With the continued focus on personal data, how companies handle it, and compliance with the GDPR, you may ask yourself: is Kaisa GDPR compliant?
Well, the short answer is yes, we are. Within the context of the GDPR, Kaisa is the data processor, while each of Kaisa's customers is a data controller. The people communicating with the data controller (our customers) are data subjects.
Sections in this article:
1. Different Roles
2. Personal Data
3. Retention Period
4. Sensitive Information
5. Lawful Grounds for Personal Data Processing
6. Security
7. How can Kaisa help Data Controllers with specific Personal Data requests
Different Roles
As data controllers, Kaisa customers get to decide what personal data should be stored and how long it should be retained. They should also manage any requests from data subjects for access to their personal data, or for their personal data to be deleted.
On the other hand, as data processor, Kaisa acts on behalf of the data controller when it comes to handling the data that reaches our systems. Kaisa stores and processes personal data securely, prevents unauthorised access, and implements our data controllers' instructions for storing and retaining personal data. We also process any data subject requests approved by the data controller, or alternatively offer the data controller facilities to implement those requests itself.
The precise details are agreed in a data processing agreement or “DPA” between Kaisa and each customer, or in Kaisa's Privacy Policy here.
Personal Data
Kaisa can collect and store the following personal data:
- Home telephone or mobile number
- Email address
- IP-address
- Device type
- Text message content
- Online form content
- Voice recordings
Kaisa does not store full IP addresses. The only way Kaisa data can be used to identify a person’s online activity is via the phone number they used to call a Kaisa number.
Retention Period
Data controllers decide how long personal data should be retained, after considering how long personal data is needed:
• To allow communications with that person by phone or SMS
• To comply with legal requirements
After the retention period, Kaisa automatically and irreversibly anonymises phone numbers, and deletes call recordings, voicemails, and SMS text messages.
We continue to store metadata for an extended period to support historical statistical analysis of customer behaviour. After phone numbers have been anonymised, this metadata is no longer personally identifiable.
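To make the retention process described above concrete, here is an added example of a retention sweep (not Kaisa's own code; the record layout and field names are assumed). Once a record is older than the controller's retention period, the phone number is irreversibly removed and the recording and SMS content deleted, while the non-identifying metadata (timestamp, duration) is kept for statistics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class CallRecord:
    """Assumed record layout: the identifying fields plus retained metadata."""
    caller_number: Optional[str]
    recording: Optional[bytes]
    sms_text: Optional[str]
    started_at: datetime
    duration_sec: int
    anonymised: bool = False


def anonymise_expired(records: List[CallRecord], retention_days: int,
                      now: datetime) -> int:
    """Anonymise every record older than the retention period.

    The phone number is replaced with None rather than a hash: phone numbers
    form a small search space, so even a salted hash could be reversed by
    enumerating candidate numbers, which would not be irreversible.
    Returns the number of records changed.
    """
    cutoff = now - timedelta(days=retention_days)
    changed = 0
    for rec in records:
        if rec.anonymised or rec.started_at > cutoff:
            continue  # still inside the retention period, or already done
        rec.caller_number = None   # irreversible: the identifier is gone
        rec.recording = None       # delete the call recording / voicemail
        rec.sms_text = None        # delete the SMS content
        rec.anonymised = True      # metadata (started_at, duration) is kept
        changed += 1
    return changed


def build_sample_records(now: datetime) -> List[CallRecord]:
    """Constructed sample data: one expired call, one recent call."""
    return [
        CallRecord("+4400000000001", b"wav-bytes", "hello",
                   now - timedelta(days=40), 125),
        CallRecord("+4400000000002", b"wav-bytes", "hi there",
                   now - timedelta(days=10), 42),
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    recs = build_sample_records(now)
    print(anonymise_expired(recs, retention_days=30, now=now), "record(s) anonymised")
```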
Sensitive information
Kaisa recommends that customers do not record calls where there is an expectation that sensitive personal information might be captured, such as, but not limited to, medical, ethnic or credit card information.
Lawful Grounds for Personal Data Processing
Data controllers are responsible for deciding the lawful grounds for processing personal data.
For example, data controllers may decide:
• that the data controller has a legitimate reason to store phone numbers and call data to facilitate further communications, for example to return a call;
• that data subjects need to give consent, and how that consent should be obtained.
Before recording a call, Kaisa plays an audio file provided by the data controller explaining that the call is being recorded. Callers can then choose to accept or decline having the call recorded.
Security
All personal data, including call metadata and recordings, is stored in encrypted databases. Data is encrypted at rest and in transit. Kaisa databases are not directly accessible externally, and all access points are secured.
To add to your peace of mind, we are proud to announce that Kaisa is ISO 27001 certified, as a testament to our data handling and security.
How can Kaisa help Data Controllers with specific Personal Data requests
As mentioned in the Retention Period section, we have automated processes that irreversibly delete or de-identify personal data in our systems after a predetermined time period. However, there are also manual processes that can be triggered on demand to delete or manage specific personal data requests.
Telephone numbers and email addresses can be removed directly from our Dashboard; you can find more information here and here.
Accounts can be fully deleted, including their contents, using our API. You can find documentation on this topic here.
Any specific request can always be escalated to our Support team, as we should be able to delete or irreversibly anonymise any records on request, including email threads, telephone numbers, email addresses or accounts. You can contact us by following the instructions at this link or by using the Contact Us button in the header of this page.