Processing of Personal data
Below we examine what personal data CusJo processes, and for what purposes.
CusJo collects personal data as a contractor.
Below we will describe the way in which CusJo processes and stores the personal data which CusJo obtains in the course of its core business, which can be summarised as providing surveys for its clients.
Description of Core Business
CusJo sells or grants licences for an application with which its clients (businesses) are able to ask their customers (in general consumers) to participate in a survey in order to obtain feedback or information from the consumers about their own products or services (hereafter referred to as the application).
The application is filled in by the client himself with the questions that he wishes to put to the consumers. The client is given the ability to login to the application, to further fill it in and/or revise it. It is down to the client to determine which customers are asked to fill in the survey and what personal data the client wishes to receive from the customer.
The following personal data is generally requested in the application and is then processed by the client personally: surname, given names, address, email address, telephone number. It is down to CusJo’s client to determine what personal data it requests from the customer.
Because the data referred to above may identify natural persons it amounts to ‘personal data’ within the meaning of the GDPR.
The following meta-data is known to CusJo:
The browser, the pages visited by the consumer, the hardware, the URL. This information is not capable of identifying natural persons, so in this case there is no question of it being personal data within the meaning of the GDPR.
Controller/processor in Core Business
The GDPR defines the ‘controller’ -briefly – as the person who sets the goal and the means for the processing of personal data.
A ‘processor’ under the GDPR is the person who – not being employed by the controller – processes the personal data on behalf of the controller.
With regard to the personal data which is processed in the course of CusJo's core business it is the client who sets the goal and the means for the processing. The application is a tool for obtaining the personal data and whilst the application is supplied to the client by CusJo, it is the client who fills in the application (and therefore establishes the goal for which the application is being used) and who determines that this application is to be used (and therefore determines the means for the processing).
CusJo is not employed by the client, but by providing the application and ensuring that the application continues to work, and by also being able to view the results of the application, it processes the personal data on behalf of the client and is therefore to be regarded as the processor. CusJo makes no independent decisions with regard to this personal data.
Goal of Core Business
Because it is CusJo's client who determines what personal data is obtained and what is to be done with it, it is CusJo's client who sets the goal.
The application involves the client asking consumers to fill in a questionnaire. It is down to the client to ask for the consumer’s consent and/or to enter into an agreement with them.
CusJo and its client enter into a contract for the use of the application and a contract covering the processing of personal data. Under the terms of this latter contract CusJo has no control over the personal data placed at its disposal. It makes no decisions over the receipt and use of the data, its supply to third parties, and the duration of storage of data. Control over the personal data provided under the contract is never vested in CusJo.
CusJo does not use the personal data for any purposes other than those set by its client unless CusJo is the creator of the survey in which case CusJo refrains from getting an personally identifiable data and uses it as meta data for benchmarking and broad analysis purposes.
Period of retention of personal data in the core business
CusJo retains the personal data for as long as the contract with the client continues. This may be different if the contract with the client contains some other agreed term that require the storage of the data for future use.
The possibility exists of agreeing with the client that CusJo retains the personal data for a specified period of time, after which it is deleted when the sub-domain is deleted.
Deletion of personal data in the core business
CusJo will at all times and upon first request by the client immediately destroy all extracts and copies received from the client and/or data relating to the client which is processed on behalf of the client, in a manner to be further determined in mutual consultation.
Internal management, technical and organisational security measures in the Core Business
The personal data is stored in CusJo database. Only authorised technical persons and product related teams who are employees of CusJo have access to this data. Product related teams are CusJo's teams that are charged with the operational development, support, maintenance and testing of CusJo's software (CusJo's product). Other teams/divisions, such as Sales, Marketing, HR, Office Management and Finance have no access to this data.
All CusJo's personnel have signed a confidentiality statement and they are all aware that no personal information may be disclosed outside the company.
CusJo uses the services of Microsoft Azure, and has its servers in Singapore, where the personal data is stored. Under the terms of the contract with Microsoft Azure the data remains within Singapore and is not retained otherwise than on the express request of CusJo.
Data leaks in the Core Business
Should a breach of security or data leak be detected within CusJo this would be reported to the client as soon as possible, and in any case within 72 hours of discovery, and CusJo would provide the client with all the information it has about the breach or data leak. Further actions would be in accordance with the ‘Procedure for reporting and handling data breaches’.
Data Protection Functionary
CusJo's organisation is too small to justify the appointment of a separate Data Protection Functionary. If you have any questions you can contact CusJo.