WiFi & Personal Data Protection Policy
The WandaFi ("Platform") is a resource from which we provide a variety of services to our customers.
Our objectives for operating and managing the Platform are:
- to provide high quality, reliable service to our customers;
- to respect the privacy of our customers;
- to protect the security and integrity of our Platform and related systems;
- to encourage responsible use of our Platform and other ISPs' Platforms;
- to comply with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR", effective date 28th May 2018) and applicable laws.
To achieve these objectives, the Platform operates strictly in accordance with GDPR requirements, protecting and enabling the privacy rights of individuals and ensuring several specific rights, such as: the right to access their personal data [1] (PD view), to correct inaccuracies, to erase data, to object to processing of their data, and to obtain a copy of their data (PD export).
Because the Platform is shared by many customers and other users, achievement of our objectives requires appropriate use by each customer and user.
2. Policy Statement
Use of the Platform contrary to the operational and management objectives for the Platform is unacceptable and prohibited.
This Policy seeks to ensure that personal data is protected regardless of by whom, where and for what permissible purpose it is collected, sent, processed or stored using the Platform.
This Policy is not only to ensure compliance with the GDPR but also to provide proof of compliance.
This Policy applies to all customers and to all other users of the Platform. Compliance with the Policy and associated procedures is a condition of employment or of any other method of delivering a service or function on behalf of or together with WandaFi.
Violations of the Policy may subject an employee or other data holder / data protection officer [2] / data controller [3] / data processor [4] / data sub-processor [5] to appropriate disciplinary action, in accordance with the Customer's disciplinary procedures and/or applicable laws.
This Policy is intended to ensure full compliance with GDPR and all other related statutory, criminal and civil obligations to which WandaFi is required to adhere. It applies to the retrieval, storage, processing, retention, destruction and disposal of personal data.
1. 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (EU GDPR, Article 4(1)). Therefore, personal data in scope of this Policy can include, but is not limited to, the following: name, identification number, e-mail address, online user identifier, social media posts, physical, physiological or genetic information, medical information, location, bank details, credit card information, IP address.
2. Duties of the Data Protection Officer include: ensuring compliance with all relevant data protection regulations, monitoring specific processes such as data protection impact assessments, raising employee awareness and training employees, and cooperating with supervisory authorities. The Data Protection Officer is therefore to be involved "properly and in a timely manner, in all issues which relate to the protection of personal data".
3. Data controller - The controller controls personal data and determines how it is used. The responsibilities of the controller include, but are not limited to, collecting, maintaining, directing actions on, protecting, modifying and deleting personal data. The controller either adds users to the system, grants access to the system and collects data from data subjects, or has employees who complete these tasks on the company's behalf. The burden of understanding the process for GDPR requests and carrying out a GDPR request rests with the controller.
4. Data processor - The processor provides services to, and processes data on behalf of, the data controller. The processor performs actions on behalf of the controller. The processor makes it possible for the controller to be GDPR compliant, but has no ownership of the data and does not respond directly to DSR (Data Subject Rights) requests.
5. Data sub-processor - The sub-processor provides services to, and processes data on behalf of, the data controller jointly with the data processor. Under Article 28(4) of the GDPR, where a processor engages another processor to carry out specific processing activities on behalf of the controller, the processor has an obligation to impose upon sub-processors "the same" obligations as those imposed upon the processor in the controller-processor contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
4. Prohibited Uses
Examples of prohibited uses of the Platform are described below. The examples are guidelines and are not intended to be exhaustive.
The Platform may not be used in connection with criminal or civil violations of laws, regulations, or other government requirements of any jurisdiction. Such violations include theft or infringement of copyrights, patents, trademarks, trade secrets, or other intellectual property, export control violations, fraud, forgery, pyramid or other prohibited business schemes; and theft, misappropriation, or unauthorized transmission or storage of funds, personal data or online services.
The Platform may not be used to violate the security of a Platform, service or other system. Examples of security violations include hacking, cracking into, monitoring or using systems without authorisation; scanning ports; conducting denial of service attacks; distributing viruses or other harmful software; smurf attacks; and unauthorised alteration or destruction of websites or other information.
