
GDPR Questionnaire

Date:
Department:

Note: After filling out the entire questionnaire, please forward it to the email address
dataprivacy@swivelsecue.com. Completion of the questionnaire is mandatory; there will be no
exceptions.

1) Explain how GDPR applies to Swivel Secure.


GDPR applies to any personal data held by the company which can be used to identify an individual EU or UK citizen. I would
understand that to include:

• Personal data held on members of staff
• Personal data held on individual staff within customer or potential customer companies. This could include:
    o Sales contact information for existing customers
    o Contact information for potential customers
    o Data received from customers by support in order to troubleshoot problems
• Personal data held on individual staff or resellers and distributors
• Personal data held on individual staff of suppliers
• It is not clear whether personal data held on staff of customers who use our cloud services is the
  responsibility of Swivel Secure, Amazon Web Services or the company to whom the server is leased.

2) According to Article 35(1), is Swivel Secure obligated to conduct DPIAs (Data Protection Impact
Assessments)? Explain.

The requirement is that we must carry out a DPIA where processing “is likely to result in a high risk to
the rights and freedoms of individuals”. I cannot conceive of a situation where this might occur given the
nature of our company, but it is nonetheless a legal obligation.

3) How does the company protect personal data, and how can you cooperate with the company in
preventing a possible security breach?

Access to all systems which contain personal data is protected by username and password, and
multi-factor or strong additional authentication where possible. Members of staff should not reveal these
credentials to anyone outside the company, and should inform management and/or change the credentials
whenever they suspect credentials may have been compromised.

4) Under Articles 13 and 14 of the GDPR, what can an individual request under what is called
"Privacy information"?

a) ( ) The individual can only exercise the rights to be informed and to rectify.

b) ( X ) The individual can exercise the rights to be informed, to object, to forget, to rectify, to
access, and to portability.

c) ( ) None of the alternatives.

d) ( ) The individual can request access to all the rights mentioned in Article 13 and 14, except in
relation to automated decision making and profiling.

5) Who is our "Data Controller" and our "Data Processor"?

The Data Controller is the company, Swivel Secure Ltd or Swivel Secure Europe.
The Data Processor is any member of staff who handles that data, or any third party who we contract to
handle that data.

6) Describe, in simple terms, what we could characterize as "Personal Data". (Personal question)

Typical examples of personal data include:

• Personal name
• Personal email address (it is not clear whether company email address is also covered)
• Personal phone number
• National Insurance number

7) In the solutions/products presented by Swivel Secure, please mention which ones use special
personal data:

AuthControl Sentry is capable of extracting personal data from systems maintained by the customer. It is the choice of the
customer which data is collected. There is no requirement to collect special personal data except as stated below.
The only special personal data which is explicitly collected is through the biometric options of AuthControl Desktop, where
fingerprint and/or palm print data can be used to authenticate a user if the customer chooses to use it.
The latest mobile apps are capable of using biometric data to identify a user, but that is only used to confirm the identity of a
user of the device and does not require access to the biometric data directly.

Private and Confidential