Our procedures to ensure your privacy and security
- Align our internal policies with the requirements under the GDPR (General Data Protection Regulation 2016/679)
- Follow the Privacy by Design principles in the development of our products and services
- Map our data inventories and data flows so we always know where your data is
- Meet regularly to discuss information security matters
- Appoint a Data Protection Officer to ensure that personal data is processed in compliance with the applicable data protection rules
- Ensure that our third party vendors' data processing terms are GDPR-compliant
- Ensure that personal data is not accessed by anyone within or outside our organization unless there is a need-to-know basis and the principles for disclosure of such data are complied with
- Train our employees in GDPR awareness and data processing procedures
- Keep improving our security measures in order to keep your data safe and in line with technological developments
GDPR and applicable national data protection laws and telecommunications laws
Our commitment to privacy includes a commitment to balance the fair processing of your data with any other obligations applicable to the service, as well as with our civic corporate responsibility in the markets where we operate.
As such, we may be required by other applicable laws to process certain data for sector specific reasons, however we will always strive to minimize any privacy impacts.
Although certain national requirements for the processing of personal data due to sector specific legislation may be distinct from the GDPR, rest assured as the principles within the GDPR are at the core of those national legislations as well.
We apply GDPR standards and key principles to all data and not just data of individuals in the European Economic Area (EEA). Therefore regardless of where you are located or what the processing activity is about, your data will be protected under the highest standards.
GDPR and Law Enforcement Authorities’ requests
In the course of our business we will need to offer assistance to law enforcement authorities, however this cooperation is handled under prescribed conditions.
Hence, in some countries we are mandated to offer assistance to law enforcement authorities by local laws, or we need to protect a legitimate business interest such as fighting against fraud that harms our interests.
In relation to the processing of data for the purpose of responding to law enforcement requests of end user data, the GDPR sets out the rules as to when this can be processed: processing of data on the basis that it is necessary to fulfill a legal obligation constitutes a lawful basis for processing. In this regard, there are certain national laws, like criminal laws of Member States that fall outside the EEA’s legislative competence, and are not governed by the GDPR. Still, we process your data for these purposes with the same level of care as for any other purpose.
Additionally, please bear in mind that the GDPR does not apply to the processing of personal data by competent authorities for the purposes of investigation and prosecution of criminal offences.
All requests for information from Law Enforcement Agencies and National Regulatory Authorities are handled and managed by our Abuse Department, which handles and manages all requests for information from Law Enforcement Authorities and Government Agencies, as well as dealing with complaints of nuisance calls and investigation into fraud.
The Abuse Department ensures that all requests for information are lawful by ensuring that the appropriate documentation fulfils the legal requirements relating to the request and that it is sent in the correct format (warrant, subpoena or court order), otherwise we will not process the request.
The Abuse Department will then send a request for this information to the customer under the terms of contract to ensure that the appropriate information is obtained. Please remember that such requests are confidential and may not be disclosed with third parties other than Ecocarrier.
The GDPR, national criminal laws and telecommunications laws are different, but not contradictory. They pursue different legitimate goals, and companies like Ecocarrier must guarantee compliance with all of them. We ensure that confidentiality and all applicable legal requirements in the processing of personal data are adhered to at all times.
GDPR and customers as companies
If you are a Customer (or are planning to become one) you will share certain personal data with us. Corporate or enterprise data refers to data of a natural or legal person engaged in an economic activity (that is, pure company data), and personal data means data related to an identified or identifiable natural person. Corporate data falls outside the scope of the GDPR. The personal data we collect from you will be data related to (a) the individuals that work in your company such as your commercial contacts and legal representatives and/or (b) your end users and calling and called parties involved in the usage of our services.
In some cases, we will only act as a data processor and in some other cases, as a controller, depending on the type of data, as explained in our data processing agreement.
Keeping your data secure
We implement appropriate technical and organizational measures to protect the personal data you provide to us. Such measures are designed to provide a level of security appropriate to the risk of processing your personal data.
Additionally, because we want your data to be safe at all times, apart from our infrastructure team that keeps our systems up and running, we have an information security team (working in accordance with an information security internal functioning policy) that meets regularly to discuss security threats and possible improvements to our security measures and internal processes and keeps our employees informed about their obligations regarding information security.
You may see our Security Measures document here.
Our data processing agreement
You may see our Data Processing Agreement here.
We work with third party Sub-processors in order to (i) provide infrastructure and storage services, (ii) help us provide customer support and commercial communications and (iii) help us render our services to Customers. If such a provider processes any personal data in order to render a specific service, we perform a privacy and security scan to evaluate the sub-processor’s privacy and security standards, and execute a data processing agreement.
We can provide the most up to date list of sub-processors we work with, who may have access to certain personal data.
Please bear in mind that, in order to render our services, we work with partners whose names may not be disclosed due to confidentiality obligations. However, we make sure that, in cases where they might need to process your data, they do so under the same privacy and security standards as we do.
International data transfers
We may share data with third parties outside the EEA whenever it is absolutely necessary to render our services, and we ensure that their data processing terms are GDPR-compliant.
We have employees located around the world that may access certain personal data, only on a need-to-know basis, for the performance of the service we offer you (account management, technical support, legal compliance, etc). However, all employees are trained in the same way in order to be compliant with the GDPR, regardless of the country they are based in.
How to reach us
Please contact us at firstname.lastname@example.org.