Who is responsible for data protection and data security?
Maintaining appropriate standards of data protection and data security is a collective task undertaken by Avanti and all of its staff. Avanti has responsibility for ensuring that all personal information is collected, processed and stored in compliance with the requirements of applicable data protection laws, namely the Data Protection Act 2018, the Privacy Communications (EC Directive) Regulations 2003 (as revised) and the EU General Data Protection Regulation (2016/679) (“GDPR”), together the “Data Protection Laws”.
The contact details of our DPO are set out in the “Contact – questions or complaints” section below.
Types of personal data collected directly
“Personal Information” is any information relating to an identified or identifiable individual (or “data subject”). The specific personal information that we collect depends on the products and services used or subscribed to. Such data includes, but is not limited to, the following:
- Name, title, address, telephone numbers, email address, country of residence, user name, passwords, company name, job title;
- Results of any credit background checks;
- Location data;
- Log files;
- Any debit or credit card information, bank account details including sort code and account number, and any payment history;
- Direct mailer lists and marketing opt-ins; and
- Credit reference checks.
Types of personal data collected via use of the website (“Cookies”)
The information we collect in this way is used for internal review and improvement purposes, for example to improve and/or customise the content, and/or layout of our websites for our users or each individual user. This information is not shared with other organisations for commercial purposes.
Types of personal data collected from other sources
We collect the following data about end users from their VSAT terminal and store them in our OSS device:
- Name, title, address, telephone numbers, email address, country of residence;
- MAC address, international mobile equipment identities (IMEI);
- Location data; and
- Log files.
Principles relating to processing of personal data
There are a number of fundamental principles upon which the GDPR is based, specifically that personal data must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for a legitimate purpose and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and kept up to date, and every reasonable step taken to ensure that where there is any inaccurate data is it either erased or rectified without delay (having regard to the purposes for which they are processed);
- Kept no longer than is necessary for the purposes for which the data is required; and
- Processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using the appropriate technical and organisational measures.
- As a controller of the personal data, we are required by law to demonstrate compliance with the above principles. We ensure such compliance both in the processing or currently undertakes and as part of the introduction of new methods or processing such as new IT systems.
How we use personal information
In some circumstances, the Data Protection Laws dictate that a data subject’s prior consent is required before processing of the Personal Information is permitted. Please refer to the Consent section below for further details.
We may collect, use and disclose personal information in order to:
- Respond to any prospective customer or partner enquiries based on consent implicit in raising a query;
- Provide our services, including client management, communication with corporate representatives and account management which is in our legitimate interests in fulfilling the contract with our clients;
- For our other business purposes, such as
- carrying out analytical market research (sometimes using anonymized information), audits,
- developing new products or making product recommendations,
- improving our services and products,
- gauging customer satisfaction and providing customer service,
- enhancing our Sites or apps,
- identifying user trends, and
- evaluating the use of our Sites, products and services and understanding browsing habits and trends.
All of these activities are in our legitimate business interests in identifying and developing opportunities for our business and improving customer service.
- Data may be shared with regulatory bodies and legal advisers to comply with a legal obligation, exercise or defend our legal rights.
Who we share Personal Information with
We may share and/or process Personal Information with:
- other companies within the Avanti Group;
- other third parties where consent to such disclosure has been provided;
- a third party in the event of any reorganisation, merger, sale, joint venture, assignment or transfer of all or part of the Avanti business;
- government or legal bodies, law enforcement agencies or public authorities when we are compelled to disclose in order to comply with any Data Protection Laws.
Where we store Personal Information
Most Personal Information collected and processed during the use of any of our products or services is stored on servers located in the European Economic Area (“EEA”). Information may be transferred to our other offices and/or to third parties (including government or legal bodies, law enforcement agencies or public authorities as required by law in different jurisdictions worldwide, and our partners including installation companies worldwide as part of meeting our contractual obligations), which may be situated outside the EEA (for example in the country of the local service provider delivering the telecommunications services to end-customer premises) and may be processed by staff operating outside the EEA. Such transfer and processing is done in accordance with internationally recognised standards or via express individual consent, or where the transfer is necessary for one of the other reasons set out in the GDPR such as:
- the performance of a contract between us and you;
- reasons of public interest;
- to establish, exercise or defend legal claims, or to protect your vital interests where you may be physically or legally incapable of doing so; and
- in some limited cases, for our legitimate interest.
