Context
Data protection legislation in the UK (including but not necessarily limited to the Data Protection Act 2018 and the GDPR) (collectively the Legislation) seeks to protect identifiable living individuals (the Individual(s)) by establishing standards for the processing of their personal data. The Legislation:
(a) requires personal data to be processed lawfully and fairly, on the basis of an Individual’s expressed consent, or on another specified basis; and
(b) confers rights on an Individual to obtain information about the processing of his or her personal data, and to require that inaccurate personal data be rectified; and
(c) establishes the rights of the Information Commissioner (the Commissioner), and also assigns to the holder of that office responsibility for monitoring and enforcing the Legislation.
Purpose
The purpose of this policy is to implement the requirements of the Legislation as far as it applies to Sandstone Communications Limited (the Company).
Definition of Data Processing
Data processing for the purposes of this policy shall comprise any one of the following actions by the Company relating to an Individual’s personal data:
(a) its collection, recording, organisation, structuring or storage
(b) its adaptation or alteration
(c) its retrieval, consultation or use
(d) its disclosure by transmission, dissemination or otherwise making it available
(e) its alignment or combination
(f) its restriction, erasure or destruction.
The definition applies to data however held, including paper files and computer storage systems or programs.
Statement of Policy
Right of Access
The Company acknowledges an Individual’s right to access his or her personal data held by the Company. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.
The Company undertakes to respond to all reasonable data access requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).
No fee shall be charged for the response to a data access request, unless it is manifestly unfounded or excessive, or if it is a repeat request for the same data already supplied; as an alternative to charging a fee in such circumstances, the Company may elect not to comply with the request.
The Company reserves the right to require someone requesting access to their Data to prove their identity before the Data is supplied.
Rights of rectification
The Company acknowledges an Individual’s right to have incomplete or incorrect Data completed or rectified. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.
The Company undertakes to respond to all reasonable requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).
No fee shall be charged for the response to a rectification request, unless it is manifestly unfounded or excessive, or if it is a repeat request for the same data already supplied; as an alternative to charging a fee in such circumstances, the Company may elect not to comply with the request.
The Company reserves the right to require someone requesting access to their Data to prove their identity before the Data is supplied, and to prove the accuracy of the date which they wish the Company to record.
Right of erasure
The Company acknowledges an Individual’s right to request that Data relating to them be erased. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk.
The Company undertakes to respond to all reasonable requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).
No fee shall be charged for the response to an erasure request.
The Company shall in all cases require that someone requesting that Data relating to them be erased must prove their identity before the Data is erased, and also to provide a valid reason for the request.
The Company recognised the following valid reasons for requesting the erasure of Data:
In accordance with the Legislation Company shall not erase Data when requested if any of the following applies:
When Data is erased in response to a request, it shall be deleted from Live system s only. Any request to delete such data from backup files not in current use is considered to be excessive and will not be complied with unless the Requestor can supply a valid reason why this constitutes an unwarranted risk to him or her.
Right to restrict the use of data
The Company acknowledges an Individual’s right to request that Data relating to them not be used by the Company, without the requirement that it be deleted. Requests may be made either by mail to the Company’s registered office or by email to: pd@sandstonecommunications.co.uk
The Company undertakes to respond to all reasonable requests within the time-frame set out in the Legislation (generally within one month of receipt of the request).
No fee shall be charged for the response such a request.
The Company shall in all cases requires that someone requesting that Data relating to them not be used must prove their identity before the Data is erased, and also to provide a valid reason for the request.
The Company undertakes only to store and not to process such restricted Data unless:
The Company acknowledges an Individual’s absolute right to request that his/her Data not be used for direct marketing purposes, and will implement such request promptly after receipt.
Other rights
The Company acknowledges the following rights in the legislation and draws Individuals’ attention thereto:
Where Data will be held
Data may be held in or transferred to the UK, Switzerland, any other EU or EEA country and any other country for which a ’finding of adequacy’ has been made under the GDPR (qv).
The ICO
The Company is registered with the UK’s Information Commissioner’s Office. This registration obliges the Company to pay a fee, but confers no additional rights or protections either on the Company or on Individuals.
V 2 10-08-2020