Nested Knowledge is committed to ensuring protection of all personal information that we hold. Nested Knowledge is located in the United States of America and provides services to users in countries across the world, except countries sanctioned by the U.S.
Question: Who is the data subject, processor, controller, and subprocessor in this example?
Nested Knowledge orders buisiness cards for employees. A printing business, ACMEPrints, prints the business cards with the name and contact information of Nested Knowledge's employees. A cloud provider Cumulus Web Services hosts a database containing ACMEPrint's customers and their employees' contact information.
Answer: Nested Knowledge is the controller, the employees are the data subjects, ACMEPrint is the processor, and Cumulus Web Services is the sub-processor.
Scope: GDPR applies to the processing or controlling (by companies in ANY location) of personal data belonging to data subjects in the EU.
Nested Knowledge is committed to processing data in a lawful, fair, and transparent manner for explicit and legitimate purposes. Nested Knowledge will make all reasonable effort make sure data is accurate and up to date.
We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction.
Personal information is stored, archived and destroyed in accordance with our service and regulatory obligations. Data is deleted when it is no longer needed.
Nested Knowledge maintains a Record of Processing Activities (ROPA) describing the data categories, purpose, data subjects, legal basis, retention period, and security measures about the data that we control and process.
Before processing personal information that may result in a high risk to data subjects, Nested Knowledge employees will undergo a Data Protection Impact Assessment (DPIA), as described in our Data Protection Policy.
Question: a new Marketing intern would like to target LinkedIn Ad campaigns based on customers' political affiliation, derived by analyzing public voting records. Can the intern do so?
Answer: No, political affiliation is sensitive personal data. To consider proceeding, the marketing team must complete and document a DPIA that evaluates the lawful basis for processing, potential harms, risk reduction, and other details.
OurPrivacy Policy ensures that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information. Nested Knowledge will use 3rd party compliance service to stay updated with privacy regulation changes.
Our Privacy Policy was first published online on January 3rd, 2022 and last updated on May 16, 2023.
Individuals have a right to access any personal information that Nested Knowledge processes about them and to request information about:
Nested Knowledge provides easy-to-access information via our Privacy Policy. We can be reached for further inquiry through our Data Protection Officer.
We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information.
As described in our Third Party Policy, we will notify user of significant changes to how their data is processed, such as the addition of a new subproccesor, at least 7 days in advance.
Nested Knowledge is obligated to report information on data breaches and mitigations to the required government agencies as well as reporting information of data breaches to the affected parties. Our Incident Response policy ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. We inform clients of breaches in accordance with our Escalation Policy.
As described in theThird Party Policy Nested Knowledge maintains a List of Subprocessors and Third Party providers. We update the list on an ongoing basis when a change in subprocessors occurs.
New contracts with subprocessors and subcontractors will incorporate data protection and data breach notice requirements.
For any GDPR-related issues, contact the DPO or CEO (see Key Contacts).
Author | Date of Revision/Review | Comments |
---|---|---|
K. Cowie | 10/03/2023 | Major revisions |
K. Kallmes | 05/22/2023 | Minor revisions |
K. Cowie | 05/21/2023 | Minor revisions |
K. Cowie | 01/24/2022 | Minor revisions |
K. Holub | 10/04/2023 | Copy edits |
K. Kallmes | 11/19/2021 | 2021 version finalized and signed off |