Comintelli Policy on Personal Data

Comintelli collects, accesses, uses, maintains, and discloses certain Personal Data to fulfill its obligations under customer agreements. This policy details Comintelli’s management, security and compliance measures with regard to Personal Data and Applicable Data Privacy Laws.

DEFINITIONS

For the purpose of this document, the following terms shall have the following meanings:

“Applicable Data Privacy Laws” means any national or internationally binding data privacy laws or regulations applicable at any time to any active agreement between a Customer and Comintelli. It includes, but is not limited to, the European Union General Data Protection Regulation (GDPR);

“Customer” means the legal entity or entities which determine the purposes and means of the processing of Personal Data – GDPR term: Data Controller;

“Comintelli” means the legal entity processing Personal Data on behalf of a Customer – GDPR term: Data Processor;

“Personal Data” means any information relating to an identified or identifiable natural person;

“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sub-processor” means a third party subcontractor engaged by Comintelli which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Customer.

PROCESSING

Processing of Personal Data

Comintelli undertakes to only process Personal Data in accordance with this policy. When processing Personal Data, Comintelli shall comply with any Applicable Data Privacy Laws and applicable recommendations by the Data Inspection Board or other competent authorities. Comintelli shall agree to make any changes and amendments to this policy that are required under Applicable Data Privacy Laws.

With regard to Comintelli’s deliveries to Customer, Comintelli shall assist the Customer in fulfilling its legal obligations under Applicable Data Privacy Laws, including but not limited to the Customer’s obligation to respond to requests for exercising the data subject’s rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased at their request. In addition, Comintelli shall not carry out any act that causes a Customer to act in breach of Applicable Data Privacy Laws.

If data subjects, competent authorities or any other third parties request information from Comintelli regarding the processing of Personal Data, Comintelli shall refer such request to such affected Customer. Comintelli shall not in any way act on behalf of or as a representative of such Customer and shall not, without prior instructions from the affected Customer, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party. In the event Comintelli, according to applicable laws and regulations, is required to disclose Personal Data that Comintelli processes on behalf of such affected Customer, Comintelli shall immediately inform such Customer thereof.

Sub-processors

Comintelli shall ensure that any Sub-processors are bound by written agreements that require them to comply with data processing obligations according to this policy.

Comintelli, or a third party assigned by Comintelli, audits its Sub-processors’ operations to ensure compliance with this policy and Applicable Data Privacy Laws. Customers are entitled to confirmation that such an audit has occurred.

Comintelli is fully liable to Customers for the performance of the Sub-processor’s obligations.

Information security and confidentiality

In order to assist Customers to fulfil their legal obligations, including but not limited to security measures and privacy risk assessments, related to Personal Data, Comintelli shall take appropriate technical and organizational measures to protect the Personal Data which is processed. All such measures are detailed in Comintelli Policy on IT and Security and Comintelli Policy on Business Continuity Management and Disaster Recovery.

Comintelli administrative systems

Comintelli operates a number of internal administrative systems in which certain Customer Personal Data might be stored. All such systems are provided as SaaS/Cloud Services and shall be governed by separate Data Processing Agreements, or similar commitments in the providers’ master agreements with Comintelli, to a standard that, as a minimum, complies with the specifications of Personal Data management in this policy.

Intelligence2day® – Personal Data management

Intelligence2day® stores data in five sub-system environments:

  1. SQL stack – The SQL stack is the root of all information about a user in Intelligence2day®. The user-ID is the link to other user data within the system. If this record is deleted, it is not possible to backtrack the Personal Data from any other part of the system. When a user is deleted, the user-ID is removed from SQL, thus disconnecting the user’s history in the system from the personally identifiable data.
  2. Solr search index – All information about a user (such as the user profile) except the password is stored in the Solr search index. The user’s actual name and profile cannot be encrypted in the search index, because they must remain searchable. When a user is deleted, all user data in the search index is deleted. All information about an article is stored in the Solr search index, but the link to the author profile is only via the user-ID. For reference purposes, the author of an article must be traceable even after deletion. When a user is deleted, any links to the user profile are disabled.
  3. Cassandra database – Two tables in Cassandra hold Personal Data:
    • Statistics data that displays logged-on users. This data table only stores the information for 7 days, then it is automatically deleted.
    • Personal settings, alerts and lists, which are deleted when the user profile is deleted.
  4. Disk – All user profile pictures are stored on disk. When a user profile is deleted, the directory is deleted from the server.
  5. Cookies – Three cookies are saved during each logged-on session:
    • jsessionid – Necessary session identifier. Approved by GDPR. Temporary cookie, not saved to disk.
    • TOKEN – Cross-Site Request Forgery (CSRF) token for improved security. Temporary cookie, not saved to disk.
    • Consent – Permanent cookie confirming the user’s consent regarding the processing of cookies. Third parties may save cookies when users, through Intelligence2day®, use services such as Google graphs and external widgets.

Other than the above, Intelligence2day® stores the origin (IP address) of all failed login attempts as needed for legal, security and traceability reasons. To maintain consistent logging of important events such as deletions and security-related events, the user-ID and IP address must be stored in log files and statistics for a long time.

CONSENT

Any user logging on to the system will personally be requested to consent to the following two statements; otherwise login will not be enabled:

“Intelligence2day® uses temporary cookies to maintain user sessions, to provide protection against Cross-Site Request Forgery (CSRF) and to analyze application usage. The cookies do not contain any personal information and we do not share information about your use of Intelligence2day® with other parties. You consent to our cookies if you continue to use Intelligence2day®.”

“Intelligence2day® stores Personal Data such as your name, e-mail, phone number, preference settings, etc that enables the system to perform according to its specifications and for users to identify each other in different kinds of information exchange. You can at any time download a file from Intelligence2day® detailing your Personal Data as stored in the system at the time of such download. For Personal Data deletion, see our policy on Personal Data. You consent to our Personal Data storage if you continue to use Intelligence2day®.”

VALIDITY AND EDITION COMPLIANCE

The commitments and compliance statements herein all apply to Personal Data management in Intelligence2day® edition 1805 and later.