GDPR - DATA PROTECTION POLICY
DEFINITIONS
In this policy, the following words and phrases have the following meanings:
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them.
“Criminal records personal data” means personal data relating to criminal convictions and offences and personal data relating to criminal allegations and proceedings.
“Data protection legislation” means the UK GDPR, the Data Protection Act 2018 and any other applicable primary or secondary legislation as may be in force in the UK from time to time.
“Data subject” means a living identified or identifiable individual about whom the Company holds personal data.
“Member of staff” is any director, employee, worker, agency worker, apprentice, intern, volunteer, contractor and consultant employed or engaged by the Company.
“Personal data” is any information relating to a data subject who can be identified (directly or indirectly) either from those data alone or by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject. It excludes anonymised data, i.e. where all identifying particulars have been removed.
“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disclosing, 2 disseminating, restricting, erasing or destroying. It also includes transmitting or transferring personal data to third parties.
“Special category personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning the physical or mental health of a data subject or data concerning a data subject’s sex life or sexual orientation.
POLICY STATEMENT
This policy sets out how the Company processes the personal data of data subjects, including job applicants and our current and former directors, employees, workers, agency workers, apprentices, interns, volunteers, contractors, consultants, clients, customers, suppliers and other third parties. It applies to all personal data that we process, regardless of the media on which those personal data are stored, e.g. electronically, on paper or on other materials. The Company is committed to being clear and transparent about how we collect and use personal data and to complying with our data protection obligations. Protecting the confidentiality, security and integrity of the personal data that we process is also of paramount importance to our business operations. The Company will process personal data in accordance with this policy and the data protection legislation.
All employees are data subjects but they may also process personal data on the Company’s behalf about other data subjects. This policy should therefore be read and interpreted accordingly. Employees must always comply with it when processing personal data on the Company’s behalf in the proper performance of job duties and responsibilities. The data protection legislation contains important principles affecting personal data relating to data subjects. The purpose of this policy is to set out what we expect from employees and to ensure that they understand and comply with the rules governing the processing of personal data to which they may have access in the course of their work, so as to ensure that neither the Company nor they breach the data protection legislation.
The Company takes compliance with this policy very seriously. Any breach of this policy or any breach of the data protection legislation will be regarded as misconduct and will be dealt with under the Company’s disciplinary procedure.
The Company’s Managing Director has responsibility for data protection compliance within the business.
THE DATA PROTECTION PRINCIPLES
Under the data protection legislation, there are six data protection principles that the Company and all members of staff must comply with at all times in their personal data processing activities. In brief, the principles say that personal data must be:
​
1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
4. Accurate and, where necessary, kept up to date; every reasonable step must also be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed (storage limitation).
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
The Company is responsible for, and must be able to demonstrate compliance with, these data protection principles. This is called the principle of accountability.
The Company and members of staff must only process personal data on the basis of one or more of these lawful bases for processing. Before a processing activity starts for the first time, and then regularly while it continues, we will review the purpose of the processing activity, select the most appropriate lawful basis (or bases) for that processing and satisfy ourselves that the processing is necessary for the purpose of that lawful basis (or bases). When determining whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will conduct a legitimate interests assessment, keep a record of it and keep it under review.
Where the Company relies on consent as the lawful basis for processing, this requires the data subject to have given a positive statement, active opt-in or clear affirmative action; 4 pre-ticked boxes; inactivity or silence do not constitute consent. If consent is given in a document that also deals with other matters, the request for consent must be clearly distinguishable and kept separate from those other matters. In addition, consent must specifically cover the purposes of the processing and the types of processing activity, so you must ensure that you obtain separate consents for different types of processing, where appropriate. Data subjects also have the right to withdraw their consent to processing at any time, they must be advised of this right and it must be as easy for them to withdraw their consent as it was to give it.
