Applicable is committed to information security and to demonstrate this have achieved certification in or are registered to the following standards:
Applicable achieved initial registration to this standard in 2014 in recognition of the commitment to our global standards concerning security best practice. We have undergone many continual assessments on our activities around the world and two recertifications, the latest being in March 2020. We ensure our scope covers everything we do and everywhere we do it. ISO/IEC 27001:2013 is an internationally recognized best practice framework for an information security management system which is essential for our own practices, our partners, and our customers. Our latest certificate can be found here.
Following the EU Central Court of Justice ruling of 16th July 2020 which invalidated the Privacy Shield program as an adequate transfer mechanism for moving personal data from the EU to the US Applicable have implemented the same mechanism of utilisation of Standard Contractual Clauses which it operates for its other operational locations.
Applicable is a member of CiSP which is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (EU GDPR) (Regulation (EU) 2016/679) effective 25 May 2018 and following Brexit (effective 1st January 2021) the UK General Data Protection Regulation (UK GDPR). The GDPR (EU and UK) impacts every organisation which controls or processes personally identifiable information (Pii). It has responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the Data Protection Act 1998 (DPA) which the GDPR (EU) and its UK variation superseded.
Applicable has always been and remain committed to the highest standards of information security and privacy taking matters of security and privacy seriously. We place a priority on protecting and managing all Pii in accordance with data protection legislation in all the geographies in which we operate and also that required by our contractual obligations with Customers and Data Controllers. We have integrated the GDPR (EU and UK) requirements and necessary approaches in to Applicable’s existing information security framework as policy. The existing security controls adopted at Applicable are further expanded based upon ISO/IEC 27701:2-19 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. This approach ensures that specific privacy risk assessments and management controls are included in the overall technical and organisation measures and controls to deliver privacy by design and default, and to satisfy providing a rigorous approach to GDPR (EU/UK). Contractual arrangements with customers, contractors and suppliers reflect privacy legislation. Privacy policies and notices are published on the Applicable website with comprehensive supporting policies, procedures, and processes in place to ensure Applicable comply with the GDPR (EU/UK).
UK Data Protection Officer
The Data Protection Officer (DPO) contact for Applicable Ltd. In the UK is Iain McIvor, Head of Information Security and Privacy. A dedicated email address for contact for data protection matters has been set up firstname.lastname@example.org.
ICO Certificate of Registration
EEA Data Protection Officer
The Data Protection Officer (DPO) contact for Applicable Ltd. in the EEA is an organisation called DataRep. A dedicated email address for contact for data protection matters has been set up email@example.com.
“Personal Information” or “Information” means information that is (1) accessed, processed or transferred outside the UK / EU as part of the delivery and support of Applicable’s services (this relates to the Applicable office and home based staff in the United States of America and Australia and datacentre locations in the UK, USA and Singapore); (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.
Applicable were a party and participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield until the EU Central Court ruling of the 16th July 2020. Following this ruling Applicable has withdrawn from the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States with reliance now upon the use of standard / model clauses for international transfer.
Personal Data Collected
Applicable has installed policies and procedures to ensure that it adheres to the General Data Protection Regulation (European Union / United Kingdom) as part of its broader information security management system. This includes provision to involve an independent third party to resolve privacy disputes when necessary.
Disclosure to Law Enforcement
Applicable may only disclose Personal Data when required to do so where required by law, or at our sole discretion, where we deem it necessary to protect the safety of any individual, the general public, or to prevent violation of the rights of Applicable or any third party.
Change of Ownership
In the event of change in ownership, or a direct merger or acquisition with another entity, we reserve the right to transfer all of Applicable information, including Personal Data, to a separate entity. Applicable would use commercially reasonable efforts to notify of any change of ownership; merger or acquisition by a third party. Modifications required would be addressed at that time.
When supplied with information by its clients or gathering information internally agree and conform the purpose for which that personal information was collected; how it may be accessed or processed; and agree the Applicable locations where this may be stored or accessed from.
- Applicable are not supplied or do not intentionally collect information from under 13s.
- Applicable does not take or process online payments
- Applicable does not sell or rent any personally identifiable information to third parties.
- Applicable retains information only in line with data protection and legal retention guidelines and defined within the Applicable Retention Policy.
Applicable offer and honour all the data subject right principles under the GDPR (EU/UK).
Applicable shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Applicable has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction verified under its ISO27001:2013 registration. Applicable cannot guarantee the security of Information on or transmitted via the unsecured Internet.
Applicable shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized. To the extent necessary for those purposes, Applicable shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.
In line with data subject rights under the GDPR (EU/UK) and upon request, Applicable will grant individuals reasonable access to personal information that it holds about them. In addition, Applicable will take reasonable steps to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
Elsewhere on the Applicable website Privacy Notices are published.
Any questions or concerns regarding the use or disclosure of personal information should be directed to Applicable at the address given below. Applicable will investigate and attempt to resolve complaints and disputes regarding use and disclosure or personal information in accordance with the principles contained in this Policy.
Any data subject has the right to raise their concerns to about our use of your information, we would prefer you to raise it with us in the first instance to give us the opportunity to put it right, in the UK you as escalation you can contact the Information Commissioner’s Office via their website at www.ico.org.uk/concerns or write to them at:
Information Commissioner’s Office
In the EU, as escalation you can contact the Autoriteit Persoonsgegevens (formerly known as the College Bescherming Persoonsgegevens) via their website at https://autoriteitpersoonsgegevens.nl/en or write to them at:
PO Box 93374
2509 AJ Den Haag
3130 Great Western Court
Following the UKs exit from the European Union, as of the 1st January 2021 we are required to provide a Data Protection Representative within the EEA allowing data subjects to raise matters directly to this representative for the purposes of the EU GDPR. Applicable have appointed DataRep to undertake this role on our behalf and they can be contacted by email at firstname.lastname@example.org.