The Platform may not be used to transmit or store material of a threatening nature, including threats of death or physical harm, harassment, libel, and defamation.
The Platform may not be used to transmit or store material of an offensive nature, including obscene, pornographic, indecent, abusive and harmful materials, or to transmit to recipients material which is inappropriate for them, including obscene or offensive materials to children.
The Platform may not be used to spam. Spam includes any of the following activities:
- sending any unsolicited email that could be expected, in our judgement, to provoke complaints;
- sending email that does not accurately identify the sender, the sender's return address, and the email address of origin;
- sending unsolicited email without identifying in the email a clear and easy means to be excluded from receiving additional email from the originator of the email;
- collecting the responses of unsolicited email;
- sending email with charity requests, petitions for signatures, or any chain mail related materials;
- transmitting email by or on behalf of a user of the Service which uses our mailbox for responses, or which promotes the content hosted or transmitted using our facilities, or which states or implies in any way that we were involved in the transmission of such email or content;
- posting a single message or messages similar in content to more than five online forums or newsgroups;
- posting messages to an online forum or newsgroup that violate the rules of the forum or newsgroup.
Note: sending an email containing a request to protect personal data is not considered spam. Receipt of such a request is the basis for conducting an internal inspection (audit) and taking concrete measures to protect and restore the violated rights in accordance with GDPR requirements and applicable laws.
The Platform may not be used, directly or indirectly, with systems that are not configured and maintained in a manner which prevents their use by others in violation of this Policy. Examples include improperly securing a server so that it may be used by others to conduct a denial of service attack, improperly securing a mail server so that it may be used by others to distribute spam, and improperly securing an FTP server so that it may be used by others to illegally distribute licensed software.
The Platform may not be used in a manner that damages our reputation or goodwill; violates another ISP's acceptable use policy and/or terms of service; or interferes with another's use of the Platform or our service.
The resale of the Service is not permitted, unless expressly permitted in a written agreement signed by us.
The Platform may not be used to attempt an activity prohibited by this Policy - whether or not successful.
5. Indirect Use
A violation of this Policy by a person having only indirect access to the Platform through a customer or other user will be considered a violation by the customer or other user, whether or not with the knowledge or consent of the customer or other user. As an example, resellers are responsible for the actions of customers to whom they directly or indirectly provide services using the Platform.
6. Data Protection
Once all sensitive data types are identified and current security practices understood, protection efforts can begin. These aim to reduce risk and minimize the impact to data through security and monitoring.
For WandaFi, in addition to the existing objectives, the overarching data protection goals are to be defined and documented. Data protection goals are based on the data protection principles:
- Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accuracy. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with GDPR requirements, in order to safeguard the rights and freedoms of the data subject;
- Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- Transfers on the basis of an adequacy decision. Personal data shall not be transferred to countries outside the EU unless the country to which the data is to be transferred provides adequate protection for individuals.
The other elements of data protection are considered below:
- Determination of protection need with regard to confidentiality, integrity and availability;
- Determination of roles and responsibilities of data protection activity participants (e.g. operational data protection officer, controller, processor (sub-processor), coordinator and operational managers);
- Proper security controls that are appropriate for the specific data types and usage scenarios, including various methods like data encryption at different levels (at rest, in transit, and in use), availability and resiliency mechanisms that prevent data loss, and auditing to continuously monitor activities taking place on the database;
- Commitment to continuous improvement of a data protection management system;
- Training, awareness-raising and obligations of employees;
- Detecting and responding to data breaches involving personal data.
7. Technical and organisational measures (TOM)
Appropriate technical and organisational measures must be implemented and documented, taking into account, inter alia, the purpose of the processing, the state of the technology and the implementation costs.
The description of the implemented TOM can, for example, be based on the structure of ISO/IEC 27002, taking into account ISO/IEC 29151 (guidelines for the protection of personal data). The respective chapters should be substantiated by referencing the existing guidelines.
