Data Protection Policy
Under the EU Regulation 2016/679 General Data Protection Regulation
Last updated: 21 May 2018

| Term | Definition |
|---|---|
| Galaxkey | means Galaxkey Limited |
| GDPR | means the General Data Protection Regulation |
| Contact | means the Galaxkey Data Protection Representative |
| Register | means a register of all processing or contexts in which personal data is processed by Galaxkey and Galaxkey partners |
| Customer | means a Galaxkey paying customer or non-paying user (free subscription) |
| Galaxkey Account Data | means the personal information about you that you provide to Galaxkey in connection with: creation or administration of your account (this may include name, usernames, email address, phone number, physical address, company name and payment details); information that you provide when you contact us; information that you provide when you access our products and services; information that you provide through consents and preference updates |
| Data Content | means the data content that you protect using the Galaxkey product and/or services. This may include data, text, audio, video or images. Galaxkey does not have access to your data content. Your data content does not include account data. |
The Customer is solely responsible for the personal information that they protect using Galaxkey products or services as Galaxkey has no access to this information. Galaxkey terms of service and licence agreement apply to customer data content.
PART A: Your Galaxkey Account Data
2. Policy overview
This Policy describes the obligations of Galaxkey regarding data protection and the rights of the “data subject”, relating to their personal information under the EU Regulation 2016/679 General Data Protection Regulation (GDPR).
Galaxkey is a limited liability company (registered number 07338597), whose registered office is at 2 Falcon Gate Shire Park, Welwyn Garden City, AL7 1TW, United Kingdom.
Galaxkey is a data security company and needs to gather and use certain personal information about individuals to provide the Galaxkey products and services. These can include information about customers, suppliers, business contacts, employees and other people that Galaxkey has a relationship with or may need to contact for the purpose of functioning and delivering products and services.
Galaxkey implements responsible and sophisticated technical and physical controls that are designed to prevent unauthorised access to or disclosure of customer personal information that is provided to Galaxkey by the customer for processing.
This policy describes Galaxkey’s obligations regarding the collection, processing, transfer, storage and disposal of personal information to meet data protection standards and to comply with the law. It refers to customer account data and not customer data content. Galaxkey does not have access to any customer data content.
For clarification purposes, Galaxkey includes a separate section in this policy relating to data content (Part B).
3. Why the policy exists
Galaxkey is focused on GDPR compliance. We will take any action necessary to ensure that we handle customer personal information in compliance with applicable law, that both Galaxkey and our products and/or services comply with the GDPR, and that the security, confidentiality, integrity and availability of the personal information that Galaxkey processes are maintained.
We endeavour to keep our legal documentation up to date to reflect any changes to our product and/or services to ensure that, as a processor of our customers’ personal information, we meet the requirements of processors under the regulation. We assess our data collection and storage practices to ensure we take the necessary steps to comply.
The goal of this data protection policy is to set out the legal data protection aspects in one summarising document. It can also serve as the basis for statutory data protection inspections, e.g. by the customer, not only to ensure compliance with the GDPR but also to provide proof of compliance and accountability.
This data protection policy ensures that Galaxkey:
- Complies with the data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it protects, stores and processes individuals’ personal information
- Protects itself, its employees and customers from the risks of a data breach
4. General provisions
This policy applies to all personal information that Galaxkey processes relating to identifiable individuals. This may include commercial information and personal information like:
- Company Names
- Email Addresses
- Telephone numbers
Galaxkey will review this policy on a regular basis (at least annually) to keep it up to date.
5. Galaxkey’s role
Galaxkey as a data controller
If you are a registered Galaxkey user/customer or a visitor to our website we act as the data controller of personal data. This means that we decide how and why we process your data.
Galaxkey as a data processor
All Galaxkey employees and contractors working for Galaxkey have responsibility for ensuring personal information is collected, handled and stored appropriately. All personal information is handled and processed in line with this policy and data protection requirements by law.
7. Data Protection Law
The General Data Protection Regulation (GDPR) describes how organisations, including Galaxkey, must collect, handle and store personal information.
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
These rules apply regardless of whether personal information is stored electronically, on paper, or on other materials.