SPECIAL CATEGORY DATA
The data protection legislation also provides that the processing of special category personal data and criminal records personal data is only lawful in more limited circumstances where an additional lawful condition for processing also applies (this is an additional requirement; the processing must still meet one or more of the lawful bases for processing set out above). These include where:
• the data subject has given their explicit consent to the processing of their personal data for one or more specified purposes; explicit consent requires a very clear and positive statement and it cannot be implied from the data subject’s actions
• the processing is necessary for the purposes of carrying out obligations or exercising specific rights of either the Company or the data subject under employment law or social security law
• in the case of special category personal data, the processing relates to personal data which are manifestly made public by the data subject
• the processing is necessary for the establishment, exercise or defence of legal claims
The Company and members of staff must only process special category personal data and criminal records personal data where there is also one or more of these additional lawful conditions for processing. Before processing any special category personal data and criminal records personal data, staff must notify the Managing Director so that they may assess whether the processing complies with one or more of these additional lawful conditions.
A clear record must be kept of all consents, including explicit consents, which covers what the data subject has consented to, what they were told at the time and how and when 5 consent was given. This enables the Company to demonstrate compliance with the data protection requirements for consent.
TRANSPARENCY
Under the data protection legislation, the transparency principle requires the Company to provide specific information to data subjects through appropriate privacy notices. These must be concise, transparent, intelligible, easily accessible and use clear and plain language. Privacy notices may comprise general privacy statements applicable to a specific group of data subjects, e.g. employees, or they may be stand-alone privacy statements covering processing related to a specific purpose. Whenever we collect personal data directly from data subjects, including for employment purposes, we must provide the data subject with all the information required to be included in a privacy notice. This includes:
• the identity and contact details of the Company (as data controller) and any representative
• where applicable, the identity and contact details of the data protection officer
• the purposes for which the personal data will be processed
• the lawful basis or bases for processing
• where we are relying on our legitimate interests (or those of a third party) as the lawful basis for processing, what those legitimate interests are
• the categories of personal data, unless they were obtained directly from the data subject
• the third-party sources that the personal data originate from, unless they were obtained directly from the data subject
• the recipients, or categories of recipients, with whom the personal data may be shared
• details of any transfers to third countries or international organisations and the suitable safeguards applied
• the retention period for the personal data or, if that is not possible, the criteria to be used to determine the retention period
• the existence of the data subject’s rights, i.e. subject access, rectification, erasure, restriction of processing, objection and data portability 6 • the right to withdraw consent to processing at any time, where consent is being relied on as the lawful basis for processing
• the right to lodge a complaint with the Information Commissioner’s Office
• whether the provision of personal data is part of a statutory or contractual requirement or obligation, or a requirement necessary to enter into a contract, and the possible consequences of failing to provide the personal data
• the existence of any automated decision-making, including profiling, and meaningful information about how decisions are made, the significance and consequences.
We must issue a privacy notice, which can be by electronic means, when we first collect a data subject’s personal data from them. If the personal data have been obtained from third parties, we must provide the privacy notice information within a reasonable period of having obtained the personal data, but at the latest within one month. However, if the personal data are to be used to communicate with the data subject, the privacy notice information is to be provided, at the latest, when the first communication takes place, or if disclosure of the personal data to another recipient is envisaged, it is to be provided, at the latest, when the data are first disclosed. Staff must comply with these rules on privacy notices when processing personal data on the Company’s behalf in the proper performance of job duties and responsibilities.
PURPOSE LIMITATION
Personal data must be collected only for specified, explicit and legitimate purposes and they must not be further processed in any manner that is incompatible with those purposes. Personal data cannot be used for new, different or incompatible purposes from those disclosed to the data subject when they were first obtained, for example in an appropriate privacy notice, unless the data subject has been informed of the new purposes and the terms of this policy are otherwise complied with, e.g. there is a lawful basis for processing. This also includes special category personal data and criminal records personal data.
