DATA PROTECTION POLICY
This policy document applies to the data you submit to Angel Eye Media Ltd (“the Organisation”).
1. Your Individual Rights
The Organisation complies with the General Data Protection Regulation (GDPR) and all of its Articles. In practice this means:
The right to be informed - this policy details the information to be collected and how it will be processed and used. Your data and personal information will be fairly and lawfully processed.
The right of access - you are entitled to confirmation of whether your personal data is being processed and, where it is, to see that data.
The right to rectification - you are entitled to have inaccurate or incomplete personal data corrected. Where possible, the Organisation will inform any third parties that have access to such data of the correction or addition.
The right to erasure - also known as the "right to be forgotten". You are entitled to have your data erased and to prevent any further processing where:
- The use of your personal data is no longer necessary
- Where you withdraw your consent
- Where you object to the processing and no overriding legitimate interest exists
- Your data was unlawfully processed
- Your data has to be erased to comply with a legal obligation or court order
The right to restrict processing - you have the right to block further data processing in the following circumstances:
- Where you contest the accuracy of the data
- Where you have objected to processing, but a legitimate public interest may exist
- Where processing was unlawful, but you have requested restriction rather than erasure
- Where the Organisation no longer needs the data, but you require it to establish, exercise or defend a legal claim, (this can include an employment-related claim).
In this situation, the Organisation will continue to hold your data but will cease to process it further, retaining only such data as is necessary to honour your request.
The right to data portability - you have the right to receive the electronic personal data you have provided to the Organisation back in a structured, commonly used and machine-readable format, free of charge, so that it can readily be transferred to you or to a third party. This covers only personal data relating to you, not data relating to another party or employee.
The right to object - you have the right to object to any personal data used:
- As part of the performance of a task within the Organisation, or where carried out in a legitimate public interest or in the exercise of an official duty.
- In direct marketing, including profiling.
- For scientific or historical research or statistical analysis.
Rights in relation to automated decision-making and profiling - you have the right not to be subject to a decision based upon an automated process where that decision has a significant (including legal) effect on you. In this situation you are entitled to human intervention in the decision, to express your views and receive an explanation of the decision and have the right to challenge the decision.
The exceptions to this are where the automated decision:
- Is necessary to enter into, or perform, a contract with the Organisation
- Is authorised by law, for example, to prevent fraud or tax evasion
- Is based on your explicit consent (Article 22(2)(c) of the GDPR)
2. GDPR Data Protection Principles
Under Article 5 of the GDPR the Organisation will comply with the following principles to ensure that your personal data is:
- Processed for limited purposes and not in any way incompatible with those purposes
- Adequate, relevant and not excessive
- Not kept for longer than necessary
- Processed in accordance with your individual rights
- Secure
- Not transferred to countries without adequate data protection
3. Your Personal Data
3.1 The Organisation only holds personal data directly relevant to your employment or potential employment. This data is collected as and when required, from your initial employment application form or emails and from any ongoing relationship with the Organisation.
3.2 This information is only collected to assist our personnel department in the smooth running of the Organisation and to ensure that the Organisation complies with other statutory responsibilities such as equal opportunities employment.
3.3 Your personal data may be disclosed within the Organisation to those within the personnel department and management, including those responsible for recruitment.
4. Data Security
4.1 The Organisation is committed to the secure storage and, where undertaken, the secure transmission of employees' personal data. Only management, employees within the personnel department and those responsible for recruitment have access to such data. All such data is protected by physical security, such as locks, and by technical security, such as usernames and passwords required to access computer records and data. Such data is disclosed only on a "need to know" basis. To further ensure the security of such records, the Organisation reserves the right to monitor and keep detailed log files and computer data analysis of all accesses to employees' personal data. The Organisation also reserves the right to vet all employees who have access to such data in the course of their normal employment within the Organisation.
4.2 The following rules apply:
1. If data is transmitted by email, it will be sent in an encrypted form.
2. If data is transmitted via a network, it will be done using a secure network.
3. If data is to be passed in hard copy form, it should be handed to the recipient personally. The recipient should ensure that the data is stored securely.
