/
• Network Advertising Initiative: http://www.networkadvertising.org/
PRIVACY DATA PROTECTION POLICY
INTRODUCTION
In its day-to-day operations, PartnerHero Inc. uses a variety of data from identifiable individuals, such as:

• Current, past and prospective employees
• Customers
• Customers’ user base
• Subscribers
• Other stakeholders

In collecting and using this data, PartnerHero Inc. is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.

The purpose of this document is to outline the policies and relevant legislation and to describe the steps PartnerHero Inc. is taking to ensure that it complies with the legislation.

These policies apply to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to PartnerHero systems.

GDPR FUNDAMENTAL CONCEPTS
The most relevant GDPR concepts are the following:

Personal data is defined as: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘controller’ means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

THE GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) is the legislation that most influences PartnerHero’s data protection policies. Significant fines can be administered under the GDPR, which is intended to secure the personal information of nationals of the European Union. PartnerHero’s policies are consistent with the GDPR, as well as other important legislation, and they are clear and verifiable.
RIGHTS OF THE INDIVIDUAL
The data subject (“an identified or identifiable natural person”) also has rights under the GDPR. These consist of:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
Each of these rights must be supported by appropriate procedures that allow the required action to be taken within the timetables stated in the GDPR. These timetables are shown below:

Data Subject Request Type | Deadline
The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
The right of access | One month
The right of correction | One month
The right of erasure | Without undue delay
The right to restrict processing | Without undue delay
The right to data portability | One month
The right to object | On reception of objection
Rights in relation to automated decision making and profiling | Not specified
OUR STAFF RESPONSIBILITIES
Any staff member of PartnerHero Inc who is involved in the collection, storage or processing of personal data has the following responsibilities under the legislation:
• to obtain and process personal data fairly.
• to keep such data only for explicit and lawful purposes.
• to disclose such data only in ways consistent with these purposes.
• to keep such data safe and secure.
• to keep such data accurate, complete and up-to-date.
• to ensure that such data is adequate, relevant and not excessive.
• to retain such data for no longer than is necessary for the explicit purpose.
Any data access requests received should be forwarded immediately to the Manager, Compliance & Information Management.
PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
As per the GDPR (2016 version), there are 7 principles governing personal data and how companies manage this data. These are set out in Chapter II, Article 5, as follows:

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

PartnerHero Inc. complies with these principles by employing business workflows that use metadata to search, discover, classify, label, protect and apply actions at all levels of personal data. Also, Operational Security Procedures define support for and provide the specific guidelines for all teams involved, including IT Support, Customer Support or Line of Business.
PRIVACY BY DESIGN
PartnerHero Inc has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.

The data protection impact assessment will include:
• Consideration of how personal data will be processed and for what purposes.
• Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s).
• Assessment of the risks to individuals in processing the personal data.
• What controls are necessary to address the identified risks and demonstrate compliance with legislation.
• Use of techniques such as data minimization and pseudonymisation should be considered where applicable and appropriate.
TRANSFER OF PERSONAL DATA
Transfers of personal data outside the European Union must be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. Transfer depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data in the receiving country and may change over time.

Intra-group international data transfers must be subject to legally binding agreements referred to as Binding Corporate Rules (BCR), which provide enforceable rights for data subjects.
BREACH NOTIFICATION
It is PartnerHero’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

