Privacy Policy

Introduction

Echoz.ai is dedicated to safeguarding all facets of data protection and recognizes its obligations under the General Data Protection Regulation (GDPR) throughout the organization. This policy delineates the organization’s approach to handling personal data, encompassing customers’ personal files, data subject access requests, and employees’ responsibilities regarding personal data.

Scope:

This policy applies comprehensively to all parties, including customers, suppliers, and vendors, who access personal information of customers stored and captured by clients. It is incumbent upon all employees, contractors, consultants, partners, and any other external entities to adhere to this policy. This inclusivity extends to anyone closely collaborating with Echoz.ai or acting on its behalf, potentially requiring access to personal information of customers stored and captured by Echoz.ai.

Definitions:

Establishment: The primary establishment of the controller in the EU is defined as the location where the controller primarily makes decisions regarding the purpose and means of its data processing activities. For processors in the EU, the primary establishment is their administrative center. Controllers based outside the EU must appoint a representative in the jurisdiction in which they operate to act on their behalf and interface with supervisory authorities.

Personal data: Any information pertaining to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data controller: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data subject: Any living individual who is the subject of personal data held by an organization.

Customer: A party that receives or consumes products (goods or services) and has the ability to choose between different products and suppliers. In the government context, a customer may be a government employee, citizen, resident, or visitor consuming any provided government services.

Users: Any individual, including employees (permanent and contracted) and non-employees (contractors, consultants, suppliers, vendors, partners, customers, etc.), associated with Echoz.ai.

Processing: Any operation or set of operations performed on personal data or sets of personal data, whether automated or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.

Profiling: Any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyze or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the data subject’s right to object to profiling and their right to be informed about the existence of profiling, measures based on profiling, and the potential effects of profiling on the individual.

Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Controllers have an obligation to report personal data breaches to the supervisory authority, especially where the breach is likely to adversely affect the personal data or privacy of the data subject.

Data subject consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Child: The GDPR defines a child as anyone under 16 years of age, though this may be lowered to 13 by Member State law. Processing personal data of a child is only lawful if parental or custodian consent has been obtained. Controllers must make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child.

Third party: A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Filing system: Any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

Policy Statement

We may offer access to the Echoz.ai Service, or specific components thereof, on an evaluation basis. This evaluation period extends until one of the following occurs: (i) the conclusion of the designated evaluation period specified in the Sales Order, (ii) your decision to purchase a subscription to the Service, or (iii) termination of the evaluation by Echoz.ai, either for cause or without cause, as notified through a termination notice with immediate effect.

Safeguarding Information and Privacy

In alignment with our unwavering commitment to data protection, Echoz.ai’s Board of Directors and Management assert their dedication to strict compliance with all relevant EU and Member State laws governing personal data. We pledge to safeguard the fundamental “Rights and freedoms” of individuals whose data we collect and process, adhering meticulously to the tenets outlined in the General Data Protection Regulation (GDPR).

Scope and Application:

Our data protection policy extends its protective mantle over every facet of personal data processing within Echoz.ai. This comprehensive approach ensures that the information of our customers, clients, employees, suppliers, partners, and all individuals associated with us receives the utmost care and attention.

Ownership and Accountability:

As stewards of data protection, the GDPR Owner oversees our adherence to regulatory standards. This designated individual conducts annual reviews of our processing register, ensuring that our practices evolve in tandem with changes in Echoz.ai’s operations and emerging regulatory requirements. Our commitment to transparency is underscored by our willingness to make this register available upon request by the supervisory authority.

Acquisition and Processing of Personal Data:

Echoz.ai recognizes the indispensable role of personal data in achieving our business objectives. Whether in tangible or digital form, the information we gather spans a diverse spectrum, encompassing names, email addresses, mailing addresses, customer photos, financial data, medical records, and demographic details. Our commitment to responsible data stewardship remains unwavering.

Collaboration and Accountability with Partners:

Our data protection ethos extends beyond our organizational boundaries to encompass our partners and third-party collaborators. It is incumbent upon them to fully comprehend and adhere to the principles articulated in this policy. Echoz.ai mandates that no third party may access personal data under our purview without first entering into a robust data confidentiality agreement. We reserve the right to conduct periodic audits to ensure ongoing compliance with these obligations, thereby upholding the integrity and security of the data entrusted to us.

