DisplayNote Technologies Limited Data Protection Policy July 2014

Transcription

1 DisplayNte Technlgies Limited Data Prtectin Plicy July Intrductin This dcument sets ut the bligatins f DisplayNte Technlgies Limited ( the Cmpany ) with regard t data prtectin and the rights f peple with whm it wrks in respect f their persnal data under the Data Prtectin Act 1998 ( the Act ). This Plicy shall set ut prcedures which are t be fllwed when dealing with persnal data. The prcedures set ut herein must be fllwed by the Cmpany, its emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany. The Cmpany views the crrect and lawful handling f persnal data as key t its success and dealings with third parties. The Cmpany shall ensure that it handles all persnal data crrectly and lawfully. 2. The Data Prtectin Principles This Plicy aims t ensure cmpliance with the Act. The Act sets ut eight principles with which any party handling persnal data must cmply. All persnal data: 2.1 Must be prcessed fairly and lawfully (and shall nt be prcessed unless certain cnditins are met); 2.2 Must be btained nly fr specified and lawful purpses and shall nt be prcessed in any manner which is incmpatible with thse purpses; 2.3 Must be adequate, relevant and nt excessive with respect t the purpses fr which it is prcessed; 2.4 Must be accurate and, where apprpriate, kept up-t-date; 2.5 Must be kept fr n lnger than is necessary in light f the purpse(s) fr which it is prcessed; 2.6 Must be prcessed in accrdance with the rights f data subjects under the Act; 2.7 Must be prtected against unauthrised r unlawful prcessing, accidental lss, destructin r damage thrugh apprpriate technical and rganisatinal measures; and 2.8 Must nt be transferred t a cuntry r territry utside f the Eurpean Ecnmic Area unless that cuntry r territry ensures an adequate level f prtectin fr the rights and freedms f data subjects in relatin t the prcessing f persnal data. DisplayNte Technlgies Data Prtectin Plicy- July 2014 Page 1 f 6

2 3. Rights f Data Subjects Under the Act, data subjects have the fllwing rights: The right t be infrmed that their persnal data is being prcessed; The right t access any f their persnal data held by the Cmpany within 40 days f making a request; The right t prevent the prcessing f their persnal data in limited circumstances; and The right t rectify, blck, erase r destry incrrect persnal data. 4. Persnal Data Persnal data is defined by the Act as data which relates t a living individual wh can be identified frm that data r frm that data and ther infrmatin which is in the pssessin f, r is likely t cme int the pssessin f, the data cntrller, and includes any expressin f pinin abut the individual and any indicatin f the intentins f the data cntrller r any ther persn in respect f the individual. The Act als defines sensitive persnal data as persnal data relating t the racial r ethnic rigin f the data subject; their plitical pinins; their religius (r similar) beliefs; trade unin membership; their physical r mental health cnditin; their sexual life; the cmmissin r alleged cmmissin by them f any ffence; r any prceedings fr any ffence cmmitted r alleged t have been cmmitted by them, the dispsal f such prceedings r the sentence f any curt in such prceedings. The Cmpany nly hlds persnal data which is directly relevant t its dealings with a given data subject. That data will be held and prcessed in accrdance with the data prtectin principles and with this Plicy. The fllwing data may be cllected, held and prcessed by the Cmpany frm time t time: Name; jb title; prfessin; cntact infrmatin such as addresses and telephne numbers demgraphic infrmatin such as pst cde, preferences and interests; financial infrmatin such as credit / debit card numbers; 5. Prcessing Persnal Data Any and all persnal data cllected by the Cmpany (including that detailed in Sectin 4 f this Plicy) is cllected in rder t ensure that the Cmpany can facilitate efficient transactins with third parties including, but nt limited t, its custmers, partners, assciates and affiliates and efficiently manage its emplyees, cntractrs, agents and cnsultants. Persnal data shall als be used by the Cmpany in meeting any and all relevant bligatins DisplayNte Technlgies Data Prtectin Plicy- July 2014 Page 2 f 6

3 impsed by law. Persnal data may be disclsed within the Cmpany. Persnal data may be passed frm ne department t anther in accrdance with the data prtectin principles and this Plicy. Under n circumstances will persnal data be passed t any department r any individual within the Cmpany that des nt reasnably require access t that persnal data with respect t the purpse(s) fr which it was cllected and is being prcessed. The Cmpany shall ensure that: All persnal data cllected and prcessed fr and n behalf f the Cmpany by any party is cllected and prcessed fairly and lawfully; Data subjects are made fully aware f the reasns fr the cllectin f persnal data and are given details f the purpse fr which the data will be used; Persnal data is nly cllected t the extent that is necessary t fulfil the stated purpse(s); All persnal data is accurate at the time f cllectin and kept accurate and upt-date while it is being held and / r prcessed; N persnal data is held fr any lnger than necessary in light f the stated purpse(s); All persnal data is held in a safe and secure manner, taking all apprpriate technical and rganisatinal measures t prtect the data; All persnal data is transferred using secure means, electrnically r therwise; N persnal data is transferred utside f the UK r EEA (as apprpriate) withut first ensuring that apprpriate safeguards are in place in the destinatin cuntry r territry; and All data subjects can exercise their rights set ut abve in Sectin 3 and mre fully in the Act. 6. Data Prtectin Prcedures The Cmpany shall ensure that all f its emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany cmply with the fllwing when prcessing and / r transmitting persnal data: All s cntaining persnal data must be encrypted; Persnal data may be transmitted ver secure netwrks nly transmissin ver unsecured netwrks is nt permitted in any circumstances; Persnal data may nt be transmitted ver a wireless netwrk if there is a wired alternative that is reasnably practicable; Persnal data cntained in the bdy f an , whether sent r received, shuld be cpied frm the bdy f that and stred securely. The itself shuld be deleted. All temprary files assciated therewith shuld als be deleted; Where Persnal data is t be sent by facsimile transmissin the recipient shuld be infrmed in advance f the transmissin and shuld be waiting by the fax DisplayNte Technlgies Data Prtectin Plicy- July 2014 Page 3 f 6

