Christopher Farr Cloth Ltd. (“CFC”) needs to gather certain information about individuals, companies and other entities for the purpose of conducting its business. These can include actual and potential suppliers, customers and agents, as well as competitors and third parties with which the organisation has a relationship or which it may need to contact for this purpose (“Business Contacts”).
The information CFC needs to gather is only such personal information as would normally appear on a business card or in a published directory, for example name, organisation, position, email address, postal address and telephone numbers, together with financial information where the individual, company or other entity has purchased products or services from CFC (“Personal Data”).
This policy describes how Personal Data will be collected, handled and stored to meet CFC’s data protection standards and to comply with applicable law.
WHY THIS POLICY EXISTS
This Data Protection Policy is intended to ensure that CFC complies with data protection laws and good practice, protects the rights of Business Contacts, is open about how it stores and processes Personal Data, and protects itself from the risks of a data breach.
DATA PROTECTION ACT
The Data Protection Act 1998 (“DPA”) describes how organisations must collect, handle and store Personal Data. These rules apply regardless of whether Personal Data is stored electronically, on paper or on other materials. To comply with the law, Personal Data must be collected and used fairly, stored safely and not disclosed unlawfully.
The DPA is underpinned by eight important principles. As we understand them, they provide that Personal Data must:
Be processed fairly and lawfully
Be obtained only for specific, lawful purposes
Be adequate, relevant and not excessive
Be accurate and kept up to date
Not be held for any longer than necessary
Be processed in accordance with the rights of data subjects
Be protected in appropriate ways, and
Not be transferred outside the European Economic Area (EEA), unless the destination country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (“GDPR”) is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which has applied since 25 May 2018.
The purposes of GDPR, as we understand them, are to ensure that organisations which hold certain types of information about persons:
Have a legal basis for doing so
Follow good practice in holding that information
Make the persons aware that such information is being held, for what use and on what conditions
Give the persons access to that information and certain rights with respect to its holding; and
Allow the persons to require that it no longer be so held.
The DPA and GDPR, as they are now and as they may be amended or superseded from time to time, are jointly referred to herein as the “Legislation”.
PEOPLE, RISKS AND RESPONSIBILITIES
This policy applies to CFC, its directors and shareholders, as well as its employees and all consultants working on its behalf.
It applies to all Personal Data which CFC holds relating to identifiable individuals, even if that information technically falls outside of the scope of the Legislation.
This policy helps to protect CFC from data security risks, including breaches of confidentiality, failing to offer individuals a choice about how CFC uses data relating to them, and reputational damage from unauthorised persons gaining access to Personal Data.
The CFC directors are ultimately responsible for ensuring that CFC meets its legal obligations.
They are responsible for:
Keeping employees and consultants updated about data protection responsibilities, risks and issues
Reviewing all data protection procedures and related policies on a timely basis and updating them as required
Ensuring compliance with the Legislation
Arranging data protection training when appropriate
Handling data protection questions from clients and suppliers, as well as inquiries from individuals about their Personal Data held by CFC; and
Including appropriate data protection provisions in CFC’s Terms and Conditions, and checking for data protection compliance in all contracts and agreements with third parties that may handle CFC’s Personal Data or whose personal data CFC may handle.
All Personal Data should be kept secure, with sensible precautions taken in a manner consistent with security standards for organisations of CFC’s type and size. In particular:
Strong passwords should be used and never shared
Personal Data should not be disclosed to unauthorised persons; and
Personal Data should be regularly reviewed and updated for accuracy.
When Personal Data is stored on paper (whether printed from electronically held data or otherwise), it should be kept in a secure place where unauthorised persons cannot see it.
When Personal Data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. In particular:
Strong passwords should be used, changed regularly and never shared
Any removable storage should be kept securely
Only approved cloud computing services should be used
Data should be backed up frequently; and
All servers and computers should be protected by approved security software.
Personal Data should not be disclosed to any unauthorised person and should ideally be encrypted before being transferred electronically. It should not be transferred outside the United Kingdom unless the destination country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
SUBJECT ACCESS REQUESTS
All individuals who are the subject of Personal Data held by CFC have the right to:
Request access to their Personal Data
Request correction of their Personal Data
Request erasure of their Personal Data
Object to the processing of their Personal Data
Request restriction of processing of their Personal Data
Request transfer of their Personal Data
Withdraw their consent to CFC holding their Personal Data
Such requests from individuals should be made by email to the Managing Director of CFC at firstname.lastname@example.org, who will first take such steps as she deems necessary to verify the identity of the person making the request and then satisfy the request. Unless advised otherwise, there will be no charge for this service and it should be provided within 14 days.
When a request for information comes from a source to which applicable legislation allows personal data to be disclosed without the consent of the relevant person, the Managing Director will ensure that the request is legitimate and, if in doubt, seek legal advice.