The reason for this policy
Introduction
The meaning of key Data Protection terms
Summary of the Data Protection Principles
This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:
Our use of personal data and our purpose
We collect, hold, and process the personal data referred to in Schedule 1 (and the purpose for which we process that personal data is also set out in Schedule 1).
Our data protection measures
When we are working with personal data we take the measures set out in Schedule 2.
Lawful, Fair, and Transparent Data Processing
The Regulation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The processing of personal data is lawful if one (or more) of the following applies:
Processed for Specified, Explicit and Legitimate Purposes
Adequate, Relevant and Limited Data Processing
The Company will only collect and process personal data for, and to the extent necessary for, the specific purpose(s) of which data subjects have been informed under Part 5, above.
Accuracy of Data and Keeping Data Up To Date
The Company shall ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
Timely Processing
The Company shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay.
Secure Processing
The Company shall ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Further details of the data protection and organisational measures which shall be taken are provided in Parts 22 and 23 of this Policy.
The Rights of Data Subjects
The Regulation sets out the following rights applicable to data subjects:
Keeping Data Subjects Informed
Data Subject Access
Rectification of Personal Data
Erasure of Personal Data
Restriction of Personal Data Processing
Data Portability
Objections to Personal Data Processing
Automated Decision-Making
Profiling
Where the Company uses personal data for profiling purposes, the following shall apply:
Accountability
Privacy Impact Assessments
The Company shall carry out Privacy Impact Assessments when and as required under the Regulation. Privacy Impact Assessments shall be overseen by the Company’s data protection officer and shall address the following areas of importance:
Organisational Measures
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
Transferring Personal Data to a Country Outside the EEA
Data Breach Notification
Implementation of Policy
This Policy shall be deemed effective as of 22.05.2018. No part of this Policy shall have retroactive effect; it shall thus apply only to matters occurring on or after this date.
The following personal data may be collected, held, and processed by the Company:
These are the measures we take when working with personal data:
Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Agnieszka Gajownik to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service.