Adflex Limited is strongly committed to maintaining the privacy of all individuals whose personal data it holds and processes and managing all such data in accordance with United Kingdom legislation. Within this statement, Adflex sets out some of the steps it is taking in order to comply with the new legal requirements for the processing of personal data.
Adflex is undertaking a review of all its activities and implementing the requirements of the General Data Protection Regulation (GDPR) to ensure compliance in all areas of its business. This will include a review of our security arrangements, consideration of the extent to which any personal data needs to be processed both by Adflex and on behalf of its customers, the periods during which any personal data is retained, the contracts with our customers, the way in which any sub-contractors process personal data and contracts with them.
Adflex remains committed to the principle that any personal data collected in connection with its own business will not be shared with any other party for the purposes of marketing and will only be shared with a third party when an individual specifically agrees or where it is for the purposes of providing the services requested by the customer. Where Adflex processes personal data for a customer, it will only use the data for the purposes of providing the services as directed by the customer and for no other reason. Adflex only processes personal data within the United Kingdom and, other than the use of data centres and a cloud service provider, does not involve any third parties in the processing of data.
Where Adflex processes personal data for its customers, the management of this data can be the responsibility of both the customer and Adflex. In the case of most of its applications, the customer can determine the extent of any personal data which Adflex processes and amend and delete the types of data it sends to Adflex. In the case of our online services, the customer is able to decide who has access to the services and protect access by security controls.
Adflex is committed to ensuring that it has in place the appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
Adflex is certified as a PCI DSS Level 1 processor for the handling of payment card data and applies the same levels of security to any personal data it holds or processes. As part of its internal arrangements, Adflex restricts access to only those employees who need to be able to review personal data, vets all employees who have access to personal data and ensures that all such employees have undertaken to keep any personal data confidential.
Adflex only uses industry certified data centres and cloud service providers that deliver high levels of security and availability and are monitored 24 x 7 x 365 for processing activities, including availability and intrusion. All services benefit from quick failover points and regular backing up of data. Regular internal and external scans are performed together with penetration tests annually or after any major infrastructure changes.
Personal and cardholder data is encrypted in flight using Transport Layer Security (TLS) encryption (also known as HTTPS) and at rest using AES256. Adflex has in place documented processes to ensure that all confidential information, including personal data, is securely destroyed when no longer required. In the case of personal data utilised in the processing of card transactions, this will be held for no longer than 13 months.
In the event of a security breach, Adflex has processes in place for identifying and reviewing any suspected data breach. If a breach involves the loss, alteration or destruction of any personal data processed for a customer, Adflex will advise the customer as soon as is possible with full details and the steps being taken to limit the effects of the breach. Adflex will provide full co-operation to the customer in any investigation or that of a regulator.
Data Subject Rights
Adflex is committed to adhering to the new extended data subject rights for personal data it holds as part of its own business and working with all its customers for whom it holds or processes personal data to meet each individual’s rights, including being advised of the data held, rectifying errors in the data, destruction and, where relevant, the right to restrict any processing. Adflex does not utilise automated decision making or profiling when processing personal data for a customer.
In order to comply with the new law, Adflex recognises the need, as a processor, to have detailed contracts in place with its customers and is reviewing all its arrangements. These contracts will need to adequately cover such items as the length of the arrangement, the reason for the processing, the types of data being processed, consent to the use of any sub-contractors by Adflex and rights and obligations of our customers who provide Adflex with the personal data for processing.
Adflex has started training its entire staff on the effects of GDPR. It is implementing procedures to ensure all new staff receive adequate training on joining Adflex with periodic refresher courses. Adflex is reviewing and updating as necessary all its staff policies to comply with the changes being introduced by GDPR.
Adflex Limited GDPR Statement May 5th 2018