*** t/a Springlawn - Data Protection Policy Statement
Updated: May 2018
Date of next review: November 2018
Introduction
In order to run our business we collect information about the people with whom we work. These are known as ‘data subjects’ and may include current, past and prospective shareholders, directors, employees, customers or suppliers.
This personal information is handled according to the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the Privacy and Electronic Communications Regulations ("PECR") and all related UK regulations (collectively known as "DP Laws") in the course of complying with our obligations as an employer and/or dealing with issues arising from the provision of goods and services to the public. The Act gives certain rights to people whose 'personal data' we may hold.
We consider that the secure and ethical treatment of personal data is integral to our successful operations and to maintaining the trust of the persons we deal with.
** is registered to process personal data and is named as the Data Controller under the register kept by the Information Commissioner.
** has detailed privacy policies for all its data subjects which are published online and provided to data subjects in the appropriate manner. We also have detailed policies for each category of subject intended to help our employees process this personal data in accordance with the requirements of the DP Laws.
Information covered by DP Laws
The Act uses the term 'personal data' which essentially means any recorded information held by us and from which a living individual can be identified. It will include a variety of information including names, billing and delivery addresses, telephone numbers, e-mail addresses and other personal details, including digital information such as social media metadata and IP address.
Data Protection Obligations
** is committed to processing personal data in compliance with the Principles below and to demonstrating such compliance. The fundamental "Principles" relating to the processing of personal data are that it should be:
(i) processed fairly and lawfully and in a transparent manner;
(ii) obtained only for specified, explicit and legitimate purposes and not used for other purposes;
(iii) adequate, relevant and limited to what is necessary for the purpose for which it is processed;
(iv) accurate, kept up to date and, where it is inaccurate, erased or rectified without delay;
(v) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which that personal data is being processed;
(vi) processed in a manner that ensures appropriate security, including protection against unauthorised and against accidental loss, destruction or damage;
(vii) processed in accordance with the rights of data subjects under the GDPR; and
(viii) not transferred outside of the EEA except where specific conditions are met.
Lawful Basis
*** relies on one of the following as the legal basis on which it processes personal data:
(i) Where it is necessary for the performance of our contract;
(ii) Where it is necessary for compliance with our legal obligations;
(iii) Where it is necessary for the purposes of ***’s legitimate business interests; and in some cases
(iv) Where the data subject has given their consent for the processing of their personal data.
*** may also rely on the following legal bases for processing personal data (although this is likely to be rare):
(v) where we need to protect the data subject’s vital interests (or someone else’s vital interests); or
(vi) where it is needed in the public interest.
Individuals' Rights
Data subjects have other rights under DP Laws in relation to their personal data. These include:
(i) the right to request that we rectify or erase information held about them without undue delay ("right to be forgotten");
(ii) the right to ask us to limit the processing of this information;
(iii) the right (if we are processing information based on consent, such as for marketing purposes) to withdraw such consent;
(iv) the right to object to certain processing of personal information (including the right to object to processing of personal data for direct marketing purposes at any time); and
(v) the right to obtain and re-use their data (i.e. ask us to move, copy or transfer it to another organisation).
Subject Access Requests
on file. All such requests must be in writing and should be forwarded immediately to our Company Secretary Pam Murray at Crawhall, Brampton, Cumbria, CA8 1TN or pam.murray@wcf.co.uk. We have 30 working days to respond to the request and provide data subjects with a copy of all the personal information we hold about them.
Our Commitment
We are committed to taking all reasonable steps and measures to ensure that:
• We comply with DP Laws and follow good practice;
• We protect the rights of the data subjects whose personal data we hold;
• We are open about how we capture, process and retain personal data;
• We only hold personal data that is accurate and up to date and promptly rectify or delete any inaccurate data;
• We only utilise personal data for the purposes for which it was obtained;
• We do not hold personal data for any longer than is necessary for the purposes for which it was obtained;
• We put in place appropriate security measures against unauthorised or unlawful processing of personal data held and against accidental, destruction or damage to, such data;
• We do not disclose personal information to any third party except as set out in our Privacy Policies;
• We carry out due diligence on our third-party data processors to verify that they have appropriate technical and organisational measures to protect our personal data;
• We do not transfer any personal data outside the European Economic Area ("EEA") without the appropriate safeguards;
• We deal with any subject access requests promptly and courteously;
• We report any unlawful access to the ICO in accordance with DP Laws;
• We will carry out regular reviews of our data policies and ensure that our Privacy Policies are updated; and
• We ensure that our employees are appropriately trained to understand the contents of our data policies and their contribution to compliance with the requirements of the DP Laws.
Jo L Ritzema
Managing Director
May 2018