Last reviewed & updated: March, 2024

1. Introduction

As a carrier provider, EXA Infrastructure holds personal data about our employees, clients, suppliers and other individuals for a variety of business purposes. Under the GDPR, “personal data” scope is information that identifies you as an individual or could do so in combination with other information. EXA acts as a Data Controller for those processing activities it undertakes for its own purposes – for example, processing data pertaining to its employees, or for marketing activities. EXA acts as a Data Processor for data it processes under instructions from its customers.

The lawful and correct treatment of personal information is critical to successful business operations and to maintaining the confidence of those we deal with. We will always do our utmost to ensure that EXA treats personal information lawfully and correctly.

This policy sets out how we seek to protect personal data. We must be sure that EXA employees understand the rules governing the use of personal data. This policy requires staff to ensure that the Data Protection team or the Legal department is consulted before any significant new data processing activity starts to make sure that the relevant compliance steps are addressed.

2. Scope

This policy applies to all staff, including temporary workers and contractors. You must be familiar with this policy and comply with its terms.

This policy supplements our other policies relating to Information Security and compliance which can be found within the Legal & Compliance hug on the EXA intranet. EXA may also supplement or amend this policy by additional policies and guidelines from time to time.

Any new or modified policy will be circulated to staff before being adopted.

3. Roles & Responsibilities

Role

Responsibility
All Employees
  • Be familiar with this policy and the data handling procedures
  • Read and acknowledge understanding and compliance with corporate policies

EXA Privacy Board
  • Review and approve the Corporate Data Privacy Policies and Procedures
  • Meet monthly to discuss any privacy related issues and to ensures compliance with all data privacy legislation
  • Enforce training completion across the company

Data Protection Team

(local Data Stewards)
  • Write data privacy related documentation and create content for the corporate data privacy training
  • Monitor and promulgate compliance with the GDPR and local data privacy legislation
  • Identify and communicate to the Privacy Board any data privacy issues, risks, DPIA needs and continuous Escalate non-compliance
  • Investigate incidents and potential breaches
  • Respond to internal and customer queries logged through ManageEngine – Privacy Requests section

EXA Legal Team
  • Manage Data Processing Agreements (DPAs)
  • Advise on privacy related legal matters
  • Review and respond to privacy related queries and complaints

EXA Security Team
  • Create and maintain the technical and organisational measures related to data privacy (based on ISO 27001)
  • Conduct information security risk assessments

EXA HR Team
  • Take appropriate measures to manage employees’ personal data
  • Support the data subject access request process

4. Our Procedures

4.1 Fair and Lawful Processing

EXA must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless:

  1. The individual whose details we are processing has consented to this
  2. The processing is necessary to perform a contract with the individual, for example to meet an order placed by the individual
  3. The processing is otherwise in EXA’s legitimate interests and does not unduly compromise the individual's privacy

In most cases, this provision will apply to routine business data processing activities which include implementation of the name and telephone number, email address of a technical contact into a PO, an employee asking a customer for his business card in order to insert the personal data into the CRM system or Microsoft Outlook or deleting personal data from a database.

The Privacy Policy on the EXA website contains notice to third parties on data protection.

This notice:

  1. Sets out the purposes for which we hold personal data
  2. Highlights that our work may require us to give information to third parties
  3. Explains the right of data subjects to the personal data we hold about

It is important to make sure our customers and others we deal with see this notice. If you come across any EXA website which does not show the correct notice, please inform the Data Protection team immediately.

4.2 Sensitive Personal Data

In cases where EXA may process sensitive personal data, we will require the data subject's explicit consent to do so, unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work, or when responding to a properly made lawful access request). Any consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

The only EXA departments that can process sensitive personal data where EXA is the Controller are:

  1. Human Resources (HR)
  2. Finance
  3. ICT Department
  4. Legal
  5. Security
  6. Data Protection team

Any other department that believes that it is necessary to process sensitive personal data must receive the prior approval of the Legal team or the local Data Protection contact.

4.3 Accuracy & Relevance

EXA will ensure that any personal data we process is accurate, adequate, relevant and not excessive given the purpose for which it was obtained, i.e. it should be fit for the purpose for which it is used. Personal data may only be collected about customers or suppliers if there is a business need for the personal data concerned and if the level of information provided is proportionate to this need. For example, customer contact details may be required to process a purchase order but ethnicity details or information that relates to a customer’s religious belief would be excessive in this context. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If the information is inaccurate, you should record the fact that the accuracy of the information is disputed and inform the Data Protection team through the online Helpdesk system.

If a customer or supplier (as distinct from an individual data subject) notifies EXA of a change in the customer’s or supplier’s personnel, EXA staff must update any local contact databases that it maintains. You are therefore required to inform your line manager of any changes in the supplier’s or customer’s personnel so that all local contact databases can be updated to reflect the change.

