Sandstone Communications Limited - Data Protection Policy

Context

Data protection legislation in the UK (including but not necessarily limited to the Data Protection Act 2018 and the GDPR) (collectively the Legislation) seeks to protect identifiable living individuals (the Individual(s)) by establishing standards for the processing of their personal data. The Legislation:

(a) requires personal data to be processed lawfully and fairly, on the basis of an individual’s expressed consent, or on another specified basis; and

(b) confers rights on an individual to obtain information about the processing of his or her personal data, and to require that inaccurate personal data be rectified; and

(c) establishes the rights of the Information Commissioner (the Commissioner), and also assigns to the holder of that office responsibility for monitoring and enforcing the Legislation.

Purpose

The purpose of this policy is to implement the requirements of the Legislation as far as it applies to Sandstone Communications Limited (the Company).

Definition of Data Processing

Data processing for the purposes of this policy shall comprise any one of the following actions by the Company relating to an individual’s personal data:

(a) its collection, recording, organisation, structuring or storage

(b) its adaptation or alteration

(c) its retrieval, consultation or use

(d) its disclosure by transmission, dissemination or otherwise making it available

(e) its alignment or combination

(f) its restriction, erasure or destruction.

The definition applies to data however held, including paper files and computer storage systems or programs.

Statement of Policy

Whenever the Company collects and records personal data (the Data) relating to any Individual it shall:

1. Make a clear statement at the time of collection of the purpose for which the Data is to be collected, and proceed with the express permission of the Individual unless:

      • such permission is implicit in contractual arrangements or pre-contractual negotiations; or
      • such processing is necessary for compliance with a legal obligation to which the Company is subject
  • Only use the Data for the purpose for which it has been collected, unless the Individual agrees to a new purpose
  • Collect and maintain only the minimum Data required for the purposes for which it has been collected
  • Make every reasonable attempt to ensure that Data is accurate
  • Not maintain Data beyond the period which the purpose for which it is collected requires, or beyond the period for which the Company is required to maintain books and records of account, whichever is longer
  • Apply reasonable security measures to ensure the safeguarding of the Data.

2. The Company shall not collect:

  • special category data as defined in the Legislation, such as data relating to race, religious beliefs or ethnicity, or
  • data relating to criminal convictions or offences.

Right of Access

The Company acknowledges an Individual’s right to access his or her personal data held by the Company. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.

The Company undertakes to respond to all reasonable data access requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).

No fee shall be charged for the response to a data access request, unless it is manifestly unfounded or excessive, or if it is a repeat request for the same data already supplied; as an alternative to charging a fee in such circumstances, the Company may elect not to comply with the request.

The Company reserves the right to require someone requesting access to their Data to prove their identity before the Data is supplied.

Rights of rectification

The Company acknowledges an Individual’s right to have incomplete or incorrect Data completed or rectified. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.

The Company undertakes to respond to all reasonable requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).

No fee shall be charged for the response to a rectification request, unless it is manifestly unfounded or excessive, or if it is a repeat request for the same data already supplied; as an alternative to charging a fee in such circumstances, the Company may elect not to comply with the request.

The Company reserves the right to require someone requesting access to their Data to prove their identity before the Data is supplied, and to prove the accuracy of the data which they wish the Company to record.

Right of erasure

The Company acknowledges an Individual’s right to request that Data relating to them be erased. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.

The Company undertakes to respond to all reasonable requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).

No fee shall be charged for the response to an erasure request.

The Company shall in all cases require someone requesting that Data relating to them be erased to prove their identity before the Data is erased, and also to provide a valid reason for the request.

The Company recognises the following valid reasons for requesting the erasure of Data:

  • the personal data is no longer necessary for the purpose for which it was collected
  • the Company relied on the consent of the Individual for the recording of data, and the Individual has withdrawn such consent
  • the Company believed that it had a ‘legitimate interest’ to record the Data, but an Individual has objected to the processing of their data, and internal review establishes that such legitimate interest is inapplicable in the case of the Individual
  • the Company is holding the Data for direct marketing purposes, and the individual has objected
  • it can be proven that the Company has recorded the personal data unlawfully
  • there is a legal obligation other than the Legislation which requires the Data to be deleted.

In accordance with the Legislation, the Company shall not erase Data when requested if any of the following applies:

  • the request is manifestly unfounded or excessive
  • the Data must remain recorded in order that the right of freedom of expression and information may be exercised
  • there is a legal obligation on the Company to maintain the Data
  • the Data is required for the performance of a task carried out in the public interest or in the exercise of official authority
  • where the Data is required for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • where the Data is required for the establishment, exercise or defence of legal claims upon the Company.

When Data is erased in response to a request, it shall be deleted from Live systems only. Any request to delete such data from backup files not in current use is considered to be excessive and will not be complied with unless the Requestor can supply a valid reason why this constitutes an unwarranted risk to him or her.

Right to restrict the use of data

The Company acknowledges an Individual’s right to request that Data relating to them not be used by the Company, without the requirement that it be deleted. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.

The Company undertakes to respond to all reasonable requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).

No fee shall be charged for the response to such a request.

The Company shall in all cases require someone requesting that Data relating to them not be used to prove their identity before the Data is erased, and also to provide a valid reason for the request.

The Company undertakes only to store and not to process such restricted Data unless:

  • the Individual’s consent to reinstate processing of the Data has been received
  • such data must be processed for the establishment, exercise or defence of legal claims
  • such data must be processed for the protection of the rights of another person (natural or legal)
  • such data must be processed for reasons of important public interest.

The Company acknowledges an Individual’s absolute right to request that his/her Data not be used for direct marketing purposes, and will implement such request promptly after receipt.

Other rights

The Company acknowledges the following rights in the Legislation and draws Individuals’ attention thereto:

  • the right of an Individual to request that Data relating to him/her and held by the Company be transmitted directly to a third party, subject to restrictions, possible fees and exceptions
  • the right of an Individual to object to the use of Data relating to them in automated individual decision making and profiling, subject to restrictions, possible fees and exceptions.

Where Data will be held

Data may be held in or transferred to the UK, Switzerland, any other EU or EEA country and any other country for which a ‘finding of adequacy’ has been made under the GDPR (qv).

V 1.1 16-11-2018