INTRODUCTION AND SCOPE
Mobile Tornado Group plc (“MTG”, “we”, “us” or “our”) recognises that the privacy of the personal information that our clients provide to us is critically important. We take the privacy and security of personal information very seriously. We are committed to complying with our legal obligations under the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“UK Data Protection Laws”) and other data protection laws around the world.
WHO ARE MOBILE TORNADO GROUP PLC
Mobile Tornado Group plc is a company, registered in England and Wales under No. 05136300, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. MTG’s shares are traded on the Alternative Investment Market (AIM) of the London Stock Exchange. Substantial shareholders in MTG currently include Intechnology plc. MTG has been trading since 2005.
The business of MTG is the development and supply to our clients of Push To Talk over Cellular and Wi-Fi products and services. Our technology enables our clients to offer Push To Talk, Push To Message, Push To Alert and Push To Locate services to their userbases (altogether “PTT Services”). These technologies facilitate two-way communication between users. Push To Talk, for example, allows users to exchange real time voice messages between mobile phones and/or personal computers. Push To Message, for example, allows users to message individuals in their contact list one-on-one, or broadcast to a larger group of contacts (one-to-many).
Our PTT Services are delivered via an internet protocol radio service (IPRS) platform (“IPRS Platform”). The key elements of the IPRS Platform include a PTT server (which controls the delivery of our PTT Services), load balancers and firewalls, together with various layers of software and client side applications. The IPRS Platform is connected to third party cellular networks via standard Gateway GPRS Support Nodes (GGSNs). Our clients are public and private sector organisations and service providers (such as mobile phone operators who offer PTT Services), rather than individuals. MTG is registered with the Information Commissioner’s Office under Registration No. ZA800391. MTG operates a website, which provides more information about who we are and what we do, which can be viewed at https://www.mobiletornado.com (“the Website” or “our Website”).
There are three ways to contact MTG to discuss any data protection issues you may have:
The Data Protection Officer
Mobile Tornado Group plc
Cardale House Cardale Court
Beckwith Head Road
Harrogate, HG3 1RY
+44 (0)1423511900 and ask for the data protection officer.
WHO IS RESPONSIBLE FOR THE MANAGEMENT OF DATA PROTECTION AT MTG
We have appointed Marcus Emptage as the Data Protection Officer for MTG. The Data Protection Officer is responsible for managing data protection at MTG and ensuring that we comply with our legal obligations relating to personal information. The Data Protection Officer can be contacted using the contact details given in section 3 above.
WHAT TYPES OF PERSONAL DATA DOES MTG PROCESS?
Under data protection laws, personal data is any information relating to an individual from which that person can be identified. It does not include data from which the identity of an individual cannot be identified (which is anonymous data).
THE PERSONAL DATA MTG PROCESSES RELATING TO USERS OF OUR PTT SERVICES
How our clients use our PTT Services determines what types of personal data MTG itself processes. Some of our clients procure their own PTT server and manage it themselves, via a private or public network, whilst other of our clients access, over the internet, a PTT server owned and operated by MTG on a Software as a Service (SaaS) model.
Where our clients use an MTG server on an SaaS model then certain types of personal data about end users of our PTT Services may be stored in a database that sits on the MTG server. End users (“Subscribers”) are mobile users, who either use a client app on their smart phones or use a rugged/dedicated device or a computer. Such personal data may for the Push To Talk product typically include the following:
- Usernames and passwords for organization managers that subscribe to our PTT Services
- Contact details of the organisation managers (email, phone, address)
- Names, phone numbers, user names, passwords and nicknames of Subscribers
- Call logs of Subscribers (time & duration of PTT call, call initiator, call participants list, clients’ IP address)
- The type of device that Subscribers are using
- The time of the last sign-in of a Subscriber
The types of personal data, listed above, are relevant to the provision of the PTT Services and are used by organisations or Subscribers to better manage their operations. For any particular MTG client, the types of personal data processed and stored on our IPRS Platform are determined by that client and not by MTG. Our clients have full control over how much personal data will be kept on the IPRS Platform and have the option not to provide any data that personally identifies any particular Subscriber. For example, the full name and display name of a Subscriber is a field that can be filled with any data and is not verified or checked by MTG. Similarly, the phone number of a Subscriber can be replaced with an artificial identifier which is defined by the client. Location tracking can be turned off by the client or generally by an individual Subscriber: where that is the case the location coordinates are not transmitted from the PTT application to the PTT server. Similarly, the client can disable the ability to raise alarms for particular Subscribers. MTG can generally access call initiator and call participants data.
