Data Processing Agreement

Download the iLost DPA

Open DPA (PDF)

Context and explanation of Lost and Found data-processing

Quick Summary: Organizations act as controller for found item data (Phase 1), while iLost acts as controller for user claim data (Phase 2). The DPA covers Phase 1 processing.

Definitions

  1. iLost platform: The online service operated by iLost that allows organizations to register found items and enables users to search, claim, and manage lost and found items.
  2. Organization: A business, institution, or other entity that uses the iLost platform to register and manage found items, for example a hotel, venue, or public transport company.
  3. User (data subject): A person who has lost an item and interacts with the iLost website or embedded search widget to search for, claim, or recover that item. In this document, "user" is used as a synonym for "data subject".
  4. Controller: The party that determines the purposes and means of the processing of personal data.
  5. Processor: The party that processes personal data on behalf of the controller.
  6. Personal data: Any information relating to an identified or identifiable natural person, such as name, contact details, identification numbers, photos, and online identifiers including IP addresses.
  7. Found item: An item registered in the iLost platform by an organization, which can be matched and linked to a user once a claim is made in Phase 2.

iLost is a platform and acts like a mediator between an organization using iLost and a person (data subject) that lost something. iLost is responsible for all personal information of the data subject processed through the platform from the moment the user (data subject) is directly interacting with the iLost website. The DPA is required for Phase 1.

Phase 1

Information entered by a staff member of an organization into the iLost application, possibly holding personal information. Here the organization is the controller at first, with the "basis for processing" this information defined as having the item returned back to its owner (that is the intention and goal).

A staff member of the organization can, based on the information available in Phase 1, proactively reach out to a possible owner (for example, by sending a notification or email) or directly match the item with someone who appears at the desk. These actions still fall within Phase 1, with the organization acting as the controller for the related personal data.

Phase 2

A potential owner searches and claims a found item on the iLost website. The information provided by this user is intended to prove ownership and may contain personal data (personal anecdotes, name, address, photos of themselves or documents). The user agrees with the way iLost processes that information by accepting the privacy policy and terms and conditions. iLost is the controller for processing that information.

From the moment a user claims a found item entered by the organization, the personal information of the user will be linked to this found item in the database of iLost. Although email and IP address will not be visible to staff members of the organization, this means the found item in Phase 1 is now linked to an identifiable individual (the claiming user) in Phase 2.

Therefore, when phase 2 starts iLost will be responsible for all processed information about the data subject, the user. And the organization will still be responsible for any personal information derived from a found item or made available in claims on a found item.

Visual flow overview

Please find the visual mapping diagram below that illustrates the complete data flow between Phase 1 and Phase 2, including the roles of organization and user, and the transition of controller responsibilities.

Phase 1 and Phase 2 data flow diagram