DATA MINIMISATION
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. 7 We will only collect personal data to the extent that they are required for the specific purposes notified to the data subject. Staff must only process personal data where their job duties and responsibilities require it. In addition, they must ensure that any personal data they collect is adequate and relevant for the intended purposes and are not excessive. This includes special category personal data and criminal records personal data. When personal data are no longer needed for specified purposes, we will ensure that they are destroyed, erased or anonymised in accordance with the Company’s rules on data retention and destruction set out below.
ACCURACY
Personal data must be accurate and, where necessary, kept up to date. In addition, every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
STORAGE LIMITATION
Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. The Company will only retain personal data for as long as is necessary to fulfil the legitimate business purposes for which they were originally collected and processed, including (but not limited to) for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements. This includes special category personal data and criminal records personal data.
DESTRUCTION AND ERASURE
All personal data, including special category personal data and criminal records personal data, must be reviewed before destruction or erasure to determine whether there are special factors that mean destruction or erasure should be delayed. Otherwise, they must be destroyed or erased at the end of the retention periods outlined above.
Personal data which are no longer to be retained will be permanently erased from our IT systems or securely and effectively destroyed, e.g. by cross-shredding of hard copy documents, burning them or placing them in confidential waste bins or by physical destruction of storage media, and we will also require third parties to destroy or erase such 8 personal data where applicable. We will take all reasonable steps to destroy or erase personal data that we no longer require.
In some circumstances we may anonymise personal data so that they no longer permit a data subject’s identification. In this case, we may retain such personal data for a longer period.
INTEGRITY AND CONFIDENTIALITY
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Company takes the security of personal data seriously and we have implemented and maintain safeguards which are appropriate to the size and scope of our business, the amount of personal data that we hold and any identified risks. This includes encryption and pseudonymisation of personal data where appropriate. We have also taken steps to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services and to ensure that, in the event of a physical or technical incident, availability and access to personal data can be restored in a timely manner. We regularly test and evaluate the effectiveness of our technical and organisational safeguards to ensure the security of our processing activities.
Where the Company uses third-party service providers to process personal data on our behalf, additional security arrangements need to be implemented in contracts with those third parties to safeguard the security of personal data. Staff can only share personal data with third-party service providers if they have been authorised to do so and provided that certain safeguards and contractual arrangements have been put in place, including that:
• the third party has a business need to know the personal data for the purposes of providing the contracted services
• sharing the personal data complies with the privacy notice that has been provided to the data subject (and, if required, the data subject’s consent has been obtained)
• the third party has agreed to comply with our data security procedures and has put adequate measures in place in ensure the security of processing
• the third party only acts on our documented written instructions 9
• a written contract is in place between the Company and the third party that contains specific approved terms
• the third party will assist the Company in allowing data subjects to exercise their rights in relation to data protection and in meeting our obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments
• the third party will delete or return all personal data to the Company at the end of the contract
• the third party will submit to audits.
Before any new agreement involving the processing of personal data by a third-party service provider is entered into, or an existing contract is amended, staff must seek the approval of its terms from our Managing Director
Hard copy personnel files, which hold personal data gathered during the working relationship, are confidential and must be stored in locked filing cabinets. Only authorised members of staff, who have a business need to know in order to properly perform their job duties and responsibilities, have access to these files. Files will not be removed from their normal place of storage without good reason. Personal data stored on removable storage media must be kept in locked filing cabinets or locked drawers and cupboards when not in use by authorised members of staff. Personal data held in electronic format will be stored confidentially by means of password protection, encryption or pseudonymisation, and again only authorised members of staff have access to those data.
The Company has network backup procedures in place to ensure that personal data held in electronic format cannot be accidentally lost, destroyed or damaged. Personal data must not be stored on local computer drives or on personal devices.
The data protection legislation requires the Company to notify any personal data breach to the Information Commissioner’s Office within 72 hours after becoming aware of the breach and, where there is a high risk to the rights and freedoms of data subjects, to the data subject themselves. A personal data breach is any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and includes any act or omission that compromises the confidentiality, integrity or availability of personal data or the safeguards that we, or our third-party service providers, have put in place to protect them. The Company has procedures in place to deal with any suspected personal data breach.