Under UK Data Protection Laws sensitive personal data is information relating to someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. None of the types of personal data listed above (and which are typically collected by our clients) will constitute sensitive personal data, with the possible exception of certain Subscriber names and addresses. However, as noted above, Subscriber personal identifiers, such as names and addresses, are optional and their collection is solely dictated by the client.
MTG does not record the voice traffic processed by the IPRS Platform. MTG personnel have no way to retrieve the content of Subscriber discussions conducted over the IPRS Platform. Our clients typically appoint a controller/despatcher to manage the Subscribers in their organization. They do this via a despatch console installed in a Windows environment on a PC typically located at the client’s premises. The despatch console communicates with the IPRS Platform over the Internet. Voice recording is a feature that can be enabled on the despatch console and is automatically enabled during a Push To Alert event (see further below). Through the despatch console, a controller/despatcher can record, retrieve and playback audio communications made by Subscribers. The recordings are stored only locally on the computer on which the despatch console is running. The despatch console is capable of:
- Searching and retrieving recorded sessions based on user groups, dates and time of calls
- Displaying call details (session name, call type, start/end time)
- Locating specific voice-bursts or listening to entire session in sequential mode
- Saving recorded PTT comms to the client’s local storage in .wav format
An important feature of MTG’s IPRS Platform is the Push To Alert functionality. This allows Subscribers at risk to send a notification from their devices to control rooms, despatchers and dedicated groups, by pressing an SOS button. Whenever the dedicated SOS button is clicked, a notification is sent to the relevant PTT server (which notification MTG can access) and from there it is forwarded to the control rooms or emergency groups of the relevant client. All steps in delivery, approval, and treatment are monitored and recorded for later debriefing. Once the emergency alert notification is received by the IPRS Platform then a number of processes are automatically triggered:
- The despatch consoles receive up-to-date location information
- Ambient listening is turned on upon despatcher’s request
- The voice recording system turns on automatically
- The system logs the entire emergency session
- The despatcher traces the event until closure
- All interested parties are alerted in real-time
A further important feature of our IPRS Platform is the Push To Locate functionality. This allows for the tracking of individual Subscribers who carry a GPS-enabled device. MTG software installed on the GPS-enabled device automatically attempts to derive its location at pre-defined update intervals. Controllers/despatchers can also request a location update, set and track geo-fencing events, and initiate location based group calls. The precise details of how the Push To Alert function operates for any of our clients are determined by the relevant client. In many instances MTG personnel will be able to ascertain where a given Subscriber is.
Where our clients use their own PTT server (and in effect only license software from MTG) then MTG will generally not itself process any Subscriber personal data during the ordinary operation of the IPRS Platform. When such clients require us to access their own PTT server to inspect its operation, maintain it, rectify faults, deal with reported user issues or to update or alter the software on it, then such clients are responsible for providing us with a secure connection to their server, which restricts our service engineer access to client Subscriber personal data. When a client uses their own PTT server they are responsible for backing up any Subscriber personal data stored on it.
MTG’S ROLE IN RELATION TO SUBSCRIBER PERSONAL DATA PROCESSED ON OUR IPRS PLATFORM
Our clients are for the purposes of UK Data Protection Laws, data controllers in relation to Subscriber personal data handled by our IPRS Platform because they determine the purposes for which and the means by which such Subscriber personal data is processed. Further information about how our clients manage such Subscriber personal data and their policies in relation to it will typically be available on our client’s websites, intranet sites or from their own data protection personnel.
