Updated 20 Dec 2020
As of 25th May 2018, all EU Member states came under the remit of the General Data Protection Regulation (GDPR). The GDPR sets out how personal data is can be used and stored by service providers and businesses, it also provides a formal mechanism for Data Subjects, both service and business users to retrieve, review and remove any personal data held.
Vivi International Pty Ltd ( Vivi ) operates in several EU Member states and became compliant with GDPR on 25 May 2018.
To comply with the GDPR it is necessary to understand how Vivi collects and uses personal data. Vivi has two classes of Data Subject:
Users - Users must have a valid login to access and use the Vivi System. This requires the user to either explicitly sign up for an account or use an existing account supplied by the customer. In both cases a profile is created in the system that stores the users activity and interactions with the system.
Customers - To operate as a business, Vivi stores a list of clients and business contacts. This information is stored for administrative and marketing purposes
Data Processor & Data Controllers
Vivi Customer Data
For Customer Data, Vivi is classed as the Data Controller
Vivi User Data
Vivi stores personal information for the purposes of account creation and management. The only identifiable information stored by Vivi for system use is the subjects Name, Email Address and Organisation that the user belongs to.
Vivi is classed as the Data Processor. The organisation who is using the Vivi service is classed as the Data Controller. Vivi stores the information and uses it for the system functionality - however does not exert any ownership over this data.
Both of these documents are available at all times:- EULA
Usage of the Vivi system does fall under “Recital 38 Special protection of children's personal data”. In the case that system users are under the age of data consent in that jurisdiction, an organisation such as a school can agree to provide consent on behalf of it’s users for use of the Vivi System.
Data Compliance Officer
For all data compliance matters, including invoking the right to be forgotten, Vivi has assigned a member of staff that explicitly handles these matters. All data compliance requests must be submitted in writing to the following email: firstname.lastname@example.org.
Business Subjects provide consent when engaging with Vivi, the business. This consent allows Vivi to contact them with marketing materials and service announcements. When a business subject engages with Vivi they are given the option to give consent for marketing materials - if the subject denies consent, marketing materials will not be sent.
Privacy by Design
At present, Vivi’s compliance with GDPR relies on the manual intervention of the Compliance Officer. We view this as Phase One of our GDPR Compliance.
Vivi’s proposed Privacy by Design Measures include:
- The automatic removal of data once record keeping obligations have been met.
- Data anonymization tools
Right of Access
Case 1 - Customer Data
Data subjects that fall under Vivi’s remit as data controller have the right to access the data we have stored.
Case 2 - User Data
Data subjects that fall under Vivi’s remit as Data Processor - They must first apply for access directly with their Data Controller - usually the School itself or Local Education Authority (LEA).
Right to be forgotten
All data subjects that fall under Vivi’s remit as Data Processor may, at any time, invoke their Right to be forgotten.
How to invoke the Right to be Forgotten
Any user wishing to have their information removed must contact Vivi’s Compliance Officer in writing at email@example.com.
What happens when the right to be forgotten has been invoked?
To retain the integrity of our system records, and maintain compliance with record keeping policies, the account itself will not be deleted from the system. Instead the account will be anonymised - this means that the user’s name and email will be removed from the corresponding record.
Once a user has invoked their right to be forgotten, they will no longer be able to log in or interact with the Vivi System.
Vivi uses Amazon Web Services (AWS) hosting infrastructure based in Sydney, Australia. Vivi has contingency plans in place to replicate our infrastructure and data storage to domestic hubs if required to be compliant with local law or customer requirements.