This policy sets out how Tech Access collects, stores, analyses, uses or does anything else with personal data. It is supplemented by (and should be read alongside) the more detailed processes and policies listed at the end of this document.
Why are you reading this policy?
The General Data Protection Regulation (GDPR) applies to the processing of personal data of individuals, replacing many local or national laws. Global data protection and data privacy laws, including the GDPR, take a stringent position regarding how businesses handle and process data. GDPR protects the rights and freedoms of living individuals (data subjects) in relation to their personal data. It imposes obligations, restrictions and controls over the way organisations collect, process, transfer and store this information.
What is personal data?
Personal data is very broadly defined and includes any offline or online data that makes a person identifiable. It does not have to be particularly “personal” or “private” in nature and includes information, facts or opinions about living individuals by reference to:
- an identifier such as name, identification number, location data, online identifier (e.g. IP address); or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
How do we handle sensitive personal data?
Additional restrictions apply to the processing of special categories of sensitive personal data such as:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs, or trade union membership;
- data concerning health or a person’s sex life or sexual orientation;
- genetic / biometric data for the purpose of uniquely identifying a person;
- data relating to criminal convictions and offences.
We must take particular care in the processing of personal data in these special categories as the law requires us to take further steps to safeguard this sensitive and special category information.
It is Tech Access’s policy that personal data must be:
- collected and processed in a lawful, fair and transparent manner;
- collected for a specified, explicit and legitimate purpose;
- minimised (to limit use of personal data to what is adequate and relevant, in relation to the specified purpose);
- accurate and where necessary kept up to date;
- kept no longer than is necessary to fulfil the specified purpose; and
- kept secure – by using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage.
If you need more information or guidance, or have any questions, please contact email@example.com.
Collecting and Processing Data
When collecting personal data from an individual, we must ensure there is a lawful basis and provide that person with transparent information about the processing of their data (this is usually done via a privacy notice).
Where the lawful basis for processing is the individual's consent, that consent must be freely given, unambiguous, separate from other matters and expressed in clear and plain language. It should be as easy to withdraw consent as to give it. Where the data subject is a child below the age of consent in the relevant country, processing is only lawful with parental consent. Please note that although GDPR requires parental consent where the child is below 16 years old, it allows national law to lower this age as long as it is not below 13 years.
There are strict conditions around processing the special categories of sensitive personal data and data relating to criminal convictions and offences (see above).
We will complete a Data Protection Impact Assessment where necessary (see below).
Transferring Data to Third Parties
When transferring personal data to, or outsourcing processing activities to, a third party, we will make sure that:
- the third party will handle the data in compliance with the relevant legislation and regulations; and
- the processing is governed by a contract or legal processing agreement.
Requests from individuals
In addition to the information that must be provided to individuals before processing, data subjects have numerous other rights over their personal data, such as:
- Right of access (also called a ‘Subject Access Request’)
- Right to rectification
- Right to request erasure (also known as ‘right to be forgotten’)
- Right to restriction of processing
- Right to be notified and informed
- Right to data portability
- Right to object
- Right against automated decision making (including profiling)
- Right to complain to the relevant supervisory authority (e.g. the Information Commissioner’s Office in the UK).
Records of Processing / Retention
Tech Access is responsible for maintaining an up-to-date inventory of all the personal data it processes.
Tech Access must not process more personal data than it needs to. Our policy is to delete or anonymise personal data when no longer needed.
Data Protection by design and by default
When a new process or system involving the processing of personal data is designed, technical and organisational measures must be implemented by default so that personal data is processed in compliance with the data protection principles and the rights and freedoms of data subjects are protected. Privacy by design and default will also be important when a significant change is made to an existing process or system.
Data Protection Impact Assessment (DPIA)
Where processing is likely to result in a high risk to the privacy of data subjects, a DPIA must be completed before the processing commences. This includes the implementation of new systems and changes to existing data processing.
Personal data breaches can result in a risk to the rights and freedoms of individuals, as well as reputational damage for Tech Access.