MTG is the data processor in relation to Subscriber personal data processed on our IPRS Platform as we process that Subscriber personal data on behalf of our clients. Our obligations in relation to such personal data are set out in section 8 below.
MTG’S RESPONSIBILITIES IN RELATION TO SUBSCRIBER PERSONAL DATA
As noted in section 7 above, MTG are a data processor in relation to Subscriber personal data that we process on the IPRS Platform. In relation to Subscriber personal data MTG has a number of legal obligations, which are set out below together with brief details of how we comply with them:
- To only process personal data in accordance with instructions from the data controller, which in all cases will be our client. We comply with this as the client’s managers and controllers/despatchers set up how the IPRS System manages personal data and we merely ensure that the system performs in accordance with those instructions.
- To enter into binding processor contracts with the data controllers (our clients). The GDPR sets out minimum terms which a controller must impose on its processor by contract. We either have in place such contracts or are in the process of amending relevant contracts so that they contain fully compliant provisions.
- Not to engage a sub-processor without the controller’s prior specific or general written authorisation. The identity of any sub-processors we use is confirmed and agreed either specifically or in general terms with our clients prior to their appointment.
- To implement appropriate technical and organisational measures to ensure the security of personal data. How we comply with this obligation is set out in section 21 below.
- To notify the relevant data controller (our client) of personal data breaches without undue delay. We would do this as soon as we were aware of any data breach. We would notify our key client contact in the first instance.
- To notify the relevant data controller (our client) immediately if any of their instructions would lead to a breach of the GDPR or local data protection laws. This oversight is managed by our data protection officer, whose details are set out in sections 3 & 4 above.
- To comply with GDPR/DPA accountability obligations, including maintaining records and appointing a data protection officer. Details of our data protection officer are set out in sections 3 & 4 above. Our data protection officer manages our accountability and record keeping obligations in accordance with the GDPR.
- Ensure that any transfer outside the EEA is authorised by the controller and complies with the GDPR transfer provisions.
OUR CLIENT’S RESPONSIBILITIES IN RELATION TO SUBSCRIBER PERSONAL DATA
Our clients, as data controllers in relation to the personal data of their Subscribers, are responsible for, amongst other things, the following:
- Ensuring that their processing of Subscriber personal data is in compliance with the six data protection principles set out in the GDPR.
- Ensuring that individual Subscribers can exercise their rights regarding their personal data, including the rights of access, rectification, erasure, restriction, data portability, objection and those related to automated decision-making.
- Implementing appropriate technical and organisational security measures to ensure the security of personal data.
- Notifying personal data breaches to the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
- Complying with certain accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer.
- Ensuring compliance with the GDPR’s restrictions on transfers of personal data outside the EU.
- Co-operating with supervisory authorities: they must cooperate with supervisory authorities (such as the ICO) and help them perform their duties.
- In particular it is the responsibility of our clients to ensure that their Subscribers, controllers/despatchers and organisation managers do not misuse any personal data collected during their use of our IPRS Platform.
WHO HAS ACCESS TO SUBSCRIBER PERSONAL DATA HELD ON OUR IPRS PLATFORM
On the client side, there are potentially two types of person who may have access to Subscriber personal data: controllers (despatchers) and organisation managers.
Controllers/Despatchers – their role is to manage the Subscribers in their organisation via a despatch console installed on Windows/PC station. The access they have to Subscriber personal data is determined by the client and not by MTG.
Organisation managers – Their role is to manage the Controllers/Despatchers and/or Subscribers in their organisation. They control access to the IPRS Platform for Subscribers in their organisation. The access they have to Subscriber personal data is determined by the client and not by MTG.
