DATA PROTECTION POLICY

 

 

 

123Telecom Limited

Data Protection Policy

 

1st March 2024

 

 123Telecom Limited are compliant with the data protection regulations and Data Protection Act, continually monitor and update policies and processes to ensure continued compliance with Data Protection Legislation and Regulations including the General Data Protection Regulations (GDPR) and Data Protection Act 1998/2018. As part of the various services and products we offer our customers, we may hold or have access to data that can identify individuals in order to be able to provide our customers with the services, products and support that is agreed through our contracts. In all instances, access to such data is controlled and limited to authorised staff of 123Telecom.

Processing Information

Scope and purpose or processing

Personal data is held for the purposes of the provision of telecommunication services and related products. The personal data held is obtained in support of contractual arrangements and is necessary under the ‘legitimate interests’ pursued by the controller ( 123Telecom Limited) as defined in article

6.1 of the GDPR.

 

The facility to opt out of marketing communications remains, but excludes operational or pricing communications.

 

Nature of processing

123Telecom Limited does not undertake any automated decision making as defined by article 22 of the GDPR.

Data will only be processed internally by our team for the purposes or objective for which it was intended and any other internal activities which may include permission based or legitimate-interest based marketing.

 

Duration of processing and retention

123Telecom Limited will maintain personal data for the duration of contracts during the provision of telecommunication services and products. Thereafter, the data will be held for a ‘reasonable’ period, depending on the nature of the relationship with the customer. The data will be deleted when the retention of that data can no longer be justified under the provisions of the Data Protection Act and is not overruled by competing legislation or regulations. The terms against which data are held vary and are dependent on the business cycle, regulations and legislation.

In most cases, the term ‘reasonable’ shall mean 7 years, in line with other legal business data retention requirements.

 

Requests for information

Persons whose data are held by 123Telecom Limited may request their own data. These are called subject access requests.  These should be submitted in writing to our postal address or via email to [email protected] . We will need to verify the identity of the requestor and in the

unlikely event there is substantial cost to 123Telecom in terms of retrieving the data, we may charge a maximum of £10. The regulations require us to respond within 28 days of the request.

 

Deletion of information

Persons whose data are held by 123Telecom Limited may request that their data be permanently deleted as stated in Data Protection Regulations and Data Protection Legislation, and such requests will be complied with as soon as practical where a customer no longer has a relationship with 123Telecom Limited. Where a requestor continues to have a business relationship with 123Telecom Limited, we may need to ensure that the requestor’s details are replaced with those of an alternative contact to enable the continued effective management of our relationship with our customers and partners.  Any such requests should be submitted in writing to our postal address or via email

to [email protected]. We will need to verify the identity of the requestor in all circumstances.

 

Types of Personal Data

The personal data held may include: Name, Position, Telephone Number(s), email address. Where services or invoicing has been requested by the customer at a residential address, this address will also be held.

No ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR) are held against any current, former or prospective (wholesale on ly) customers.

 

Categories of Data Subject

The data subjects whose data may be held by 123Telecom Limited is restricted to that of existing, former or prospective customers, employees/applicants, suppliers/potential suppliers and any associated contacts. These data fall under the category of ‘personal data’ and do not include any ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR).

 

Data sharing

There is no routine data sharing of person identifiable data.

 

In terms of transactional data (non person identifiable data), for example direct debit data, there is a robust data sharing agreement and corresponding process for exchanging data with the BACS network and/or any intermediaries between 123Telecom and the BACS network. No person identifiable data is exchanged or transferred routinely.

 

Data hosting

The majority of our data is hosted securely in-house, with secure cloud/data centre backup within the UK or EU. Access is only permitted from in-house equipment or via secure VPN.

In the case of our CRM, a two factor authentication process is used, including restricted access to our own fixed IP ranges. Our data is held within the EU, and where practicable these data will be held in a UK based environment.

In the case of customers outside of Europe, some of their cloud telephony services may be located in the USA and therefore some data related to those specific services may be also located in the USA for the sole purpose of providing those services.

 

Emails

Like most organisations, 123Telecom uses Cloud based email services.

 

Emails, including attachments, will be visible to the receiving staff member, or team/support members, on mobile/tablet/Computer web-browser or App access at all times whilst the staff member is an employee of 123Telecom Limited.

If you have any issues with this policy and if you would like a dedicated office-only email address, then please contact us or raise a ticket via our [email protected] email address.

 

Out of hours access

There are a number of specific roles within our organisation that require that ‘specified individuals’ have access to data outside of operational hours. For example to manage and react to fault or fraud incidents. In these circumstances access is via fixed IP locked secure VPN back to our main secure systems.

Customers with Leased Lines may also have a very limited amount of personal contact data located on our UK based 24/7/365 out of hours leased line support sub-contractor purely for the purpose of providing the out of hours service the customer requires us to deliver.

 

Voice recording

123Telecom only supply Cloud Telephony with hosted call recording. 123Telecom are not responsible for any on-site call recording customers may have and we have no access to any such equipment a customer may have.

Cloud Telephony hosted call recordings are only accessible by the customer to whom they belong.

 

Our call recording platforms are fully PCI compliant, with the added ability for automatic stop/start of recordings based on the URL of the webpage being viewed in the Chrome web browsed on the PC associated with the extension being recorded.

Our recording platforms are also MiFID 2 compliant, which became a requirement for many companies in the Finance sector on 3rd January 2018. Features to assist with your MiFID 2 compliance include: 5 or 7 years storage; UK based storage servers; Fully Encrypted Recordings; Validated and authenticated user access via SSL; Full Audit Trail.

 

Access to customer’s data for the provision of support services

Where 123Telecom Limited has supplied a Cloud Telephony solution, we will retain or have access to information which was supplied for the purpose of configuring the system, such as extension numbers, extension/staff names and company/team/individual telephone address books.

As a ‘Data Processor’ in the context of the Data Protection Act, these data will only be accessed where necessary and for the purposes of maintenance and service provision. 123Telecom Limited is, at the request of the customer able to access, alter and or remove these data, and where required, reset user’s passwords to items such as Voice Mail and Call Conferencing accounts. 123Telecom Limited is not able to view or access a user’s current Voice Mail password, and it remains the responsibility of users to change and update their Voice Mail passwords in line with the customer’s security policies.

 

Risk management

There have been no data security incidents since 123Telecom commenced trading in 1998.

 

Changes to this policy

123Telecom may occasionally update this Data Protection Policy to reflect company and customer feedback. We would encourage you to periodically review this Statement to be informed of how 123Telecom is protecting your information.

 

Contact information

We welcome your comments regarding this Data Protection Policy.

 

If you believe that we have not adhered to this policy statement, please contact 123Telecom at [email protected].

 

If our Data Protection Office agrees with your comments, we will use commercially reasonable efforts to promptly determine and remedy the problem.