Roles and Responsibilities under the General Data Protection Regulation

Data Processor Responsibility:

Echoz assumes the vital role of a Data Processor. Throughout Echoz, management and individuals in managerial or supervisory positions bear the responsibility for fostering and advocating for exemplary information handling practices within the organization. These responsibilities are meticulously outlined in individual job descriptions to ensure clarity and accountability.

Policy Owner Accountability:

The Policy Owner, a distinguished member of the senior management team at Echoz, holds unwavering accountability to the Board of Directors for the meticulous management of personal data within the organization. This mandate encompasses ensuring steadfast compliance with data protection legislation and championing a culture of adherence to best practices. Key responsibilities include:

  • Pioneering the development and meticulous implementation of GDPR requirements as outlined in this policy.
  • Diligently managing security protocols and risk mitigation strategies to ensure seamless compliance with the policy.

Operational Oversight:

Appointed by the Board of Directors based on their exceptional qualifications and extensive experience, the Policy Owner assumes day-to-day responsibility for Echoz’s resolute adherence to this policy. They are directly answerable for ensuring rigorous compliance with the GDPR, working collaboratively with other managers responsible for data processing within their respective domains.

Procedural Management:

The Policy Owner holds a pivotal role in overseeing procedural intricacies such as the Subject Access Request Procedure. Serving as the primary point of contact for Echoz’s esteemed Employees/Staff, they provide invaluable guidance and clarity on any facet of data protection compliance.

Collective Responsibility:

Echoz firmly upholds the principle that compliance with data protection legislation transcends individual obligation; rather, it is a collective commitment shared by every Employee/Staff/Contractor involved in processing personal data. This collective responsibility underscores Echoz’s unwavering dedication to safeguarding the privacy and rights of individuals.

Data Accuracy Assurance:

At Echoz, we entrust our Employees/Staff/Contractors with the critical responsibility of ensuring the accuracy and currency of any personal data provided to the organization. Upholding the integrity and reliability of data is paramount, reflecting Echoz’s steadfast commitment to excellence in data management and compliance with regulatory standards.

Data Protection Principles

The General Data Protection Regulation (GDPR) mandates that all processing of personal data must adhere to the following principles of data protection:

Lawful, Fair, and Transparent Processing:

Echoz adheres to the foundational principles of lawful, fair, and transparent processing of personal data.

  • Lawful Processing: Echoz identifies a lawful basis before processing personal data, ensuring compliance with established conditions for processing, such as consent.

  • Fair Processing: The Data Controller (Client) at Echoz ensures fairness by providing necessary information to data subjects, whether the data is obtained directly from them or from other sources.

  • Transparent Processing: Information is communicated to data subjects in a clear and intelligible manner, using plain language to facilitate understanding.

Specific Information Provided to Data Subjects May Include:

  • Identity and contact details of the controller and the GDPR Owner.
  • Purposes and legal basis for processing personal data.
  • Duration of data storage.
  • Rights to access, rectify, erase, or object to processing.
  • Categories of personal data processed.
  • Recipients of personal data, where applicable.
  • Intention to transfer data to third countries and level of protection provided.
  • Any additional information necessary for fair processing.

Purpose Limitation:

Echoz ensures that personal data is collected only for specific, explicit, and legitimate purposes. Data obtained for specified purposes is not used for any purpose beyond those formally notified to the supervisory authority.

Data Minimization:

Echoz ensures that personal data collected is adequate, relevant, and limited to what is necessary for processing.

Data Accuracy and Timeliness:

  • Echoz reviews and updates stored data as necessary, ensuring its accuracy and relevance.
  • All staff are trained in the importance of collecting accurate data.
  • Data subjects are responsible for ensuring the accuracy and timeliness of data provided to Echoz.

Data Retention and Secure Disposal:

  • Echoz reviews the retention dates of personal data annually and securely deletes data no longer required.
  • Personal data is retained in a minimized and encrypted form, in line with the Data Retention Policy.

Security Measures:

  • Echoz conducts risk assessments to evaluate security measures.
  • Technical measures include password protection, automatic terminal locking, and encryption of devices.
  • Organizational measures include training, employment contract clauses, and disciplinary actions for breaches.
  • Physical access controls and clear desk policies are implemented to safeguard data.

These stringent controls are selected based on identified risks to personal data and the potential for damage or distress to individuals.

Rights and Liberties

At Echoz.ai, we uphold the fundamental rights of data subjects, ensuring transparency, fairness, and respect in all aspects of data processing. Data subjects possess a range of rights concerning the processing of their personal data and the information recorded about them:

Access Requests:

Data subjects have the right to make subject access requests to ascertain the nature of information held about them and to whom it has been disclosed.

