Our commitment to You and the protection of Your data
Enquiry Tracker is committed to partnering with customers and Enquirers to help them understand and comply with the EU General Data Protection Regulation (GDPR). The GDPR strengthens the rights individuals have regarding organisations holding personal data relating to them, and applies to any organisation that does business in the EU, including schools, academies and other educational establishments (and their supplying software companies such as Enquiry Tracker).
Below are some examples of how Enquiry Tracker is committed to GDPR.
Data Protection Commitments
Privacy Protection Commitments
- In short, Enquiry Tracker will NEVER share your data to anyone without your consent.
Data processing necessary for purpose
- Enquiry Tracker only processes personal data to help data controllers fulfil a necessary purpose, and improve the ongoing experience of fulfilling that purpose.
Data Protection Team
- Enquiry Tracker has a Data Protection team whose responsibility is to ensure Enquiry Tracker is GDPR compliant, and leads our Critical Incident Response process.
- If you have a question, you can contact via email – [email protected]
Privacy Settings set at highest level
By default, no other Organisation can see any information about Enquirers added into Enquiry Tracker.
Records of processing activities
- Enquiry Tracker logs a record of all activities, and key changes including status updates and emails .
- These records can be made available to a supervisory authority on request.
Account and Password Protection
- User’s accounts are always password protected, and we utilise strong password policy and non-reversible hashing for storage of the password.
- See our Security Document for more information.
- Users have the additional security option to enable Two-Factor Authentication, via an enabled Google account, which prevents anyone from accessing a User’s account without possessing their mobile device.
Privileged Access Controls
- For Enquiry Tracker employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
- Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Enquiry Tracker’s security policies.
Protecting Rights of Data Subjects
- Enquiry Tracker will NEVER share your data to anyone without your consent.
- Enquiry Tracker stores data until it is no longer necessary to provide services to the Enquirer or the Organisation.
- Enquiry Tracker does not automatically delete information about Enquirers because Enquiry Tracker is fully User controlled.
- If the Enquirer completed any WebForm with an Organisation (e.g. event registration form), the data entered becomes the property of that organisation.
- Enquiry Tracker enables the Customer to archive or permanently delete data when it is no longer required. It is the responsibility of the Organisation to know how long data is required to be kept, which depends on local laws and regulations.
Deletion of Data (right to erasure, and the right to refuse)
- Enquirers can request to have their information permanently deleted at anytime by contacting the Organisation.
- Enquirers have a right to erasure, and can contact the organisation to delete any personal data related to them under GDPR Article 17. Enquiry Tracker provides the tools for the Organisation to find that information, and permanently delete their record of Enquirer data.
- Under GDPR Article 17, the Organisation has a right to refuse the request to erasure of personal data if that data is required to:
- To comply with legal obligations for the performance of a public interest task or exercise of official authority
- When the data is necessary for the exercise or defence of legal claims
- A key purpose of Enquiry Tracker is to collect and store consent forms, such as Compliance with Code of Conduct, that are required for an organisation to deliver on their compliance obligations. Organisations are bound by data retention guidelines set out by their local authorities. Therefore, it is the responsibility of the Organisation to know their regulations and be certain data is not required for compliance or future legal cases before permanently deleting any data.
- If the Organisation has no grounds to refuse an Enquirer’s request to erasure, they must comply without undue delay or at most within a month of the request.
Protection Policies and Procedures
- Enquiry Tracker applies stringent internal processes to keep your data safe throughout design, development, testing and day to day operations.
Risk Assessment / Mandatory Privacy Impact Assessments (PIAs)
- Enquiry Tracker has a risk management program to ensure appropriate measure are taken to protect personal information. This procedure applies to all systems, employees, consultants, temporaries and other workers at Enquiry Tracker.
- Enquiry Tracker supports Organisations in their mandatory requirement to conduct PIAs to ensure they are in compliance as projects progress.
Data Breach Notifications
- In the event of a suspected data breach, Enquiry Tracker has a Critical Incident Response Team , and a Data Breach Policy and Incident Response Plan that is reviewed regularly.
- In the event of a data breach, Enquiry Tracker will notify the Organisation without undue delay after becoming aware.
- Individual Enquirers will be notified, after consulting with the Organisation, if adverse impact is determined.
- Enquiry Tracker will notify the appropriate EU authority within 72 hours after having become aware of the data breach.
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Enquiry Tracker can help you with compliance, we hope you’ll reach out to us on [email protected]