Individuals in certain countries will have additional rights relating to their data – for example, the right to ask us to delete it from our systems. If you receive this type of request, please refer to the EXA Data Subject Requests Procedure.

Please log any such requests immediately into the Helpdesk portal Security and Privacy Requests – Data Privacy/GDPR Request.

4.4 Processing Data in Accordance with the Individuals Rights

You should abide by any request from an individual not to use their personal data for direct marketing purposes and notify the Marketing team about any request.

Do not send direct marketing material to individuals (as opposed to business contacts) electronically (e.g. via email or SMS), as consent is required for email and SMS marketing communications for consumers (B2C). Note that this is not applicable for business to business (B2B) communications under the ePrivacy Directive. For this reason, it is imperative that all marketing campaigns are managed by the Marketing team.

Please contact the Marketing team for advice on direct marketing

4.5 Your Personal Data

You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please update the relevant information in Workday or inform your line manager and the HR department so that they can update your records.

Please read the Employee Privacy Notice and contact the HR department if you would like to correct or request information that we hold about you.

4.6 Data Security

You must keep personal data secure against loss or misuse. This means you should comply with our security guidelines and policies (especially our Security Policies). A summary of the technical and organisational security measures (TOMs) implemented by EXA are available upon request to the data.

Protection team global.data.protection@exainfra.net. Any changes to the TOMs should be approved by the Security team.

Where other organisations process personal data as a service on our behalf (e.g. payroll or outsourcing companies), the Legal department will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations. Before passing any personal data to a third party, check with the Data Protection team or the Legal department that that third party has been through our processes (DPIA), enabling them to handle such data, and that a written agreement (DPA) is in place with them.

We need to be especially careful with apps and cloud-based services. If you are considering putting data into an application or uploading it into the cloud, please first discuss this with the Data Protection team.

If you need  support with data privacy-related queries, due diligence questionnaires and bid requests, please log your request into the Helpdesk portal and select the appropriate category in the Security and Privacy Requests section.

4.7 Data Protection Impact Assessment

Where a type of processing uses new technologies, and the processing is likely to result in a high risk to the rights and freedoms of natural persons, EXA, in its role of a data controller, shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

For more detail on the initiatives that require a data protection impact assessment and the step-by-step process, refer to the EXA DPIA Process.

4.8 Data Retention

We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, considering the reasons that the personal data was obtained, but should be determined in a manner consistent with MSP03 EXA Retention Policy.

4.9 Transferring Data Internationally

There are restrictions on international transfers of personal data. We may transfer customer personal data outside the EEA, including to the United States of America, for storage purposes. Any transfer of customer personal data outside of the EEA shall be made through transfer mechanisms approved or allowed for under the relevant legislation and we shall take all necessary steps to ensure that there is adequate protection, as required by legislation. You may obtain a copy of the standard data protection clauses which provide for appropriate safeguards from the Legal department.

5. Data Subject Requests

Please note that under the data protection legislation in certain countries, individuals are entitled (subject to certain exceptions) to request access to information held about them. This may include any opinions you and other employees have added to their records.

If you receive a subject access request, right to be forgotten request or any other data subject request, please refer to the EXA Data Subject Requests Process for further clarification and guidance.

Please log any such requests immediately into the Helpdesk portal – Security and Privacy Requests – Data Privacy/GDPR Request.

6. Other Requests & Complaints (Interested Parties)

From time to time, EXA may receive requests from third parties, including government bodies, law enforcement, digital rights owners and individuals asking to move their data elsewhere (technically known as data portability requests). Some of these requests have short time limits and some of these requests have criminal penalties if we tell other people about the request. It is important that you follow EXA’s Lawful Request Guide (which can be found on the Security Management page) immediately if you receive one of these requests. It is important that you do this even if you think the request has been made to the wrong company within EXA or if you think that the request should not have been made to us at all.

Any data privacy requests or complaints received by third parties should be logged immediately into the Helpdesk portal – Security and Privacy Requests – Data Privacy/GDPR Request.

Any support needed with bid questionnaires related to data privacy or customer queries about what types of data is being processed by EXA should be logged in the EXA Helpdesk.

Please always list the services provided to the customer/prospect customer for the Data Protection team to be able to respond accurately to your request.

Should EXA ever need to process customer personal data on customer’s behalf, a Data Processing Agreement (DPA) is necessary. Please note that this is not the case with all services. VPN/Wavelengths/Managed Bandwidth/Ethernet and IP Transit Services do not require a DPA since EXA acts as a telecoms service provider (e.g. in respect of personal data contained in email communications) transmitted on these services and processed for the sole purpose of transmitting these communications. EXA has no access to user-level data and carries out no data processing activities. The customer and its staff, and not EXA, determine the contents of communications and the purposes for which personal data processed within the respective services are used.

