Skynamo and General Data Protection Regulation

Version 3.3. Date 7 October 2019

Purpose of this document

This discussion document explores the application by Skynamo of the GDPR legislation and details the steps we have taken, and are planning to take, to ensure our current and continued observance of this legislation.
The Skynamo Software collects and processes Personal Data on behalf of Customers. Skynamo will be acting as a Data Processor in relation to the personal data it collects and in providing our services.
Skynamo believes that organisational compliance is a business process and must be continually addressed. It is not a ‘once and done’ box to be ticked, but a commitment to meet. Therefore, this document is an organic one that will change over time as we improve our understanding of how GDPR impacts our internal processes and those of our customers.
The purpose of this document is only to provide information on how the GDPR will apply to the Personal Data processed by Skynamo and is not intended to be contractually or legally binding in any way whatsoever, nor is it intended to constitute legal advice on your company’s compliance with the GDPR. Whilst Skynamo makes reasonable efforts to update the information included in this document, it makes no representations, warranties or guarantees that the content in the document is accurate, complete or up to date.
You are currently reading V3.2 of this document and it is subject to change without notice.
Please send any comment, questions or queries to dpo@skynamo.com.

What is GDPR?

The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law which addresses data protection and privacy for all individuals within the European Union. This regulation came into effect on 25 May 2018.
There are seven key principles under the GDPR with which organisations must comply. These principles are:
Lawfulness, fairness and transparency;
Purpose limitation;
Data minimisation;
Accuracy;
Storage limitation;
Integrity and confidentiality (security); and
Accountability

These key principles govern how organisations collect and process Personal Data. The GDPR also gives individuals certain rights over their Personal Data, sets out when organisations may transfer Personal Data outside of the EU, and sets out how data controllers appoint and contract with data processors.
Essentially, the GDPR requires any entity that processes Personal Data to ensure that:
the data is kept in a manner that is safe from unauthorised breaches;
individuals have access to their data and can change or delete their data from the system should they wish to;
there is a specific person appointed to make sure that the entity complies with the GDPR; and
entities are accountable in the way that they deal with individuals’ Personal Data.

How the Skynamo Business is set up in the EU

Skynamo (Pty) Ltd is a limited liability company incorporated according to the laws of South Africa with registration number 2012/052717/07 (“Skynamo South Africa”).
Skynamo Ltd is a limited liability company incorporated according to the laws of the United Kingdom with registration number 11039559 and ICO registration reference ZA358748 (“Skynamo UK”).
Skynamo South Africa contracted Skynamo UK to market and sell its software product in the UK and licensed it accordingly. Therefore, the data of clients of Skynamo UK, and of its Value Adding Resellers in the EU, is stored and processed by Skynamo South Africa and by other sub-processors such as Amazon, SendGrid and Fabric.
In the provision of its service, Skynamo South Africa makes use of “sub-processors” to store and process Personal Data. Skynamo ensures that it includes appropriate GDPR compliant data processing provisions in its contracts with sub-processors. Clients will be notified if Skynamo South Africa appoints a sub-processor. As provided for in the GDPR, clients have the right to object to the appointment of a sub-processor.

Current list of sub-processors:
Amazon
SendGrid
Fabric

Data Processing

Why does Skynamo store and process Personal Data?
Skynamo is a field sales management platform and mobile sales app for sales managers and field sales reps. It tracks and analyses sales rep activities and provides sales history, stock, pricing and promotional information so that reps can make smarter decisions and sell more. To offer this service, Skynamo needs access to each client’s sales reps’ personal information.

Duration of the Processing
The duration of data processing shall be for the term agreed upon by the client.

Nature and Purpose of the Processing
The scope and purpose of processing of the end users’ Personal Data is to facilitate the provision of Skynamo’s services and the use of the Skynamo software.

Types of Client Personal Data
The Personal Data processed includes e-mail, live GPS tracking, documents and other data in an electronic form provided in the context of Skynamo’s services, which shall not include any ‘Special Categories’ of data.
Skynamo processes and stores the following levels of Personal Data as a service to our clients:
Users’ Personal Data (names, contact numbers and monitoring of location)
Contact persons of users’ customers (although customers are usually businesses, the customers’ contact information will usually contain the details of a contact person, e.g. the name, contact number and e-mail of the store manager).

Categories of Data Subjects:
Data subjects include the client's representatives and end users including employees, contractors, collaborators, and client's customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Skynamo’s services. The data subjects exclusively determine the content of data submitted to Skynamo.

