
We are committed to strong and innovative data protection practices, so that every client can trust that their personal data is processed safely and securely.

BAS-IP DISTRIBUTION LTD (Company or BAS-IP) has prepared this memorandum for our clients regarding our compliance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR). Below, we will familiarise you with our activities regarding compliance with personal data protection requirements.

DEFINITIONS

  • “UK GDPR” means the UK General Data Protection Regulation, as incorporated into UK law under the Data Protection Act 2018, together with other applicable UK data protection and privacy legislation.
  • “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) and any related data protection and privacy legislation applicable within the European Union and the European Economic Area.
  • Personal data means any information relating to an identified or identifiable natural person.
  • Data subject means an identifiable natural person, who can be identified, directly or indirectly;
  • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  • Subprocessor means a natural or legal person, engaged by a processor that carries out processing of personal data on behalf of the controller;
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

ABOUT BAS-IP

BAS-IP develops and manufactures IP-intercoms, access control systems, and communication systems, and is a leading actor in this field. You can find more information about our activities on the website: https://bas-ip.com/.

In the course of its activities, the Company may collect, access, or otherwise process personal data relating to various categories of data subjects: clients and users, employees, contractors, and other data subjects. During such processing, the Company is committed to taking all necessary measures and following the relevant policies, procedures, and other documentation on personal data protection to process personal data in accordance with applicable law and best practices.

Roles during the processing of personal data

BAS-IP may have various roles under the UK GDPR and GDPR:

  • As a controller, the Company determines the purposes and means of the processing of personal data, for instance when communicating with clients and website visitors, carrying out marketing activities that involve the processing of personal data, etc.
  • As a processor, the Company may process personal data on the instructions of a client acting as a controller, or on behalf of the respective controller.
  • While processing personal data as a processor, we may engage third-party service providers that will act as subprocessors.

When processing personal data in the course of providing services to its clients, the Company acts as a processor and complies with the applicable requirements of the UK GDPR and GDPR, as well as the relevant contractual obligations between the Company and the client.

BAS-IP AND DATA PROTECTION

BAS-IP is committed to complying with the highest data protection standards and applicable personal data protection legislation.

All activities that involve the processing of personal data are conducted in accordance with internal documentation regarding the regulation of personal data processing.

The following personal data protection measures are applied by the Company:

Regular review of personal data protection documentation and making necessary changes to our documentation and activities

Regular review and updating of internal personal data protection documentation is an integral part of the Company’s strategy to ensure compliance with the requirements of the UK GDPR, GDPR, and other regulatory acts in the field of personal data protection.

Relevant internal documentation and adopted policies and procedures, in particular regarding data subject requests, notification of personal data breaches, compliance assessments of third parties involved in the processing of personal data, etc., are periodically updated or amended as necessary, in particular in the event of changes in legislation or the introduction of new personal data processing activities.

In addition, personal data processing activities are documented, which includes maintaining records of personal data processing (RoPA); where necessary, a data protection impact assessment (DPIA) and a legitimate interest assessment (LIA) are conducted.

Thus, by keeping its personal data protection documentation up to date, the Company ensures a high level of personal data protection and continuous compliance with legislation.

Compliance with requirements for the protection of data subjects’ rights

The Company’s Privacy Policy, which is publicly available on its website, provides clients and other data subjects with information about the purposes for which personal data may be processed, how and what specific personal data may be processed, as well as information about their rights under applicable personal data protection laws, including how to exercise those rights.

In addition, the Company has adopted a Request and Complaints Procedure, which sets out the procedure for responding to data subject requests and for upholding data subjects' rights in accordance with the UK GDPR and GDPR.

The Company is committed to providing all necessary support to the client in the context of responding to requests from data subjects whose data is processed by the Company as a processor in accordance with the provisions of the UK GDPR, GDPR, and contractual obligations between the Company and the client.

Compliance with best standards and practices for technical and organisational security

The Company has implemented technical and organisational measures to ensure the security of personal data. The Company’s internal documentation clearly defines the technical and organisational measures used when processing personal data. In particular, the Company:

  • has developed and adopted documentation governing information security, continuously monitors information security events, and ensures timely response to incidents;
  • has implemented safeguards to restrict access to personal data, in particular: personalised accounts; requirements for the length and complexity of account passwords; protection of network access to reduce the risk of network attacks; verification that the physical data centers where data is stored comply with security requirements; multi-factor authentication and user authentication during authorisation; configuration and application of data access permissions; regular review of existing access rights, etc.;
  • uses encryption technologies when storing and processing personal data using cloud technologies and establishes requirements for the use of only up-to-date and robust cryptographic protocols, algorithms, cipher suites, encryption keys, and key management approaches;
  • regularly reviews backups of personal data to determine whether their storage complies with operational requirements and legal obligations;
  • takes other organisational security measures, including implementing a policy of separation of roles and responsibilities, regularly updating relevant policies and procedures, monitoring the performance of duties, and demonstrating a willingness to cooperate with relevant government authorities. The personnel security measures implemented by the Company include background checks of employees in some cases, raising employee awareness of information security issues and monitoring such awareness, as well as conducting training and professional development programs;
  • continuously monitors changes in legislation and implements best practices in the field of personal data protection in accordance with cybersecurity standards, guidelines, recommendations of personal data protection supervisory authorities, and the Information Commissioner’s Office (ICO).

The Company complies with all policies and procedures adopted to ensure the security of personal data, regularly checks their relevance, and ensures timely review.

Regular third-party verification

All third parties involved in the processing of personal data are verified using an internal regulated procedure for assessing third-party compliance. In particular, such checks assess the availability of relevant documentation relating to the processing of personal data, as well as the availability and effectiveness of technical and organisational security measures implemented to protect personal data from unauthorised access, loss, or integrity breaches.

Secure transfers of personal data

When providing services, the Company may transfer personal data outside the United Kingdom, for example, to the United States and Ukraine.

To ensure security and compliance with legal requirements for the transfer of personal data, an assessment is carried out in advance. In addition, internal monitoring is regularly carried out to monitor the compliance of the legal requirements and practices of the United States, Ukraine, and, where necessary, other countries to which personal data is transferred, with UK and EU personal data protection standards and practices. The security measures taken by data importers are also thoroughly checked, in particular by signing the relevant documentation governing the protection of personal data.

When the Company transfers personal data subject to the UK GDPR and/or the GDPR, it enters into a Data Processing Agreement (DPA) with its contractors. Such agreements incorporate the appropriate transfer mechanisms, including the EU Standard Contractual Clauses (SCCs) together with the UK Addendum, or the International Data Transfer Agreement (IDTA).

Regular training

The Company regularly organises training for its employees and contractors on compliance with the UK GDPR and GDPR requirements, as well as personal data protection. The topics covered in the training include, among others, the general requirements of the UK GDPR, GDPR, and other applicable personal data protection laws, roles in processing, principles of personal data processing, grounds for processing, ensuring the rights of data subjects, and issues of personal data protection.

In addition, the Company has adopted the necessary documentation and implemented appropriate measures to ensure training and awareness of employees in the field of data protection.

OUR CONTACTS

If you have any further questions regarding personal data protection at BAS-IP, please contact us by email: [email protected].

Sincerely,

BAS-IP DISTRIBUTION LTD