ACCOUNTABILITY
The Company is responsible for, and must be able to demonstrate compliance with, the data protection principles. This means that we must implement appropriate and effective technical and organisational measures to ensure compliance and we also require staff to fully assist and co-operate with us in this regard. In particular, we have:
• appointed our Managing Director to be responsible for data protection compliance and privacy matters within the business
• implemented a privacy by design approach when processing personal data and we will conduct and complete data protection impact assessments (DPIAs) where a type of data processing, e.g. the adoption of a new program, process or IT system, in particular using a new technology, is likely to result in a high risk to the rights and freedoms of data subjects
• integrated data protection requirements into our internal documents, including this data protection policy, other related policies and privacy notices
• introduced a regular and mandatory data protection training programme for all members of staff on the data protection legislation and on their data protection duties and responsibilities and we also maintain a training record to monitor its delivery and completion
• introduced regular reviews of our privacy measures and our policies, procedures and contracts and regular testing of our systems and processes to monitor and assess our ongoing compliance with the data protection legislation and the terms of this policy in areas such as security, retention and data sharing.
We also keep records of our personal data processing activities.
PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
We are required to implement privacy by design measures when processing personal data by implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection legislation.
Where a type of data processing, e.g. the adoption of a new program, process or IT system, has a possibility to result in a high risk to the rights and freedoms of data subjects, the Company will conduct and complete a DPIA. This includes (but is not limited to):
• systematic and extensive automated processing and automated decision-making activities, including profiling, and on which decisions are based that have legal effects, or similar significant effects, on data subjects
• large-scale processing of special category personal data or criminal records personal data
• large-scale systematic monitoring of publicly accessible areas, e.g. using CCTV.
A DPIA will comprise a review of the new technology, program, process or system and it must contain a description of the processing operations and the purposes, an assessment of the necessity and proportionality of the processing in relation to those purposes, an assessment of the risks to individuals and the measures in place to address or mitigate those risks and demonstrate compliance.
AUTOMATED PROCESSING AND AUTOMATED DECISION-MAKING
Automated processing is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, and automated decision-making occurs when an electronic system uses an individual’s personal data to make a decision without human intervention.
DIRECT MARKETING
The Company is subject to certain rules when marketing to our clients and customers. In particular, a data subject’s prior consent is required for electronic direct marketing. There is a limited exception for existing clients and customers which allows us to send marketing texts and emails if we have obtained their contact details in the course of a sale to that person, we are marketing similar products or services to them and we gave that person an opportunity to opt out of marketing when first collecting their details and in every subsequent message.
If a data subject objects to direct marketing, it is essential that this is actioned in a timely manner and their details should be suppressed as soon as possible. We will retain just enough information to ensure that marketing preferences are respected in the future.
TRANSFERRING PERSONAL DATA TO THIRD COUNTRIES
The data protection legislation restricts transfers of personal data to third countries and international organisations in order to ensure that the level of data protection afforded to data subjects is maintained.
DATA SUBJECT RIGHTS TO ACCESS PERSONAL DATA
Under the data protection legislation, data subjects have the right, on request, to obtain a copy of the personal data that the Company holds about them by making a written data subject access request (DSAR). This allows the data subject to check that we are lawfully processing their personal data. The data subject has the right to obtain:
• confirmation as to whether or not their personal data are being processed
• access to copies of their specified personal data
• other additional information. The other additional information (which should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language) comprises:
• the purposes of the processing and the categories of personal data concerned
• the recipients, or categories of recipients, to whom the personal data have been or will be disclosed
• the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• the existence of the data subject’s rights to request rectification or erasure of their personal data or restriction of processing of their personal data or to object to such processing
• their right to lodge a complaint with the Information Commissioner’s Office if they think the Company has failed to comply with their data protection rights
• where the personal data was not collected from the data subject, any available information as to their source
• the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the envisaged consequences of such processing for them.