Legal Basis for Processing

Data Controllers must have a legal basis for processing Personal Data and must satisfy themselves that they have such an appropriate legal basis for processing. As required by the GDPR, Skynamo will only process customers’ Personal Data in accordance with the customer’s documented instructions.
Article 6 of the GDPR allows the following as legal bases for processing Personal Data. At least one of these must apply whenever an entity processes Personal Data:
Consent: the data subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
Vital interests: processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Security

Personnel
Skynamo personnel will not process customer data without authorisation. Personnel are obliged to maintain the confidentiality of any customer data, and this obligation continues even after they have stopped working with Skynamo.

Data Privacy Contact
Skynamo has appointed a Data Protection Officer (“DPO”) to oversee Skynamo’s data protection program and ensure that Skynamo is GDPR compliant.
Name and contact info: Wim Morris, dpo@skynamo.com
The duties of the DPO are to:
inform and advise Skynamo and its employees of their data protection obligations
monitor compliance with the GDPR
provide advice about the data protection impact assessment and monitor its performance
cooperate with the supervisory authority
act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, about any other matter.

Technical and Organisational Measures
Skynamo has implemented and will maintain appropriate technical and organisational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction.

ISO 27001
As part of our continuous focus on improvement and security, Skynamo South Africa has contracted external consultants to navigate us through our ISO27001 certification. This included the formalisation of our Information Security Policy and processes.

Access and Erasure
In terms of the GDPR, data subjects have the right to access, amend and erase their Personal Data being processed. These requests must be directed to, and complied with by, the Data Controller – who, in Skynamo’s case, is the client.
Skynamo South Africa operates as a Data Importer and Processor and will therefore not deal with these requests directly. All such requests will be directed to the Data Controller (i.e. our client). Skynamo, as Data Processor, will however assist the Data Controller by appropriate technical and organisational measures to fulfil its obligations in this regard.

Legal

Our legal team is always updating our legal documentation to reflect any product changes and to include the mandatory processor provisions required by Article 28 of the GDPR.

Internal and external education

Skynamo trains all employees regarding their data protection responsibilities. We are developing online training programs to ensure that all employees are up to date on the latest requirements and developments to be continuously compliant.

Clients’ obligations in respect of GDPR when using the Skynamo Software

Most of our customers are employers whose employees use the Skynamo Software. As the Software will collect employees’ Personal Data, our customers, as Data Controllers, must ensure that their processing complies with the seven data protection principles listed above, including the issuing of privacy notices which cover the processing of personal data via the Skynamo Software.
In terms of the GDPR, employers have to provide their employees with information that explains how they process their employees’ personal data. This is most often done by means of a “Privacy Notice”.

What information should you include in your employee privacy notice?
Your contact details, as Data Controller;
If you have a representative, the identity and details of the representative;
If you appoint a data protection officer, the contact details of the Data Protection Officer;
A description of the personal data that will be collected;
The reason for collecting and processing this Personal Data;
The legal basis on which you collect and use the Personal Data;
Who this Personal Data will be shared with;
Will the Personal Data be transferred outside of the European Economic Area? If so, details about the security measures and safeguards that are in place to enable this transfer to lawfully take place and to protect the security of the Personal Data. You will have to provide information on how the Data Subject (your employee) can obtain a copy of or access these safeguards;
How long will you keep the Personal Data for?
What rights do employees have in respect of their Personal Data?

Below is an example and framework of what a Privacy Notice could look like. It is very important that your lawyer checks your Privacy Notice before you give it to your employees, to ensure that it contains all the necessary information and that it is GDPR compliant in light of your specific business.

PRIVACY NOTICE

1. EMPLOYER DETAILS
Name:
Contact details:
Representative:

2. COLLECTION OF PERSONAL DATA
Explain how you will collect Personal Data and what types of Personal Data you will be collecting and processing. For example, Personal Data, including name, contact details and live location, is collected by the Skynamo Software while the Software is in use.

3. HOW YOUR PERSONAL DATA WILL BE USED
Explain how you will use the Personal Data you collect. For example, how will you use the reports generated by the Skynamo Software?

