The Company is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.
This policy outlines the rules, behaviours and standards required of the organisation, employees, workers and third parties working on behalf of the Company in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data. All workers will be responsible for data protection and must abide by the rules and policies of the Company.
Personal Data and Sensitive Personal Data
There are two types of personal data that fall under the GDPR and for which the Company, its employees, workers and third parties are responsible. These are:
Data Protection Principles
The Organisation is committed to adhering to the Data Protection Principles which state:
Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. The Company is aware that in order to process personal data, or sensitive personal data, the Company must rely on the data being:
If the organisation wishes to hold and process data which does not fall within conditions listed above, then it will seek to obtain the consent of the individual.
If it is necessary to obtain consent then the Company will write to the individual to ask for consent, ensuring that the consent is:
The Organisation collects and processes the following personal data:
Rights of Data Subjects
The Company will recognise that individuals have the following rights under data protection legislation:
Right of Access
Individuals have the right to access the information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records should give notice electronically, in writing, using the Subject Access Request Form which can be found on P:\Administration\Administration Templates\GDPR. Non-employees can contact email@example.com.
The Company has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.
In complex cases, or where there are numerous related requests, the Company will liaise with the individual to inform them of the progress of their request(s), and if it is not possible to complete this within 1 month, the Company will inform the individual of the delay and the reasons for the delay, and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data is retained with third parties, the Company will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible or if it would require disproportionate effort.
The Company reserves the right to charge a fee or to refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, the Company reserves the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.
Rectification of Data
The Company is committed to keeping data that is accurate and up to date. Data will be checked for accuracy where possible, and any data that is inaccurate, out of date or unnecessary will be corrected or erased as appropriate.
Where an individual identifies that their personal data is incorrect or incomplete, or where they are aware that their personal data has changed, they must inform the organisation as soon as possible. The organisation will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.
In complex cases, or where there are numerous cases, the Company will liaise with the individual to inform them of the progress of their request, and if it is not possible to complete this within 1 month, the Company will inform the individual of the delay and the reasons for the delay, and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data has been disclosed to third parties, the Company will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or if it would involve disproportionate effort.
The Right to be Forgotten
Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances i.e.
If you wish to ask for your own personal data to be partially or fully erased and no longer processed, please write to firstname.lastname@example.org with full details of your request. The Company has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where the Company may be unable to comply include where it is required to retain the information by law, or where the data is needed in connection with legal proceedings.
In complex cases, or where there are numerous related requests, the Company will liaise with you to inform you of the progress of the request, and if it is not possible to respond to this within 1 month, the Company will inform you of the delay and the reasons for the delay, and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.
In the event that data is retained with third parties, the Company will ensure that the request is communicated to, and if appropriate actioned by, the third party in line with the timescales outlined above.
Security of Data
The Company is committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.
Any data breaches will be managed according to the procedures documented in our Data Protection Breach Reporting Policy and Procedure.
The Company is committed to ensuring that subject data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes. As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data for some other legitimate reason.
The Company does not intentionally keep data longer than necessary and when data is no longer required, the Company is committed to securely deleting it as soon as possible.
For more information and our retention guidelines, please refer to our Data Retention Policy.
All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, the member of staff should complete a Data Protection Breach Reporting Form, available at P:\Administration\admin Templates\GDPR (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to the Administrator as soon as possible and within 24 hours of the discovery of the breach. If you need help completing the form, or are unable to complete the form, then any delay should be avoided and instead the matter should be reported immediately, either verbally or using electronic means, such as email.
For more information regarding managing data protection breaches, please refer to the Data Protection Breach Reporting Policy and Procedure.
Transferring Personal Data to a Country Outside the EEA
We may transfer the personal information that we collect from you to a destination outside of the UK and, in some cases, outside of the European Economic Area (EEA) if necessary for the processing purposes we have described above (including where we transfer your personal information to third parties), for example to our bulk emailing service MailChimp and our CRM database Insightly. In these cases, staff operating outside of the EEA who work for one of our suppliers may process your personal information.
We may share your private personal information with such service providers subject to obligations consistent with this privacy notice and any other appropriate confidentiality and security measures, and on the condition that the third parties use your private personal data only on our behalf and in line with our instructions.
On occasion you may wish to allow your data to be transferred to another Organisation either by you receiving the data and transferring it, or by the data being transferred directly.
This right to data portability only applies to data that you have provided to the Company, where the data processing is based either on your consent or the performance of the contract and where the processing is carried out by automated means, and it will only be transferred where it is technically feasible to do so.
If you wish to make a request for your data to be transferred, you must write to us at XXX, and we will respond to you within 1 month. If the requests are numerous or complex we reserve the right to extend this timescale by a further 2 months. If we are unable to complete your request, we will write to you to inform you why, along with your right to complain to the Information Commissioner’s Office (ICO).
Objections to Personal Data Processing
You have the right to object to data processing where the Company is:
If you wish to object to processing, you should write to email@example.com outlining the grounds relating to your particular situation and we will stop the processing unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is in relation to legal claims. If we are unable to agree to your request, we will write to inform you why, along with your right to complain to the ICO.
Organisational Data Protection Measures
The Company is committed to ensuring the security of your data and to processing it in line with the Data Protection rules. As such, the organisation will:
We are committed to monitoring this policy and will update it as appropriate every three years or more frequently if necessary.
Any queries or concerns can be addressed directly to firstname.lastname@example.org