Under the GDPR, the relevant DPA has the authority to impose a range of fines of up to four percent of annual worldwide turnover or twenty million Euros, whichever is the higher, for infringements of the regulations.
ADDRESSING COMPLIANCE TO THE GDPR
The following actions are undertaken to ensure that PartnerHero Inc. complies at all times with the accountability principle of the GDPR:
• The legal basis for processing personal data is clear and unambiguous.
• A Data Protection Officer is not appointed due to the company’s size; current GDPR requirements do not specify the need for one.
• All staff involved in handling personal data understand their responsibilities for following good data protection practice.
• Training in data protection has been provided to all staff.
• Rules regarding consent are followed.
• Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively.
• Regular reviews of procedures involving personal data are carried out.
• Privacy by design is adopted for all new or changed systems and processes.
• The following documentation of processing activities is recorded:
Organization name and relevant details
Purposes of the personal data processing
Categories of individuals and personal data processed
Categories of personal data recipients
Agreements and mechanisms for transfers of personal data to non-EU countries including details of controls in place
Personal data retention schedules
Relevant technical and organisational controls in place
These actions are reviewed on a regular basis as part of the management review process of the information security management system.
OUR OBLIGATIONS AS A BPO
The following are our obligations as a service provider:
• Ensuring our associates are fully trained in GDPR compliance
• Providing our clients with the necessary assistance if they wish to become compliant.
• Making sure our processes are built with privacy by design in mind.
• Having internal processes to address and mitigate breaches of data.
• Treating our client’s information as if it were our own and ensuring we are consciously protecting it.
Personal Data Protection Policy
PARTNERS AND APPLICANTS
The following resources will help you understand our commitment to data protection, your rights as a data subject, what to expect by working with us and many more resources that will help us build a compliant relationship.
Feel confused with all the GDPR panic going around? Fret no more, the resources in this page will give you a digested look on what you need to know as a business or service provider.
GDPR ESSENTIALS
OVERVIEW
The GDPR can seem very daunting when you look at the amount of legal jargon and vague explanations surrounding how we protect data and who is accountable for its protection.

The simple answer: we all are accountable!

The GDPR matters to everyone involved in the processing of personal data. If you have questions about how a business can work with a service provider or third party and keep a healthy and compliant relationship, we’ve got you covered.
THE PURPOSE OF THE GDPR
As it stands, the GDPR aims to protect one thing above all else: the data subject (e.g., the user providing the data). As a data subject, I expect my information to be handled carefully and with respect. The GDPR aims to address this.

The GDPR has a noble cause: to ensure every business is ready to handle customer data with technical and operational measures that track and protect data as it flows through the business.
Simple enough, right? Kidding, we know it can be a real hassle.
On the bright side, this new regulation is an amazing leap forward for data subjects. We can now exercise control over the data we share, which is such an important thing in this day and age. We’ve become highly dependent on technology, and our personal data has been treated as a resource.

Up until the GDPR, there was no clear outlining of sensible rights we should have over the data we share across so many tech platforms. This regulation has provided new rights for data subjects, while creating confusion and stress amongst business owners. This is mostly due to the severe penalties applied to those organizations who are not compliant with the GDPR.
KEY ROLES & RESPONSIBILITIES
Within the law itself, the GDPR appoints specific roles to all of the entities involved in the handling of data subjects’ personal information. The roles are there to give clear expectations on the level of involvement and accountability shared amongst those involved in the processing of personal data.

For a business working with a service provider, there are two pivotal roles: data controller and data processor.
THE SERVICE PROVIDER’S COMMITMENT
Being a processor doesn’t mean you just wait for your controller to take the lead. If you are an active processor you will ensure that data is protected accurately and you will push for the proper documentation to be in place. If you need clear expectations, you will ask for them!

If your controller is not pushing for a DPA, then you should. An ideal processor is one that prioritizes data protection and is able to produce the resources for their client (the controller) to make sure the relationship is compliant.

Many SaaS businesses have their DPAs available for download on their websites as an ideal way to streamline the process for their clients.
CONCLUSION
In conclusion, there are two important things you need to do in order to achieve a compliant relationship with your controller or your service provider:
• Set clear expectations and document them (DPAs)
• Ensure your people are trained and aware of the GDPR and its implications
The rest is up to each party. As a data controller or processor, you need to ensure you’ve implemented the technical and operational measures required by the law to comply with the GDPR.
DATA PROCESSOR
The data processor is a business or entity that gains access to and processes data collected by and controlled by another entity.

As a processor, your role within GDPR is to follow the guidelines set by the controller. Every processor needs to be aware of the law and its implications to ensure the data they process is safeguarded under the GDPR standards.

