When you join Activate Locate, you are trusting us with your information. We understand this is a big responsibility, and we are committed to full transparency about all our practises. Our Privacy Policy is meant to help you understand what information we collect, why we collect it and how you can update and manage your information. This is a redacted version of the GDPR Narrative for publication. To receive the full version, please get in touch with your Activate Locate point of contact or review the below:
Your app must never publicly disclose any personal or sensitive user data related to financial or payment activities or any government identification numbers.
An app that collects device location and does not comprehensively disclose its use and obtain consent in accordance with the above requirements
An app that collects restricted permissions in the background of the app including for tracking, research, or marketing purposes and does not comprehensively disclose its use and obtain consent in accordance with the above requirements.
We don't allow unauthorized publishing or disclosure of people's non-public contacts.
When processing Personal Data in the context of providing our Personal Security Solution with unobtrusive tracking and mutual support networks for effective localised response, we regard ourselves as the Processor. All other services, with some minor exceptions, see us acting as the Controller. Where we are Processor, we provide a standard Data Processing Agreement as an addendum to our contract with clients. Please see 2 KEY SERVICES for detail on data collection and flow.
We maintain a Data Asset Register including records of Information Security and Privacy Impact Assessments, lawful bases for processing, and Data Flow Maps.
We have established the lawful bases for all Personal Data processing activities and they have been documented as part of our processing records.
Consent procedures have been implemented where required and records of consent are maintained.
We provide a transparent and concise Privacy Notice and have published our Data Protection Policy, both at https://www.activatelocate.com/privacy.html. Our apps and other digital platforms provide a direct link to this information and we refer callers to our Assistance Centres to it in a pre-recorded message. During the provision of services, where Activate Locate act as Controller, notice of purpose is also provided at the time data is collected directly from the data subject.
We have implemented a Data Subject Rights Procedure which allows Data Subjects to exercise their rights to access, rectify and delete their Personal Data in accordance with GDPR. We carry out identity checks to ensure that access to data is not provided to unauthorised persons acting as or on behalf of the Data Subject. If requested, we provide data in common, portable formats, such as .csv or .doc. Where we act as Processor of Personal Data on behalf of a client, we will contact the client for instructions if a request is received directly from a Data Subject.
Privacy by Design has been embedded in all change management processes and in particular for procurements activities. Privacy Impact Assessments are undertaken and where significant impact on the way we process Personal Data has been identified, there is a requirement to complete a comprehensive Data Protection Impact Assessment and put in place appropriate Technical and Organisational Measures (TOM) to address any risk to Privacy. Assessment outcomes must be signed off by our Data Protection Officers before a project can be approved.
Our Information Security Management System (ISMS) is certified to ISO/IEC 27001 standard. We commission annual vulnerability assessment and penetration testing and independent assessment and attestation (SOC 2 Type II) of the design and effectiveness of the measures we have implemented to protect data. A detailed description of these Technical and Organisational Measures (TOM) is available in our ISMS Narrative document and we will also share independent verification reports on request.
In addition to our Incident Management Procedures which ensure proper escalation and management of information security incidents, we have established a Data Breach Contingency Plan to deal with high risk data breaches. Governance is in place to ensure that all incidents are investigated and appropriate action plans are developed to address any risks identified and prevent recurrence.
In the course of service delivery, we are required to transfer Personal Data worldwide, between Activate Locate, clients, members and third parties such as medical, security, technical and logistics providers. Where we transfer Personal Data from the EEA to another country which does not have adequacy status, we rely on Binding Corporate Rules of Activate Locate, Privacy Shield certification (UK) or Standard Contractual Clauses (Rest of the World) for Third-Party Service Providers as appropriate.
We process Special Category Personal Data when providing Medical and Security Assistance, Occupational Health and other Medical Services. We do so based on contract or legitimate interest and if such information needs to be shared, we do so only with the Data Subject’s explicit consent. We only collect as much information as is required to fulfil the request for assistance, for example health information when providing a medical referral and religious believes or sexual orientation when providing Travel Security advice.
We have been commissioning third party audits against GDPR compliance criteria with internationally well-established Testing, Inspection and Certification Services Companies such as the British Standards Institute (BSI). Quality indicators have been defined in relation to our Information Security System and Privacy Programme and we audit these at a local level annually as part of our internal standards audits. Regular functional reporting on GDPR compliance levels and Information Security to board level informs our Information Security and Privacy Strategies.
Our Data Retention, Archiving and Destruction Policy is published at https://www.activatelocate.com/privacy.html. Retention periods have been defined based on the purpose of processing. At the end of the defined period, Personal Data is destroyed, either by deletion of all data or by anonymisation of particular datasets. Where we act as Processor, clients may instruct us to destroy or return data sooner or later than our standard retention period.
Information is received via data feeds from individual users (which includes our networks of Community Source Agents) or directly from clients. The lawful basis has been determined by the Controller (the client). Personal Data is shared with subsidiary companies and sub-contractors who provide the same technical and organisational controls as Activate Locate to protect the security and confidentiality of the data. Such data transfers are lawful based on Binding Corporate Rules (Activate Locate entities), Privacy Shield certification (sub-processors in the UK) and Standard Contractual Clauses (sub-processors based in the Rest of the World).
Our Online Support Teams have access to Personal Data in UK and other regions where support may be required. In addition, authorised Activate Locate employees can access Personal Data.
Crisis response is driven from our Active Response Cell in the United Kingdom and West Africa.
Sub-processors can access Personal Data in the following countries:
UK: Hosting; Data Aggregation/Transformation and Storage
Nigeria, West Africa: Administration and Support
India: Maintenance, Development and Support
We retain the personal data only for as long as is necessary for the specified legal or contractual purposes. Requests from data subject who wish to exercise their legal rights are referred to the respective client who is the Controller.
Personal Data is collected when data subject contacts one of our Assistance Centres by phone or email. The lawful basis for collecting and processing the Personal Data is legitimate interest and contract. Where we transfer sensitive data we rely on explicit consent (verbal or written depending on circumstance). We collect no more data than is required to fulfil the request for assistance. Personal Data is stored in our Case Management System, in our Assistance Centres, with the central hub hosted in a UK Data Centre. Authorised personnel in our Assistance Centres have access to the Personal Data. Personal Data is shared with subsidiary companies and sub-contractors who provide the same technical and organisational controls as Activate Locate to protect the security and confidentiality of the data. In some cases Personal Data needs to be shared with third parties who may not provide the same safeguards; this will only be done with the express consent of the data subject. We retain the Personal Data only for as long as is necessary for specified legal or legitimate organisational purposes.
Activate Locate requires your permission to allow your pre authorised contacts to send push notifications to your phone. This allows them to know exactly where you are. You can easily disable this function by switching OFF ActivateLocateME in your individual profile settings - making you invisible.
2.3.1 End User License EULA
Activate Locate GDPR Narrative (Public) Version 1.00
Last Updated: Dec 2020