Within our firm are two nominated individuals responsible for data under the GDPR. The roles undertaken are twofold, namely; The Data Controller and the Data Processor.
A Controller determines the purposes and means of processing personal data and a Processor is responsible for processing personal data on behalf of a controller.
As of 25th May 2018 the relevant persons within our organisation are:
Data controller: Mike Clare (firstname.lastname@example.org) and
Data Processor: Mike Clare (email@example.com).
To control and process data requires one of six recognised legal bases under GDPR to do so. The six bases are as follows:
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and simple ways for the withdrawal of consent will be required.
Processing is necessary for a contract with an individual, or because that individual has asked that specific steps be taken before entering into a contract.
- Legal obligation:
Processing is necessary to comply with the law (not including contractual obligations).
- Vital interests:
Processing is necessary to protect an individual’s life.
- Public task:
Processing is necessary for the performance of a task in the public interest or for official functions, and the task or function has a clear basis in law.
- Legitimate interests:
Processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
In order to rely on a ‘legitimate interest’ basis we undertake a three-part test which must be satisfied:
- A legitimate interest has been identified;
- It can be shown that processing is necessary to achieve it; and
- Such processing has been balanced against the individual’s [data subject’s] interests, rights and freedoms.
Furthermore under the GDPR the Data Subject [individual] has a number of rights [seven] regarding the collection and processing of their data. For the purposes of the GDPR Data is identified under two categories:
Personal Data: Any ‘personal data’ relating to an identifiable person held automatically or manually.
Sensitive Personal Data: Including genetic & biometric where processed to uniquely identify an individual.
The seven rights of the Data subject are:
- Right to be informed;
The right to be informed encompasses the obligation to provide “fair processing information”. It emphasises the need for transparency in the use of personal data.
- Right of access;
Data Subjects have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Such a Data Access Request will be provided free of charge within one month, with the following exceptions/provisos:
- Such a request is manifestly unfounded or excessive;
- Such a request is repetitive;
- Such a request requires copies of previously provided information.
In the event of charges being raised the firm will notify in advance such costs which in any event will be based on the administrative cost of providing the requested information.
In the event of manifestly unfair or excessive requests we may refuse to respond to the request and any such refusal will be notified to the requester [data subject] with a reason for the refusal and, in addition, information as to the data subject’s rights to complain to the supervisory body or judicial authority within one month of such a request being received.
- Right to rectification;
The GDPR gives Data Subjects the right to have personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.
- Right to erasure;
This right is to enables a Data Subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Right to restrict processing;
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, storage of the personal data is permitted, but not to further process it.
Information can be retained just enough for the individual to ensure that the restriction is respected in future.
- Right to data portability;
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- Right to object;
The right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. As well as this notice to the Right to Object in this policy, we will, in all initial communications with a data subject, inform them of this right separately from any other information.
In addition a Data Subject has the right to make a complaint to the Information Commissioner’s Office [ICO] on-line, by phone or in writing at the following:
T: 0303 123 1113;
Information Commissioner’s Office, Wycliffe house, Water Lane, Wilmslow, Cheshire. SK9 5AF.
The following table identifies the types of data we collect, control and process; and the legal basis we rely upon for doing so:
|Type of information collected.||Purpose[s]||Legal basis for processing|
|Data Subject’s name, address, telephone numbers, e-mail address(es).||Managing the Data Subject’s relationship with the firm.||Performing the Firm’s contract with the Data Subject.|
|The names and ages of the Data Subject’s dependants.||Managing the Data Subject’s and their dependants’
|Performing the Firm’s contract with the Data Subject.|
|Emergency contact details||Contacting next of kin in the event of emergency.||Protecting the Data Subject’s vital interests and those of their dependants.
|Date of birth / age related information.||Managing membership categories which are age related.
|Performing the Firm’s contract with the Data Subject’s.|
|Gender.||Provision of adequate facilities for members.||For the purposes of our legitimate interests in making sure that the Firm provides sufficient and suitable facilities (including changing rooms and toilets) for each gender.|
|Photos and videos of the Data Subject||To promote the firm on the Firm’s website and marketing activities||Consent. The firm will seek the Data Subject’s explicit consent via the firm’s website or other forms of authorisation. The Data Subject may withdraw their consent at any time via the website; email, letter or similar method used to obtain the Data Subject’s consent.|
|Data Subject’s name and email address.||Mail shot and marketing purposes.||Consent. The firm will seek the Data Subject’s explicit consent via the firm’s website or other forms of authorisation. The Data Subject may withdraw their consent at any time via the website; email, letter or similar method used to obtain the Data Subject’s consent.|
|Bank account details or payment details||To pay, be paid, or to refund monies.||To fulfil the contract between the Firm and the Data Subject.|
The Firm will protect the data we collect in the following ways:
The Data Subject’s data will not be transferred outside the European Economic Area [EEA] without the explicit consent of the Data Subject;
The Firm has in place general recognised standards of technology including operational security including, but not limited to, data encryption thereby enabling the protection of relevant data from misuse, loss, damage, alteration, destruction or unauthorised access.
Any receipt or transfer of funds will be via recognised secure payment systems. The firm will securely destroy any financial information once used and longer needed other than required by law.
The firm’s website will adhere to SSL encryption protocols.
Any breach of data which may pose a serious risk will be notified to the Data Subject without delay.
The Firm will not sell, pass on or contract with third parties Data Subject’s data without prior written [withdrawable] consent other than where required to by law; or otherwise provided for in the above table; or as follows:
A Data subject’s data may be passed to third parties which are under contract with the Firm to provide services to the Data Subject on the firm’s behalf. In such an event the data shared is only that necessary to fulfil the service requirement under the terms of the contract with the Firm. Within such a contract an express condition will be that the third party keep any data secure and not to use in any other way, such data, for their own or other parties purposes.
The Firm will retain the Data Subject information for as long as necessary under the legal bases as identified in the table above or to comply with any legal obligation on the Firm’s part. The firm will re view annually the data it holds to establish whether it continues to have the right to process it. Should such a right fail to continue to apply the Firm will cease from processing such data. Data may be retained thereafter in order to comply with any legal obligations which may arise.