8. Data protection principles
Galaxkey is committed to processing personal information in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal information shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
9. The Rights of Data Subjects
The GDPR sets out the following rights applicable to data subjects. See the relevant sections for details on how Galaxkey observes the rights of the data subject:
- The right to be informed (16)
- The right of access (17)
- The right to rectification (18)
- The right to erasure (also known as the ‘right to be forgotten’) (19)
- The right to restrict processing (20)
- The right to data portability (21)
- The right to object (22)
- The Rights with respect to automated decision-making and profiling (25)
10. Lawful, fair and transparent processing
The GDPR seeks to ensure that personal information is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. All personal information processed by Galaxkey is processed on at least one of the lawful bases permitted for processing personal information (see ICO guidance for more information):
- Consent: The data subject has given consent for the processing of their personal information
- Contract: The processing is needed to fulfil a contract to which the data subject is party, or necessary to take steps requested by the data subject prior to entering into a contract with them
- Legal obligation: The processing is necessary for compliance with the law
- Vital interests: The processing is necessary to protect someone’s vital interests (someone’s life)
- Public task: The processing is necessary for the performance of a task carried out in the public interest or for official functions, which has a clear basis in law
- Legitimate interests: The processing is necessary for the purposes of our legitimate interests or the legitimate interests of a third party
- Galaxkey maintains a Register to ensure its processing of personal information is lawful, fair and transparent
- The Register is reviewed on a regular basis (at least annually) to ensure it is accurate
- Where consent is relied upon as a lawful basis for processing information, evidence of opt-in consent is kept with the personal information
- Galaxkey does not collect any “special category data” sensitive personal information (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation)
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent is clearly available and systems are in place to ensure such revocation is reflected accurately in Galaxkey’s systems
12. Specified, Explicit, and Legitimate Purposes
Galaxkey collects and processes the personal information set out in the Register (see section 26 of this policy for further details). This includes:
- Personal information collected directly from data subjects and/or personal information obtained from third parties
- Galaxkey only collects, processes, and holds personal information for the specific purposes described in the Register (see section 26 of this policy) or for other purposes expressly permitted by the GDPR and law
- Data subjects are kept informed at all times of the purposes for which Galaxkey uses their personal information (see section 18 of this policy)
13. Adequate, Relevant, and Limited Data Processing
- Galaxkey will only collect and process personal information on a lawful basis (see section 9), for and to the extent needed for the intended purposes of which the data subject has been informed
- Galaxkey ensures that personal information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- See the Register (section 26) for details on the personal information that Galaxkey collects and processes
- Galaxkey ensures this through administrative controls which are enforced through company policy.
14. Accuracy of Data and Keeping Data Up-to-Date
- Galaxkey takes reasonable steps to ensure personal information is accurate.
- Where necessary for the lawful basis on which information is processed, steps are put in place to ensure that personal information is kept up to date.
- If the information is found to be no longer required it is disposed of in a secure manner.
- Galaxkey keeps the information in as few places as necessary.
- Galaxkey provides an easy means for customers to update and rectify their information that Galaxkey holds about them via the Galaxkey website www.Galaxkey.com or by contacting Galaxkey at firstname.lastname@example.org
- If inaccuracies are discovered Galaxkey will update the information.
- If a customer is no longer reachable their information will be securely removed after 12 months as per the Galaxkey data retention period.
- Galaxkey will only keep personal information for the amount of time that it is needed for the original processing purpose. If it is no longer needed, Galaxkey will take reasonable steps to securely remove the information.
- To ensure that personal information is kept for no longer than is necessary, Galaxkey has a data retention period of 12 months if the user is not active or after the expiration of the subscription.
- Galaxkey removes information securely by digital shredding.
Galaxkey ensures that all personal information collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage (see sections 27 to 30 for further details on the security measures that Galaxkey takes).
17. Records and Accountability
Galaxkey keeps internal records of all personal information collection, holding and processing. This may include:
- Details of the type of personal information and who it relates to
- Third party processing personal information on behalf of Galaxkey
- Purpose for collecting, holding and processing the personal information
- Details of transfer of personal information outside of the EEA and the security safeguards in place
- Details of how long the information will be retained (12 months unless otherwise contractually agreed)
- Details of the technical and organisational measures that Galaxkey is taking to protect the personal information
18. Data Protection Impact Assessment
Galaxkey will carry out a Data Protection Impact Assessment for any new processing requirements or uses of personal information when new technologies or processing are considered which may result in a high risk to the rights and freedoms of the data subject under the GDPR.
19. Keeping data subjects informed
Galaxkey will keep the data subject informed of how their information is collected, processed, transferred, and stored. Galaxkey shall inform the data subject of:
- Purpose for collecting the information at the time of collection
- Information collected for communication purposes, at the time of the first communication
- Transfer of data to another party, before transfer or as soon as reasonably possible
- Transfer of information to a third party located outside of the EEA and inform them of the security safeguards in place
20. Subject Access Requests
Individuals have the right to access their personal information and any such requests made to Galaxkey shall be dealt with in a timely manner.
All individuals who are the data subjects of personal information held by Galaxkey are entitled to:
- Ask what information Galaxkey holds about them
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how Galaxkey is meeting its data protection obligations
A data subject can contact Galaxkey requesting this information via a subject access request (SAR) free of charge.
The subject access request should be made by email to email@example.com. Galaxkey will verify the individual making the subject access request before handing over the information.
Galaxkey will aim to respond to such a request, usually within one month of receipt, but this may be extended if the SAR is complex. The individual will be kept informed of the progress.
