GDPR Compliance Statement
Last updated: April 01, 2020
General Data Protection Regulation (GDPR)
The European Union’s (EU) General Data Protection Regulation (GDPR) is effective from May 25, 2018. The GDPR is a new regulation that enables greater data protection for individuals across the Europe, which the EU citizens have a degree of control over their personal data and the regulation governs the companies controlling or processing the data.
TFI Digital Media Limited ("we", or "our") is taking appropriate measures towards GDPR to help ensure our customers benefit from increased control and clarity with the consent to process the personal data and with the compliance to the GDPR.
TFI Digital Media Limited as a Data Processor, is committed to comply with the GDPR regulations with the following principles:
Due diligence – We are committed to comply with the GDPR regulations, process personal information fairly and lawfully and will be aware of the law changes to the GDPR
Consent for processing data – We will only process the personal data on behalf of the customer with the consent from the customer
Data retention – We will only store the personal data within the agreed data retention period
Right to be Forgotten – EU citizens have their rights to erase the personal data when it is no longer being processed
Data breaches reporting – We will notify a personal data breach to the supervisory authority (i.e. Data Protection Controller) and the customer in the event of data breaches
Children – We do not engage in any children related business hence no data processing activity for the child is carried out
Data Subject Rights under GDPR
In response to the key changes for the data subject rights under GDPR, we have made several adjustments associated with the personal data:
Breach NotificationWe will notify the supervisory authority (i.e. Data Protection Controller) and the customers within 72 hours without undue delay after first becoming aware of a data breach. For the details, please see the Data Breaches Reporting section below.
Right to AccessWe will obtain the confirmation from the customers (i.e. Data Controller) for any personal data being processed and explain where and what purpose of processing the data to the customers.
Right to be ForgottenWe will erase the personal data and cease further dissemination of the data after the agreed data retention period or upon requests.
Data PortabilityWe will provide a method for the data portability to transmit the personal data to another controller in a human readable format.
Privacy by DesignWe will take the privacy into our system design such that the data absolutely necessary for the completion of its duties (data minimization) is held and processed and the system limits the access to personal data to those needing to act out the processing.
Our Compliance Plan
In order to be GDPR compliance, there is a collaborative effort between TFI Digital Media Limited and the customers: We have the Data Processor responsibility while the customer has the Data Controller responsibility. We take the customers' compliance requirements, privacy and security seriously.
For the compliance, we periodically review and update our internal process, privacy policies and system. We liaise with our vendors and suppliers to ensure both the Data Controller and Data Processor comply with the GDPR regulations.
As with the data security and protection, we are in the process of obtaining the accredited ISO/IEC 27001 for the Information Security Management in 2020 to maintain industry standard security over the data it processes, which will be managed by the Certified Information System Security Professionals (CISSP).
Data Breaches Reporting
We have appropriate procedures in place to detect, report and investigate a personal data breach (i.e. a security breach that leads to the accidental or unlawful destruction, loss, alternation, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed). In the event of data breaches, we will notify the breach incident to the supervisory authority (i.e. Data Protection Controller) and the customer. The following information of the breach incident shall be provided:
- The contact details of the responsible person for the data protection compliance
- The detailed description of the breach incident (e.g. date, time, victims, reason, etc.)
- Any remedial action taken to mitigate the effects of the breach incident when a personal data breach is detected
We have appointed our staff Victor Leung as the contact point for the data protection compliance, who has qualified for the Certified Information System Security Professional (CISSP). For any matters related to the GDPR compliance, data privacy and security, please contact Victor on email@example.com. His role sits within the company's structure and governance arrangements to ensure the transparency of the data processing and protection to the customers.
There is no Data Protection Officer as we are not public authorities or organizations that engage in large scale systematic monitoring nor large scale processing of sensitive personal data.
Changes to This Statement
You are advised to review this statement periodically for any changes. Changes to this statement are effective when they are posted on this page.