1. Policy Statement
Murray Mobile Technology (hereinafter referred to as the “Murray Mobile”) recognises and understands that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organisation.
This policy and related documents meet the standards and expectations set out by contractual and legal requirements and have been developed to meet the best practices of business records management, with the direct aim of ensuring a robust and structured approach to document control and systems.
The purpose of this document is to provide Murray Mobile’s statement of intent on how it provides a structured and compliant data and records management system. Records are defined as all documents, regardless of format, which facilitate business activities and are thereafter retained to provide evidence of transactions and warranties. Such records will be created, received or maintained in hard copy and in electronic format. Records management is defined as the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, distribution, storage and disposal of records. The hard copy of the records will be permanently destroyed after retail devices or accessories, or repair devices, have been collected by the customers.
This policy applies to all staff within Murray Mobile (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, interns and agents engaged with the Company in Ireland or overseas), and pertains to the processing of personal information. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
4. General Data Protection Regulation (GDPR)
GDPR stands for General Data Protection Regulation. It is a European regulation aimed at improving the way personal data is used and protected, and it is a first step toward giving EU citizens and residents more control over how their data are used by organisations. Because Murray Mobile handles the personal information of people in the EU through its cell phone retail and repair business, the company must comply with the GDPR.
At its core, GDPR is about safeguarding customers’ personal data. As a cell phone retail and repair company, Murray Mobile will likely encounter personal data in the following forms (but is not limited to these):
A record is information, regardless of media, created, received, and maintained which evidences the development of, and compliance with, regulatory requirements, business practices, legal policies, financial transactions, administrative activities, business decisions or agreed actions. It is Murray Mobile’s objective to implement the necessary records management procedures and systems which assess and manage the following processes:
Records contain information that is a unique and invaluable resource to the Company and are an important operational asset. A systematic approach to the management of our records is essential to protect and preserve the information contained in them, as well as the individuals such information refers to. Records are also pivotal in the documentation and evidence of all business functions and activities.
5.1 The creation and capture of records
Murray Mobile captures customers’ personal data only for the purpose of keeping the transactions and warranties for devices or accessories sold by the company, or devices repaired or serviced by the company. When collecting a customer’s personal data, Murray Mobile will inform them exactly how it will be used and how the customer can request access to their data. In particular, Murray Mobile has never used email addresses and phone numbers for marketing purposes and will not do so. Regardless of the reason for collection, Murray Mobile states its intent to the customer at the time of collecting their data, and the customer gives their consent by signing the acknowledgement form.
5.2 Compliance with legal, regulatory and contractual requirements
Murray Mobile’s Data Retention & Erasure Policy fully complies with legal, regulatory and contractual requirements based on the EU GDPR information site. By consulting with various independent supervisory authorities, Murray Mobile has completed a full data protection practice and policy. Murray Mobile has also completed the GDPR checklist to enhance its capability to systematically store and protect customers’ personal data.
5.3 The storage, access, and disposal of records
As a cell phone retail and repair company, Murray Mobile encounters a vast amount of personal data on a daily basis. This personal data normally comes in the following forms:
The biggest advantage Murray Mobile has in protecting customers’ personal data is that the company uses a fully self-designed and self-developed system for all functions such as repair tracking tickets, point of sale and device inventory. To strengthen this further, the hosting server for the system is located in the Daedalus data centre and is protected by multiple firewalls. Data transactions are encrypted with MD5 encryption, and all data is stored in Microsoft SQL Server with strong password protection. None of the data that Murray Mobile collects is stored in plain text files. In addition, the access channel uses a non-standard port which is also monitored and protected by the data centre’s firewall.
5.4 The protection and security of record integrity and authenticity
As mentioned above, Murray Mobile does not use any third-party systems to store customers’ personal data, which gives strong integrity and authenticity protection for the records: other than the company itself, there is no intermediary or other party with access to the records. Besides this systematic data protection, Murray Mobile also limits access to the data by its own personnel. Only the management team members who have signed the data protection acknowledgement form hold access credentials for the data. Each endpoint that is able to capture and record customers’ personal data is password protected, and the staff who use it have signed the data protection form. A further mechanism to prevent personal data breaches is that Murray Mobile’s system server restricts access from other IP addresses: the firewall is configured so that only the IP address of the company’s headquarters may access the database.
5.5 The use of records and the information contained therein
Murray Mobile only uses customers’ personal data for the purpose of keeping the transactions and warranties for devices or accessories sold by the company, or devices repaired or serviced by the company. The company may also use these records to protect itself from scams and misleading claims in circumstances where a customer has given incorrect information. A further purpose of using this data is to generate the company’s annual report on both finance and technology trends, and it also helps the company with inventory management of devices and repair parts.
The information contained in these records which constitutes customers’ personal data is: name, phone number, email address, and IMEI/SN. The records also contain other information that is not personal data, such as transaction value, date and time, repair technician, salesperson, device model, accessory name, etc. Because everything is stored in the same system behind the same gateway, all the information, whether personal data or not, is protected by Murray Mobile.
6. Retention Period Protocols
All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.
The first question for Murray Mobile when retaining customers’ personal data is how long it realistically needs to keep the records. Under the EU GDPR, the company cannot keep customer records forever. By consulting with various independent supervisory authorities, Murray Mobile has decided to keep the records for 24 months, which is a reasonable period to retain personal data for inactive customers. After this period, the company’s system will delete any personal data relating to those records. This does not mean deleting the actual records: only the personal data is removed or anonymised by replacing it with machine-generated names. The company needs to keep the other information, which is not related to any personal data, for accounting and other purposes.
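As an added illustration of the 24-month rule described above (example code written for this page, not Murray Mobile’s own system, which the policy says runs on Microsoft SQL Server), the routine below anonymises customers whose most recent transaction is older than the retention period while leaving the non-personal transaction fields intact. The schema, table names, sample customers and the SQLite database standing in for the production server are all constructed assumptions; the personal fields (name, phone, email, IMEI/SN) and non-personal fields (value, date, technician) follow the list in section 5.5, and each anonymisation is written to a log table in keeping with the tracking requirement in section 6.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed schema (an assumption for this example, not the company's real one).
# Personal data: customers.name/phone/email and transactions.imei.
# Non-personal data kept for accounting: value_eur, ts, technician, kind.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY, name TEXT, phone TEXT, email TEXT,
    anonymised INTEGER NOT NULL DEFAULT 0);
CREATE TABLE transactions (
    id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, imei TEXT,
    value_eur REAL, ts TEXT NOT NULL, technician TEXT, kind TEXT);
CREATE TABLE retention_log (
    id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
    action TEXT NOT NULL, run_at TEXT NOT NULL);
"""

RETENTION_DAYS = 730          # the 24-month period stated in section 6
DEMO_NOW = datetime(2024, 1, 1)  # fixed "today" so the demo is reproducible


def build_sample_db(now: datetime) -> sqlite3.Connection:
    """Create an in-memory database with constructed (fictional) customers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customers (id, name, phone, email) VALUES (?, ?, ?, ?)",
        [(1, "Ann Example", "+353-1-000-0001", "ann@example.invalid"),
         (2, "Bob Example", "+353-1-000-0002", "bob@example.invalid"),
         (3, "Cat Example", "+353-1-000-0003", "cat@example.invalid")])

    def ago(days: int) -> str:
        return (now - timedelta(days=days)).isoformat()

    conn.executemany(
        "INSERT INTO transactions (customer_id, imei, value_eur, ts, technician, kind)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "3500000000000011", 120.0, ago(800), "tech-a", "repair"),  # inactive > 24 months
         (2, "3500000000000022", 45.0, ago(900), "tech-b", "sale"),     # old record, but ...
         (2, "3500000000000023", 60.0, ago(100), "tech-b", "repair"),   # ... recent activity keeps Bob
         (3, "3500000000000033", 30.0, ago(729), "tech-a", "sale")])    # still inside the window
    conn.commit()
    return conn


def anonymise_inactive_customers(conn: sqlite3.Connection, now: datetime,
                                 retention_days: int = RETENTION_DAYS) -> list:
    """Strip personal data from customers inactive for longer than retention_days.

    Inactivity is judged on the customer's most recent transaction, not on each
    record individually, so a returning customer's older records are kept whole.
    Returns the list of customer ids that were anonymised in this run.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    rows = conn.execute(
        """SELECT c.id FROM customers c
           JOIN transactions t ON t.customer_id = c.id
           WHERE c.anonymised = 0
           GROUP BY c.id
           HAVING MAX(t.ts) < ?""", (cutoff,)).fetchall()
    ids = [r[0] for r in rows]
    for cid in ids:
        # Machine-generated placeholder derived only from the row id, never from
        # the personal data itself, so the original values cannot be recovered.
        machine_name = f"customer-{cid:06d}"
        conn.execute("UPDATE customers SET name = ?, phone = NULL, email = NULL,"
                     " anonymised = 1 WHERE id = ?", (machine_name, cid))
        # IMEI/SN is personal data per section 5.5; value, date and technician remain.
        conn.execute("UPDATE transactions SET imei = NULL WHERE customer_id = ?", (cid,))
        conn.execute("INSERT INTO retention_log (customer_id, action, run_at)"
                     " VALUES (?, 'anonymised', ?)", (cid, now.isoformat()))
    conn.commit()
    return ids


def customer_state(conn: sqlite3.Connection, cid: int) -> tuple:
    """Return (name, phone, email, [imeis], [values]) for one customer, for inspection."""
    name, phone, email = conn.execute(
        "SELECT name, phone, email FROM customers WHERE id = ?", (cid,)).fetchone()
    tx = conn.execute("SELECT imei, value_eur FROM transactions WHERE customer_id = ?"
                      " ORDER BY id", (cid,)).fetchall()
    return (name, phone, email, [t[0] for t in tx], [t[1] for t in tx])


def demo(now: datetime = DEMO_NOW) -> tuple:
    """Run the retention job once on the sample data and return (ids, states)."""
    conn = build_sample_db(now)
    ids = anonymise_inactive_customers(conn, now)
    states = {cid: customer_state(conn, cid) for cid in (1, 2, 3)}
    second_run = anonymise_inactive_customers(conn, now)  # must be idempotent
    return ids, states, second_run


if __name__ == "__main__":
    anonymised, states, again = demo()
    print("anonymised:", anonymised, "second run:", again)
    for cid, state in states.items():
        print(cid, state)
```

Running the job a second time anonymises nothing, because the `anonymised` flag excludes customers already processed; the non-personal transaction values survive so that accounting reports still reconcile.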
For all data and records obtained, used and stored within Murray Mobile, the company
in the below areas:
All systems and records have designated owners (IAO) throughout their lifecycle to ensure accountability and a tiered approach to data retention and destruction. Owners are assigned based on role, business area and level of access to the data required. The designated owner is recorded on the Retention Register and is fully accessible to all employees. Data and records are never reviewed, removed, accessed or destroyed without the prior authorisation and knowledge of the designated owner.
In specific circumstances, data subjects have the right to request that their personal data is erased; however, Murray Mobile recognises that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies:
Where one of the above conditions applies and the company receives a request to erase data, it first ensures that no other legal obligation or legitimate interest applies. If it is satisfied that the data subject has the right to have their data erased, this is carried out by the Data Protection Officer in conjunction with the relevant department manager and the IT team in Murray Mobile to ensure that all data relating to that individual has been erased.
These measures enable Murray Mobile to comply with a data subject’s right to erasure, whereby an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. Whilst the company’s standard procedures already remove data that is no longer necessary, it still follows a dedicated process for erasure requests to ensure that all rights are complied with and that no data has been retained for longer than is needed.
If for any reason Murray Mobile is unable to act in response to a request for erasure, it always provides a written explanation to the individual and informs them of their right to complain to the Supervisory Authority and to seek a judicial remedy. Such refusals to erase data
Heads of departments and information asset owners have overall responsibility for the management of records and data generated by their departments' activities, namely to ensure that the records created, received and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the aims of this policy.
Where a DPO has been designated, they must be involved in any data retention processes, and records of all archiving and destruction must be retained. Individual employees must ensure that the records for which they are responsible are complete and accurate records of their activities, and that they are maintained and disposed of in accordance with Murray Mobile's protocols.