21. Rectification of Personal Data
Data subjects can request that their personal information be rectified. Galaxkey will rectify personal information it holds on request from the data subject in a timely manner. Galaxkey provides an easy method for the data subject to rectify and update their personal information via the Galaxkey website or by emailing firstname.lastname@example.org
22. Erasure of Personal Data
Data subjects can request that their personal information that Galaxkey holds about them be erased. Galaxkey will erase personal information in accordance with the GDPR. Unless Galaxkey has reasonable grounds to refuse the erasure, all requests will be complied with.
23. Restriction of Processing
Data Subjects can request that Galaxkey stops the processing of their information. Galaxkey will comply and will only retain the personal information of the individual (if any) necessary to ensure that the information is no longer processed by Galaxkey.
Galaxkey ensures the portability of the data subject’s information. To facilitate data portability Galaxkey will make the personal information available in a Galaxkey encrypted format that is securely transferable to the data subject on request. This will be complied with in a timely manner.
25. Objections to Personal Data Processing
Data subjects can object to Galaxkey processing their personal information based on legitimate interests, direct marketing, or processing for scientific and/or historical research and statistical purposes. Unless the law allows otherwise, Galaxkey will comply with the data subject’s request and stop processing their information.
26. The Rights with respect to automated decision-making and profiling
Galaxkey does not use personal data for automated decision making and profiling.
27. Register of Personal Data Collected, Held, and Processed
Galaxkey sometimes partners with third parties to provide the Galaxkey products and services. The third parties that we partner with are chosen by us, and they adhere to the data protection regulation and to data protection and privacy policies and practices.
We may need to share personal account data with these third parties to fulfil our function and contract. We only do this if it is necessary, and when we do we have safeguards in place to protect the data and privacy as outlined in this policy.
Below are our main third-party processing partners and links to their privacy policies. These partners do not have access to any of the data content protected with Galaxkey software.
28. Secure Transfer and Communications of Personal Data
Galaxkey takes the following measures with respect to all communications and other transfers involving personal information:
- All electronic transfer of personal information is encrypted using modern cryptographic methods
- All electronic transfer of personal information is classified as ‘confidential’
- Galaxkey only transfers personal information over secure networks
- All personal information transferred physically, whether in hardcopy form or on removable electronic media is transferred in a secure manner
- All personal information transferred through fax, scan and print is transferred in a secure manner
- Access to personal information is limited to personnel who need access to perform a function and appropriate security is in place to avoid unauthorised sharing of information
29. Secure Use of personal data
Galaxkey takes the following measures with respect to using personal information:
- Galaxkey only collects personal information required to fulfil the purpose of providing the customer or user with the Galaxkey product and/or service.
- Galaxkey only uses personal information for marketing purposes if consent is given by the data subject
- Galaxkey only shares personal information with employees or Galaxkey third parties as necessary to provide the customer with the Galaxkey product and/or service
- Access to personal information is limited to personnel who need access and appropriate security is in place to avoid unauthorised sharing of information
- Galaxkey does not transfer personal information to other parties without authorisation
- Where personal information is processed for marketing purposes Galaxkey ensures that consent is obtained
- Galaxkey handles personal information with care and takes measures to ensure no unauthorised person gains access to the data
- No personal information is left unattended in any way, e.g. on a desk or on a computer screen in open view
- Galaxkey uses appropriate technical measures to protect personal information. All information is encrypted in storage and in transit
- Galaxkey partners and third parties processing information on Galaxkey’s behalf use appropriate technical measures to secure the information
- When personal information is deleted this is done securely such that the information is irrecoverable.
- All physical information (hardcopies and removable media) is kept securely and locked away securely
- No paper containing information is left where unauthorised people can see or access it and all printers are appropriately secured.
- Printouts of personal information are disposed of securely when no longer required.
- All electronic information is protected from unauthorised access, accidental deletion and malicious hacking attempts.
- All electronic personal information is stored in an encrypted format
- Any information on removable media is secured and stored securely
- Personal information is only stored on designated drives and servers and only uploaded to cloud services that have appropriate data protection measures and meet their legal data protection obligations
- Data is backed up frequently and backups are encrypted
- All servers, computers and mobile devices containing personal information are protected with approved technical measures
31. Secure Data Disposal
Galaxkey disposes of personal information in a secure manner such that the information is irrecoverable.
Technical and Organisational measures
Galaxkey takes adequate technical and organisational measures to ensure the protection of personal information.
- Galaxkey maintains an effective security management system including review of security policies, risk assessments of processing systems and internal audits.
