1.1 Who are we:
QSecure, a managed IT and security services specialist company, was founded in March 2011. The company’s mission is to protect and enhance the value of your business by building, maintaining and strengthening the structure of your organization. To achieve that, QSecure offers a variety of consultancy, professional and managed services, which include voice, networking and security solutions.
1.2 QSecure (“QSecure” or “we”) is committed:
Under the EU’s General Data Protection Regulation (GDPR) the following are defined:
2.1 Personal data
It means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State Law.
It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
It means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
3. Personal Data and Information collected:
3.1 The Personal Data and Information QSecure collects (as the data controller) about you and the way it is collected may vary according to the products and services you use and you have purchased, the relationship you have with us even if you are not a customer and the type of information we have gained from a third party on condition of consensus to share it with us (hereinafter referred to as “Cooperation”).
3.2 In the course of our collaboration, you may be requested to provide QSecure any personally identifiable data (“Personal Data”) to be kept and submitted by QSecure, such as:
- Name, address, phone number, email address, contact number, date of birth and gender.
- Billing and account data, such as billing address, credit or debit card information, bank account number and sort code or other banking information, the invoices issued regarding your services including dates of payment owed and received or any other account-related information.
- Any personal information included in the CV that a candidate employee or a current employee provides either via the website or any other channel (e.g. via email, LinkedIn account etc).
- Calling Data (called and calling number, date, time and period of a call). QSecure does not maintain or monitor the content of your telephone conversations.
- Network data, such as IP addresses and MAC addresses.
- Your access codes, which are given by QSecure during the provision of services.
- The level of service you receive, e.g. premium etc.
- The date, time and length of your internet browsing, and your approximate location at the time of browsing.
- Our conversations via e-mail or by mail and any other way of communication.
- Your preferences for specific products, services and lifestyle activities, when you inform us what they are, or we assume what they are, based on how you use our products and services.
- We also receive information regarding the use of our products and services, such as:
- The level of services you receive, e.g. network faults and other events that may affect service delivery.
- Information about using a specific product or service that we provide or manage on your behalf, such as applications and processes running, alarms for visiting a restricted website etc.
4. QSecure collects Personal Data and Information in the following ways:
4.1 On a personal basis, during the performance of a contract or during the process of examining a candidate customer’s or employees’ application for the provision of our services and products and for hiring respectively.
4.2 By telephone or in person in our officers during the communication between the candidate customer or employee and QSecure’s employees.
4.3 Through the use of our website and other electronic programmes and social media.
4.4 By post or electronic mail.
4.5 By our remote management and ticketing systems and applications used for providing support services.
4.6 By completing any questionnaires and/or documents, for review and analysis purposes aiming at the improvement of our services.
4.7 By third parties and Public Offices with whom QSecure collaborates.
4.8 When your information is published.
4.9 By signing up for notifications or other services from us.
4.10 By receiving personal information from third parties in other cases permitted by law, such as for exclusion of fraud, bankruptcy register etc.
5. The Personal Data we collect will be used for the following purposes:
5.1 Supply customers goods or services of QSecure.
5.2 Send statements, invoices and payment reminders to customers and collect payments from them.
5.3 Developing, communicating and/or promoting:
- QSecure’s products and services (including discounts, improved services and special promotions that may be of interest to the customer), which are similar to those ordered by the customer, with the use of an automated profiling process.
- Personalised offers and recommendations based on how the customer uses QSecure' products and services, the type of the customer, location information and browsing information, with the use of an automated profiling process.
- Third party products and services (including offers or discounts), in case the customer has consented to be contacted about these. In order to update the customers with any promotions, news or developments, we communicate with them in the form of calls, fax, post or any form of electronic message (including, but not limited to, SMS, MMS, video, email, or apps), provided that the customer has given his prior written consent to QSecure to receive such information.
5.4 Send email notifications that customers have specifically requested.
5.5 Respond to any questions or tickets raised by the customers and/or interested parties regarding QSecure’s network, products and/or services.
5.6 Detect and prevent any possible fraud or other illegal acts, recover debts or trace those who have outstanding balances with QSecure.
5.7 To comply with our fair use obligations as well as to identify and resolve possible fraudulent use of our networks.
5.8 To protect our network and manage volumes of calls and other possible uses of our network.
5.9 QSecure may process the data that will be necessary for the proper provision of services to customers and for the fulfilment of its obligations to all competent bodies.
6. Processing of Personal Data
6.1 We process personal data of our customers, employees or visitors of our website according to the provisions of the General Data Protection Regulation of the EU (Regulation 2016/679), and from the time-to-time applicable national legislation relevant to the protection of personal data.
6.2 The reasons and purposes of processing of Personal Data are the following:
- Implementing our contractual obligations and providing services to QSecure’s customers and employees.
- For the protection and security of CMDA’s customers and employees.
- For investigating and reporting any illegal actions.
- For the proper conduct of QSecure’s operations.
- For the effective promotion of QSecure’s operations.
- To protect QSecure’s rights.
6.3 The legal basis for processing the Personal Data and Information:
- For the execution of a contract between the Customer and QSecure or during the process of examining a candidate Customer’s application for the provision of our services and products. E.g. in order for you to make calls from your phones, QSecure has to process the numbers you are calling, so we can establish the call. This allows us to issue your account, based on your personal use. QSecure also needs to carry out credit checks when you apply for a product or service.
