The Regulation defines “personal data” as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (a “Data Subject”, “you” or “your”).
The Regulation sets out the following principles with which any party handling personal data must comply. Accordingly, we intend for all personal data to be:
The Regulation seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The Regulation states that processing of personal data shall be lawful if at least one of the following applies:
We will only collect and process personal data for and to the extent necessary for the specific purpose(s) informed to you as under Part 4, above.
We will ensure that all personal data collected and processed is kept accurate and up-to-date. The accuracy of data shall be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
We will not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay.
We will keep written internal records of all personal data collection where the data being processed could risk the data subjects’ rights and/or freedoms, or where the data is related to criminal convictions or offences.
We will carry out Privacy Impact Assessments to address the following areas of importance: We will carry out Privacy Impact Assessments to address the following areas of importance:
10.1 The purpose(s) for which personal data is being processed and the processing operations to be carried out on that data;
10.2 Details of the legitimate interests being pursued by us;
10.3 An assessment of the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
10.4 An assessment of the risks posed to individual data subjects; and
10.5 Details of the measures in place to minimize and handle risks including safeguards, data security, and other measures and mechanisms to ensure the protection of personal data, sufficient to demonstrate compliance with the Regulation.
The Regulation sets out the following rights applicable to data subjects:
12.1 You may make a subject access request (“SAR”) at any time to find out more about the personal data which we hold about them. We normally required to respond to SARs within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases you will be informed of the need for the extension).
12.2 We do not charge a fee for the handling of normal SARs. We reserve the right to charge reasonable fees for additional copies of information that has already been supplied to you, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
13.1 If you inform us that personal data held by us is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and you will be informed of that rectification, within one month of receipt the your notice (this can be extended by up to two months in the case of complex requests, and in such cases you will be informed of the need for the extension).
13.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data.
14.1 You may request that we erase the personal data we hold about you in the following circumstances:
14.2 Unless we have reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and you will be informed of the erasure, within one month of receipt of your request (this can be extended by up to two months in the case of complex requests, and in such cases you will be informed of the need for the extension).
14.3 In the event that any personal data that is to be erased in response to your request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
15.1 You may request that we cease processing the personal data we hold about you. If you make such a request, we will retain only the amount of personal data pertaining to you that is necessary to ensure that no further processing of your personal data takes place.
15.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
16.1 Where you have given your consent to us to process your personal data in such a manner or the processing is otherwise required for the performance of a contract between us and you, you have a right to receive a copy of your personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organizations).
16.2 To facilitate the right of data portability, we will make available all applicable personal data to data subjects in the following formats:
16.3 Where technically feasible, if requested by you, personal data shall be sent directly to another data controller.
16.4 All requests for copies of personal data shall be complied with within one month of your request (this can be extended by up to two months in the case of complex requests in the case of complex or numerous requests, and in such case you will be informed of the need for the extension).
17.1 You have the right to object to us processing your personal data based on legitimate interests (including profiling), direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
17.2 If you object to us processing your personal data based on your legitimate interests, we will cease such processing forthwith, unless it can be demonstrated that our legitimate grounds for such processing; or the processing is necessary for the conduct of legal claims.
17.3 Where you object to us processing your personal data for direct marketing purposes, we will cease such processing forthwith.
18.1 In the event that we use personal data for the purposes of automated decision-making and those decisions have a legal or similarly significant effect on data subjects, data subjects have the right to challenge to such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from us.
18.2 The right described in Part 18.1 does not apply in the following circumstances:
The following personal data may be collected, held, and processed by us:
We will ensure that, to the extent possible and practicable that we comply with the following when working with personal data and that the following measures are taken with respect to the collection, holding, and processing of personal data:
We will ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
Any material changes will be notified by way of email or will be effective from the date they are published on our website.
If you would like to get in touch regarding your personal data, you can contact us at the numbers provided under the Contact section of our website.