DATA PROTECTION POLICY THE HOLST GROUP


INTRODUCTION

The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller with reference to the personal data which it manages, processes and stores. Employees/clients of The Holst Group should refer to the guidance provided by the Information Commissioner's Office (https://ico.org.uk) as well as seeking professional advice regarding best practice in this area.

RATIONALE

As a data controller, The Holst Group and its staff (hereafter referred to collectively as The Holst Group) must comply with the data protection rules set out in the relevant UK legislation. This Policy applies to all personal data collected, processed and stored by The Holst Group in the course of its activities. We process personal information to enable us to provide training to our customers and clients, to promote our services, to maintain our own accounts and records, and to support and manage our employees.

In its role as an employer, The Holst Group may keep information relating to a staff member's physical, physiological or mental well-being, as well as their economic, cultural or social identity. Personal data also include a combination of identification elements such as physical characteristics, pseudonyms, occupation, home address, etc.

To the extent that The Holst Group's use of personal data qualifies as business to customer processing, including the organisation's communications to its staff members, the organisation is mindful of its obligations under the relevant UK legislation, namely the Data Protection Act (1998).

SCOPE

The policy covers both personal and sensitive personal data held in relation to its data subjects by The Holst Group. The policy applies equally to personal data held in manual and automated form. All personal and sensitive personal data will be treated with equal care by The Holst Group. Both categories will be equally referred to as personal data in this policy, unless specifically stated otherwise.

DEFINITIONS

For the avoidance of doubt, and for consistency in terminology, the following definitions apply within this Policy.

Data
This includes both automated and manual data. Automated data means data held on computer, or stored with the intention that it is processed on computer. Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.

Personal Data
Information that relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of The Holst Group.

Sensitive Personal Data
Sensitive personal data is personal data which relates to specific aspects of one's identity or personality, and includes information relating to ethnic or racial identity, political or ideological beliefs, religious beliefs, trade union membership, mental or physical well-being, sexual orientation, or criminal record.

Data Controller
The legal entity responsible for the acquisition, processing and use of the personal data. In the context of this policy, The Holst Group is the data controller.

Data Subject
A living individual who is the subject of the personal data, i.e. to whom the data relates either directly or indirectly.

Data Processor
A person or entity who processes personal data on behalf of The Holst Group on the basis of a formal, written contract, but who is not an employee of The Holst Group.

Data Protection Officer
A person appointed by The Holst Group to monitor compliance with the appropriate data protection legislation, to deal with Subject Access Requests, and to respond to data protection queries from staff members and the general public.

The Holst Group as a Data Controller

In the course of its daily organisational activities, The Holst Group acquires, processes and stores personal data in relation to living individuals. To that extent, The Holst Group is a data controller, and has obligations under the Data Protection legislation, which are reflected in this document.

In accordance with UK Data Protection legislation, this data must be processed fairly and lawfully. The Holst Group is committed to ensuring that all staff members have sufficient awareness of the legislation in order to be able to anticipate and identify a data protection issue, should one arise. In such circumstances, staff members must ensure that the Data Protection Officer (DPO) is informed, in order that appropriate corrective action is taken.

Due to the nature of the services provided by The Holst Group, there is a regular and active exchange of personal data between The Holst Group and its data subjects. In addition, The Holst Group exchanges personal data with data processors on the data subjects' behalf. This is consistent with The Holst Group's obligations under the terms of its contracts with its data processors.

This policy provides the guidelines for this exchange of information, as well as the procedure to follow in the event that a staff member is unsure whether such data can be disclosed. In general terms, the staff member should consult with the Data Protection Officer to seek clarification.

THIRD-PARTY PROCESSORS (WHERE APPLICABLE)

In the course of its role as data controller, The Holst Group engages third-party service providers, or data processors, to process personal data on its behalf. In each case, a formal, written contract is in place with the processor, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data in compliance with the UK Data Protection legislation.

The contract will also include reference to the fact that the data controller is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the legislation, and with the terms of the contract.

THE EIGHT DATA PROTECTION PRINCIPLES

The following key principles are enshrined in UK legislation and are fundamental to The Holst Group's data protection policy.

1. Fair and Lawful: Personal data is processed fairly and lawfully.

For data to be processed fairly, a data controller must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about the intention to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people's personal data only in ways they would reasonably expect; and
- ensure they do not do anything unlawful with the data.

