Below we examine what personal data iCohere processes, and for what purposes.
iCohere collects personal data as a contractor.
Below we will describe the way in which iCohere processes and stores the personal data which iCohere obtains in the course of its core business, which can be summarized as providing surveys for its clients.
Description of Core Business
iCohere sells or grants licenses for an application with which its clients (businesses) are able to ask their customers (in general members and employees) to participate in online communities and eLearning (hereafter referred to as the application).
The application is managed and configured by the client after training. The client is given the ability to login to the application, to configure and/or revise it. It is up to the client to determine which types of information their end-users are asked to fill in.
The following personal data is generally requested in the application and is then processed by the client personally: email address, first and last name. It is up to iCohere’s client to determine what (if any) additional personal data it requests from the end-user.
Because the data referred to above may identify natural persons it amounts to ‘personal data’ within the meaning of the GDPR.
The application can be viewed not only by the client, but also by iCohere. Besides the stated personal data the following data is also known to iCohere: The end-user browser, the pages visited by the end-user, additional profile fields entered, transcript information, even registration, and attendance information.
Controller/processor in Core Business
The GDPR defines the ‘controller’ as the person/business entity that sets the goal and the means for the processing of personal data. A ‘processor’ under the GDPR is the person/business entity – not being employed by the controller – that processes the personal data on behalf of the controller.
With regard to the personal data which is processed in the course of iCohere’s core business, it is the client who sets the goal and the means for the processing. The application is a tool for obtaining the personal data and while the application is supplied to the client by iCohere, it is the client who fills in the application (and therefore establishes the goal for which the application is being used) and who determines how this application is to be used (and therefore determines the means for the processing).
iCohere is not employed by the client. By providing the application and ensuring that the application continues to work, and by also being able to view the results of the application, iCohere processes the personal data on behalf of the client and is therefore to be regarded as the processor. iCohere makes no independent decisions with regard to this personal data.
Goal of Core Business
Because it is iCohere’s client who determines what personal data is obtained and what is to be done with it, it is iCohere’s client who sets the goal.
The application involves the client asking end-users to take part in online activities such as communities, virtual conferences and eLearning. It is up to the client to ask for the end-user’s consent and/or to enter into an agreement with them.
iCohere and its client enter into a contract for the use of the application and a contract covering the processing of personal data. Under the terms of this contract iCohere has no control over the personal data placed at its disposal. It makes no decisions over the receipt and use of the data, its supply to third parties, and the duration of storage of data. Control over the personal data provided under the contract is never vested in iCohere.
iCohere does not use the personal data for any purposes other than those set by its client.
Period of retention of personal data in the core business
iCohere retains the personal data for as long as the contract with the client continues. This may be different if the contract with the client contains some other agreed term.
It is possible that, at the client’s request, iCohere will retain the personal data for a specified period of time, after which it is automatically deleted without a copy being retained.
Deletion of personal data in the core business
iCohere will, upon first request by the client, destroy all extracts and copies received from the client and/or data relating to the client which is processed on behalf of the client, in a manner to be further determined in mutual consultation. This process may take several business days to complete.
Internal management, technical and organizational security measures in the Core Business
The personal data is stored in protected form in iCohere’s database. This comprises the email address, first name, last name, and other information that is collected from end-users as specified by the client. Only authorized persons, employees of iCohere, have access to this data. Product related teams are iCohere’s teams that are charged with the operational development, support, maintenance and testing of iCohere’s software application. Other teams/divisions, such as Sales, Marketing, HR, Office Management and Finance have no access to this data.
All iCohere personnel have signed a confidentiality statement and they are all aware that no personal information may be disclosed outside the company.
iCohere uses the services of Cogeco Peer1, an international organization that is accredited under ISO 21001 standards and is based in Toronto Canada, where the personal data is stored. The Cogeco Peer1 DPA is accessible online at: https://www.cogecopeer1.com/wp-content/uploads/2018/04/COGECO_PEER_1_DP_ADDENDUM.pdf
iCohere application databases are backed up hourly. Application files are backed up nightly. Backups are normally retained in full for one month.
Data leaks in the Core Business
Clients will be notified as soon as possible, and in any case within three business days of discovery, should a breach of security or data be detected within iCohere. iCohere will provide the client(s) with all applicable information regarding the security/data breach.
© iCohere, Inc. All Rights Reserved.
Last Revised August 2018