*** t/a Springlawn - Data Protection Policy Statement
Updated: May 2018
Date of next review: November 2018
In order to run our business we collect information about the people with whom we work. These are known as ‘data subjects’ and may include shareholders, directors, employees, customers or suppliers, both current, past and prospective.
This personal information is handled according to the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the Privacy and Electronic Communications Regulations ("PECR") and all related UK regulations (collectively known as "DP Laws") in the course of complying with our obligations as an employer and/or dealing with issues arising from the provision of goods and services to the public. The Act gives certain rights to people whose 'personal data' we may hold.
We consider that the secure and ethical treatment of personal data is integral to our successful operations and to maintaining the trust of the persons we deal with.
** is registered to process personal data and is named as the Data Controller under the register kept by the Information Commissioner.
** has detailed privacy policies for all its data subjects which are published online and provided to data subjects in the appropriate manner. We also have detailed policies for each category of subject intended to help our employees process this personal data in accordance with the requirements of the DP Laws.
Information covered by DP Laws
The Act uses the term 'personal data' which essentially means any recorded information held by us and from which a living individual can be identified. It will include a variety of information including names, billing and delivery addresses, telephone numbers, e-mail addresses and other personal details, including digital information such as social media metadata and IP address.
Data Protection Obligations
** is committed to processing personal data in compliance with the Principles below and to demonstrating such compliance. The fundamental "Principles" relating to the processing of personal data are that it should be:
(i) processed fairly and lawfully and in a transparent manner;
(ii) obtained only for specified, explicit and legitimate purposes and not used for other purposes;
(iii) adequate, relevant and limited to what is necessary for the purpose for which it is processed;
(iv) accurate, kept up to date and, where it is inaccurate, erased or rectified without delay;
(v) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which that personal data is being processed;
(vi) processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
(vii) processed in accordance with the rights of data subjects under the GDPR; and
(viii) not transferred outside of the EEA except where specific conditions are met.
*** relies on one of the following as the legal basis on which it processes personal data:
(i) Where it is necessary for the performance of our contract;
(ii) Where it is necessary for compliance with our legal obligations;
(iii) Where it is necessary for the purposes of ***’s legitimate business interests; and in some cases
(iv) Where the data subject has given their consent for the processing of their personal data
*** may also rely on the following legal bases for processing personal data (although this is likely to be rare):
(v) where we need to protect the data subject’s vital interests (or someone else’s vital interests); or
(vi) where it is needed in the public interest.
Data subjects have other rights under DP Laws in relation to their personal data. These include:
(i) the right to request that we rectify or erase information held about them without undue delay ("right to be forgotten");
(ii) the right to ask us to limit the processing of this information;
(iii) the right (if we are processing information based on consent, such as for marketing purposes) to withdraw such consent;
(iv) the right to object to certain processing of personal information (including the right to object to processing of personal data for direct marketing purposes at any time); and
(v) the right to obtain and re-use their data (i.e. ask us to move, copy or transfer it to another organisation).
Subject Access Requests
All data subjects have the right at any time to request to see personal information held about them either digitally or on file. All such requests must be in writing and should be forwarded immediately to our Company Secretary Pam Murray at Crawhall, Brampton, Cumbria, CA8 1TN or firstname.lastname@example.org. We have 30 working days to respond to the request and provide data subjects with a copy of all the personal information we hold about them.
We are committed to taking all reasonable steps and measures to ensure that:
• We comply with DP Laws and follow good practice;
• We protect the rights of the data subjects whose personal data we hold;
• We are open about how we capture, process and retain personal data;
• We only hold personal data that is accurate and up to date and promptly rectify or delete any inaccurate data;
• We only utilise personal data for the purposes for which it was obtained;
• We do not hold personal data for any longer than is necessary for the purposes for which it was obtained;
• We put in place appropriate security measures against unauthorised or unlawful processing of personal data held and against accidental loss or destruction of, or damage to, such data;
• We do not disclose personal information to any third party except as set out in our Privacy Policies;
• We carry out due diligence on our third-party data processors to verify that they have appropriate technical and organisational measures to protect our personal data;
• We do not transfer any personal data outside the European Economic Area ("EEA") without the appropriate safeguards;
• We deal with any subject access requests promptly and courteously;
• We report any unlawful access to the ICO in accordance with DP Laws;
• We will carry out regular reviews of our data policies and ensure that our Privacy Policies are updated; and
• We ensure that our employees are appropriately trained to understand the contents of our data policies and their contribution to compliance with the requirements of the DP Laws.
Jo L Ritzema