Data Protection Policy

1. Purpose

This Data Protection Policy outlines the principles and guidelines our organisation follows to protect personal data in compliance with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) and any local data protection laws. The policy aims to ensure that personal data is processed fairly, lawfully, and transparently, and that it is protected against unauthorised access, use, disclosure, or destruction.

2. Scope

This policy applies to all employees, contractors, consultants, and other workers at our organisation who have access to personal data. It covers all personal data processed by the organisation, regardless of the form in which it is held (electronic, paper-based, or other).

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.
  • Data Subject: The individual to whom personal data relates.
  • Data Controller: The organisation or individual who determines the purposes and means of processing personal data.
  • Data Processor: The organisation or individual who processes personal data on behalf of the Data Controller.

4. Principles

Our organisation adheres to the following data protection principles:

  • Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
  • Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data Minimisation: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
  • Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
  • Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

5. Data Subject Rights

Data subjects have the following rights concerning their personal data:

  • Right to Access: The right to obtain confirmation as to whether personal data concerning them is being processed, and, if so, access to that data.
  • Right to Rectification: The right to request correction of inaccurate personal data and to have incomplete data completed.
  • Right to Erasure: The right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • Right to Restrict Processing: The right to restrict the processing of personal data in certain circumstances, such as when the accuracy of the data is contested.
  • Right to Data Portability: The right to receive the personal data provided to the organisation in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object: The right to object to the processing of personal data, particularly where the data is processed for direct marketing purposes.

6. Data Security

Our organisation implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data. These measures include, but are not limited to:

  • Access Controls: Only authorised personnel have access to personal data.
  • Encryption: Personal data is encrypted both at rest and in transit where appropriate.
  • Regular Audits: Periodic audits are conducted to ensure ongoing compliance with this policy and data protection regulations.
  • Incident Response: Procedures are in place to promptly respond to and mitigate data breaches or other security incidents.

7. Data Processing

  • Data Collection: Personal data is collected only for specific, legitimate purposes and is processed in accordance with the principles outlined in this policy.
  • Data Sharing: Personal data is not shared with third parties unless there is a lawful basis for doing so, and appropriate safeguards are in place.
  • International Transfers: Personal data transferred outside the European Economic Area (EEA) is subject to appropriate safeguards, such as standard contractual clauses or binding corporate rules, to ensure it is protected.

8. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. When personal data is no longer needed, it is securely deleted or anonymised.

9. Training and Awareness

All employees, contractors, and other relevant personnel receive regular training on data protection principles and practices. This training ensures that they understand their responsibilities under this policy and are equipped to handle personal data appropriately.

10. Data Breach Management

In the event of a data breach, our organisation will follow a predefined incident response plan that includes:

  • Immediate Containment and Recovery: Steps to limit the breach and recover data.
  • Risk Assessment: Assessing the risk to individuals and determining the need to notify relevant authorities and affected individuals.
  • Notification: Notifying the relevant data protection authority within 72 hours of becoming aware of the breach, where required, and communicating with affected individuals if the breach is likely to result in a high risk to their rights and freedoms.
  • Evaluation and Response: Investigating the cause of the breach and implementing measures to prevent future incidents.

11. Roles and Responsibilities

  • Data Protection Officer (DPO): Our organisation has appointed a DPO responsible for overseeing compliance with data protection laws and this policy. The DPO also serves as the point of contact for data subjects and supervisory authorities.
  • Management: Senior management is responsible for ensuring that data protection is a core consideration in all organisational processes and that resources are available for compliance efforts.
  • Employees: All employees are responsible for adhering to this policy and ensuring that personal data is handled in accordance with the principles and practices outlined.

12. Policy Review

This policy is reviewed annually or as required to ensure its continued relevance and compliance with applicable laws and regulations. Updates will be communicated to all relevant parties.

13. Contact Information

For questions or concerns regarding this policy or data protection practices, please contact our Data Protection Officer on 01904 500500 or by email at dpo@seegreen.uk.