When a data subject makes a DSAR, we will log the date on which the request was received and confirm their identity. Where we have reasonable doubts concerning the data subject’s identity, we will request them to provide such additional information necessary to confirm their identity before complying with their DSAR. We will then search databases, systems and other places where the personal data which are the subject of the DSAR may be held. Where we process a large quantity of personal data about a data subject, we may ask them to first specify the information that their DSAR relates to.
If the data subject makes their DSAR electronically, the Company must provide a copy of the personal data in a commonly used electronic format, unless they specifically request otherwise. If the data subject wants additional copies of the personal data, the Company will charge a reasonable fee, which is based on our administrative costs of providing the additional copies.
The Company will normally respond to a DSAR and provide copies of the personal data within one month of the date of receipt of the request. This time limit is calculated from the day we receive the request, whether it is a working day or not, until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the following month. If the corresponding date falls on a weekend or public holiday, we have until the next working day to respond. However, we may extend this time limit for responding by a further two months if the request is complex or there are a number of requests made by the data subject. If we intend to extend the time limit, we will contact the data subject within one month of the DSAR’s receipt to inform them of the extension and to explain why it is necessary.
Before providing the personal data to the data subject making the DSAR, we will review the personal data requested to see if they contain the personal data of other data subjects. If they do, we may redact the personal data of those other data subjects prior to providing the data subject with their personal data, unless those other data subjects have consented to the disclosure of their personal data. We will also check whether there are any statutory exemptions from disclosure that apply to the personal data that are the subject of the DSAR. If a statutory exemption applies to any of the personal data, those personal data may not be disclosed.
Whilst we will normally provide a copy of the personal data in response to a DSAR free of charge, we reserve the right to charge a reasonable fee, based on our administrative costs of providing the personal data, when a DSAR is manifestly unfounded or manifestly excessive, particularly if it repeats a DSAR to which we have already responded. Alternatively, where a DSAR is manifestly unfounded or manifestly excessive, we reserve 14 the right to refuse to respond altogether. Where we refuse to act on a request in this way, we will set out our written reasons why to the data subject within one month of receipt of their DSAR. We will also inform them of their right to complain to the Information Commissioner’s Office or to seek a judicial remedy in the courts.
If you wish to exercise your data subject access rights, please complete our data subject access request form, or put the request in an email, and send it to our Managing Director. ,We will inform you if we need to further verify your identity.
If you receive a DSAR from another data subject, you must immediately forward it to our Managing Director and they will deal with responding to it.
OTHER DATA SUBJECT RIGHTS IN RELATION TO THEIR PERSONAL DATA
Data subjects have a number of other rights in relation to their personal data. When we process data subjects’ personal data, we will respect those rights. It is the Company’s policy to ensure that requests by data subjects to exercise their rights in respect of their personal data are handled in accordance with the data protection legislation.
Subject to certain conditions, and in certain circumstances, data subjects have the right to:
• be informed – this is normally satisfied by issuing them with an appropriate privacy notice
• request rectification of their personal data - this enables them to have any inaccurate or incomplete personal data we hold about them corrected or completed, including by their providing a supplementary statement
• request the erasure of their personal data - this enables them to ask us to delete or remove their personal data where there’s no compelling reason for their continued processing, e.g. it’s no longer necessary in relation to the purpose for which they were originally collected or if there are no overriding legitimate grounds for the processing
• restrict the processing of their personal data - this enables them to ask us to suspend the processing of their personal data, e.g. if they contest the accuracy and so want us to verify the accuracy or the processing is unlawful but they don’t want the personal data to be erased
• object to the processing of their personal data - this enables them to ask us to stop processing their personal data where we are relying on the legitimate interests of the business as our lawful basis for processing and there is something relating to 15 their particular situation which makes them decide to object to processing on this ground
• data portability - this gives them the right to request the transfer of their personal data to another party so that they can reuse them across different services for their own purposes
• not be subject to automated decision-making, including profiling - this gives them the right not to be subject to a decision based solely on the automated processing of their personal data, if such decision produces legal effects concerning them or similarly significantly affects them • prevent direct marketing - this enables them to prevent our use of their personal data for direct marketing purposes
• be notified of a data breach which is likely to result in a high risk to their rights and freedoms.