Processors are dependent on the data controllers to understand their limitations and responsibilities with the data shared with them. It’s the controller’s job to be clear about the expectations they have from the processor and, most importantly, to document them through a DPA (Data Processing Agreement).

As a processor, you are accountable for the following:
• Understanding the GDPR purpose and mission
• Processing data only as established by the controller
• Ensuring that possible data breaches or discrepancies in security are reported to the controller without undue delay
• Prioritizing the education of your staff on the law and its changes
• Ensuring the execution of the business’ technical and operational measures which are set in place to achieve compliance
DATA CONTROLLER
In a service provider relationship between two businesses, the data controller is the entity that directly collects data from its users or data subjects.

As a controller, clear understanding of GDPR is a must because awareness is the biggest requirement for any controller out there.

If we strip it down, the controller is the entity or business who requests the information from a data subject in order to provide a product/service.

If you play the role of a controller, you are accountable for the following:
• Informing your data subjects of the personal information you’re collecting from them (name, emails, location data, etc.)  
• Providing the option to exercise consent for the gathering of personal data
• Ensuring you are clear and direct about the purpose of collecting the data subject’s personal information
• Having a clear privacy policy that is aligned with the GDPR mission and void of complicated language
• Ensuring you have resources in your site that educate the data subject on their rights under the GDPR
• Complying with data subject requests within the law’s designated time-frames
In addition, you must be sure that you forge an agreement to ensure that any service providers (data processors) who will gain access to the data you’ve collected will also be in compliance.
You, Your Service Provider & The GDPR
SPECIFIC ROLE RESPONSIBILITIES
This section details the specific information security responsibilities and authorities of each role within the PartnerHero Inc. organization structure. It does not include any other types of responsibility (e.g., managerial, technical) and should not be taken as a full job description. Competences necessary to fulfil each role are defined by the data protection office or the Information Security Manager.
INFORMATION SECURITY STEERING GROUP
The Information Security Steering Group oversees compliance with the GDPR and the operation of information security controls as a representative of top management within PartnerHero Inc. and has overall responsibility for its effectiveness.
MEMBERS
The group is made up of members of the executive management team who perform the following roles:
• Chief Executive Officer (CEO)
• Vice President (VP, Ops)
• Business Development Director
Further members may be nominated by existing members on an as-needed basis.
RESPONSIBILITIES
The Information Security Steering Group has the following responsibilities:
• Maintain a clear and current understanding of the GDPR legislation and its implications for the business processes of the organization
• Establish and maintain the information security policy, objectives and plans
• Communicate the importance of complying with the GDPR, meeting the objectives and the need for continual improvement throughout the organization
• Maintain an awareness of business needs and major changes
• Ensure that information security requirements are determined and are met with the aim of minimizing risk and maintaining effective controls for PartnerHero Inc. and for our customers
• Determine and provide resources to plan, implement, monitor, review and improve information security and management (e.g., recruit appropriate staff, manage staff turnover)
• Oversee the management of risks to the organization and its services
• Conduct management reviews of information security, at planned intervals, to ensure continuing suitability, adequacy and effectiveness
• Select auditors and ensure that internal audits are conducted in an objective and impartial manner
• Establish a continual improvement policy with respect to information security for PartnerHero Inc.
• Review major information security incidents
• Ensure that arrangements that involve external organizations having access to information systems and services are based on a formal agreement that defines all necessary security requirements
AUTHORITIES
The Information Security Steering Group has the authority to:
• Approve significant expenditure on information security-related matters
• Recruit additional resources for the management of information security
• Approve high-level policies for information security
• Initiate high-level incident management actions
INFORMATION SECURITY MANAGER
The Information Security Manager is the primary role with a dedicated focus on information security and related issues. In our case we won’t be appointing a DPO: due to the size of our business, the responsibilities of a DPO will be fulfilled by our Information Security Manager.
RESPONSIBILITIES
The Information Security Manager has the following responsibilities:
• Report to the Information Security Steering Group on all security-related matters on a regular and ad-hoc basis
• Communicate the information security policy to all relevant interested parties where appropriate, including customers
• Implement the requirements of the information security policy
• Manage risks associated with access to the service or systems
• Ensure that security controls are in place and documented
• Quantify and monitor the types, volumes and impacts of security incidents and malfunctions
• Define improvement plans and targets for the financial year
• Monitor achievement against targets
• Establish and maintain a continual improvement action list
• Report on improvement activities
• Identify and manage information security incidents according to a process
• Attend management review meetings on a regular basis
• Liaise with G Suite customer representatives on information security-related matters
