Data Protection Policy
Protecting personal data
Protecting personal data is very important. Whether it belongs to you or individuals we work with we take our responsibilities very seriously.
Not only do we need to ensure that we protect your personal data but you also need to help us to protect other personal data that we hold.
If you have any questions or concerns about this policy or the processing of personal data please email to email@example.com.
When dealing with personal data there are eight principles that you and we need to follow. The personal data needs to be:
- Processed fairly and lawfully
- Relevant and not excessive
- Processed for limited purposes and in an appropriate way
- Not kept longer than necessary
- Processed in accordance with the laws dealing with personal data
- Kept secure
- Not transferred to people or organisations in countries without adequate protection
There is a lot to understand in respect of these principles. This policy should help you to ensure that your and our treatment of personal data is appropriate and lawful. If you have any questions please direct them to firstname.lastname@example.org.
A lawful purpose for processing your personal data
We process personal data fairly and lawfully. Grounds for processing personal data include: with your consent, to comply with a legal obligation, in your vital interests, in the performance of a contract with you or in our legitimate interests (or a third party processing your personal data). If the personal data is sensitive additional conditions will be met.
At the end of this policy we identify the categories of personal data that we collect and the reasons for processing it along with a privacy notice explaining more about what we do with your personal data.
Where we process the following data we will secure your consent before doing so:
transferring your personal data to a county outside of the European Economic Area provided that we are satisfied with the protections that they have in place to protect your data (unless it’s a one off transfer of data);
Requests to see your personal data
If you want us to show you personal data that we hold on you then you need to make a request in writing to email@example.com. We might ask you for more details about the request or give you a template letter to help with your request. Where the request isn’t made in person we will always ask for two forms of identity to confirm that it is you making the request.
We’ll always try and acknowledge your request when we receive it. We have between 30 days and three months to respond in full to your request.
Your rights to deletion, freezing data processing and corrections
You can ask us to delete your personal data where:
Processing it is no longer necessary bearing in mind the reason it was collected;
It is being processed unlawfully;
You object to us processing your personal data
Where information we hold on you is inaccurate or incomplete you can ask us to rectify the data.
You can ask us to stop processing your data where:
Processing is unlawful;
You say that the information that we hold is inaccurate;
You don’t consider we have a ‘legitimate interest’ for processing the data.
Limitations and obligations
We have processes in place to ensure that the accuracy of the personal data that we hold is up to date. Obviously, if personal data that we hold on you is out of date or inaccurate please update the information yourself, and if you are unable to, email me at firstname.lastname@example.org.
Wherever possible you should always encrypt personal data so that it is not easily accessible to others. Equally, you and we should not capture more personal data than is needed for the purpose identified.
We will retain your personal data in accordance with our ‘policy on retaining your personal data’. We have processes in place to ensure that personal data isn’t kept for longer than necessary. Once it’s no longer necessary for processing purposes we will delete it.
We have put appropriate security measures in place to stop accidental loss of, or damage to personal data. Where we ask third parties to process your personal data we will ensure that they have appropriate security measures in place too and that they comply with data protection legislation.
A data breach is a breach of data security that leads to accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. It includes sending emails to the wrong person, carelessness with passwords and leaving personal data on desks.
We will only process or share your personal data for the purpose it was collected.
This policy may be changed from time to time. We will notify you of any changes.