Data Protection Policy
Definitions
Term | Definition |
GDPR | the General Data Protection Regulation (EU) 2016/679. |
Data Controller | the person or organisation that determines the means and the purpose of processing the personal data. |
Data Subject | a living individual. |
Personal Data | any information that identifies a living individual (data subject) either directly or indirectly. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous or from which the identity has been permanently removed, making it impossible to link back to the data subject. |
Processing | any activity relating to personal data, which can include collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destroying it. |
Responsible Person | means Lorna Denby. Email: mail [@] sunnysidered.com |
Register of Systems | means a register of all systems or contexts in which personal data is processed by Sunnyside Red. |
1. Data protection principles
Sunnyside Red is a Data Controller. Sunnyside Red is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. Personal Data
Sunnyside Red takes very seriously the personal data it stores and processes about its network, which is made up of a wide range of people from across a number of industry sectors, government agencies and other organisations it works with or has had contact with. These include, for example, people who we have worked with and currently work with on projects and programmes, and those who have attended our events and forums.
Sunnyside Red has been and is continuing to work hard to comply fully with the new General Data Protection Regulation (GDPR), which was enforceable from 25 May 2018. The GDPR makes a number of key changes to data protection law in the United Kingdom and within the European Union (EU), and potentially beyond the EU. More information on these changes, which include the strengthening of some individual rights and some new individual rights, can be found on the Information Commissioner’s Office (ICO) website at: https://ico.org.uk/
The ICO will enforce compliance with the GDPR from 25 May 2018.
Sunnyside Red processes personal data and sensitive personal data under a range of different ‘lawful bases’ depending on the nature of the respective ‘processing purposes’.
For ‘personal data’, these ‘lawful bases’ include one or more of:
- ‘Public task’ (as Sunnyside Red is designated as a ‘public authority’ in law);
- Contract;
- Legal obligation;
- Vital interests;
- Consent; and
- Legitimate interests.
In addition, for sensitive personal data, Sunnyside Red processes under one or more of the ‘lawful bases’ conditions listed in Article 9(2) of the GDPR.
The ‘purposes of the processing’ range from, for example, sending information about Sunnyside Red to people who enquire about our services or are seeking a place on one of our programmes or events, to complying with legal obligations where Sunnyside Red is required to provide personal data under, for example, a Freedom of Information Act request.
When communicating with key audiences, such as potential event or forum attendees or employees of organisations that Sunnyside Red is working with, ‘Legitimate interests’ is the lawful basis used by Sunnyside Red for specific processing purposes, in line with ICO guidance.
Such ‘Legitimate interests’ for the processing of data are assessed under the generally accepted three-part test for this ‘lawful basis’, as follows:
a. Purpose test: are you pursuing a legitimate interest? – Sunnyside Red has a legitimate interest in processing and storing details of people who have attended our events or training, or with whom we have worked or are working, in order to enable them to hear about Sunnyside Red’s work and consider attending Sunnyside Red events or training, or working with us. Thus, we would be communicating with a range of individuals and organisations whilst pursuing a legitimate interest via direct marketing (email, SMS, postal) and indirect marketing (Facebook, Twitter, LinkedIn).
b. Necessity test: is the processing necessary for that purpose? – It is necessary for Sunnyside Red to process data for the purpose described in (a): ensuring that people get to hear about what Sunnyside Red is doing and receive news about our events and training or about our services via direct marketing (email, SMS, postal), and there is no other realistic alternative which is as effective; and
c. Balancing test: do the individual’s interests override the legitimate interest? – Sunnyside Red believes prospective (and current) users of our events etc. would reasonably expect Sunnyside Red to use their personal data in these ways, as summarised in the respective processing purposes. In addition, we do not believe that it would cause them (prospective and current users) unwarranted harm for Sunnyside Red to use their personal data in these ways, as summarised in the processing purposes. The personal data is provided by those who have used our services or made contact with us through an online or phone enquiry, by booking a place on one of our events, or by attending a training day or a forum. The personal data collected includes first name, last name, job title, email address, phone number and address information and, where this exists, the relevant website.
3. General provisions
a. This policy applies to all personal data processed by Sunnyside Red.
b. The Responsible Person shall take responsibility for Sunnyside Red’s ongoing compliance with this policy.
c. This policy shall be reviewed at least annually.
4. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, Sunnyside Red shall maintain a Register of Systems.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such requests made to Sunnyside Red shall be dealt with in a timely manner.
5. Lawful purposes
a. All processing of data by Sunnyside Red must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests, as mentioned in section 2 above (see ICO guidance for more information).
b. Sunnyside Red shall note the appropriate lawful basis in the Register of Systems.
c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Sunnyside Red’s systems.
6. Data minimisation
a. Sunnyside Red shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
b. Sunnyside Red shall ensure that data is held for no longer than is deemed necessary; once the data is no longer required it shall be removed (see section 8, archiving/removal).
c. Sunnyside Red may share information with those who are involved with interviewing candidates for a position at Sunnyside Red. Personal data and sensitive personal data will be kept for no longer than necessary.
7. Accuracy
a. Sunnyside Red shall take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
8. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary, Sunnyside Red shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
b. The archiving policy shall consider what data should/must be retained, for how long, and why.
c. Sunnyside Red will ensure that the mailing list sign-up statements follow the requirements for unambiguous and specific options for choosing what an individual receives information on and by what method, and that every mailout has clear unsubscribe links.
9. Security
a. Sunnyside Red shall ensure that personal data is stored securely using modern software that is kept up to date.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
c. When personal data is deleted this should be done safely such that the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions shall be in place.
10. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Sunnyside Red shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
11. Complaints
There is a right to lodge a complaint with a supervisory authority. This is the ICO, who can be contacted in various ways as listed at: https://ico.org.uk/global/contact-us/
Last Updated: 15.02.2019
Next Review: 15.02.2020