We adhere to the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
We only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing, but to ensure that we Process Personal Data fairly and without adversely affecting the Data Subject.
The GDPR allows Processing for specific purposes, some of which are set out below:
We identify and document the legal ground being relied on for each Processing activity.
We only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which include Consent.
A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing.
You keep evidence of Consent captured and keep records of all Consents so that the Company can demonstrate compliance with Consent requirements.
Personal Data is only collected for specified, explicit and legitimate purposes. It is not further Processed in any manner incompatible with those purposes.
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
We do not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.
The Company will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.
We take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Company's applicable records retention schedules and policies. This includes requiring third parties to delete such data where applicable.
Personal Data is secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
We develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. We implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data.
The GDPR requires Data Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject.
We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
We only transfer Personal Data outside the EEA if one of the following conditions applies:
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
We keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects' Consents and procedures for obtaining Consents.
Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
We only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
We only share the Personal Data we hold with third parties, such as our service providers, if:
This Privacy Standard does not override any applicable national data privacy laws and regulations in countries where the Company operates.