In addition MTG’s customer care engineers may have access to Subscriber personal data. MTG’s customer care engineers typically access the IPRS Platform remotely using a secure connection. They maintain the IPRS Platform and ensure that it is working properly and provide assistance to Subscribers with problems. There are two levels of engineers: lower level engineers only have access to run time logs, while senior level engineers may access the Subscriber database but only for troubleshooting purposes.
WHO HAS ACCESS TO SUBSCRIBER PERSONAL DATA HELD ON OUR IPRS PLATFORM
MTG holds and processes personal data relating to individuals who work for or represent our current and prospective clients or who are, work for or represent suppliers to MTG (altogether “MTG Contacts”). MTG Contacts tend to be our principal or historic points of contact with an organisation, client administrative & technical personnel, organisation managers and controllers/despatchers and those involved in the supervision and/or provision of our PTT Services and the software and hardware that are used to run them.
That personal data includes all or at least some of the following items:
- First name, surname, title, work address and post code, work email address, work and mobile contact telephone number
- Information about marketing preferences
- Information about our interactions with them
This data will not generally be regarded as sensitive personal data, with the possible exception of certain names and addresses. In order to improve the Website, we may also collect anonymous data about how users navigate through and use the Website. We do not collect or process personal data about children.
UPDATING OR CHANGING MTG CONTACTS PERSONAL DATA
If you are or believe that you may be an MTG Contact then please do help us to keep your personal data up to date by notifying us of any changes relating to for example your name, work address or marketing preferences. You can update any information MTG holds about you by contacting your usual contact at MTG or by contacting the data protection officer, whose details are in sections 3 & 4 above. They will be delighted to help you.
HOW DOES MTG COLLECT MTG CONTACTS PERSONAL DATA?
We collect personal data about MTG Contacts when we engage with existing and prospective clients and suppliers. This can be during marketing activities, when a contract to provide PTT Services is concluded or in connection with the provision of the PTT Services. The personal data can be collected in meetings, via our Website, during phone or video calls or during the client set up/registration process to use our PTT Services.
HOW DOES MTG COLLECT MTG CONTACTS PERSONAL DATA?
We will use MTG Contacts personal data in the following ways:
- To fulfil our contractual obligations to our clients in relation to the provision of PTT Services.
- To deal with any technical or Subscriber issues that arise on our IPRS Platform.
- To manage the administrative aspects of our contracts with clients and suppliers including billing, software and hardware updates and support.
- To comply with any legal obligations upon us.
WHAT IS THE LEGAL BASIS ON WHICH MTG PROCESSES MTG CONTACTS PERSONAL DATA
UK Data Protection Laws provide that a data controller can only lawfully process personal data if it satisfies at least one of up to six possible legally defined grounds or bases for doing so, which are set out in the GDPR. We set out below the bases that MTG relies on in relation to its processing of MTG Contacts personal data.
The legally defined reasons MTG relies on are as follows:
The MTG Contact has consented to our processing his or her personal data
MTG can collect and process MTG Contact personal data with the consent of the contact. This will be the case if the contact has provided his or her personal data to us during the course of dealing with us either as a contact of a client, prospective client or supplier. MTG relies on this ground to carry out administrative, support and billing functions to our clients and suppliers.
MTG’s Contractual Obligations
MTG may process MTG Contact personal data to comply with and perform our contractual obligations under a contract or potential contract with a client or supplier. We rely on this basis to carry out administrative, support and billing functions to our clients and suppliers.
MTG may process personal data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact on the rights, freedoms and interests of individuals. We have a legitimate interest in carrying out marketing activities in order to offer our current and prospective clients and targets new and improved PTT Services that we think might be of interest to them. We rely on this ground in relation to our marketing activities.
As MTG is not a data controller but only a data processor in relation to Subscriber personal data, MTG does not need to satisfy at least one of the six permissible grounds in relation to Subscriber personal data but its clients have to.