- Some of QSecure’s products, such as cloud services, may contractually (through the terms and conditions of the service) give QSecure the right to undertake the storing and/or otherwise the processing of Personal Data related to natural persons on behalf of the business customer and upon the business customer’s written instructions. In such a case the business customer remains the Data Controller of its Personal Data and QSecure acts only as a Processor of this Personal Data. QSecure as a Data Processor is committed to maintain the confidentiality of this Personal Data subject to the business customers’ instructions, the terms and conditions of the service ordered, and QSecure’s Information Security Management System.
- Complying with any legal obligation, such as accounting and tax audits, under which retention periods are set, and are subject to rigorous internal policies and procedures.
- Protection of QSecure’s legitimate interests, e.g. prevent possible fraud, maintain the security of our network and services and improve our services. In this case, we make sure that QSecure’s legitimate interest does not exceed your rights. In addition, in some cases you reserve the right to object to the processing. For more information, see Article 8.
- Customers’, Employees’ or Visitors’ consent, where QSecure cannot rely on one of the above reasons. All of the previous mentioned groups can revoke consent at any time. For more information see Article 8.
7. Protection of Personal Data and Information
7.1 QSecure will not make your Personal Data and Information available to any third party unless permitted or required to do so by the applicable legislation and it shall not sell or transfer any of this information to any third party.
7.2 In case QSecure processes Personal Data for which the Customer’s, Employee’s and/or Visitors’ consent is required, it shall seek their express or written consent.
7.3 In case QSecure processes Personal Information for the processing of which the authorization of the Commissioner of Personal Data Protection is required, such authorization shall be obtained before any processing takes place.
7.4 QSecure sustains solid information security measures and procedures to safeguard customers’, employee’s and visitors’ Personal Data, in line with its legal obligations. A comprehensive approach is considered for information security to effectively ensure the confidentiality, integrity and availability of the Personal Data. QSecure has already implemented a corporate Information Security Management System (ISMS) based on international standards ISO 27001 and ISO 27002. The ISMS includes amongst others the implementation of a corporate information security policy and procedures that cover e.g. security governance, document security, information management, operations and communications, personnel security, physical security, access to information systems, incident management etc. It also covers the necessary technical and procedural measures to effectively defend against cyber threats (hackers).
8. Your rights as a data subject
8.1 At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights according to the provisions of the General Data Protection Regulation of the EU (Regulation 2016/679) and the applicable local law on your personal data:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to withdraw consent – you have the right to withdraw your consent at any time, in the event of any processing is based solely on consent received by you. It is noted that any recall does not affect the lawfulness of the processing that was based on your consent before it was withdrawn by you or any processing is done on any other legitimate basis of processing.
- Right to judicial review – in the event that QSecure refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in the point 8.3 below.
8.2 All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data (data processor).
8.3 In the event that you wish to make a complaint about how your personal data is being processed by QSecure (or third parties) or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and QSecure’s data protection representatives Data Protection Officer (DPO). QSecure accepts the following forms of ID when information on your personal data is requested: Passport, ID, birth certificate, utility bill (from last 3 months).
9. Transmission of Personal Data
9.1 During the fulfilling of our contracting and legal obligations, QSecure may transfer your data to third parties such as:
- QSecure’s Service Providers, external partners and product suppliers. In the event that QSecure has a contractual relationship with a service provider or other partner or supplier providing services and products on behalf of QSecure and therefore has access to your personal data, QSecure does not authorize the partner to use or to disclose your personal data in any other way beyond the provision of its services.
- Public and regulatory authorities to the extend QSecure is obliged by the Law.
- External consultants, such as legal consultants, auditors, accountants and marketing consultants.
- Third parties to promote joint services. Third parties are responsible for implementing the law.
- Third parties with which we collaborate for promotional purposes, e.g. LinkedIn.
9.3 Mergers and Acquisition: In the event of an acquisition from another organization or reorganization, your personal data will be transferred to this organization.
10. Transmission of Personal Data to Third Countries
10.1 In the event that the transmission of your personal data to a third country will be necessary, the processors in third countries are required to comply with the European Data Protection Obligations and provide all appropriate safeguards for the transmission of personal data. The transmission if and when it should take place will be carried out in accordance to the procedure in article 46 of the General Data Protection Regulation of the EU (Regulation 2016/679).
11. Duration of Personal Data Storage (Retention period)
11.1 QSecure will store and process Personal Data for as long as mandated by the Laws of the Republic of Cyprus and/or throughout the validity period of the customer’s contract or employee’s contract.
11.2 Certain Personal Data may be stored after the termination of the customer’s contract according to the provisions of the applicable Cyprus legislation. The following data is not erased:
11.3 Data maintained for law enforcement purposes when lawfully requested to do so by a Court of law (Law 183(I)/2007).
11.4 Data maintained for the purposes of taxation legislation (Law 95(I)/2000 and Law 4/1978), which are maintained for a period of six (6) years.
11.5 Data processed for the purposes of legitimate interest (e.g. an action against a customer), which are maintained until the legitimate purpose is completed.