TPSMYDATA.CO.UK DATA PROCESSING SCHEDULE

Services
TPS / CTPS screening and flagging of telephone numbers in accordance with UK law (https://ico.org.uk/your-data-matters/nuisance-calls/)

TPS refers to the ‘Telephone Preference Service’
CTPS refers to the ‘Corporate Telephone Preference Service’

Personal Data

Type of Personal Data: Telephone Number
Category of Data Subject: Customer/Prospect
Nature of Processing Carried Out: TPS/CTPS Screening
Purpose(s) of Processing: Flag telephone numbers on TPS and/or CTPS
Duration of Processing: Immediate (via API) and/or maximum 28 days for batch processing. Data retention period is selected by data controller.

Technical and Organisational Data Protection Measures

The following are the technical and organisational data protection measures referred to in Clause 12.6.2 of the terms and conditions:

1. The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
1.2 the nature of the Personal Data.

2. In particular, the Data Processor shall:
2.1 have in place, and comply with, a security policy which:
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to a specific individual such as the Data Processor’s Data Protection Officer;
2.1.3 is provided to the Data Controller on or before the commencement of this Agreement;
2.1.4 is disseminated to all relevant staff; and
2.1.5 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
2.3 prevent unauthorised access to the Personal Data;
2.4 protect the Personal Data using pseudonymisation, where it is practical to do so;
2.5 ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
2.6 have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using SSL encryption);
2.7 password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
2.8 not allow the storage of the Personal Data on any mobile devices such as laptops or tablets unless such devices are kept on its premises at all times;
2.9 take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
2.10.1 the ability to identify which individuals have worked with specific Personal Data;
2.10.2 having a proper procedure in place for investigating and remedying breaches of the GDPR; and
2.10.3 notifying the Data Controller as soon as any such security breach occurs.
2.11 have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment.

Last Updated: 3rd February 2021