4 machine t receive the data; Where Persnal data is t be transferred in hardcpy frm it shuld be passed directly t the recipient. Using an intermediary is nt permitted; All hardcpies f persnal data shuld be stred securely in a lcked bx, drawer, cabinet r similar; All electrnic cpies f persnal data shuld be stred securely using passwrds and suitable data encryptin, where pssible n a drive r server which cannt be accessed via the internet; and All passwrds used t prtect persnal data shuld be changed regularly and shuld nt use wrds r phrases which can be easily guessed r therwise cmprmised. 7. Organisatinal Measures The Cmpany shall ensure that the fllwing measures are taken with respect t the cllectin, hlding and prcessing f persnal data: A designated fficer ( the Designated Officer ) within the Cmpany shall be appinted with the specific respnsibility f verseeing data prtectin and ensuring cmpliance with the Act. All emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany are made fully aware f bth their individual respnsibilities and the Cmpany s respnsibilities under the Act and shall be furnished with a cpy f this Plicy. All emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany handling persnal data will be apprpriately trained t d s. All emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany handling persnal data will be apprpriately supervised. Methds f cllecting, hlding and prcessing persnal data shall be regularly evaluated and reviewed. The Perfrmance f thse emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany handling persnal data shall be regularly evaluated and reviewed. All emplyees, cntractrs, agents, cnsultants, partners r ther parties wrking n behalf f the Cmpany handling persnal data will be bund t d s in accrdance with the principles f the Act and this Plicy by cntract. Failure by any emplyee t cmply with the principles r this Plicy shall cnstitute a disciplinary ffence. Failure by any cntractr, agent, cnsultant, partner r ther party t cmply with the principles r this Plicy shall cnstitute a breach f cntract. In all cases, failure t cmply with the principles r this Plicy may als cnstitute a criminal ffence under the Act. All cntractrs, agents, cnsultants, partners r ther parties wrking n behalf DisplayNte Technlgies Data Prtectin Plicy- July 2014 Page 4 f 6

5 f the Cmpany handling persnal data must ensure that any and all f their emplyees wh are invlved in the prcessing f persnal data are held t the same cnditins as thse relevant emplyees f the Cmpany arising ut f this Plicy and the Act. Where any cntractr, agent, cnsultant, partner r ther party wrking n behalf f the Cmpany handling persnal data fails in their bligatins under this Plicy that party shall indemnify and hld harmless the Cmpany against any csts, liability, damages, lss, claims r prceedings which may arise ut f that failure. 8. Access by Data Subjects A data subject may make a subject access request ( SAR ) at any time t see the infrmatin which the Cmpany hlds abut them. SARs must be made in writing, accmpanied by the crrect fee. The Cmpany currently requires a fee f 10 (the statutry maximum) with all SARs. [A fee f 2 shall be required fr access t a credit file.] Upn receipt f a SAR the Cmpany shall have a maximum perid f 40 days within which t respnd. The fllwing infrmatin will be prvided t the data subject: Whether r nt the Cmpany hlds any persnal data n the data subject; A descriptin f any persnal data held n the data subject; Details f what that persnal data is used fr; Details f any third-party rganisatins that persnal data is passed t; and Details f any technical terminlgy r cdes. 9. Ntificatin t the Infrmatin Cmmissiner s Office As a data cntrller, the Cmpany is required t ntify the Infrmatin Cmmissiner s Office that it is prcessing persnal data. The Cmpany is registered in the register f data cntrllers. Data cntrllers must renew their ntificatin with the Infrmatin Cmmissiner s Office n an annual basis. Failure t ntify cnstitutes a criminal ffence. Any changes t the register must be ntified t the Infrmatin Cmmissiner s Office within 28 days f taking place. The Designated Officer shall be respnsible fr ntifying and updating the Infrmatin Cmmissiner s Office. 10. Implementatin f Plicy This Plicy shall be deemed effective as f Jul N part f this Plicy shall have retractive effect and shall thus apply nly t matters ccurring n r after this date. DisplayNte Technlgies Data Prtectin Plicy- July 2014 Page 5 f 6

6 This Plicy has been apprved & authrised by: Name: Psitin: Paul Brwn CEO Date: 09/07/2014 Signature: DisplayNte Technlgies Data Prtectin Plicy- July 2014 Page 6 f 6