Application
This policy applies to all employees, contractors, and vendors while doing business with ecoPortal and others who have access to personally identifiable information (PII), also referred to as consumer information (“personal data”), in connection with ecoPortal’s operating activities.
...
use plain language and avoid jargon
use a format that is readable including on small screens
be available in the languages in which the company conducts the business
be reasonably accessible to consumers with disabilities in accordance with Web Content Accessibility guidelines version 2.1.
contain a meaningful description of categories of personal information collected
the business purpose for collection
include a link titled "Do-Not-Sell-My-Personal-Information" if the business sells personal information of California residents
include a link to the privacy policy (if different)
...
The ecoPortal Information Security and Data Privacy Policies are a component of the policies and implement controls which support compliance with all relevant data privacy regulations.
Responsible Person
Manuel Seidel, CEO, manuel@ecoportal.co.nz, <PHONE>, has been assigned responsibility for overall oversight of ecoPortal’s Data Privacy Compliance Program, also known as the Privacy Information Management System (PIMS).
...
Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by ecoPortal systems
Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse
Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to relevant regulations and the handling of personal data as well as the Consumer (Data Subject) Access Request (DSAR) procedure. Relevant persons shall be trained to properly direct consumers in the exercise of their privacy rights.
ecoPortal will not transmit personally identifiable information (PII) to any third-party or vendor until an appropriate Data Protection Addendum (DPA), or sufficient contract language, has been fully executed by ecoPortal and the third-party.
ecoPortal shall not sell the personal information of minors or of persons who have previously opted out of sales without explicit permission, and shall not ask for permission for at least twelve (12) months after a consumer has opted out
ecoPortal shall ensure that no service providers continue to sell PII after a consumer has opted out
ecoPortal shall not use PII provided for the purposes of opting-out of a sale for any other purpose
ecoPortal shall not deny goods or services or otherwise discriminate against (i.e. charge different prices, or offer different levels of service) persons for exercising their privacy rights
ecoPortal shall provide at least two methods for consumers to submit data access requests including an email address or webform
Responses to access requests shall cover at least the preceding twelve (12) months
ecoPortal shall locate data in all relevant systems in response to access requests
A public-facing Privacy Policy shall include a description of consumers’ rights and shall be updated at least every twelve (12) months
PII collected for the purposes of responding to a SAR shall not be used for any other purpose
ecoPortal shall not sell any PII without posting a “Do Not Sell My Personal Information” link on the company homepage and Privacy Policy for consumers to opt-out of any sale.
ecoPortal shall provide at least two methods for opting out of sales of PII which are consistent with the manner in which the company typically interacts with customers
ecoPortal will allow consumers to opt-out of sales via web browser plugin or other privacy setting
When ecoPortal offers an opt-out of a specific use, it shall also offer a global opt-out
ecoPortal shall ensure that opt-out requests are honored as soon as feasibly possible and within fifteen (15) days in all cases
ecoPortal shall establish a process for consumers to submit requests via an authorized agent
ecoPortal shall ensure that a written contract is established with all service providers that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the specific purpose specified in the contract
Service providers shall only use, retain or disclose PII for the following purposes:
to provide service on behalf of the controller
to employ another service provider
to improve service quality
to detect security incidents and/or fraud
to comply with the law or law enforcement
ecoPortal shall inform consumers of the company’s privacy practices at or before any PII collection. The Privacy Notice shall be made available via a link titled “privacy” on the company’s homepage.
ecoPortal shall deny access requests where the requestor’s identity cannot be reasonably verified
In any case where ecoPortal has a legal basis for denying a consumer request, it shall provide an explanation of its decision to the consumer, including a reference to the relevant laws or regulations
ecoPortal shall provide an individual response to each requestor and not refer them to a policy or provide a generic response
ecoPortal may de-identify personal information in response to a request for deletion
ecoPortal shall not be required to delete personal information from backups unless the backups are restored, accessed, or disclosed
ecoPortal may retain records of completed deletion requests for compliance purposes
ecoPortal shall deny fraudulent requests with an explanation as to why they believe the request is fraudulent
Opt-out processes shall require minimal steps, and no opt-out process shall have more steps than the opt-in process
Opt-in processes shall have two steps: an opt-in request followed by a verification of the request
When consumers who have opted-out attempt to use a service that requires opt-in, the company shall inform the consumer how to opt-in
When the company collects personal information that a consumer would not reasonably expect from a mobile device then it shall provide a just-in-time notice containing a summary of categories collected and a link to the full notice.