• Assign responsibilities, raise awareness and train staff involved in the processing of personal data and the related audits
• Provide advice where requested regarding data protection impact assessments and monitor the performance results
• Cooperate with all relevant supervisory authorities for data protection
• Act as the contact point for supervisory authorities on issues relating to personal data processing and consult, where appropriate, on other security matters
• Act as a point of contact for G Suite customers regarding the processing of PII (Personally Identifiable Information) under relevant contract(s)
AUTHORITIES
The Information Security Manager has the authority to:
• Declare information security incidents
• Approve limited expenditures on information security-related matters
• Review the operation of controls within all business areas
• Make decisions regarding data subject requests allowable under the relevant data protection legislation
• Represent the organization to supervisory authorities with regard to data protection issues
• Represent the organization to G Suite customers with regard to data protection issues
INFORMATION SECURITY ADMINISTRATOR
The Information Security Administrator is a technical role involved in the implementation and maintenance of many of the controls used to manage risk.
RESPONSIBILITIES
The Information Security Administrator has the following responsibilities:
• Ensure that security controls are in place and documented
• Manage the day-to-day maintenance of controls, including:
    Access control (user account lifecycle)
    Testing and implementing security patches
    Vulnerability scanning
    Software operation (e.g., IDS, IPS, firewalls, DLP)
    System and network hardening
    Remote access
    Cryptographic key management
    Log management
• Identify and manage information security incidents according to a process
AUTHORITIES
The Information Security Administrator has the authority to:
• Take action to prevent an information security incident from occurring or escalating, where possible
• Maintain information security records in accordance with defined policies and procedures
INFORMATION ASSET OWNER
The Information Asset Owner has primary operational responsibility for one or more information assets as defined in the PartnerHero Inc. Information Asset Inventory, which indicates where personal data is stored.
RESPONSIBILITIES
The Information Asset Owner has the following responsibilities:
• Maintain responsibility for specific, named information assets
• Maintain and review security controls for allocated asset(s)
• Participate in risk assessments concerning their asset(s)
• Ensure the relevant entry in the asset inventory is kept up to date
AUTHORITIES
The Information Asset Owner has the authority to:
• Implement controls with regard to the information assets under their control
INFORMATION SECURITY AUDITOR
The Information Security Auditor is responsible for checking that the information security controls used to provide GDPR compliance are effectively implemented and maintained.
RESPONSIBILITIES
The Information Security Auditor has the following responsibilities:
• Plan, establish, implement and maintain an audit program including the frequency, methods, responsibilities, planning requirements and reporting
• Define the audit criteria and scope for each audit
• Conduct internal audits at planned intervals
• Ensure the audit process is objective
• Report the results of audits to relevant management
• Retain documented information as evidence of the audit program and the audit results
AUTHORITIES
The Information Security Auditor has the authority to:
• Investigate information security-related procedures and controls in order to assess their suitability and effectiveness
• Report findings to relevant management
OTHER ROLES WITH INFORMATION SECURITY RESPONSIBILITIES
There are a number of other internal roles within the organization which, while not solely dedicated to information security, have relevant responsibilities and authorities.
DEPARTMENT MANAGERS
RESPONSIBILITIES
A Department Manager has the following responsibilities:
• Review and manage employee competencies and training needs to enable them to perform their role effectively within the information security area
• Ensure that employees are aware of the relevance and importance of their activities and how they contribute to the achievement of information security objectives
AUTHORITIES
A Department Manager has the authority to:
• Arrange training and awareness activities for the employees under their direction, within budget constraints
• Take action to prevent an information security incident from occurring or escalating, where possible
Support Associates
Due to the often technical nature of information security issues, Support Associates have an important part to play in the provision and maintenance of controls.
RESPONSIBILITIES
Support Associates generally have the following responsibilities:
• Perform tasks such as incident and change management
• Provide technical expertise in matters of information security
• Implement technical controls
• Administer systems (e.g., user creation, backups)
• Monitor security (e.g., network intrusions)
AUTHORITIES
A Support Associate has the authority to:
• Take action to prevent any data breach from occurring or escalating, where possible
Associates
The responsibilities of Associates are defined in a variety of organization-wide policies and are only summarized in brief below.
RESPONSIBILITIES
An Associate has the following main responsibilities:
• Ensure they are aware of and comply with all information security policies of the organization relevant to their business role
• Report any actual or potential security breaches
• Contribute to risk assessment where required
AUTHORITIES
An Associate has the authority to:
• Take action to prevent a data breach from occurring or escalating, where possible
INFORMATION SECURITY ROLES
Within the information security framework relevant to our compliance with the GDPR, the following major roles need to be defined and allocated:
• Information Security Steering Group
• Information Security Manager
• Information Security Administrator
• Information Asset Owner
• Information Security Auditor
The specific responsibilities and authorities of each of these roles are described in later sections of this document.