5. Data Breaches & Reporting
5.1 Where the Organisation becomes aware that a personal data breach has occurred, and the breach meets the threshold set out in 5.2, the Organisation has a duty to report it to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
5.2 The Organisation has a duty to report a breach where it is likely to result in a risk to the rights and freedoms of the individual(s) concerned and, if not acted upon, is likely to have a significant detrimental effect on them; for example, where the data accessed could result in identity theft, loss of confidentiality or other significant loss.
5.3 Where such a breach is likely to pose a high risk to the individual(s) concerned, they will also be notified of the breach without undue delay once the Organisation discovers it.
5.4 A personal data breach includes the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
6. External Data Processing
6.1 Where the Organisation uses third parties to process data and provide services or administer schemes around such data the Organisation will take all reasonable steps to ensure that such third parties have in place their own data protection policies.
6.2 The Organisation will have in place and regularly review individual contracts with all third party data processors.
6.3 The Organisation will not use any third party data processor that does not comply with the General Data Protection Regulation (GDPR) as a minimum standard.
7. Data Transfers Outside The European Economic Area
If the Organisation seeks to transfer data outside the European Economic Area, such data will only be transferred to countries deemed by the European Commission to provide adequate data protection. Furthermore, the Organisation will obtain the prior consent of all employees whose data is likely to be transferred.
8. Data Access & Disclosure
8.1 All prospective, current or past employees have the right to request access to the data the Organisation holds that relates directly to them. The Organisation will provide such information free of charge, subject to the right to charge for further requests that are duplicated or excessive. The Organisation may ask the person making the request for further information in order to provide accurate and relevant results and to verify their identity. The Organisation seeks to provide the information within one month (30 days) of receiving a request, and will tell the person making the request:
1. Whether it holds any information regarding them, and if it does:
2. A description of that information.
3. What it is used for.
4. The types of third party organisations it is passed to.
5. An explanation of any technical terms or codes.
8.2 The information where reasonably possible will be provided in a hard copy or permanent
The Organisation will not disclose details of confidential references where to do so would disclose the identity of the author or where it may cause harm or detriment to the author.
10. External Disclosure Requests
10.1 Where employees receive external requests for the disclosure of data, the following guidelines should be observed:
1. Verify the identity of the person requesting the information.
2. Be on the lookout for fraud or deception.
3. Seek a written request.
4. Check any telephone numbers where an oral request is received.
5. Inform Richard Osborne if any request appears suspicious.
6. Richard Osborne should also be contacted where the party requesting the data states that disclosure is required by law.
7. Remember that a duty is owed to the employee whose data is to be disclosed; seek their prior permission unless doing so would alert them to a criminal investigation.
8. If the disclosure is non-routine, where possible provide the employee in question with a copy of the data disclosed. A record of all non-routine disclosures should also be kept.
9. Date of Implementation
This policy is effective from 25th May 2018 and shall not apply to any actions that occurred prior to this date.
If you have any questions regarding this policy document and how it applies to you, including how to request access to your personal data, please consult Richard Osborne.
11. Data Protection Impact Assessments (DPIAs)
11.1 The Organisation will carry out Data Protection Impact Assessments (DPIAs) where it intends to use new technologies, platforms or software and the processing of the data is likely to result in a high risk to the rights and freedoms of individuals.
11.2 Any DPIA should include the following:
- A description of the new process and the purpose behind it
- Assessment of necessity and proportionality of the data processing
- Assessment of risks to individuals
- The measures and security in place to address and minimise any such risk
11.3 The person in charge of this Data Protection Policy will conduct any required DPIAs.
12. Data Protection Officer
Where required the Organisation shall appoint the manager in charge of this Policy as the Organisation Data Protection Officer. This will be a board level post. Where the current Policy manager does not have the required seniority the Organisation will either promote the manager to a board level post or appoint a current director to the post of Data Protection Officer.
YOUR DATA – PROVIDING YOUR CONSENT
On agreeing to submit data to Angel Eye Media via our website you:
- confirm that you have access to this Data Protection Policy and are aware of your enhanced data protection rights under the General Data Protection Regulation (GDPR);
- give your consent for the Organisation to collect your data subject to this Data Protection Policy and the General Data Protection Regulation (GDPR).