If, as a data subject, you wish to exercise any of these rights, please contact our Managing Director.
If a data subject invokes any of these rights, staff must take steps to verify their identity, log the date on which the request was received and seek advice from our Managing Director for assistance in dealing with the matter. The following response procedures apply as applicable:
​
• response to requests to rectify personal data - unless there is an applicable exemption, we will rectify the personal data without undue delay and we will also communicate the rectification of the personal data to each recipient to whom the personal data have been disclosed, e.g. our third-party service providers, unless this is impossible or involves disproportionate effort
• response to requests for the erasure of personal data - we will erase the personal data without undue delay provided one of the grounds set out in the data protection legislation applies and there is no applicable exemption (and, where the personal data are to be erased, a similar timetable and procedure to that applying to responding to DSARs will be followed). We will also communicate the erasure of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort. Where we have made the personal data public, we will take reasonable steps to inform those who are processing the personal data that the data subject has requested the erasure by them of any links to, or copies or replications of, those personal data
• response to requests to restrict the processing of personal data - where processing has been restricted in accordance with the grounds set out in the data protection legislation, we will only process the personal data (excluding storing them) with the data subject’s consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest. Prior to lifting the restriction, we will inform the data subject that it is to be lifted. We will also communicate the restriction of processing of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort
• response to objections to the processing of personal data - where such an objection is made in accordance with the data protection legislation and there is no applicable exemption, we will no longer process the data subject’s personal data unless we can show compelling legitimate grounds for the processing which overrides the data subject’s interests, rights and freedoms or we are processing the personal data for the establishment, exercise or defence of legal claims.
If a data subject objects to the processing of their personal data for direct marketing purposes, we will stop processing the personal data for such purposes
• response to requests for data portability - unless there is an applicable exemption, we will provide the personal data without undue delay if the lawful basis for the processing of the personal data is consent or pursuant to a contract and our processing of those data is carried out by automated means (and a similar timetable and procedure to that applying to responding to DSARs will be followed)
• response to requests not to be subject to automated decision-making - where such a request is made we will, unless there is an applicable exemption, no longer make such a decision unless it’s necessary for entering into, or the performance of, a contract between us and the data subject, is authorised by applicable law which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or is based on the data subject’s explicit consent. In these circumstances, the data subject will still be given the right to obtain human intervention, to express their point of view and to contest the decision.
In the limited circumstances where the data subject has provided their consent to the processing of their personal data for a specific purpose, they have the right to withdraw their consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on consent before its withdrawal.
If, as a data subject, you wish to withdraw your consent to the processing of your personal data for a specific purpose, please contact our Managing Director. Once we have 17 received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose you originally agreed to, unless we have another lawful basis for processing.
Data subjects also have the right to make a complaint to the Information Commissioner’s Office at any time.
STAFF OBLIGATIONS IN RELATION TO PERSONAL DATA
Staff must comply with this policy and the data protection principles at all times in their personal data processing activities where they are acting on behalf of the Company in the proper performance of their job duties and responsibilities.
Where unlawful activity is suspected, the Company will report the matter to the Information Commissioner’s Office for investigation into the alleged breach of the data protection legislation. The Company may also need to report the alleged breach to a regulatory body.
CHANGES TO THIS POLICY
The Company will review this policy at regular intervals and we reserve the right to update or amend it at any time.
It is intended that this policy is fully compliant with the data protection legislation. However, if any conflict arises between the data protection legislation and this policy, the Company will comply with the data protection legislation.
This policy may also be made available to the Information Commissioner’s Office on request.