Updated 25 May 2018

Introduction

As of 25th May 2018, all EU Member States come under the remit of the General Data Protection Regulation (GDPR). The GDPR sets out how personal data can be used and stored by service providers and businesses. It also provides a formal mechanism for Data Subjects, both service and business users, to retrieve, review and remove any personal data held.

Vivi International Pty Ltd (Vivi) operates in several EU Member States and as such aims to be fully compliant with GDPR as at 25 May 2018.

Data Subjects

To comply with the GDPR it is necessary to understand how Vivi collects and uses personal data. Vivi has two classes of Data Subject:

Users - Users must have a valid login to access and use the Vivi System. This requires the user to either explicitly sign up for an account or use an existing account supplied by the customer. In both cases a profile is created in the system that stores the user's activity and interactions with the system.

Customers - To operate as a business, Vivi stores a list of clients and business contacts. This information is stored for administrative and marketing purposes.

Some users may come under both categories; as such, the individual consent agreements apply for the two usage scenarios. In both cases Vivi’s Privacy Policy applies.

Data Processor & Data Controllers

Vivi Customer Data

For Customer Data, Vivi is classed as the Data Controller.

Vivi User Data

Vivi stores personal information for the purposes of account creation and management. The only identifiable information stored by Vivi for system use is the subject's Name, Email Address and the Organisation that the user belongs to.

Vivi is classed as the Data Processor. The organisation that is using the Vivi service is classed as the Data Controller. Vivi stores the information and uses it for the system functionality; however, it does not exert any ownership over this data.

Consent

All users of the Vivi System consent to use and abide by the End User License Agreement (EULA). The EULA is a formal agreement between the end user and Vivi for use of the Vivi software. By agreeing to the EULA the end user gives consent to Vivi to store data. The data Vivi stores is governed by a strict privacy policy.

Both of these documents are available at all times:

EULA
Privacy Policy

Note

Usage of the Vivi system does fall under “Recital 38 Special protection of children's personal data”. In the case that system users are under the age of data consent in that jurisdiction, an organisation such as a school can agree to provide consent on behalf of its users for use of the Vivi System.

Data Compliance Officer

For all data compliance matters, including invoking the right to be forgotten, Vivi has assigned a member of staff that explicitly handles these matters. All data compliance requests must be submitted in writing to the following email: compliance@vivi.io.

Email Marketing

Business Subjects provide consent when engaging with Vivi, the business. This consent allows Vivi to contact them with marketing materials and service announcements. When a business subject engages with Vivi they are given the option to give consent for marketing materials - if the subject denies consent, marketing materials will not be sent.

Privacy by Design

At present, Vivi’s compliance with GDPR relies on the manual intervention of the Compliance Officer. We view this as Phase One of our GDPR Compliance.

Vivi’s proposed Privacy by Design Measures include:

- The automatic removal of data once record keeping obligations have been met.
- Data anonymization tools

Right of Access

Case 1 - Customer Data

Data subjects that fall under Vivi’s remit as data controller have the right to access the data we have stored.

Case 2 - User Data

Data subjects that fall under Vivi’s remit as Data Processor must first apply for access directly with their Data Controller, usually the School itself or Local Education Authority (LEA).

Right to be forgotten

All data subjects that fall under Vivi’s remit as Data Processor may, at any time, invoke their Right to be forgotten.

How to invoke the Right to be Forgotten 

Any user wishing to have their information removed must contact Vivi’s Compliance Officer in writing at compliance@vivi.io.

What happens when the right to be forgotten has been invoked?

To retain the integrity of our system records, and maintain compliance with record keeping policies, the account itself will not be deleted from the system. Instead, the account will be anonymised: the user’s name and email will be removed from the corresponding record.

Once a user has invoked their right to be forgotten, they will no longer be able to log in or interact with the Vivi System.

Third Countries

Vivi uses Amazon Web Services (AWS) hosting infrastructure based in Sydney, Australia. We are currently in the process of commissioning and replicating our infrastructure to domestic hubs in the United Kingdom and the United States. We anticipate these will be fully operational by the end of 2018.