A Data Protection Agreement can be provided by the Legal or the Data Protection team.

7. Reporting Breaches

All members of staff have an obligation to report actual or potential data protection failures. This allows us to:

Investigate the failure and take remedial steps if necessary

Report the breach to regulatory authorities or the police where it is advisable to do so

If you suspect a data breach, please refer to EXA Personal Data Breach Procedure for further guidance.

Please report any actual or suspected data privacy breach immediately via the Helpdesk portal Security and Privacy Requests – Data Privacy/GDPR Request.

8. Access to Customers Personal Data

EXA only holds personal data that is relevant to our dealings with a given data subject. That data will be collected, held and processed in accordance with the applicable data protection principles. In cases where EXA acts as a data processor, the EXA client would be the data controller.

Customer personal data that may be recorded, stored, monitored and/or processed includes:

billing contact and account administration personal data

name, address, phone number and/or email address(es)

online identification and authentication data, including video calls services attendance PINs, SIP/IP/MAC address(es), URLs, logs

You can request our Data Processing Agreement and provide it to our customers to sign by submitting a request to legal@exainfra.net .

9. Training

All staff will receive training on data privacy requirements. New hires will receive training as part of the induction process. Further training will be provided at least every year or whenever there is a substantial change in the law or our policies and procedures.

Training is provided online and by the Legal and Security teams as applicable and will cover:

General GDPR awareness training

Presentation-based training, created by the Data Protection team and approved by the Privacy Board, covering corporate-specific elements

Key policies and procedures for reading and acknowledgement Completion of training is compulsory.

10. Consequences of Failing to Comply

EXA takes compliance with this policy very seriously, and failure to comply puts both you and the company at risk.

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal.

If you have any questions or concerns about anything in this policy, do not hesitate to contact the Legal team at legal@exainfra.net or the Data Protection team at global.data.protection@exainfra.net.

11. Definitions

You should be aware of and understand the following definitions that are used in this policy:

Business purposes: The purposes for which personal data may be used by us, e.g. personnel, administrative, financial, regulatory, payroll and business development purposes.

Business purposes include the following:

  1. Compliance with our legal, regulatory and corporate governance obligations and good practice
  2. Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  3. Ensuring business policies are adhered to (such as policies covering email and internet use)
  4. Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  5. Investigating complaints
  6. Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  7. Monitoring staff conduct, disciplinary matters
  8. Marketing our business
  9. Improving services

Personal data: Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts. Personal data we gather may include: individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, CV, ID numbers, location data, online identifiers, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Sensitive personal data: Personal data about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership information, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, physical or mental health or condition, criminal offences, or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy.

Processing: Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, , restriction, erasure or destruction. This includes: implementation of the name, telephone number, email address of the technical contact into the Purchase Order document; asking an employee of a EXA customer for his business card in order to insert Personal Data into the customer relationship management (CRM) system or in the contacts in Microsoft Outlook; and deleting personal data from a database.

Additional data protection terms include:

Biometric Data: Biometric Data has its own definition in GDPR which is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

Data Controller: Any person, partnership or company who determines how and for what purposes personal data is processed. A third party may carry out processing on the controller’s behalf, although the data controller remains responsible for the processing.

Data Processor: A person who processes personal data for a data controller, other than the controller’s employee. Outsourced IT and HR service providers may be processors.

GDPR: General Data Protection Regulation.

Pseudonymization: This is often confused with anonymization, but with pseudonymization, the individual can still be identified – for example at its most basic level changing an employee’s name to an identification number instead and removing all their other personal details could be pseudonymization.

SAR: Subject Access Request. This is a request made by an individual who wants to see a copy of the information an organization holds about them. More specifically, an individual is entitled to the following: to be told whether any personal data is being processed; to be given a description of the personal data, the reasons it is being processed, and, whether it will be given to any other organizations or people; to be given a copy of the information comprising the data; and to be given the details of the source of the data, where this is available. From 25 May 2018, SARs has been governed by Article 12 of GDPR and its subsequent provisions. Under GDPR, responses to a SAR should be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”

12. Enforcement

Any employee found to have violated this process may be subject to disciplinary action, up to and including termination of employment. Violations of system or network security are prohibited and may result in criminal and civil liability. EXA will investigate incidents involving such violations and may involve and will cooperate with law enforcement if a criminal violation is suspected.

Breaches of this or any other security policy should be reported using the corporate security incident management process.

13. Exceptions

Any exceptions to this policy must be registered, approved by senior management and regularly reviewed. Currently, there are no exceptions permitted on this policy.

14. References

  • REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • EXA Employee Privacy Notice Dec 2022
  • EXA DPIA Process
  • EXA Data Subject Request Process
  • Employee Privacy Notice