Data Protection Policy
This Data Protection Policy (this Policy) and any other documents referred to in it set out the basis on which NAVIEN LIMITED (the Company) will process any User Data in the course of the provision of the Service.
The following definitions apply in this Policy. Any terms that are not defined in this Policy shall be interpreted in accordance with relevant legislation, regulations and/or plain English explanations.
Agreement: Terms of Service that stipulate the rights and obligations of the Company and the User in relation to the use of the Service provided by the Company.
App: NAVIEN WiFi SMART TOK Room Controller, which is a mobile application software (to be connected to the Boiler Products) available on the Company’s website for the User to download and install onto their smartphone.
Boiler Products: the boiler products connected to the App via smartphones.
DPA: the Data Protection Act 1998.
Data Protection Officer: the individual described and identified in clause 10.
ID: a combination of letters, characters or numbers supplied by the User in order to identify themselves for the purpose of using the Service and protecting User Data.
Navien Smart Care (the Service): the services to be provided by the Company under the Agreement in connection with the User’s downloading and installing of the App which consists of:
- Smart Remote Control Service: enables the User to remotely control the Boiler Products via the App, and
- Error Notification Service: notifies the User of errors occurring to and state information of the Boiler Products connected to the App.
Passwords: a combination of letters, characters or numbers supplied by the User for the purpose of logging in to access and use the Service and for protecting User Data.
User: the user who uses the Service provided by the Company under the Agreement.
User Pay Service: any service as part of and/or in addition to the Service which the Company may introduce from time to time for a fee payable by the User to the Company.
User Data: personal information, including financial information, provided by the User to the Company in the course of using the Service and personal information of the User collected by the Company in the course of the provision of the Service. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behavior.
Processing: any activity that involves use of User Data. It includes obtaining, recording or holding User Data, or carrying out any operation or set of operations on User Data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
3 Data Protection Principles
The Company shall comply with the eight enforceable principles of good practice as follows:
- Processing fairly and lawfully.
- Processing for limited purposes and in an appropriate way.
- Adequate, relevant and not excessive for the purpose.
- Not kept longer than necessary for the purpose.
- Processing in line with data subjects’ rights.
- Not transferred to people or organisations situated in countries without adequate protection.
4 Processing of Customer Data
4.1 The Company may collect and process User Data in the course of the provision of the Service and User Pay Service for the purpose of conducting the following activities:
- Provision of Smart Remote Control Service.
- Provision of Error Notification Service.
- Analysing the patterns of the User in relation to the App, Boiler Products, or any other relevant products or services provided by the Company from time to time for the purpose of improving the quality of such products and services.
- Conducting surveys of the User in connection with any products or services provided by the Company.
4.2 User Data that may be collected and processed by the Company includes, but is not limited to:
- Landline or mobile number
- E-mail address
- ID & Password
- Information about any operational aspects of the App and/or the Boiler Products connected to the App
- Information about any errors occurring to the App and/or the Boiler Products connected to the App
4.3 Non-provision of User Data as defined in clauses 2 and 4.2 by the User may restrict access to and use of the Service wholly or partly.
4.4 The Company may outsource the processing of User Data to third parties with the User’s consent for the purpose of the provision of the Service subject to certain legal safeguards specified in the Data Protection Act 1998 (the DPA) and any other relevant legislation and regulations. The User may consent by ticking a box contained in this Policy displayed as part of the registration stage of the App.
5 User Data: processing period
The Company may process User Data for a period of up to 3 years immediately after the cancellation or termination of the Service by either the Company or the User. The Company will endeavor to delete the data immediately, but where this is not possible in certain cases, the data is stored and archived until such time as it can be expunged.
6 User Data: provision to third parties
6.1 Subject to clause 4.4, the Company shall not provide User Data to third parties.
6.2 Notwithstanding clause 6.1, the Company may provide User Data to third parties with the User’s consent where relevant regulations require it to do so. The User’s consent may be obtained in the manner specified in clause 4.4.
7 User rights and obligations
7.1 The Company will process all User Data in line with the User’s rights, in particular their right to:
- Request access to any data held about them by the Company.
- Prevent the processing of their data for direct-marketing purposes.
- Ask to have inaccurate data amended.
- Prevent processing that is likely to cause damage or distress to themselves or anyone else.
7.2 The User may make subject access requests to the Company for User Data held about them. Any such request must be made in writing to the Data Protection Officer (see clause 10), which shall be processed by the Company within a reasonable period of time.
7.3 Where the User makes a request as specified in clauses 7.1 and 7.2, the Company shall suspend processing User Data until and unless processing such a request is complete as far as reasonably practicable.
7.4 Any request specified in clauses 7.1 and 7.2 may be made via the legal representative of the User or any other person who has the User’s authority to make any such request, which must be in writing to the Data Protection Officer (see clause 10).
8 Destruction of User Data
Where User Data are not required for the purpose of the provision of relevant services or products provided by the Company, subject to clause 5, the Company shall use reasonable endeavours to destroy User Data in the following manner immediately after the cancellation or termination of the Service howsoever arising:
- User Data shall be transferred to the Company’s designated database, stored for a reasonable period of time, or destroyed immediately. The Company shall process User Data transferred to the database, subject to the DPA and any other relevant legislation and regulations.
- The Company shall destroy User Data within 5 working days immediately after the expiry of the processing period as specified in clause 5, or the date on which the Company determines that User Data may not be required due to the cancellation or termination of the Service howsoever arising.
- Any electronic data shall be destroyed by way of technical means that prevent the restoration of such destroyed data and any other data in non-electronic formats shall be destroyed by way of shredding or incinerating.
9 Data Security
The Company will take appropriate and proportionate security measures against unlawful or unauthorized processing of User Data, and against the accidental loss of, or damage to, User Data. The Company shall have in place procedures and technologies to maintain the security of all User Data from the point of collection to the point of destruction as follows:
- Provision of training to a designated Data Protection Officer.
- Undertaking quarterly internal audits.
- Periodically reviewing and updating this Policy and ensuring compliance with it.
- Encryption of User Data.
- Installing, running, and maintaining firewall programmes in a secure location.
- Limiting access to User Data to a designated Data Protection Officer and any other authorised personnel via the Company’s access prevention system.
- Keeping accurate records of logging-in to the Company’s system in relation to this Policy for a minimum period of 6 months using a secure function.
- Storing documents, USBs, or any other electronic and non-electronic materials that contain User Data in a secure location with a locking mechanism.
10 Data Protection Officer
The Data Protection Officer is responsible for ensuring compliance with the DPA and this Policy and dealing with complaints or suggestions from the User. Any questions about the operation of this Policy or any concerns that this Policy has not been followed should be referred in the first instance to the Data Protection Officer. The post is held by:
Name: Jang-Won Kim
Department: Information Management Team
Telephone: +82 2 3489 2280
Email address: firstname.lastname@example.org
11 Changes to this Policy
The Company reserves the right to change this Policy at any time as required by any relevant legislation, regulations, or its Policy. The Company will notify the User of those changes no later than 7 working days prior to the changes taking effect by way of announcements displayed on the Company’s website (www.navien.co.uk) or by emails or SMS.