Examples of such guidelines include:
- Guideline for the rights of data subjects
- Access control
- Information classification (and handling thereof)
- Physical and environmental security for end users, such as: acceptable use of assets; guidelines for information transfer, a clean work environment and screen locks; handling of technical vulnerabilities; mobile devices and teleworking
- Restriction of software installation and use
- Data backup
- Information transfer
- Protection against malware
- Cryptographic measures
- Communication security
- Privacy and protection of personal information
- Supplier relationships, including regular inspection and evaluation of data processing, especially the efficacy of the implemented technical and organisational measures.
There are several GDPR compliance obligations that the Platform must satisfy related to controls and security around the handling of personal data. The data processor (sub-processor) or controller should implement appropriate technical and organisational measures to address these. Some specific concepts include:
Data protection by design and default. Control exposure to personal data.
- Control accessibility - who is accessing data and how
- Minimise the data being processed in terms of the amount of data collected, the extent of processing, the storage period and accessibility.
- Include safeguards for control management integrated into processing.
Security of processing. Security mechanisms to protect personal data.
- Employ pseudonymization and encryption
- Restore availability and access in the event of an incident
- Provide a process for regularly testing and assessing effectiveness of security measures.
Notification of a personal data breach to the supervisory authority. Detect breaches and notify the supervisory authority in a timely manner (within 72 hours).
- Detect breaches
- Assess the impact and identify the personal data records concerned
- Describe measures to address breach
Records of processing activities. Log and monitor operations.
- Maintain an audit record of processing activities on personal data
- Monitor access to processing systems
Data protection impact assessment. Document risks and security measures.
- Describe processing operations, including their necessity and proportionality
- Assess risks associated with processing
- Apply measures to address risks and protect personal data, and demonstrate compliance with GDPR
It will be incumbent upon WandaFi or its Customer, as data controller, to ensure that its entire IT environment complies with each of these principles and establishes appropriate measures.
To achieve the objectives of this Policy, we will determine, in our discretion, whether a use of the Platform violates this Policy. While it is not our intent to monitor, control, or censor communications on the Platform, when we become aware of a violation of this Policy, we may take such action as we deem appropriate to address the violation as described below.
Violations of this Policy may result in a demand for immediate removal of offending material, immediate temporary or permanent filtering, blocked access, suspension or termination of service, or other response appropriate to the violation, as we determine in our discretion.
When feasible, it is our preference to give notice so that violations may be addressed voluntarily; however we reserve the right to act without notice when necessary, as we determine in our discretion. To the extent doing so does not interfere with our ability to achieve the objectives of this Policy (as we determine in our discretion), we will attempt to limit any filtering, suspension, termination, or other response to the addresses, locations, users, or services with respect to which the violation occurs. We will not have any liability for the actions we take in response to violations of this Policy. The responses described in this Policy are not exclusive and we may take any other technical or legal action we deem appropriate.
We may cooperate with system administrators at other ISPs or other Platform or computing service providers to enforce this Policy or a policy of another provider. We may involve, and will cooperate with, law enforcement if criminal activity is suspected. Violators may also be subject to civil or criminal liability under applicable law.
9. Incident Reporting
Complaints regarding violations of this Policy should be directed to the following e-mail: firstname.lastname@example.org.
Complaints in respect of personal data processing and of ensuring adequate data protection should be addressed to the Data Protection Officer at the following e-mail: email@example.com
Where possible, include details that would assist us in investigating and resolving the complaint.
10. Contact Information
If you have questions or comments about this Policy, please contact us by sending an e-mail to firstname.lastname@example.org
11. Important Customer Information
This Policy is not by itself sufficient to prevent possible harm to persons who use the Platform as a result of violations by others. Our customers (and other users of our Platform) are responsible for taking such steps as they deem necessary to protect the security, integrity and availability of their Platforms, systems, services and information, and to restrict access to undesired content, sites and services. We will not be liable to our customers or other users of the Service or the Platform for harm that results from violations of this Policy.
This Policy supplements, but does not supersede, the contracts between us and our customers; if such a contract restricts a use of the Platform that is not addressed in this Policy, the contract will govern with respect to such use.
A violation of this Policy by our customer is a material breach of the customer's Contract with us and may result in termination or other consequences as specified in the Contract.
12. Revisions to this Policy
We may revise this Policy at any time, effective when posted to our public web site.