Adflex Limited is strongly committed to maintaining the privacy of all individuals whose personal data it holds and processes and managing all such data in accordance with United Kingdom legislation. Within this statement, Adflex sets out some of the steps it is taking in order to comply with the new legal requirements for the processing of personal data.
Adflex has undertaken a review of all its activities and implementing the requirements of the General Data Protection Regulation (GDPR) to ensure compliance in all areas of its business. This includes a review of our security arrangements, consideration of the extent to which any personal data needs to be processed both by Adflex and on behalf of its customers, the periods during which any personal data is retained, the contracts with our customers, the way in which any sub-contractors process personal data and contracts with them.
Adflex remains committed to the principle that any personal data collected in connection with its own business will not be shared with any other party for the purposes of marketing and will only be shared with a third party when an individual specifically agrees or where it is for the purposes of providing the services requested by the customer. Where Adflex processes personal data for a customer, it will only use the data for the purposes of providing the services as directed by the customer and for no other reason. Adflex only processes personal data within the EEA.
Where Adflex processes personal data for its customers, the management of this data can be the responsibility of both the customer and Adflex. In the case of most of its applications, the customer can determine the extent of any personal data which Adflex processes and amend and delete the types of data it sends to Adflex. In the case of our online services, the customer is able to decide who has access to the services and protect access by security controls.
Adflex is committed to ensuring that it has in place the appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
Adflex is certified as a PCI DSS Level 1 processor for the handling of payment card data and applies the same levels of security to any personal data it holds or processes. As part of its internal arrangements, Adflex restricts access to only those employees who need to be able to review personal data, vet all employees who have access to personal data and ensure that all such employees have undertaken to keep any personal data confidential.
Adflex only uses industry certified data centres and cloud service providers who deliver high levels of security and availability and monitored 24 x 7 x 365 for processing activities including availability and intrusion. All services benefit from quick failover points and regular backing up of data. Regular internal and external scans are performed together with penetration tests annually or after any major infrastructure changes.
Personal and cardholder data is encrypted inflight using Transport Layer Security (TLS) encryption (also known as HTTPS) and at rest using AES256. Adflex has in place documented processes to ensure that all confidential information, including personal data, is securely destroyed when no longer required.
In the event of a security breach, Adflex has processes in place for identifying and reviewing any suspected data breach. If a breach involves the loss, alteration or destruction of any personal data processed for a customer, Adflex will advise the customer as soon as is possible with full details and the steps being taken to limit the effects of the breach Adflex will provide full co-operation to the customer in any investigation or that of a regulator.
Adflex is committed to adhering to the new extended data subject rights for personal data it holds as part of its own business and working with all its customers for whom holds or processes personal data to meet each individual's rights, including being advised of the data held, rectifying errors in the data, destruction and, where relevant, the right to restrict any processing. Adflex does not utilise automated decision making or profiling when processing personal data for a customer.
In order to comply with the new law, Adflex recognises the need, as a processor, to have detailed contracts in place with its customers and is reviewing all its arrangements. These contracts will need to adequately cover such items as the length of the arrangement, the reason for the processing, the types of data being processed, consent to the use of any sub-contractors by Adflex and rights and obligation of our customers who provide Adflex with the personal data for processing.
Adflex has trained its entire staff on the effects of GDPR and has implemented procedures to ensure all new staff receive adequate training on joining Adflex with periodic refresher courses for all staff. Adflex has updated as necessary all its staff policies to comply with the changes being introduced by GDPR.