We are committed to a policy of protecting the rights and privacy of individuals, including our employees, clients, and other data subjects as applicable, in accordance with the General Data Protection Regulation 2018 (GDPR).
This policy applies to all personal data processed by us. Our Privacy Notice’s compliment this policy and are published on our website. We also have a specific data protection policy for our employees which we have published on our staff-access intranet.
This policy will be reviewed periodically by our leadership team, and if necessary updated.
We will process personal data in accordance with our responsibilities as a data controller under GDPR, using the following data protection principles:
1. Process personal data lawfully, fairly and in a transparent manner;
2. Collect personal data only for specified, explicit and legitimate purposes;
3. Process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing;
4. Keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
5. Keep personal data only for the period necessary for processing; and
6. Adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
We will inform you of the reasons for processing your personal data, how we use such data and the legal basis for processing in our Privacy Notices. We will not process personal data of individuals for other reasons. Where we rely on legitimate interests as the basis for processing data, we will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals.
We will update your personal data promptly if you advise us that your information has changed or it is inaccurate.
We keep a record of our processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
We will ensure that personal data is not kept longer than necessary. We have a register in place to record what data should or must be retained, for how long and why we must retain the data. When the data held in accordance with this policy and procedure is destroyed, we will ensure that the data is destroyed securely.
We will obtain personal data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Where a needs exists to request and receive the consent of an individual prior to collection, use or disclosure of their personal data, we are committed to seeking such consent.
We will, when required by applicable law, contract, or where we consider that it is reasonably appropriate to do so, provide data subjects with information as to the purpose of the processing of their personal data.
We use the personal data of individuals for the following broad purposes:
1. The general running and management of the business, and business administration; and
2. To provide services to our clients.
We will process personal data in accordance with all applicable laws and contractual obligations. More specifically, we will not process personal data unless at least one of the following requirements are met:
We will only process special categories of data (also known as sensitive data) where the data subject expressly consents to such processing or where one of the following conditions apply:
As a data subject, you have a number of rights in relation to your personal data.
You have the right to make a subject access request. If you make a subject access request, we will inform you:
For how long your personal data is stored (or how that period is decided);
We will also provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you request otherwise.
To make a subject access request, you should send the request to email@example.com and use our form for making a subject access request. We will ask you for proof of identification before the request can be processed. We will inform you which documents are acceptable to verify your identification.
We will normally respond to a request within one month from the date the Subject Access Request Form is received, along with proof of identity as requested. In some cases, such as where we might be processing large amounts of your data, we may take up to three months to respond to the request. If this is the case, we will write to inform of this.
If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it. Alternatively, we may agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If you submit a request that is unfounded or excessive, we will notify you that this is the case and let you know whether or not it will be responded to.
You also have a number other rights in relation to your personal data. You can require us to:
To ask us to take any of these steps, please send a request to firstname.lastname@example.org./
We take the security of personal data seriously. We have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by our employees in the proper performance of their duties.
Some of the processing that we carry out may result in risks to privacy. Where processing would result in a high risk to your rights and freedoms, we will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
If we discover that there has been a breach of personal data that poses a risk to your rights and freedoms, we will report this to the Information Commissioner within 72 hours of discovery. We will also record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to your rights and freedoms, we will inform you of the breach and provide you with information about its likely consequences and the mitigation measures we have taken.
We may transfer personal data to internal or third party recipients where one of the transfer scenarios listed below applies:
The data subject has given consent to the proposed transfer;
Policy and Ownership Details;
Document Name: Data Protection Policy
Effective From: September 2018
Version Number: 1.0
Author: Sophie Mullen
Owner: Steve Burke
Document Control: All printed versions of this document are classified as uncontrolled. A controlled version of this document is available on our website or intranet.
Release Number: DP1
Date September: 2018
Revision Description: 1st draft of new policy incorporating new legislation
Author: Sophie Mullen
Working with and for CPUK will be a pleasure!