Scope and purpose of processing
Firstcom Europe Limited holds personal data for the purpose of the provision of telecommunications services and related products. The personal data held is obtained in support of contractual arrangements and is necessary under the ‘legitimate interests’ pursued by the controller (Firstcom Europe Limited) as defined in article 6.1 of the GDPR. The ability to opt out of marketing communications remains, but this does not extend to operational or pricing communications.
Nature of processing
Firstcom Europe Limited does not undertake any automated decision making as defined by article 22 of the GDPR. Data will be processed internally for the purposes of objective and permission-based activities.
Duration of processing
Firstcom Europe Limited will retain personal data for the duration of the customer contract for the provision of telecommunications services and products. Thereafter, the data will be held for a reasonable period, depending on the nature of the relationship with the customer. The data will be deleted when the retention of that data can no longer be justified under the provisions of the Data Protection Act and is not overruled by other legislation or regulations.
Categories of Data Subjects
The data subjects whose data may be held by Firstcom Europe Limited are restricted to existing, former, or prospective customers, partners, and associated contacts. These fall under the category of ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR).
There is no routine sharing of personally identifiable data. Where exceptions exist, these are related to the management of systems where providers require sample data for the purposes of debugging systems or processes. In these circumstances, Firstcom Europe Limited will implement a formal data sharing agreement to ensure the data is handled only for the resolution of the fault. The agreement would also ensure that the access, security, and disposal of the data adheres to Data Protection legislation.
In terms of transactional data (non-personally identifiable data), for example data relating to Direct Debits, there is a robust data sharing agreement and corresponding process for exchanging data with all suppliers. No personally identifiable data is exchanged or transferred routinely.
Firstcom Europe Limited will under no circumstances share data with a third party for marketing purposes without the explicit permission of the customer, partner, website visitor or prospect.
Data Hosting
Most of our data is hosted in secure data centre environments. These are accessible only through a VPN, and in the case of our CRM, through a two-factor authentication process. Our data is held within Great Britain or the EU. Some data is held on secure local servers with the relevant backup and security protocols. Access to all our systems is managed through robust permission structures based on the requirement of the individual’s role. Our permission structures are regularly reviewed.
Out of hours access
It is necessary for some specified individuals to have access to data outside of operational hours, for example to manage and react to incidents of exceptional call reporting (potential fraudulent calls), and to access systems remotely or onsite for the purpose of maintenance or for managing system failures or errors. In these circumstances, access is either on our premises, or is governed by the same security measures outlined in the “Data Hosting” section above.
Access to customer data for the provision of maintenance and support
Where Firstcom Europe Limited has installed a phone system, we will retain a copy of the installation records. These records may include individual user information. The data Firstcom holds as part of the installation record of individual users will not be updated where the data held in the customer’s phone system is changed.
As part of an ongoing maintenance contract, we will provide the delegated Firstcom Europe Limited staff with remote access to the customer’s telephone system by agreement with the customer. In these instances, this will provide access to information that may identify an individual, including:
- User name
- User email
- User Direct Dial Number
As a Data Processor in the context of the Data Protection Act, Firstcom Europe Limited will access these only where necessary and for the purposes of maintenance and service provision. Firstcom Europe Limited is, at the request of the customer, able to access, alter and remove this data, and where required, reset the user’s password. Firstcom is not able to view or access users’ passwords. It remains the responsibility of users to change and update their passwords in line with the customer’s security policies.