...
Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the company by postal mail, facsimile, or electronic scan
Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
Having a parent or guardian connect to trained personnel via video conference;
Having a parent or guardian communicate in person with trained personnel; and
Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.
The process for validating requests on behalf of minors and verifying the identity of parents or guardians shall be described in the public-facing Privacy Policy.
Consumer (Data Subject) Access Requests (DSAR/SAR)
Subject to the exceptions noted below in this policy, ecoPortal will comply with any SAR concerning the following rights of the consumer:
...
Categories of PII collected
Categories of PII sold and disclosed to third parties
SAR when ecoPortal is the data
...
processor:
The SAR must be made using the link on ecoPortal’s privacy page, ecoportal.com/privacy. If the consumer has a password-protected account on ecoPortal systems, the company may provide an “interface” or self-service mechanism that the consumer is instructed to use to initiate the SAR process.
A SAR can also be made using the email address privacy@ecoportal.com.
A SAR may be made using the webform available on the company website <LINK TO WEBFORM>
Where required, the consumer must provide reasonable evidence of their identity in the form of valid identification, for example, email verification.
When submitting the SAR via the interface, the consumer must identify the SAR type that is being requested, e.g., erasure.
If a SAR is submitted by an agent, the submission must include the identification of the consumer as well as a signed authorization from the consumer. ecoPortal must make reasonable efforts to verify the identity of the consumer and legitimacy of all requests submitted by authorized agents.
If a SAR is received which does not meet ecoPortal criteria, ecoPortal shall inform the consumer or agent how to correct the SAR in order to receive a response from ecoPortal
SAR when ecoPortal is the data processor:
The SAR must be submitted via the user interface in the ecoPortal Services.
ecoPortal shall direct the consumer to the relevant Controller in accordance with all contractual commitments.
SAR requirements
The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; ecoPortal will acknowledge any manual requests within 10 business days. The acknowledgment will describe the verification process and when the consumer should expect a response.
ecoPortal has thirty (30) days from the initial request date to complete the request. If the company cannot respond within thirty days, it shall provide notice to the consumer. In California, the company may extend the response timeline up to an additional forty-five (45) days.
The SAR application will be documented and can be audited using ecoPortal’s internal processes.
ecoPortal shall ensure that deletion and correction requests are sent to subprocessors as needed
ecoPortal as the data controller
Collect the data specified by the consumer
Verify the identity of the consumer by one or both of the following methods:
Document Verification: Requesters may be required to provide copies of official identification documents, such as passports, driver's licenses, or identity cards. Verify the authenticity and validity of the submitted documents.
Knowledge-based Authentication: Requesters may be asked to answer specific questions based on personal information only they would know.
Search all databases and all relevant filing systems (manual files) in ecoPortal, including all backup and archived files, whether computerized or manual and including all email folders and archives. ecoPortal maintains a record that identifies where personal data in ecoPortal is stored.
ecoPortal will maintain a record of requests for data and of its receipt accessible by ecoPortal’s CSM, CTO, COO and/or any other designated ecoPortal representatives. ecoPortal will also keep a record of processing to include dates.
Provide consumers an online mechanism for making requests, and all such requests will be logged.
ecoPortal will acknowledge the SAR within ten (10) days of the initial request and respond to any SAR within 30 days of the initial request.
SARs from employees or previous employees will be coordinated with HR and the employees’ current or previous departmental leadership.
SAR Exemptions
ecoPortal may withhold information requested under SAR in accordance with any exemption under applicable law. Any such exemption must be reviewed and approved by the Data Privacy Officer or COO.
...
ISO 27701 Privacy Information Management System (PIMS)
SOC 2 Privacy Criterion
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
US Data Privacy
Personal Information Protection and Electronic Documents Act (PIPEDA)
Appendix A - Third-Party PII Disclosure Log
Third-Party | PII Disclosed | Reason | Date | Time | Compelled? | Notes
---|---|---|---|---|---|---