MyDay Privacy Policy

This privacy policy relates solely to myday.

Last updated: May 20th 2020

Definitions: Data Controller, Data Processor, Data Subject and Personal Data, Sensitive Personal Data, Special Category Data, processing, Right to Object and appropriate technical and organisational security measures shall have the meanings given to them in the DPA and the GDPR.

Data Controller: University of South Wales

Data Processor: Collabco Ltd. Company Registration No. 6737467

Purpose: This application collects and displays Personal Data on behalf of the Data Controller for the benefit of the Data Subject promoting positive engagement through the use of data and information.

Data sharing: Personal Data is only shared between the Data Controller and the Data Processor with the contractual permission of the Data Controller. Personal Data is not shared with 3rd parties and is not processed outside of the EEA.

Data Categories: Specific data categories stored by myday are listed at https://myday.collabco.com/privacy-policy which is updated as myday is developed. Data Controllers choose which components to enable for use on the myday platform. There are some mandatory data categories, such as identity information.

Data hosting: myday is hosted within the Microsoft Azure public cloud platform and protected by Microsoft guarantees available at https://www.microsoft.com/en-us/trustcenter/ which provide equal or superior security to the myday platform, which itself is built for the Azure cloud. Microsoft are a sub-Processor of myday data as a hosting platform but do not have direct data access.

Lawful basis: Personal Data is stored within myday as:

part of a contractual requirement between the Data Subject and the Data Controller under direct consent by the Data Subject

Duration: Most myday Data is replicated from the Data Controller’s environment and tracks the source data’s lifecycle. Personal Data generated by myday has its own lifecycle as listed on the Data Categories website.

Consent: Where consent is required for capturing additional data within myday, consent is requested from the Data Subject and a suitable withdrawal of consent is provided.

Data Subject Rights: All Access, Rectification, Erasure, Restriction, Portability, Objections requests should be addressed to the Data Controller. The Data Processor will assist in the Data Controller in meeting their obligations to the Data Subject.

Data Protection Authority: As a UK based company, the Data Protection Authority is the Information Commissioner’s Office; registration number Z3035597

Restriction of Data: If Personal Data is not made available to the application, the Data Processor is unable to provide an effective solution.

Security: The Data Processor takes the security of data seriously. The company has internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Automated Decision Making: The myday experience will alter based on the nature of the relationship with the Data Controller, the Data Subjects profile, location and other data. This enables myday to deliver a relevant experience. The Data Controller defines these targeting rules.