Our Head Office is located in the UK and data transfers between our UK locations and those in the EU are protected by the EU Standard Contractual Clauses.
We may send you by post or email details of products, services, special offers, promotions and other information that we think may be of interest to you. Third parties may also, working on our behalf, market to you via telephone, email and/or direct mail. From time to time we may also contact you for customer research purposes. You can unsubscribe from such communications at any time, by the unsubscribe link found at the bottom of every marketing email.
Personal Information can only be processed on the basis of one or more of the lawful bases set out in the Data Protection Laws, one of which includes consent. Consent is obtained if the data subject concerned has indicated his or her agreement clearly either by a statement or positive action to the processing. Express consent is usually required for processing sensitive Personal Information, for example, racial or ethnic origin, political opinions, genetic or biometric data, sexual orientation.
Avanti obtains such consent by notification at time information collected, through an ‘opt-in’ option to receive marketing materials at all points of data capture. To comply with Data Protection Laws, Avanti is required to evidence that consent was captured at the necessary time and must maintain records of all such consents and withdrawals.
Data subjects must be easily able to withdraw their consent at any time and withdrawal will be promptly implemented by Avanti following receipt by it of any such written request (please see “Data subjects’ rights” section below for further information).
We may retain certain Personal Information for any residual aspect of the purposes set out above, or to comply with accounting tax rules and regulations, the specific retention requirements of which may differ depending on local laws and regulations. In all circumstances, however, Personal Information will not be retained longer than is necessary in relation to the purpose for which such data is processed.
Certain customer, supplier or end-user account information will be held for 6 years from the end of any contract with us, to ensure we comply with our legal and regulatory obligations (even if the services are no longer being provided).
We will keep any contact information for a reasonable period of time after a contract has ended, in case the data subject chooses to use our services or products again. In such event and unless the data subject has opted out of marketing, we may contact them about our services or products during this time.
Protection of Personal Information
The Personal Information we collect is stored by us and/or our third party service providers on databases protected through a combination of physical and electronic access controls and integrated management systems (we are accredited to ISO 27001:2013 and ISO 9001:2015 standards), firewall technology, encryption and other reasonable organisational, technical and administrative measures. Once the Personal Information has been received, these strict procedures and security features are in place to prevent unauthorised access.
Data subjects’ rights
All data subjects have the right to:
- withdraw consent where processing is carried out on the basis of consent;
- request to review, correct, update or erase the information previously provided to us;
- request access to the information;
- request it be transferred to another person or organisation; and
- lodge a complaint with the ICO (https://ico.org.uk/make-a-complaint/).
All such requests should be in writing using the contact information listed below under the ‘Contact’ section. For any excessive or repeated requests we may charge a reasonable administrative-cost fee.
Each of these rights are supported by appropriate procedures within our business that allow the required action to be taken within the timescales stated in the GDPR, as set out in the below table:
|Data Subject Request||Timescale|
|The right to be informed||When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)|
|The right of access||One month|
|The right to rectification||One month|
|The right to erasure||Without undue delay|
|The right to restrict processing||Without undue delay|
|The right to data portability||One month|
|The right to object||On receipt of objection|
|Rights in relation to automated decision making and profiling||Not applicable|
In certain circumstances the timescale mentioned above may be extended by a further two (2) months, for example, if further information is required from the data subject to enable us to progress the request.
Avanti has adequate resources and controls in place to ensure and document its GDPR compliance, including:
- integrating data protection into internal documents, processes and policies, and the related Cookies policy;
- testing Avanti’s privacy measures and conducting periodic reviews and audits to assess compliance, including using any such results to demonstrate compliance improvement efforts.
Changes to this Policy
Contact – questions or complaints
Questions, comments and requests (including any data subject access requests) regarding this Policy are welcomed and should be addressed to The DPO, Avanti Communications, One Ariel Way, London W12 7SL, United Kingdom or can be emailed to firstname.lastname@example.org.
If you are based in the EU, questions, comments and requests (including any data subject access requests) regarding this Policy should be addressed to The DPO, Avanti HYLAS 2 Cyprus Limited, 37 Spyrou Kyprianou Avenue, 1st Floor, Office 101, Kato Polemidia, CY-4154, Limassol, Cyprus or can be emailed to email@example.com.