- Galaxkey has steps in place to ensure human resource security including background checks, security and confidentiality policies, and security and privacy awareness training
- Galaxkey partners have appropriate levels of protection for personal information and work in accordance with this policy and the GDPR
- Galaxkey utilises security best practices
- Galaxkey reviews handling and processing methods of personal data on a regular basis
- Galaxkey reviews the personal information that it holds and processes on a regular basis
- Galaxkey ensures that only those Galaxkey personnel with an actual need-to-know will have access to any personal information
- Galaxkey uses the principles of least-privilege, only allowing the required access to personal information to fulfil the function
- Galaxkey uses two-factor authentication
- Galaxkey uses authenticated access control
- Galaxkey encrypts all personal information at rest and in transit
- Galaxkey has measures in place to ensure the confidentiality, availability and integrity of personal information
- Galaxkey will hash and then encrypt all personal information.
- Galaxkey digitally signs personal information for integrity purposes.
- Appropriate incident management, back-up and disaster recovery solutions are in place
32. Transferring Personal Data Outside the EEA
Galaxkey may transfer personal data to countries outside of the EEA where allowed under the GDPR, including where:
- the country or territory has adequate levels of data protection for personal information;
- the country has appropriate safeguards approved by the European Commission and the ICO and is compliant with the GDPR;
- the data subject has provided consent for the transfer;
- the transfer is needed to fulfil the contract or pre-contractual steps between the data subject and Galaxkey;
- it is required for public interest;
- it is required for legal claims;
- it is required to protect the vital interests of the data subject or other individuals (someone’s life);
- the transfer is made from a register that by law is to provide public information and is publicly accessible.
33. Disclosing of data for other reasons
In certain circumstances, Galaxkey is allowed to disclose personal information to law enforcement agencies without the consent of the data subject. Under these circumstances, Galaxkey will disclose requested personal information and will always ensure the request is legitimate by seeking advice from the Galaxkey board members and from Galaxkey’s legal advisers if necessary.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information, Galaxkey shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO within 72 hours after having become aware of it. Galaxkey will then follow the advice of the ICO on how to proceed and the measures to take (more information is available on the ICO website).
Galaxkey aims to ensure that individuals are aware that their personal information is being processed and that they understand how their personal information is being used and how to exercise their rights under the GDPR.
This is available from Galaxkey on request and is available on the Galaxkey website at www.Galaxkey.com
PART B: Your Data Content
Galaxkey realises that customers require privacy as well as data security. That’s why Galaxkey allows customers ownership and control over their data content. Galaxkey provides the customer with technologies, tools and features that allow them to determine their privacy and security through customer control over where information is stored, its security (in transit and at rest), and access control and management. Galaxkey can manage encryption keys and identities if the customer chooses and consents to this option; otherwise, Galaxkey does not control the customer’s encryption keys.
As a Galaxkey customer, you own your data content and you choose which Galaxkey products and/or services you use to protect, process and store your data content. Galaxkey has no access to your data content. You choose the data content that you protect, process and store whilst using Galaxkey.
As a non-paying user, your encrypted data content is stored in our secure Galaxkey cloud in the EEA. As a paying customer, you can choose where to store your data content. This can be on premise or in the cloud.
As a Galaxkey customer, you control your data content. You manage the access to your data content and Galaxkey services and resources through users, groups, permissions and credentials that you control. Galaxkey does not control any of this or your data content. Galaxkey provides strong encryption and data protection technologies for you to secure your data but you control when and how this is used to secure your data content. As a paying customer, you can also decide where and in which jurisdiction your data content is stored. A non-paying user’s encrypted data content is stored in the secure Galaxkey cloud within the EEA.
As a Galaxkey customer, you manage access to your data content and user access to Galaxkey services and resources. Galaxkey provides an advanced set of access, encryption, and logging tools and features to help you do this effectively and securely. Galaxkey has no access to your data content or your encryption keys. We can never use your data content or derive information from your data content. Galaxkey can manage encryption keys and identities if the customer chooses and consents to this option.
As a Galaxkey paying customer, you choose the jurisdiction in which your data content is stored. We do not move or replicate your data content outside of your chosen jurisdiction. Galaxkey uses AWS security-approved datacentres to store your encrypted data content if you choose this option. If this is your chosen storage option, you decide the jurisdiction according to your geographic requirements. A non-paying user’s encrypted data content is stored in the secure Galaxkey cloud within the EEA.
Galaxkey provides strong encryption, data protection technologies for your data content in transit and at rest. Systematic strong encryption and key management processes are in place to protect customer credentials. The Galaxkey architecture does not store any end-user access passwords in any form (encrypted or hashed). We do not have access to your encryption keys. You are responsible for keeping your credentials safe so that no one else can access your account using them. Galaxkey performs cloud and local backups at regular intervals.
Galaxkey utilises security best practices for privacy and data protection to help our customers operate securely when using Galaxkey products and/or services. Our processing partners have adequate levels of protection and comply with their obligations under the GDPR. Galaxkey uses data centres with ISO 27001 accreditation.