If you are a contact of an existing client, or a prospective client who has shown an interest in our products or services, we may contact you by post and by telephone with marketing material and information about our PTT Services. We may also email such contacts to promote our PTT Services, unless, when the contact first provided their details to us or subsequently, the contact indicated that they didn’t want to receive or no longer want to receive such marketing email messages from us. In addition, all our promotional emails contain an opt out option, which can be used to tell us to stop sending marketing emails. We regularly check (or ensure third parties appointed by us to run certain of our business services regularly check) our MTG Contact databases against lists maintained by the Telephone Preference Service (https://www.tpsonline.org.uk/tps) and the Mail Preference Service (https://www.mpsonline.org.uk) to ensure that we don’t call or post items to MTG Contacts who have registered with these services not to receive marketing calls or mailings.
CHANGING YOUR MARKETING PREFERENCES
You can tell us at any time to stop marketing to you by using any of the methods set out in section 3 above or by submitting a request to firstname.lastname@example.org. Each time you receive a marketing email from MTG, you will be given the opportunity to opt-out of receiving further marketing emails or texts. We will try to implement any change to your marketing preferences as soon as reasonably possible.
WHO DO WE SHARE PERSONAL DATA WITH?
MTG does not share Subscriber personal data with any other entity except where lawfully requested by the relevant data controller (our client). We do not share MTG Contact personal data with any third party.
WHAT ARE YOUR LEGAL RIGHTS IN RELATION TO YOUR PERSONAL DATA?
Individuals (“Data Subjects”) have a number of legal rights in relation to the personal data we hold about them. These include:
- The right to obtain a copy of any personal data about the Data Subject which we hold at any time and to obtain certain information about how we process that data. This is called a Subject Access Request and Data Subjects can submit such a request by contacting the data protection officer: see sections 3 & 4 above.
- The right to request that any inaccurate or incomplete personal data that we hold about the Data Subject is corrected. The Data Subject can update their personal data by contacting the data protection officer: see sections 3 & 4 above.
- In certain circumstances, the right to request that we erase or restrict our processing of personal data that we hold about the Data Subject.
- The right to request the transfer of their personal data to the Data Subject or to a third party nominated by them.
- The right to request that we stop using their personal data for direct marketing or for purposes based on legitimate interests. A Data Subject can tell us at any time to stop marketing to them by using any of the methods set out in section 3 above or by e-mailing email@example.com.
- The right to require us to stop processing their personal data where the Data Subject contests the accuracy of the information we hold about them.
- Where our processing of the Data Subject’s data is based on their consent, the right to withdraw their consent at any time so that we then stop processing their personal data based on that consent.
- The right to have any decision, made solely on the basis of automatic processing of the Data Subject’s personal data, reviewed by a human being, express their point of view on the decision, obtain an explanation of the decision and challenge it.
- The right to compensation in certain circumstances where we breach the Data Subject’s rights relating to any information in a way that causes the Data Subject damage.
If you would like to exercise any of your legal rights in relation to the personal data we hold about you, you can submit a request by e-mailing firstname.lastname@example.org or by contacting the data protection officer whose details are set out in sections 3 & 4 above. Generally Data Subjects will not have to pay a fee to exercise any of their legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from a Data Subject to confirm their identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask a Data Subject for additional information to help us respond to their request. We will try to respond to a Data Subject’s request within one month but, if the request is very complex or if a Data Subject has made a number of requests, it could take longer. In such circumstances, we will explain to the Data Subject why it will take longer to respond and we will keep them updated.
HOW DO WE PROTECT PERSONAL DATA?
MTG takes the security of personal data very seriously. We use appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or loss. In relation to Subscriber data, we understand the importance of secured communications when any Subscriber is communicating privately and does not want a third party to listen in. In order to achieve that, the IPRS Platform needs to eliminate the risk of interception. MTG’s IPRS Platform is built with security by design principles, meaning confidentiality, integrity, and availability.
