GDPR

GDPR Impact & Response

This document uses the following terms:

Customer: Direct client of BearBox International Ltd.
End User: Client of the Customer. End Users are granted access to the Customer's site by the Customer.
BearBox Server: Secure server managed by BearBox International Ltd.
BearBox: BearBox International Ltd.
BearBox System: Hardware & Software comprising the BearBox system

Data protection impact assessment

Data that is stored by BearBox

  • General access control data
    • Site access logs
    • Access codes
    • Fob IDs
    • Vehicle registration plates used to access a site
  • Details held pertaining to Customers:
    • Headquarters address
    • Site addresses
    • Contact names
    • Work phone numbers
    • Work email addresses
  • Details held pertaining to End Users:
    • Names
    • Phone numbers
    • Email addresses

Data that is not stored by BearBox

  • BearBox International Ltd. does not store any CCTV footage in its central server. All CCTV recordings are retained locally at the Customer's site.

Necessity

  • Data and logs are only used for the benefit of managing the site.
  • No data or logs are provided to third parties, except where the Customer has contracted a third party to monitor the site.
  • Site access logs are collected and retained for purposes of reporting and security.
  • Customer details are required for contacting Customer sites and resolving issues on their sites, and for commercial purposes.
  • End User details are required for providing site access:
    • Names are required to identify customers on the BearBox site management platform.
    • Phone numbers are required only so that they can be used by the Customer in the event of an incident, to contact the End User.
    • Email addresses are required to provide access via an app.

Length of retention

  • Customer data is retained for as long as the Customer is a client of BearBox. It can be removed thereafter on request.
  • End User data is retained only for as long as the End User is a client of the Customer plus 30 days.
  • Site access logs are retained for purposes of reporting and security.

Access

  • Access to Customer and End User data is available to members of the BearBox International Ltd. team via a password protected website or app.
  • Access to End User data per site is available to Customers via a password protected website or app.
  • Access to CCTV systems is available to Customers and can be provided to their nominees upon request.

Requesting data

Customers and End Users can request to see personal information held on them. BearBox will remove any such personal data on request. Some data (e.g. an email address) may be required to access BearBox services and users may be unable to access their services without them.

Risks to Individuals

Risk of data loss

Personal data exposed by hacking the BearBox Server

  • For Customers: LOW RISK
  • For End Users: LOW RISK

Minimal personal data is retained. Access to the BearBox Server is password protected.

Data incident breach response plan

  • Send out notification to all affected Customers informing them of the breach.
  • Customer password management:
    • Set all Customer passwords to a random string
    • Send new passwords to email address of Customer
  • Breach resolution:
    • Identify point of breach
    • Seal off point of breach
  • Inform Customers of updated security plan