We know that privacy and integrity are very important for our customers’ employees when using IoT services. Therefore it’s very important for us that our customers and users can trust that all their personal data processed by TelliQ is adequately protected and handled properly in line with the new European Union General Data Protection Regulation (GDPR) and that their right to privacy is maintained.
We make an effort to be transparent with the personal data processing we perform on behalf of our customers and provide tools and information to enable them to comply with GDPR as smoothly as possible.
Processing of Personal Data
Privacy by Design
TelliQ strives to process only the personal data and information that is required when developing and updating IoT services and functions. This means not collecting more information than necessary, deleting information when it is no longer needed, and only using the information for the original purpose.
This is done by analyzing whether personal data is processed, minimizing the data to what is actually needed, and ensuring that only authorized persons have access to the data.
Access to personal data in the TelliQ IoT system is only available to authorized users. Drivers, for example, can only see their own trips, and if the trips are private, other users can’t access them.
Data processing agreement
TelliQ acts as Data Processor for our clients (Data Controllers) with IoT services. When you become a TelliQ customer, a data processing agreement must be written that ensures that we get to process personal data for our customers and that it’s done correctly.
Contact TelliQ Customer Center to get a copy of our standard Data Processing Agreement.
Which Personal Data is being processed and for what purpose
We process the following personal data from our users and drivers in the IoT system: Name, Email, Password (Encrypted), Private Positions and Addresses, Phone Number, and IP Address. In some cases we also process serial numbers from RFID tags and registration numbers from private vehicles (we don’t classify company-owned vehicles as personal data).
The information is used to access and utilize the IoT service. Private trips and, in some cases, vehicles are also registered and stored but are only available to an authorized driver or user.
Contact information and device data are also used for proactive and reactive customer service in automated troubleshooting and measures, service information and support.
TelliQ is the data controller when processing personal data for sending information with news, product offerings and customer surveys. Personal data being processed are name, title, email and phone number.
How the Personal Data is processed
When collecting information to set up new users with access to the IoT system, an email address will be added by one of the client’s administrators or by TelliQ Customer Center. After that an activation link is sent out where the data subjects themselves can add and set passwords. They will also be able to consent to their personal data being processed.
TelliQ doesn’t store or collect consent of drivers that don’t have access to the IoT system. Legal grounds for processing personal data must then be determined and collected by the client (data controller) by either consent, contract, legitimate/vital interest or legal obligation. Personal data for drivers without access is used to list them as drivers on a trip in the driving journal and in analysis reports.
Authorized TelliQ employees who work in customer care also use personal data to write support tickets, and for contact and troubleshooting when requested or where deviations in the IoT service were identified in proactive customer care. The data is available via a support tool where all actions made by TelliQ staff are registered and logged.
Contact information for authorized signatories, purchasers of IoT services and recipients of shipments are also processed in internal and external finance, administration and delivery systems. The data is collected when the IoT system is purchased and stored in CRM systems.
Sending emails with service information, news, product offerings, and customer surveys is done outside of the IoT system via subcontractors to data subjects who have agreed to receive the information from different sources.
IP addresses are logged when entering TelliQ AB’s website or IoT system to prevent and investigate hacking as well as for web activity analysis. IP addresses aren’t used to retrieve personal information other than the actual IP address or to link between users and IP addresses.
The registration number of a vehicle is used for identification in the IoT system and also to gather more information about the vehicle, such as average fuel consumption, via a sub-processor.
Routines for removing Personal Data
The removal of Personal Data in IoT systems is done as follows:
User information (Name, Email, phone number) is stored as long as you are a TelliQ customer and is removed only when the service is canceled or on request.
Driving journals (start / stop address, distance, odometer, trip type and purpose) are saved as long as you are a TelliQ customer and are removed only when the service is canceled or on request.
This also applies for inactive vehicles that are no longer used.
Positions from vehicles are available for three months.
IP addresses from the web are also deleted after three months.
Data in backups is stored for a maximum of 4 months and then deleted.
The removal of Personal Data in other systems is done as follows:
Contact information (name, title, email and phone number) for sending news, product offerings and customer surveys is removed on request or in case of consent being withdrawn. Contact information for data subjects that haven’t opened any emails from TelliQ in a 6-month period is also removed.
The procedure to remove personal data is started directly upon request and is done within 180 days.
Withdraw consent, rectify, request extracts or erase Personal Data
Since TelliQ is the data processor and the IoT service in some cases contains billing, tax and book information, a request to rectify, request extracts, or erase personal data needs to be made directly to the data controller.
If a user withdraws consent or objects to the processing in the IoT system, access to the IoT service will be removed and the user will be flagged as “non-consented” for the client’s (data controller’s) administrators. The user or administrator should then contact the data controller (usually the employer) who passes the request to TelliQ Customer Center. They will ensure that an authorized person is making the request. Corrections can be made either in the IoT system or by request from the data controller.
When processing Personal Data for sending news, product offerings and customer surveys, TelliQ AB is data processor (and not data controller). When a data subject objects and doesn’t consent to their personal data being processed, the data will be deleted and will be removed from the processing.
It is possible to withdraw consent via the link in the sent email or by contacting TelliQ Customer Center. Also contact TelliQ Customer Center to rectify, request extracts or delete personal data.
Data protection and protective measures
We continuously work on improving our information security and use the latest technology for firewalls, virus protection and monitoring to ensure a high level of data protection. Through systematic methods and analysis, data protection will constantly be improved and kept up to date to ensure that we maintain the correct level of security. Please read our Information Security Policy. We also have an ongoing project to certify parts of the company according to ISO27001 to further improve our data protection and identify protective measures.
TelliQ has an Operational Monitoring Group and only members of the group have direct access to personal data registers in production systems and backups.
TelliQ does not use sub-processors or do any processing in countries outside of the EU/EEA that do not comply with the terms of transfer according to current data protection legislation or do not comply with the Data Processing Agreement. TelliQ has an agreement with all of its partners and sub-processors who handle personal data.
All the data in the IoT system is stored on Amazon Web Services (AWS) servers that are used for hosting of our production systems and are certified according to ISO27001. Other sub-processors that TelliQ uses also meet the requirements of current data protection legislation.
TelliQ uses sub-processors to assist in providing IoT services with high quality and availability. Sub-processors are used for hosting cloud services, order and billing services, mass email sending, customer surveys, email management and storage of documentation as well as vehicle information.
All sub-processors fulfill the obligations specified in the Data Protection Agreement.
Contact TelliQ Customer Center to request a copy of our latest Subcontractor List.
List updated: 2018-04-30
Personal Data Breach
A personal data breach is when an incident leads to accidental destruction, loss, modification, deletion or unauthorized access to the personal data processed by TelliQ.
The following steps are taken when a data breach occurs:
Examination of the incident
Take appropriate measures to reduce the impact of the incident and prevent repetition
A report is made and sent to the Data Controller, containing:
Description of the nature of the personal data incident
Categories of and the approximate number of data subjects affected
Categories of and the approximate number of personal data items affected
Description of likely consequences of the personal data breach
Description of actions taken by the Data Controller to rectify the personal data breach
Contact information for someone who can provide more information and answer questions regarding the data breach
It is the responsibility of the Data Controller to report the personal data incident to the official regulator within 72 hours in cases where the incident is likely to pose a risk to data subjects’ rights. In other cases, no report needs to be made.
For any questions regarding processing of personal data and our data protection measures, please contact TelliQ AB’s Data Protection Officer (DPO).
Sebastian Widerlöv, firstname.lastname@example.org, +46 589 89826
For corrections, requests for extracts and requests to remove personal data, please contact TelliQ Customer Center.