There are also particular information security responsibilities that must be carried out by existing internal roles within the organization, and these are also described in summary within this document. These roles are:
• Department Managers
• Support Associates
• Associates
In general, responsibilities that apply to all employees, contractors and other interested parties are set out within the relevant organizational policies.
INTRODUCTION
PartnerHero Inc. treats the security of its personal data seriously. A key attribute of an effective approach to information security is a clear allocation of roles, each with defined responsibilities and authorities. Each role needs to be allocated to specific individuals or groups within the organization.

Everyone within the organization plays a part in keeping the information we hold and process about individuals safe. This document should be read in conjunction with others that describe how information security is managed within PartnerHero Inc, including:
• Privacy and Personal Data Protection Policy
• Information Security Incident Response Procedure
• Personal Data Breach Notification Procedure
• Data Subject Request Procedure
PERSONAL DATA BREACH NOTIFICATION PROCEDURE
INTRODUCTION
The purpose of this document is to provide guidelines when an incident occurs that results in, or is believed to have resulted in, a loss of personal data for which PartnerHero is a controller. This document should be used in conjunction with the Information Security Incident Response Procedure, which describes the overall process of reacting to an incident affecting the information security of PartnerHero Inc.

The EU General Data Protection Regulation 2016 (GDPR) requires that incidents affecting personal data that are likely to result in a risk to the rights and freedoms of data subjects must be reported to the data protection supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the incident. In the event that the 72-hour target is not met, reasons for the delay must be given.

Where an incident affects personal data, a decision must be taken regarding the extent, timing and content of communication with data subjects. The GDPR requires that communication must happen “without undue delay” if the breach is likely to result in “a high risk to the rights and freedoms of natural persons”.

Once it has been determined that a breach of personal data has occurred, the GDPR requires that the following parties be informed:
1. The supervisory authority
2. The data subjects affected
Notification depends upon an assessment of the risk that the breach represents to “the rights and freedoms of natural persons” (GDPR Article 33). The following sections describe how this decision must be taken and what to do if notification is required.
DECIDING WHETHER TO NOTIFY THE SUPERVISORY AUTHORITY
The GDPR states that the supervisory authority shall be notified of a personal data breach “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (GDPR Article 33). This requires that the organization assess the level of risk before deciding whether or not to notify the supervisory authority.