Protection from Harm:

Data subjects have the right to prevent processing that is likely to cause them damage or distress, safeguarding their emotional and psychological well-being.

Opt-Out of Direct Marketing:

Data subjects can opt out of processing for the purposes of direct marketing, preserving their autonomy and control over their personal information.

Transparency in Automated Decision-Making:

Data subjects have the right to be informed about the mechanics of automated decision-taking processes that significantly affect them, promoting transparency and accountability.

Protection from Solely Automated Decisions:

Data subjects are entitled to not have significant decisions affecting them made solely by automated processes, ensuring human oversight and intervention where necessary.

Rectification and Erasure:

Data subjects have the right to request rectification, blocking, erasure (including the right to be forgotten), or destruction of inaccurate data, enabling them to maintain the accuracy and integrity of their personal information.

Data Portability:

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, as well as the right to have that data transmitted to another controller, facilitating data mobility and interoperability.

Objection to Automated Profiling:

Data subjects can object to any automated profiling occurring without their consent, preserving their right to privacy and autonomy in decision-making processes.

Echoz.ai’s Commitment:

Echoz.ai may, at its discretion, charge for allowing data subjects access to information about them, with any charges being reasonable and proportionate to the request. We are dedicated to responding promptly to any data subject access request, aiming to provide a comprehensive response within [30] calendar days. However, Echoz.ai reserves the right to withhold data subject access where statutory exemptions apply, ensuring compliance with relevant regulations while safeguarding the rights and freedoms of all individuals.

Securing Personal Data

At Echoz.ai, safeguarding Personally Identifiable Information (PII) and Personal Data is of paramount importance. This encompasses any information maintained by Echoz.ai that can be used to identify individuals, such as names, social security numbers, dates and places of birth, contact details, and biometric records. Additionally, it includes any other data linked or linkable to an individual, spanning medical, educational, financial, and employment information, among others.

Within our organization, personal data may also reside in various repositories, including line manager inboxes or desktops, payroll systems, or within documents stored in relevant filing systems. Echoz.ai may collect relevant personal information from employees, customers, or data subjects for equal opportunities monitoring purposes. When collecting such information, we anonymize it unless the intended purpose necessitates the use of individuals’ personal information in full.

Echoz.ai is committed to securely retaining personal information about data subjects, including details stored in personnel files. Hard copies of information are securely kept in locked filing cabinets, while electronically stored data is subject to stringent access controls. We employ robust password and encryption protocols where necessary to enhance data security.

To ensure comprehensive data protection practices, Echoz.ai provides thorough training on data protection to all employees who handle personal information as part of their duties. Confidentiality clauses in employment contracts further reinforce the importance of data security among our staff.

When employees use laptops off-site, they must adhere to Echoz.ai’s policies concerning information security and the use of computers for remote work. This includes strict adherence to guidelines for working from home and bringing personal devices to work, ensuring that data remains secure and protected at all times.

At Echoz.ai, we remain steadfast in our commitment to maintaining the highest standards of data security and privacy, ensuring the confidentiality and integrity of personal information across all facets of our operations.

The Essence of Consent

At Echoz.ai, we hold a profound understanding of the concept of ‘consent,’ recognizing it as the cornerstone of ethical data processing practices. Consent, as interpreted by Echoz.ai Management, embodies explicit, freely given, and well-informed agreement by data subjects to the processing of their personal data. It is a specific, unambiguous indication of the individual’s wishes, expressed either through a statement or a clear affirmative action.

Active Communication and Demonstration:

Echoz.ai emphasizes the importance of active communication between parties to demonstrate valid consent. Consent cannot be assumed or inferred from silence or non-response to a communication. Echoz.ai is committed to meticulously documenting and demonstrating the process of obtaining consent for all data processing operations, ensuring transparency and accountability.

Explicit Consent for Sensitive Data:

For sensitive data, such as credit card information or bank account details, Echoz.ai adheres to the principle of obtaining explicit written consent from data subjects. This ensures that individuals have full awareness and control over the processing of their sensitive information, unless an alternative legitimate basis for processing exists as permitted by applicable regulations.

Standardized Consent Procedures:

In most scenarios, Echoz.ai routinely obtains consent for the processing of personal and sensitive data through standardized consent documents. These documents are utilized, for instance, when a new client enters into a contract with Echoz.ai, during the initial login process for customers, or as part of induction procedures for participants in programs. This standardized approach ensures clarity, consistency, and compliance with data protection regulations across all interactions with data subjects.

