Skip to main content

Comprehensive Data Protection Policy

1. Definitions

For the purposes of this policy: - "Service" refers to My Skills Journey platform
- "User" refers to any individual with an account on the Service
- "Entry" refers to any content submitted by Users
- "Summary" refers to AI-generated analysis of User entries
- "Usage History" specifically and exclusively refers to:
a) Initial account creation timestamp
b) Login activity timestamps
c) Account deletion timestamp (if applicable)
No other behavioral, tracking, or usage data is collected or retained.

2. Data Controller Information

2.1 Controller Details

  • Legal Entity Name: My Skills Journey
  • Registered Address: Coventry, United Kingdom
  • Country of Registration: United Kingdom
  • Registration Number: -to be advised-
  • Data Protection Contact: [email protected]
  • Technical Support Contact: [email protected]

2.2 Supervisory Authority

Information Commissioner's Office (ICO) - Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF - Website: www.ico.org.uk - Telephone: 0303 123 1113 - International: +44 1625 545 700

3. Legal Basis for Processing

3.1 Contractual Necessity (Article 6(1)(b) GDPR)

  • Processing required to provide the Service: a) Account creation and maintenance b) Entry storage and management c) Summary generation d) User authentication e) Service delivery

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

  • Fraud Prevention and Security: a) Email retention for 3 years post-deletion b) Basic timestamp retention for 3 years post-deletion c) System security maintenance d) Service abuse prevention

3.2.1 Legitimate Interests Assessment

  • Purpose Test:
  • Preventing multiple trial periods
  • Maintaining service integrity
  • Protecting against automated abuse
  • Ensuring fair access
  • Necessity Test:
  • Email retention is minimal required data
  • Timestamp retention limited to essential points
  • 3-year period based on observed abuse patterns
  • No alternative means to achieve purpose
  • Balancing Test:
  • Minimal data retained
  • Limited to technical identifiers
  • No behavioral profiling
  • No sharing with third parties
  • Clear user notification
  • Strong security measures

3.3 Explicit Consent (Article 6(1)(a) GDPR)

  • Optional recruiter matching service
  • Marketing communications (if applicable)
  • Consent withdrawal process automated
  • Separate consent for each purpose
  • Clear consent records maintained

4. Data Collection & Processing

4.1 Personal Data Categories

4.1.1 Essential Data

  • Email address
  • Account creation timestamp
  • Login timestamps
  • Account deletion timestamp (if applicable)

4.1.2 Service Data

  • User-submitted entries
  • AI-generated summaries
  • Profile preferences
  • Consent records

4.1.3 Technical Data

  • Authentication tokens
  • Session identifiers
  • Security logs

4.2 Data Retention Periods

4.2.1 Active Account Data

  • User entries: Duration of account
  • Generated summaries: Duration of account
  • Profile preferences: Duration of account
  • Consent records: Duration of account + 6 years (legal requirement)

4.2.2 Post-Deletion Retention

  • Email address: 3 years from deletion
  • Account creation timestamp: 3 years from deletion
  • Login timestamps: 3 years from deletion
  • Account deletion timestamp: 3 years from deletion
  • All other data: Permanently deleted within 3 days

4.2.3 Backup Retention

  • System backups: 30 days rolling
  • Disaster recovery: 7 days rolling
  • Emergency restoration: Subject to user consent

4.3 Automated Processing

4.3.1 AI Processing Systems

  • Purpose: Skills and behavior analysis
  • Processing operations: a) Text analysis of user entries b) Pattern recognition c) Skill categorization d) Summary generation
  • Safeguards: a) Regular accuracy audits b) Human oversight available c) Right to contest results d) Alternative manual processing available

4.3.2 Matching Systems

  • Purpose: Recruiter-candidate matching
  • Processing operations: a) Skill requirement analysis b) Profile matching c) Anonymization d) Ranking algorithms
  • Limitations: a) Top 10 matches only b) Consenting users only c) No automated decisions d) Human review required

5. Data Subject Rights

5.1 Right of Access (Article 15)

  • Response time: Within 30 days
  • Format: Machine-readable
  • Delivery methods: a) Secure download b) Email attachment c) API access (if applicable)
  • Verification required: a) Account credentials b) Additional ID if necessary

5.2 Right to Rectification (Article 16)

  • Scope: All user-submitted data
  • Process: Self-service or support request
  • Timeline: Immediate for self-service
  • Verification: Account access required

5.3 Right to Erasure (Article 17)

5.3.1 Deletion Process

  • Initiation: Self-service or support request
  • Timeline: 3 days processing
  • Scope: All user data except: a) Email address (3-year retention) b) Essential timestamps (3-year retention) c) Legal compliance records

5.3.2 Retention Justification

  • Legal basis: Legitimate interests
  • Purpose: Fraud prevention
  • Proportionality assessment: a) Minimal data retained b) Limited retention period c) Strict access controls d) Regular necessity review

5.4 Right to Restriction (Article 18)

  • Implementation method: Account status flags
  • Processing pause: Immediate
  • Notification: Automatic email
  • Duration: Until resolution

5.5 Right to Portability (Article 20)

  • Data scope: All user-submitted content
  • Format: JSON/CSV
  • Delivery: Secure download link
  • Timeline: Within 30 days

6. Security Measures

6.1 Technical Security

6.1.1 Encryption

  • In-transit: TLS 1.3
  • At-rest: AES-256
  • Key management: HSM-based
  • Rotation schedule: 90 days

6.1.2 Access Controls

  • Multi-factor authentication
  • Role-based access control
  • Session management
  • Access logging and monitoring

6.1.3 Infrastructure Security

  • Network segregation
  • Firewall configuration
  • Intrusion detection
  • Regular penetration testing

6.2 Organizational Security

6.2.1 Personnel Security

  • Background checks
  • Security training
  • Confidentiality agreements
  • Access reviews

6.2.2 Policy Framework

  • Security policies
  • Incident response procedures
  • Change management
  • Business continuity

7. Breach Management

7.1 Detection

  • Automated monitoring
  • Alert systems
  • Log analysis
  • User reporting

7.2 Response

  • Initial assessment: 24 hours
  • ICO notification: 72 hours if required
  • User notification: Without undue delay
  • Remediation tracking

8. Sub-processors

8.1 Current Sub-processors

[List of current sub-processors with] - Names - Purposes - Locations - Data access levels - Security certifications

8.2 Sub-processor Management

  • Security assessment
  • Contract requirements
  • Monitoring process
  • Change notification

9. International Transfers

9.1 Data Locations

  • Primary storage: UK
  • Backup locations: [Specify]
  • Processing locations: [Specify]

9.2 Transfer Safeguards

  • Standard Contractual Clauses
  • Adequacy decisions
  • Supplementary measures
  • Transfer impact assessments

10. Policy Updates

10.1 Review Process

  • Regular reviews: Every 6 months
  • Impact assessments
  • Stakeholder consultation
  • Version control

10.2 Communication

  • Change notification method
  • Notice period: 30 days
  • Consent requirements
  • Documentation

Effective From: 07 December 2024
Last Updated: 07 December 2024
Version: 1.0
Document Owner: Chief Data Officer
Next Review: 07 December 2024