GDPR @ Shireburn

Shireburn have been working to ensure that we process Personal Data in accordance with Data Protection Law, namely the Maltese Data Protection Act (Chapter 440 of the Laws of Malta) as amended and, as of 25 May 2018, the General Data Protection Regulation (GDPR), the Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, the legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union.

This regulation has strengthened the rationale behind some of our existing procedures and processes, required us to strengthen others and has ensured that we place data privacy right at the forefront of our operations.

In preparation for the introduction of GDPR, we have made an assessment of our position and taken action to ensure compliance. We have audited the data that we hold, both data about our clients, prospects, suppliers and others, and any data we retain from our clients.

Here is a list of Technical and Organisational Measures we have at Shireburn.

We have implemented the changes to our internal processes and procedures required to achieve and maintain compliance with GDPR, including the updating of our processes, policies and procedures, such as our Terms of Service, our Privacy Policy, our Legal Policy and our Data Retention Policy. We have also published our list of Sub-Processors and, as far as is possible, we have confirmed their compliance with our data protection requirements.

We have trained all our staff about the objectives of GDPR, the obligations and responsibilities imposed by the law and the updated policies and procedures related to data protection.

We have a large number of clients, some of whom use our software products on their own premises, while others use our Shireburn Indigo platform, which is a hosted and managed service. Others utilize our services for managing their networking and assisting them with their IT infrastructure. All of these have different implications for everything from data processing responsibilities to data storage, data storage location obligations and data retention.

We have prepared the Shireburn Data Processing Agreement, which addresses all the issues across all our client base, and will enter into this agreement with our clients.

Shireburn is fully aware of the philosophy of GDPR to protect the privacy of data subjects and we subscribe to this philosophy. We will continue to place the privacy of our clients at the forefront of our activities.

Data Retention Policy

Personal Data will be retained by Shireburn in accordance with the Data Retention Policy of Shireburn as defined in the table below as it relates to different data types:

| Data Type | Retention Policy |
|---|---|
| Client’s Personal Data shared with Authorised Staff for the purposes of the provision of implementation and support services. | 30 days |
| Data managed in Shireburn On-Premises Software | Managed by the Client |
| Data Managed within Shireburn Indigo and other Software-as-a-Service. | 60 days following termination of the Subscription agreement |
| Personal Data stored related to contracts, billing, procurement and similar administrative processes to enable the on-going relationship between Shireburn and the Client | 10 years from termination of the relationship. |
| Personal Data related to correspondence, proposals, actions and opportunities. | Up to 6 years after termination of the relationship with Client |
| Personal Data of users registered on Help Desk services. Applicable from 21 October 2019 | 3 years from last contact on Help Desk. |

Shireburn shall hold the Client’s Personal Data only as long as is necessary to provide the Services, including administration, accounting, marketing and reporting in the context of a Legitimate Business Interest, and subject to:

  1. the rights of a Data Subject in terms of the Data Protection Law, such as requests for data access or deletion;
  2. any legal requirement for data retention as specified in any other law of the Republic of Malta, including but not limited to laws on Social Security, Income Tax, Value Added Tax, Employment and Industrial Relations etc.;
  3. a request by an authorised Governmental or regulatory authority for an additional retention period.

Modifications to this data retention policy can be effected by Shireburn publishing the new policy at this page and giving the client 10 days’ notice of such change, as long as, in the event that the client is not in agreement with such change, the client shall have the right to terminate the Services without penalty.

Sub-Contractors / Sub-Processors

Shireburn uses a number of specialised service providers as sub-contractors or sub-processors to assist it in delivering an optimal level of service to our clients. In so doing, we ensure the competence, reliability and professionalism of these sub-contractors. We also enter into agreements that ensure the obligations that we have assumed with respect to our clients are, at a minimum, also assumed by these sub-contractors/sub-processors.

The table below outlines the list of the current sub-contractors that we use specifically to process our data, in each case identifying the purpose of the processing that they do and the hosting location. Not all these sub-contractors/sub-processors may be relevant to you, as they may be limited to processing data related to different Shireburn products.

| Sub-contractor / Sub-Processor | Purpose | Location of Hosting |
|---|---|---|
| Microsoft Azure | Cloud Hosting, Analytics | The Netherlands & Ireland |
| Microsoft Corporation | Customer and internal Communications, Business Analytics, Project Management, Remote Access, Document Repository and all modules of Office 365 for Business. | The Netherlands & Ireland |
| Recurly Inc | Subscription and billing management | United States of America |
| Braintree | Third Party Payment Processor. | United States of America |
| Stripe | Third Party Payment Processor. | United States of America |
| Intercom | Customer Communication | United States of America |
| Zoho Corporation B.V. | Customer Support, Customer and internal Communications, Business Analytics, Project Management, Digital Signing, Remote Access, Document Repository and all modules of Zoho One. | The Netherlands & Republic of Ireland |
| Google | Business Analytics, Cloud Services | United States of America |
| Hotjar | Product Analytics | Republic of Ireland |
| CreateShift | Product Management, Customer Feedback (To be decommissioned on the 28th February 2022) | Republic of Ireland |
| SendGrid/Twilio | Email Service Provider | United States of America |
| SG Solutions | Business Continuity | Malta |
| Aha! Labs Inc | Product Management, Customer Feedback (Applicable from the 20th December 2021) | United States of America |
| Atlassian | Issue Management, Document Repository, Source Code Repository, Project Management, Timesheet Management | United States of America |
| Miro | Internal Collaboration | Republic of Ireland |
| Catamorphic Co. | Feature Flag Management | United States of America |
| DevArt | Data Analytics | United States of America |
| Recruitee | Job Applicant Tracking | Germany and Republic of Ireland |
| ZKTeco | Attendance Hardware and Software Services | Republic of Ireland |

Data Protection Policy