Data protection policy.

Introduction.

This Policy outlines my responsibilities regarding the protection and safeguarding of your personal data that I collect, process and hold.I adhere to the principles relating to the processing of Personal data set out in the GDPR as my guide to ensure to the best of my ability that I protect the data you have entrusted me with.

Lawfulness, fairness & transparency.

I process your data in accordance to GDPR lawful grounds, these limitations ensure that you are treated fairly and the details of the grounds and purpose of my collecting your data are outlined in my Privacy Policy.

Data Subjects’ Rights & Requests.

I set up systems that allow me to comply with your requests to correct, erase and have access to your data; to allow you to withdraw consent and request your data not be transferred or processed as is your right.

Security, Integrity & confidentiality.

I develop, implement and maintain safeguards appropriate to the size, scope and business, my available resources, the amount of personal data that I own or maintain on behalf of others and identified risks.

Purpose Limitation.

I will only collect and process personal data for specified, explicit and legitimate purposes as explained in my Privacy Policy.
I do not use personal data for new, different or incompatible purposes from from the original ones you agreed to without your express permission.

Storage Limitation.

Your data must not be stored for any longer than is strictly required by the purpose for which it was collected and to fulfil legal obligations. I take all reasonable steps to destroy or erase from my systems all personal data that I no longer require in accordance with my data retention guidelines.

Transfer Limitation.

I only transfer your data to countries outside the UK and the EEA when there are safeguards in place that guarantee the equivalent safety for your data, to fulfil legal requirements or when you have given express consent.

Accuracy.

Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. I take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.

Data Minimization.

Personal data must be adequate, relevant and limited to limited to what is necessary for the purposes for which it is processed. When it is no longer needed for those purposes it is deleted or anonymised as stated in my data retention guidelines.

Data Security.

I implement Privacy by Design measures when processing personal data by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

I have developed, implemented and maintain safeguards appropriate to my size, scope and business, my available resources, the amount of personal data that I own or maintain on behalf of others and identified risks. I will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.

I may only transfer personal data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

I will follow all procedures and technologies put in place to maintain the security of all personal data from the point of collection to the point of destruction.

I will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

Confidentiality means that only people who have a need to know and are authorised to use the personal data can access it;

Integrity means that personal data is accurate and suitable for the purpose for which it is processed; and

Availability means that authorised users are able to access the personal data when they need it for authorised purposes.

Reporting a Data Breach.

The GDPR requires me as a Data Controller to notify any personal data breach to the applicable regulator and to you.

I have put in place procedures to deal with any suspected personal data breach and will notify you or any applicable regulator where we are legally required to do so.