The development of our IPRS Platform, its installation and maintenance are carried out in accordance with the rules set out by the latest security standards. Our products and services comply with the security and privacy requirements of GDPR, ISO 27000 and AES-256. When Subscribers, organisation managers, controllers/despatchers communicate using our IPRS Platform, either over a cellular data connection or Wi-Fi, the PTT server uses a proprietary Mobile Tornado communications protocol, which would make it very hard for an unauthorised third party to intercept the communications.
Additionally, sensitive information like user credentials/passwords is encrypted using state of the art third party encryption software.
In order to increase the safety and privacy of the subscribers, MTG has further introduced the following features in the PTT service:
- If the credentials of a Subscriber are used in another device, the Subscriber receives a warning message (“logged on in another device”) and the PTT application automatically signs-out from the service in favour of the second device. This ensures that the subscriber is aware of this fact and no one can listen to PTT sessions that they are not allowed to participate in.
- To minimize the chances of impersonation, when a subscriber talks in a PTT session, the display name associated with the Subscriber (as dictated by client) appears on screen, so other Subscribers get to know who is speaking.
- Except for very large groups, the names of the participants in a call are listed and shared among all Subscribers participating in the PTT session so they can see who has joined the call and thus protect their privacy.
Our security model can be represented by four different layers: physical, logical, data and code. Physical access to relevant hardware is restricted to authorised personnel. Access to the management portal is protected by the use of cryptographic protocols (TLS), logical protection deployed over the firewalls, switches, load-balancers, and the use of single board computers (SBCs), which allow for enhanced security.
Where a client uses an MTG server, there is a state of the art firewall between that server and the internet. The firewall is a network security device, which monitors incoming and outgoing network traffic and permits or blocks data packets passing through it based on a set of security rules, which are continually updated so as to target current threats such as malicious viruses and hackers.
Further MTG’s security methodology utilises several mechanisms in connection with the encryption of data sent between us and our clients’ IT systems, the main ones being as follows:
- Deep packet inspection and rate limits enforcement by SBC
- Segmentation and segregation of networks and functions
- Limitation of unnecessary lateral communications
- Multiple factor subscriber authentication
- IP, user ID, and packet authentication
- Voice stream encryption by AES-256
- Continuous validation of the integrity
- Strict hardening of network devices
- Personal address book protection
- Protocol compliance validation
- Remote control of user device
- Private keys support in KMS
- Voice recording encryption
- IM manipulation protection
- Constant security audits
All MTG Contact personal data, which we store electronically, is stored on our private, secure network of computers. Access to our IT systems is password protected. Our IT provider regularly monitors our computer and network systems for possible vulnerabilities and attacks and uses state of the art firewalls and anti-virus software, which is regularly updated.
WHERE IS YOUR PERSONAL DATA PROCESSED?
We only process personal data in the UK or the EEA.
PERSONAL DATA OF INTERNATIONAL SUBSCRIBERS AND MTG CONTACTS
MTG is based in the UK and is committed to complying with UK Data Protection Laws. UK Data Protection Laws are amongst the strictest in the World and we generally take the view that if we comply with UK Data Protection Laws, such compliance will help us ensure compliance with local data protection laws that apply outside the UK. However, where we contract with a client based outside the UK we endeavour to ensure that we also comply with any particular local data protection law requirements.
HOW DO YOU MAKE A COMPLAINT TO THE REGULATOR?
You also have the right to make a complaint to the Information Commissioner’s Office (ICO), which is the UK data protection supervisory authority, if you feel that your personal data has not been handled properly or if you are not happy with the way that we have responded to any request you have made relating to the personal data we hold about you. The ICO can be contacted by telephone on 0303 123 1113 or online at www.ico.org.uk/concerns. We would appreciate the opportunity to resolve any data protection issues with you, so please contact us in any of the ways set out in section 3 above, in the first instance.
What are cookies?
Are cookies safe?
Yes. The information stored in cookies is anonymous and secure. It cannot be used to identify you personally and cannot harm your computer.
Can I switch cookies off?