4. LAWFUL BASIS FOR PROCESSING
Explain on which legal basis in terms of Article 6 you are collecting, storing and processing the Personal Data. For example:
Consent: the data subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

5. DATA RETENTION PERIODS
[explain how long you will retain the employee’s personal data]

6. EMPLOYEE’S RIGHTS
Explain which rights the employee has in respect of their Personal Data. For example:
Under GDPR, the employee has the right to request access to and rectification or erasure of personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.
If the employee has provided consent for the processing of their data, they have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before their consent was withdrawn.
The employee has the right to lodge a complaint with the Information Commissioner’s Office if they believe that the employer has not complied with the requirements of the GDPR with regard to their personal data.

7. SUB-PROCESSORS
[will you make use of any sub-processors? For example – “we will be making use of Skynamo and the Skynamo Software which will process your Personal Data on our behalf”]

8. DATA TRANSFERS
Will employees’ Personal Data be transferred to third parties? If so, how will the data be protected? Will any data transfers be done to an area outside of the EEA?
For example – transfer of your Personal Data might happen outside the EEA if a support query is lodged with Skynamo. In order to ensure that your data is protected, we have a data transfer agreement in place with Skynamo that regulates these data transfers.

9. DATA BREACHES
Explain how you will deal with data breaches or refer to your Data Breach Policy if available. For example:
“We want you to report any suspected data breaches. Please refer to our Data Breach Policy for details of how we will deal with any suspected data security breach and notify you and any applicable regulator of a suspected breach.”
OR
“We will follow these procedures if there is any suspected data security breach:
We will, not later than 72 hours after having become aware of it, notify the personal data breach to the relevant supervisory authority”

10. DATA PROTECTION OFFICER [if applicable]
If you have appointed a Data Protection Officer, provide his or her details here.

Please take note that the above information is merely intended to provide a guideline of the steps that employers whose employees use the Skynamo Software will need to take in order to be GDPR compliant. It does not constitute legal advice, and Skynamo provides no guarantee that the information and steps provided are sufficient for your business to be GDPR compliant. Please consult your lawyer about your GDPR compliance.

FAQ

Are you GDPR certified?
No. As far as we are aware, one cannot be GDPR certified: there is no audit and certification body. If one is established, we will seek certification.

How are you protecting your customers’ data?
We are in the continuous process of improving our GDPR compliance, and we protect our clients’ and their users’ data by Design and by Default.

Where is the data stored?
The data of Skynamo UK’s clients is stored on AWS infrastructure in Ireland or another location in the EEA as agreed to with our customer, but can be accessed from South Africa if a support query is lodged based on the specific Personal Data.

What process did you follow to get ready for GDPR?
Skynamo appointed a Data Protection Officer, contracted legal advice and implemented procedural and architectural changes as needed and continues to do so.

Is your data encrypted when sending orders via email?
No, the email content itself is not encrypted. Emails are transmitted over secure transport protocols, so they are protected while in transit, but any recipient (intended or not) will be able to read the email once it is delivered.

Can you switch the GPS off because surely that is not GDPR compliant?
The use of a live tracking service is not prohibited by the GDPR. The GDPR only prohibits the collection of inappropriate or excess/surplus data. Since September 2019 it is, however, possible to enable the no-tracking option. Please note that when you choose to turn off tracking, your location is no longer stored, unless you log a visit. Visit locations are used to report on onsite and offsite visits at your customers. This means that no one will be able to see your live location or the route that you travelled during the day on any of the reports in Skynamo. Even though we don’t save your location, we still need access to the location of your device to give you a smooth experience in terms of sorting the customer list to show the customers closest to you. For travel claim purposes we only save the distance that you travelled for the day. For more information on how to change your tracking settings in Skynamo, please feel free to contact our support team at support@skynamo.com.

How does Skynamo obtain the Personal Data it processes?
The Personal Data which Skynamo processes is entered by Clients or Users in the Software, and is also collected automatically while Users use the Software.

What is the retention period generally for the Personal Data Skynamo stores?
As required by our clients.

Is the Personal Data Skynamo holds shared with third parties?
As explained above, the Personal Data which Skynamo processes is only shared with the sub-processors which Skynamo appoints. The Personal Data is not shared with any other third parties which are not involved in the processing of the Personal Data.

Can customers or Users delete the Personal Data?
Yes, all data can be deleted from the Software and from our databases upon the instructions of our customers.

Disclaimer: This discussion document is neither a magnum opus on EU data privacy and data protection laws nor does it constitute legal advice regarding your company’s compliance with EU data protection laws like the GDPR. Instead, it provides background information to help you better understand how Skynamo is addressing GDPR. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this document as legal advice, nor as a recommendation of any legal understanding.