2.0 Legislative Update
Like every organisation, we are required to comply with the new EU General Data Protection Regulation (GDPR), which is in force from 25th May 2018 and replaces the 1998 Data Protection Act. The GDPR aims to protect the privacy, rights and freedoms of all EU citizens, and places stricter requirements on organisations relating to how they process personal information. This new law will not be affected by Brexit. The UK Government is currently processing further law (the Data Protection Bill), which will enhance the provisions of the GDPR and clarify areas of it which have been left to individual states to govern.
3.0 Personal Information
Personal Information is defined as any information (data) which can be used to directly or indirectly identify a living individual. This can include obvious things like your name; date of birth; National Insurance number; driving licence number; home or work address, postcode, telephone and mobile numbers, and email addresses. It also covers less obvious identifiers such as your computer's IP address and device location data. There are also categories of data which are considered to be Sensitive Personal Information, such as: health and medical details, including biometric and genetic data; political or religious beliefs; sexual preferences and orientation. Processing Sensitive Personal Information is prohibited except under certain circumstances.
4.0 Your Rights
The GDPR brings clarity to your rights whenever an organisation collects information about you. You are entitled to the following:
- To be informed when and how we collect, process or store your data. Ideally, this is done before your data is collected; however, there may be times when this is not possible, for example when your data is not collected directly from you. In this case, organisations are now required to inform you that they have acquired your data within one month of its collection.
- To access the information we hold about you. To help us respond in the most efficient and effective way, please email firstname.lastname@example.org with the details of your request.
- To rectify any discrepancies or errors in the information we hold about you. If we have stored any information about you, and you believe it to be incorrect, you may ask that it be rectified.
- To restrict processing. Other than processing your orders, handling service communications and marketing emails, we do not process your identifiable information. However, you may ask us to stop processing it, for example, if you want to take a break from receiving marketing communications.
- The right to data portability: if you want to transfer the data we hold about you, we can provide it for that purpose.
- To object to processing, for example to stop receiving direct marketing communications.
- To ask us to erase the data we hold about you. However, you should note that there may be overriding legal, statutory or regulatory reasons that prevent us from doing this.
- Where Automated Decision Making is used, there must be an option for human intervention.
5.0 The Principles of Data Protection
In addition to your rights as a “Data Subject”, the GDPR also outlines several specific principles that organisations should adhere to in order to help maintain the integrity and security of your data; these principles are intended to support your rights outlined above. Data processing should be:
- Lawful, Fair and Transparent – In other words, we will have a legal reason for processing your data, we will be fair in processing your data, and we will be transparent in processing your data.
- Limited Purpose – we will only process your data for the purpose that we informed you of, e.g. processing orders, sending product updates and offers, marketing materials, or handling complaints. We will not use data collected for one purpose to fulfil another.
- Data Minimisation – we won’t ask you to provide us with more information than is necessary to carry out the activity we are collecting it for.
- Accuracy – any data we hold about you should be kept accurate and up to date; we will often rely on you to notify us of any changes that affect our ability to do this. This principle supports your right to rectify discrepancies and errors.
- Storage Limitation – this means that we won’t keep your data for longer than is necessary to perform the purpose for which it was collected, or to satisfy any legal, statutory or regulatory requirement to keep it.
- Integrity & Confidentiality – we will take every reasonable organisational effort and technical measure to protect the data we hold about you from unauthorised access, alteration or disclosure.
6.0 What Personal Information we collect and how we use it
Other than the information gathered about you via our website cookies, which you can consent to or decline the first time you visit our website, the only other information we collect is what you freely give to us via our enquiry form:
- Your name
- Your contact number
- Your email address
We only use this information to contact you in response to your enquiry, to send you email notifications that you have specifically requested, to send you non-marketing commercial communications, or to manage any contracts we enter into with you. We won’t, without your express consent, supply your personal information to any third party for the purpose of their or any other third party’s direct marketing, as required by the GDPR.
7.0 Disclosing Personal Information
We can disclose your personal information to any of our employees, officers or insurers in order to manage contracts, and to the extent that we’re required to do so by law; in connection with any on-going or prospective legal proceedings; in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk); or to the purchaser of any business or asset that we’re selling. Except as provided in this policy, we won’t provide your personal information to third parties.
8.0 International Data Transfers
Information that we collect may be transferred to the following countries, which don’t have data protection laws equivalent to those in force in the European Economic Area: the United States of America, Russia, Japan, China and India. However, we will endeavour to ensure that they store and treat the data according to the GDPR.
9.0 Retaining Personal Information
CDS complies with the GDPR legislation with regard to retaining personal information. Any personal information that we process for any purpose(s) won’t be kept for longer than is necessary for that purpose(s), unless we are required to retain it by law, or we believe that it might be relevant to any on-going or prospective legal proceedings.
10.0 Security of Personal Information
CDS will take all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. All personal information you give us will be stored under the relevant level of security in our (password and firewall-protected) servers.
11.0 Data Received from other Organisations
If we receive any personal information about you from a third party, we will contact you within a month of receiving it, informing you of the information we received, where it was received from and the reasons for which we would process it. At any time you can exercise your right to inform us that you wish us to stop processing this information, unless we have to retain the information for an overriding legal, statutory or regulatory reason.
12.0 How to Contact us
If you wish to contact us regarding your personal information, or raise a query regarding this policy, please do not hesitate to contact our Data Protection Officer:
By email: email@example.com
Data Protection Officer (DPO),
CDS Group Services,
Tamar House, Thornbury Road,
Estover, Plymouth, Devon
13.0 Policy Amendments
CDS reserves the right to update and amend this policy when it feels there is a need to do so, and each update will be added to the website, replacing the old policy. You should check this page occasionally to make sure you’re happy with any changes to this policy.