Factors to be taken into account as part of this risk assessment include:
• Whether the personal data was encrypted
• If encrypted, the strength of the encryption used
• To what extent the data was pseudonymised (i.e., whether living individuals can reasonably be identified from the data)
• The data items included, e.g. name, address, bank details, biometrics
• The volume of data involved
• The number of data subjects affected
• The nature of the breach (e.g., theft, accidental destruction)
• Any other factors that are deemed to be relevant
Parties involved in this risk assessment may include representatives from the following areas, depending on the nature and circumstances of the personal data breach:
• Top management
• Business area(s)
• Technology
• Information security
• Legal
• Information Security Manager
The risk assessment method, its reasoning and its conclusions should be fully documented and signed off by top management. The result of the risk assessment should include one of the following conclusions:
1. The personal data breach does not require notification.
2. The personal data breach requires notification of the supervisory authority only.
3. The personal data breach requires notification of both the supervisory authority and the affected data subjects.
These conclusions may be subject to change based on feedback from the supervisory authority and further information that is discovered as part of the ongoing investigation of the breach.
HOW TO NOTIFY THE SUPERVISORY AUTHORITY
In the event that it is decided to notify the supervisory authority, the GDPR requires that this be done “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (GDPR Article 33). If there are legitimate reasons for not having given the notification within the required timescale, these reasons must be given as part of the notification.

The notification must be given via appropriate secure means to the body listed as our supervisory authority, using the Personal Data Breach Notification Form as a template.

The following information must be given as part of the notification:
1. A description of the likely consequences of the personal data breach
2. A description of the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects
3. If the notification falls outside of the 72-hour window, the reasons why it was not submitted earlier
4. Name and contact details of the data protection officer or other contact point where more information may be obtained
5. The nature of the personal data breach, including, where possible:
a. Categories and approximate number of data subjects concerned
b. Categories and approximate number of personal data records concerned
Written confirmation should be obtained from the supervisory authority that the personal data breach notification has been received, including the date and time at which it was received.

Where necessary, the GDPR allows the information pertaining to the breach to be provided in phases without undue further delay.

Documentation of the personal data breach, including its effects and the action taken, will be produced as part of the Information Security Incident Response Procedure.
DATA SUBJECTS
DECIDING WHETHER TO NOTIFY DATA SUBJECTS
The GDPR states that data subjects shall be notified of a personal data breach “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” (GDPR Article 34). Note the addition of the word “high” over and above the definition given in Article 33.

The risk assessment carried out earlier in this procedure will have determined whether the risk to the rights and freedoms of the data subjects affected is judged to be sufficiently high to justify notification to them.

However, if measures have subsequently been taken to mitigate the high risk to the data subjects, so that it is no longer likely to happen, then communication to the data subjects is not required by the GDPR.

Notification to affected data subjects is also not mandated by the GDPR where it “would involve disproportionate effort” (GDPR Article 34). However, in this case a form of public communication should be used instead.

Again, this may change based on feedback from the supervisory authority and further information that is discovered as part of the ongoing investigation of the breach.
HOW TO NOTIFY DATA SUBJECTS
Once it has been decided that the breach justifies communication to the data subjects affected, the GDPR requires that this be done without undue delay.

The communication to the affected data subjects “shall describe in clear and plain language the nature of the personal data breach” (GDPR Article 34) and must also cover:
• Name and contact details of the data protection officer or other contact point where more information may be obtained
• A description of the likely consequences of the personal data breach
• A description of the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects
In addition to the points required by the GDPR, it may be appropriate to offer advice to the data subject regarding actions they may be able to take to reduce the risks associated with the personal data breach.

In most cases it will be appropriate to notify affected data subjects via letter or email or both in order to ensure that the message has been received and that they have an opportunity to take any action required.
THE SUPERVISORY AUTHORITY
The supervisory authority for the purposes of the GDPR for PartnerHero Inc. is as follows:

Name:
Address:
Telephone:
Fax:
Email:

Where PartnerHero Inc. operates internationally, the details above are for the lead supervisory authority.
PartnerHero Subprocessors:
• Drift
• Slack
• Mandrill
• Zendesk
• WordPress
• WTB Accounting
• Google Analytics
• PartnerHero Gmbh
• PartnerHero America
• Amazon Web Services