The company has committed to processing data in compliance with its GDPR obligations.
processed lawfully, fairly, and transparently in relation to individuals; collected for specific, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes;
Further processing for the purposes of public interest archiving, scientific or historical research, or statistics is not regarded as incompatible with the original purposes;
adequate, relevant, and restricted to what is necessary in relation to the purposes for which they are processed; accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified as soon as possible;
Personal data must be kept in a form that allows data subjects to be identified for no longer than is necessary for the purposes for which they are processed; personal data may be stored for longer periods if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by the GDPR in each case.
processed in a way that ensures the personal data’s proper security, including protection against unauthorized or unlawful processing, as well as accidental loss, deletion, or damage, by employing relevant technical or organizational measures.
- GENERAL PROVISIONS
This policy applies to all of the Company’s personal data processing.
The Responsible Person is responsible for the Company’s continued adherence to this policy.
At least once a year, this policy will be reviewed.
As an organization that processes personal data, the Company must register with the Information Commissioner’s Office.
- LAWFUL, FAIR AND TRANSPARENT PROCESSING
The Company will keep a Register of Systems to guarantee that its data processing is legal, fair, and transparent.
At least once a year, the Register of Systems must be reviewed.
Individuals have the right to view their personal information, and any requests made to the charity will be handled promptly.
- LAWFUL PURPOSES
Consent, contract, legal obligation, vital interests, public task, or legitimate interests are all legal bases on which the charity may process data (see ICO guidance for more information).
In the Register of Systems, the Company will record the appropriate legal basis.
When consent is used as a legal basis for processing personal data, proof of opt-in consent must be stored with the personal data.
Individuals should have the ability to revoke their consent when communications are made to them based on their consent, and systems should be in place to guarantee that such revocation is appropriately reflected in the Company’s systems.
- DATA MINIMISATION
The Company requires that personal data be adequate, relevant, and limited to what is essential for the purposes for which it is processed.
The Company will take reasonable steps to ensure the accuracy of personal data.
Steps must be taken to ensure that personal data is kept up to date if appropriate for the lawful basis on which data is processed.
- ARCHIVING / REMOVAL
To ensure that personal data is stored for no longer than is necessary, the Company will implement an archiving policy for each area where personal data is processed, which will be reviewed once a year.
The archiving policy will consider what data should/must be retained, for how long, and why.
Personal data will be securely held by the Company using current software that is kept up to date.
Personal data should only be accessible to those who require it, and sufficient security should be in place to prevent unauthorised information sharing.
When personal data is removed, it should be done in a secure manner so that it cannot be recovered.
Appropriate disaster recovery and backup solutions must be in place.
- BREACH
In the case of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, the Company must assess the risk to people’s rights and freedoms as soon as possible and, if necessary, disclose the breach to the ICO (more information on the ICO website).