Echoz.ai remains steadfast in its commitment to upholding the principles of transparency, fairness, and respect for individual autonomy in all data processing activities. Consent serves as the cornerstone of our data protection framework, reflecting our dedication to ensuring the privacy and rights of all individuals whose data we handle.

Commitment to Security

At Echoz.ai, we prioritize the security of personal data as a fundamental aspect of our operations. It is the responsibility of all employees and staff to ensure that any personal data held by Echoz.ai, for which they are accountable, is kept secure and confidential at all times. Under no circumstances should personal data be disclosed to any third party unless authorized by Echoz.ai management and governed by a confidentiality agreement.

Access Control and Secure Storage:

All personal data must be accessible only to authorized personnel who require it for their designated roles, in adherence to our Access Control Policy. Personal data must be stored securely, which includes:

  • Physical storage in lockable rooms with controlled access.
  • Use of locked drawers or filing cabinets for manual records.
  • Password protection for computerized data in line with corporate requirements.
  • Encryption of data stored on removable computer media as per our Secure Disposal of Storage Media policy.

Prevention of Unauthorized Access:

Manual records containing personal data must never be left unattended where they could be accessed by unauthorized individuals. They should not be removed from business premises without explicit authorization. Once manual records are no longer needed for day-to-day operations, they must be securely archived in line with our retention policy.

Data Retention and Disposal:

Personal data may only be deleted or disposed of in accordance with our Data Retention Policy. Manual records that have reached their retention date must be securely shredded and disposed of as confidential waste. Hard drives of redundant PCs must be removed and immediately destroyed as mandated by our disposal procedures.

Echoz.ai is committed to maintaining the highest standards of security and confidentiality when handling personal data. By adhering to rigorous security measures and policies, we ensure the integrity and protection of all data entrusted to us.

Approach to Data Retention and Disposal

At Echoz.ai, we recognize the importance of carefully managing the retention and disposal of data to uphold the integrity and privacy of personal information. Our commitment to data protection extends to every stage of the data lifecycle, including retention and disposal practices.

Extended Data Storage for Legitimate Purposes:

Echoz.ai may retain data for extended periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research, marketing, or statistical purposes. However, such retention is subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of data subjects. We prioritize the ethical and responsible use of data, ensuring that it serves legitimate purposes while respecting individual privacy rights.

Establishing Retention Periods:

The retention period for each category of personal data is meticulously defined in our Data Retention Policy. This policy outlines the criteria used to determine retention periods, taking into account any statutory obligations that compel the organization to retain specific data. By adhering to clear retention guidelines, Echoz.ai ensures compliance with regulations while effectively managing data storage.

Uniform Application of Retention and Disposal Policy:

Echoz.ai’s data retention and disposal policy applies universally across all data management practices. This ensures consistency and transparency in our approach to data handling, irrespective of the nature or origin of the data. By adhering to a standardized policy, we maintain clarity and accountability in our data management processes.

Secure and Responsible Disposal:

Echoz.ai prioritizes the secure disposal of data to mitigate risks associated with unauthorized access or misuse. Personal data is disposed of securely, in accordance with the principles of the GDPR and processed in a manner that upholds security standards. Any data disposal activities are conducted in strict adherence to our secure disposal policy, minimizing the potential for data breaches or privacy violations.

Echoz.ai remains committed to upholding the highest standards of data integrity and privacy throughout the data lifecycle. Through robust retention and disposal practices, we ensure that personal data is managed responsibly, ethically, and in accordance with regulatory requirements.

Managing Information Assets

At Echoz.ai, we recognize the importance of effectively managing our information assets, including personal data, to mitigate risks and seize opportunities. As part of our comprehensive approach to privacy risk assessment, we establish a robust data inventory and data register, delineating the flow of data throughout our organization.

Comprehensive Data Inventory:

Our data inventory encompasses a detailed overview of the data flow processes within Echoz.ai. This includes:

  • Identification of business processes that utilize personal data.
  • Classification of the types of personal data involved.
  • Determination of the sources from which personal data is obtained.
  • Assessment of the volume and diversity of data subjects.
  • Description of each item of personal data, ensuring clarity and specificity.
  • Documentation of processing activities undertaken with personal data.
  • Maintenance of categorized inventory detailing the purpose(s) for which each data category is utilized.