- Where possible, the informed consent of the data subject is sought before their data is processed;
- Where it is not possible to seek consent, The Holst Group ensures that collection of the data is justified under one of the other lawful processing conditions (legal obligation, contractual necessity, etc.);

- Processing of the personal data is carried out only as part of The Holst Group's lawful activities, and it safeguards the rights and freedoms of the data subject;
- The data subject's data is not disclosed to a third party other than to a party contracted to The Holst Group and operating on its behalf, or where The Holst Group is required to do so by law.

2. Purposes: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The Holst Group obtains data for purposes which are specific, lawful and clearly stated. A data subject has the right to question the purpose(s) for which The Holst Group holds their data, and The Holst Group is able to clearly state that purpose or purposes.

3. Adequacy: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The Holst Group ensures that the data it processes in relation to data subjects are relevant to the purposes for which the data are collected. Data which are not relevant to such processing are not acquired or maintained.

4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date.

- Ensuring that administrative and IT validation processes are in place to conduct regular assessments of data accuracy;
- Conducting periodic reviews and audits to ensure that relevant data is kept accurate and up to date. The Holst Group conducts a review of sample data every six months to ensure accuracy;
- Ensuring that staff contact details and details on next-of-kin are reviewed and updated every two years, or on an ad hoc basis where staff members inform the office of such changes;
- Conducting regular assessments in order to validate the need to keep certain personal data.

5. Retention: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

As a data controller, The Holst Group must:
- review the length of time personal data is retained;
- consider the purpose or purposes for holding the information in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.

- If data is being retained indefinitely, a justification is provided;
- Once the respective retention period has elapsed, The Holst Group undertakes to destroy, erase or otherwise put this data beyond use;
- Data is destroyed as per the Data Destruction Policy in place at The Holst Group;
- Access to, and management of, staff and customer records is limited to those staff members who have appropriate authorisation and password access.

6. Rights: Personal data shall be processed in accordance with the rights of data subjects under this Act.

As a Data Controller, The Holst Group has the following obligation:
- A right of access to a copy of the information comprised in their personal data;
- A right to object to processing that is likely to cause or is causing damage or distress;
- A right to prevent processing for direct marketing;
- A right to object to decisions being taken by automated means;
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- A right to claim compensation for damages caused by a breach of the Act.

- A Subject Access Request procedure is in place;
- A mechanism is in place to capture data subject preferences;
- If using Direct Marketing, we ensure opt-ins and opt-outs are as per current data protection legislation;
- If using Profiling, we ensure the data subject is aware that they are being profiled and has the opportunity to object to such activity;
- We have mechanisms in place to capture communication from data subjects that refers to amending their personal data;

- We agree to pay in the instance where compensation has been awarded for breach of the Act.

7. Security: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

- The Holst Group uses a risk-based approach to security of data. The level of security in place shall be commensurate with the level of risk to security of the data;
- The Holst Group employs high standards of security in order to protect the personal data under its care;
- The Holst Group's Password Policy and Data & Destruction Policies guarantee protection against unauthorised access to, or alteration, destruction or disclosure of any personal data held by The Holst Group in its capacity as data controller;
- In the event of a data security breach affecting the personal data being processed on behalf of the data controller, the relevant third-party processor notifies the data controller without undue delay;
- Iain Chalmers of The Holst Group is responsible for ensuring information security.

8. International: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

- Assess whether or not the data can be anonymized prior to transfer;
- Map the process to clearly establish whether the data transits through the non-EEA country or is actually processed in the non-EEA country;
- Ensure that there is no personal data whatsoever on the website;
- Establish if the destination country is on the EU Commission's list of countries or territories that provide adequate protection for the rights and freedoms of data subjects. Personal data may be shared with countries on this list;
- In any case, we undertake to map the transfer process to establish the risks to personal data that may arise. We undertake to mitigate those risks to an acceptable risk level prior to transfer by means of adequate safeguards:
  - Adequate safeguards include Model Contract Clauses, Binding Corporate Rules, or other contractual arrangements;
  - Where adequate safeguards are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.

IMPLEMENTATION

As a data controller, The Holst Group ensures that any entity which processes personal data on its behalf (a data processor) does so in a manner compliant with the Data Protection legislation through a formal Data Processor Agreement.

Regular audit trail monitoring will be done by the Data Protection Officer to ensure compliance with this Agreement by any third-party entity which processes personal data on behalf of The Holst Group.

Failure of a data processor to manage The Holst Group's data in a compliant manner will be viewed as a breach of contract, and will be pursued through the courts.

Failure of The Holst Group's staff to process personal data in compliance with this policy may result in disciplinary proceedings.