General Data Protection Regulation (for EU residents)
Last updated: May 10, 2018
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). While the GDPR was developed with a focus on Social Networks, companies like CounterPath that market goods or services to EU residents whose personal data is collected are subject to the regulation.
Under the GDPR, personal data is defined as: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The operational data we collect as it relates to our software and services is stored in order to: 1) to fulfil our contractual obligations to our customers and/or 2) is necessary for the use of services. Namely, we collect the data necessary to be able to provision the user account to be operational, and to ensure compliance within the terms of our licensing and contracts. We retain data as long as required, either by our contractual obligations to our customers, or by regulation. CounterPath makes use of encryption to protect the transmission and storage of data. Access to data within CounterPath is strictly controlled and limited to those that need access to perform their duties. CounterPath does not share this data with any party that is not part of the contractual obligation. A company may contract with CounterPath to purchase a softphone solution, and they in turn may provide the softphone solution to their customers. In this case, some operational data would be supplied by, and shared with, the company that is contracting for the service.
Wherever possible, CounterPath anonymizes the data it collects. CounterPath processes data as it relates to the use of our client and server software for operational and contractual compliance reasons, and this data is not mixed with our marketing systems. Our marketing systems are operated separately from our operational databases, and use an explicitly separate method of data collection. We expressly ask all users to opt into our marketing programs, and they may opt out our marketing programs at any time through an unsubscribe system. We do store data on servers outside of the EU with countries recognized by the EU under Article 45 of Regulation (EU) 2016/679 as providing adequate data protection.
For any user that wishes to see what information CounterPath has collected about them in the course of using our website, software or services, they can contact us at firstname.lastname@example.org. You can request the following information:
• Identity and the contact details of the person or organisation that has determined how and why to process your data is processed.
• Contact details of the data protection officer, where applicable.
• The purpose of the processing as well as the legal basis for processing.
• If the processing is based on the legitimate interests of CounterPath or a third party, information about those interests.
• The categories of personal data collected, stored and processed.
• Recipient(s) or categories of recipients that the data is/will be disclosed to.
• If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
• How long the data will be stored.
• Details of your rights to correct, erase, restrict or object to such processing.
• Information about your right to withdraw consent at any time.
• How to lodge a complaint with the supervisory authority.
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
• The source of personal data if it wasn’t collected directly from you.
In order to access this information, we will require scans of two of the following forms of ID: Passport, driving licence, birth certificate, utility bill (from last 3 months). In order to determine what information that we have recorded about the individual, we also require a means to identify the individual, such as your email address or account IDid. CounterPath will validate the identity of the requester and the validity of the request , and supply the information in a reasonable timeframe (currently less than 30 days from receipt). Users then may request that specific information be removed or updated. Some of the data is stored in encrypted formats that by design even CounterPath cannot read, and will be provided in this encrypted manner. CounterPath will make the changes within a reasonable period of time within compliance with the directive (currently less than 30 days from receipt), unless the data is covered by one of the five lawful grounds for processing data, namely Contractual Obligation, Compliance with a Legal Obligation, Vital Interests, a Public Task, or Legitimate Interests.
For any organization that that wishes to update or remove any of their user’s information that CounterPath has collected about their users in the course of using our software, they can make a request via the Technical Assistance Center. In order to determine what information we have recorded about the individual, we do require a means to identify the individual, such as their email address or account idID. CounterPath will validate the identity of the requester and the validity of the request, and supply the information in a reasonable timeframe (currently less than 30 days from receipt). Organizations then may request that specific information be removed or updated. Some of the data is stored in encrypted formats that by design even CounterPath cannot read, and will be provided in this encrypted manner. CounterPath will make the changes within a reasonable period of time within compliance with the directive (currently less than 30 days from receipt), unless the data is covered by one of the five lawful grounds for processing data, namely Contractual Obligation, Compliance with a Legal Obligation, Vital Interests, a Public Task, or Legitimate Interests.
In all cases, CounterPath will respond to the requester within 30 days of each requests. Once data is removed, it cannot be restored.
Our website is directed to individuals who are the age of majority or older in their jurisdiction. We do not knowingly collect information from children under the age of 13. If you believe your child has provided information to this website, please contact using the information provided below.
In the case of a bBreach as defined by the GDPR, CounterPath will report any breaches within 72 hours as required by the GDPR to relevant authorities and affected identifiable entities. To reach CounterPath’s Privacy Officer/GDPR Owner, please contact the following:
300-505 Burrard St.
Vancouver. BC, V7X1M3 Canada