Data Protection Policy

Introduction

This Policy sets out the obligations of Enviro Workspace Solutions Ltd, of 71-75, Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ (“the Company”) regarding data protection and the rights of business contacts, customers and prospective customers (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

The Data Protection Principles

This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):

Lawful, Fair, and Transparent Data Processing

The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:

Specified, Explicit, and Legitimate Purposes

Adequate, Relevant, and Limited Data Processing
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Part 21, below.

Accuracy of Data and Keeping Data Up-to-Date

Data Retention

Secure Processing

The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 22 to 27 of this Policy.

Accountability and Record-Keeping

The Company’s Data protection lead is Stephanie Halstead.
The Data protection lead shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.
The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

Data Protection Impact Assessments

The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.
Data Protection Impact Assessments shall be overseen by the Data protection lead and shall address the following:

Keeping Data Subjects Informed

The Company shall provide the information set out in Part 12.2 to every data subject:
Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and
Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:

The following information shall be provided:

Data Subject Access

Rectification of Personal Data

Erasure of Personal Data

Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Restriction of Personal Data Processing

Data Portability

The Company does not process personal data using automated means and so the right to data portability is not applicable.

Objections to Personal Data Processing

Automated Decision-Making

The Company does not use personal data in automated decision-making processes.

Profiling

The Company does not use personal data for profiling purposes.

Personal Data Collected, Held, and Processed

The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):
Name

Data Security – Transferring Personal Data and Communications

The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:

Data Security – Storage

The Company shall ensure that the following measures are taken with respect to the storage of personal data:

Data Security – Disposal

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

Data Security – Use of Personal Data

The Company shall ensure that the following measures are taken with respect to the use of personal data:

Data Security – IT Security

The Company shall ensure that the following measures are taken with respect to IT and information security:

Organisational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

Transferring Personal Data to a Country Outside the EEA

The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.
The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

Data Breach Notification

All personal data breaches must be reported immediately to the Company’s Data protection lead.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data protection lead must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data protection lead must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:

Implementation of Policy

This Policy shall be deemed effective as of 25th of May 2018. No part of this Policy shall have retroactive effect, and this Policy shall thus apply only to matters occurring on or after this date.

Document Owner and Approval

The Data protection lead is the owner of this document and is responsible for ensuring that this record is reviewed in line with the review requirements of the GDPR.