Affino GDPR Client / Supplier Questionnaire

General Information

• Company Name
  • Comrz Ltd trading as Affino
• Questionnaire completed by
  • Markus Karlsson (CEO)
• Date Completed
  • 25/5/2018

GDPR Awareness and Readiness

• Is your organisation aware of the changes to data protection law under GDPR and how it will impact your business?
  • Yes, Affino have already made the relevant changes to our policies and procedures.
• Have you undertaken formal gap analysis / an information audit against requirements under GDPR?
  • Yes
• Have you initiated a project to achieve GDPR Compliance?
  • Yes
• Do you expect to be compliant with GDPR by 25 May 2018?
  • Yes

Staff Involvement and Awareness

• Have you appointed / will you appoint a Data Protection Officer?
  • Yes, Markus Karlsson (CEO)
• Do you have a training program in place to ensure all relevant staff are aware of GDPR requirements prior to May 25 2018?
  • Yes

Data Governance

• Have you created a record of your processing of personal data?
  • Yes
• Please detail the personal data that your service or product collects, stores, processes or has access to.

  • Comrz Ltd trading as Affino processes and retains details within our CRM, including but not limited to, client name, company name, company contact details (address, email address and phone number/s), contact details (phone number/s and email address) of company personnel, and in some cases clients bank details (bank, sort code and account number).

  • Affino does not document or retain any credit card information.

Fair Processing and Privacy Notice

• Do you intend to revise your Privacy Notice for GDPR?
  • Yes, we have revised it and you can access the Privacy Policy here.

Data Subject Rights

• Do you have policies and procedures in place to comply with a data subject’s rights including their rights: to be informed; to access; to rectification; to erasure; to data portability; to object to direct marketing.
  • Yes

Data Transmission and Data Residency

• Do you transfer personal data outside of the EEA?
  • No, no customer data is transited outside the EEA. Except where users have set up a public profile on a website which is then accessed internationally
• If so, what steps have you taken to ensure GDPR Compliance?
  • N/A
• Do you have a documented process for storing data and retaining it in line with GDPR requirements?
  • Yes. All data is stored on our secure servers, and protected with advanced security procedures and an array of defensive measures.
• Has your organisation considered the GDPR Data Minimisation principle and reflected this in your relevant data retention policies?
  • Yes. Data held within our CRM database will be “flushed” automatically with data being deleted in as little as 4 months (starting in June 2018), and at a maximum of 6 years.
• Do you encrypt personal data when you transfer it to 3rd parties?
  • Messages from our CRM are not routinely encrypted. Personal data is always encrypted when transmitted, and we only when send un-encryted personal data when requested to do so in writing.
• Please describe how data that is transmitted is protected.
  • Encrypted

Data Breach

• Have you documented your data breach notification procedures to meet GDPR requirements, and have all relevant staff been given adequate training in this?
  • Yes. A copy is available on-line here
• Have you had any data breaches or large-scale data losses in the last 12 months?
  • No