Transparent Data Flow Mapping:

Echoz.ai meticulously maps the flow of data across our organization, tracing its journey from inception to utilization. Our data flow mapping encompasses:

  • Identification of key systems and repositories that store and process personal data.
  • Documentation of any data transfers, both internal and external.
  • Clear delineation of the role of Echoz.ai at each stage of the data flow process.
  • Identification of recipients and potential recipients of personal data, ensuring transparency and accountability.
  • Documentation of all retention and disposal requirements, aligning with regulatory mandates and organizational policies.

By maintaining a comprehensive data inventory and transparent data flow mapping, Echoz.ai ensures a holistic understanding of our information assets. This enables us to effectively address privacy risks, optimize data management practices, and uphold the trust and confidence of our stakeholders. At Echoz.ai, we are committed to the responsible stewardship of personal data, fostering a culture of accountability, transparency, and compliance throughout our organization.

Comprehensive Risk Assessment:

Echoz.ai conducts thorough assessments to gauge the level of risk associated with the processing of personal data. We employ Data Protection Impact Assessments (DPIAs) as a key tool in evaluating the risks inherent in our data processing activities. These assessments are not only conducted internally for Echoz.ai’s operations but also extend to processing activities carried out by third-party organizations on our behalf.

Risk Management Strategies:

Upon identifying potential risks through our assessment processes, Echoz.ai swiftly implements risk management strategies to mitigate the likelihood of non-conformance with our data protection policies. Our goal is to minimize risks and ensure compliance with relevant regulations and guidelines.

Proactive Approach to High-Risk Processing:

In cases where processing activities, particularly those involving new technologies or posing high risks to individuals’ rights and freedoms, are likely to result in significant impacts, Echoz.ai conducts DPIAs prior to commencement. These assessments comprehensively evaluate the potential impact of processing operations on the protection of personal data. By addressing risks proactively, we uphold our commitment to safeguarding individuals’ privacy and data rights.

Escalation and Review Mechanisms:

Echoz.ai maintains robust escalation and review mechanisms to address any concerns arising from DPIAs. If a DPIA reveals potential risks that could cause damage or distress to data subjects, the decision to proceed is escalated to the GDPR Owner for review. In cases where significant concerns persist, the matter may be further escalated to the supervisory authority for additional scrutiny.

Risk Mitigation Measures:

To mitigate risks associated with processing personal data, Echoz.ai implements appropriate controls and measures. These controls are carefully selected and applied to reduce the level of risk to an acceptable threshold, guided by our documented risk acceptance criteria and the requirements of the GDPR. By adopting proactive risk management practices, Echoz.ai ensures the ongoing protection and integrity of personal data entrusted to us.

Rights and Responsibilities of the Data Controller

As the Data Controller, the Client holds significant responsibilities in ensuring the lawful and appropriate processing of personal data. Here’s a detailed overview of the rights and obligations associated with this role:

Assessment of Processing Admissibility:

The Data Controller is solely responsible for assessing the admissibility of any processing requested and for upholding the rights of affected parties. This includes documenting all orders, partial orders, or instructions related to data processing activities.

Immediate Notification of Errors:

In the event of identifying errors or irregularities during the review of processing results, the Client must promptly notify the data Processor. This ensures swift rectification of any issues that may arise during the processing.

Right to Inspect Compliance:

The Client has the right to inspect compliance with data protection provisions and contractual agreements with the data Processor. This includes the entitlement to conduct inspections personally or through third parties, accessing stored data, processing programs, and conducting on-site inspections as necessary.

Facilitation of Inspections:

The Processor must facilitate inspections by providing necessary information, demonstrating policies, and offering required documentation. Inspections should be carried out without disrupting the Processor’s business operations, with advance notice provided except in urgent circumstances.

Notification Obligations:

The data Processor is obligated to immediately notify the data Controller of any personal data breaches or justifiably suspected incidents. Notifications should include detailed information about the breach, its potential consequences, and measures taken or proposed to rectify the situation.

Reporting Significant Disruptions:

Any significant disruptions or violations against data protection provisions must be promptly reported to the data Controller. This includes breaches of legal data protection provisions or contractual stipulations.

Communication of Inspections or Measures:

The data Processor must inform the data Controller of any inspections or measures conducted by supervisory authorities or third parties related to the commissioned data processing. This ensures transparency and collaboration between the Controller and Processor in upholding data protection standards.

By adhering to these rights and obligations, the Data Controller plays a crucial role in safeguarding personal data and maintaining compliance with data protection regulations and contractual agreements.