Person responsible: Benjamin Maddrell
Version number and date: Version 1, 24 May 2018
Next review date: May 2019
DATA PROTECTION POLICY
1 Policy Statement
1.2 The Company's Data Protection Officer (“DPO”) is responsible for ensuring that the Company complies with the Data Protection Laws and this Policy. The DPO is Benjamin Maddrell, who can be contacted at 917-292-8049 or at firstname.lastname@example.org. Any questions, concerns or notices regarding the Company’s data processing, sharing and/or protection policies and practices, including the interpretation or operation of this Policy, as well as any related complaints, should be addressed to the DPO.
1.3 The DPO will conduct a “data protection impact assessment” (as defined in the GDPR) for any new technology or personal data processing activity to be adopted by the Company, and ensure that such new technology or personal data processing activity, as applicable, fully complies with this Policy and all applicable Data Protection Laws.
1.4 This Policy is not part of any contract of employment with the Company and the Company may amend this Policy at any time. However, it is a condition of employment that employees adhere to this Policy at all times.
1.5 The Company holds and processes the personal data of consumers for the following purposes:
1.5.1 We process personal data to enable us to:
- provide foreign language tutorial products and/or services to our customers;
- maintain our accounts and records;
- promote our foreign language tutorial products and/or services;
- undertake research; and
- support and manage our employees.
2 Types of Data
2.1 There are two types of data that are protected under the Data Protection Laws: personal data and sensitive personal data.
2.2 Personal data is data that relates to a living individual who can be identified from that data or from that data together with other information which is in the possession of, or is likely to come into the control of, a data controller. Examples of personal data include name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural and/or social identity of a particular person. It also includes any expression of opinion concerning a person.
2.3 Sensitive personal data is personal data consisting of information as to:
2.3.1 Racial or ethnic origin;
2.3.2 Political opinions;
2.3.3 Religious or other similar philosophical beliefs;
2.3.4 Trade union membership;
2.3.5 Genetic or biometric data;
2.3.6 Physical or mental health or condition;
2.3.7 Sexual life and/or sexual orientation;
2.3.8 The commission or alleged commission of any offense; or
2.3.9 Criminal proceedings for any offense committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
2.4 There are more stringent restrictions for the processing of sensitive personal data under the Data Protection Laws. Although we will not ordinarily be acquiring sensitive personal data from our customers, if we do, then in all cases and subject to the provisions of the Data Protection Laws, sensitive personal data must not be processed without the consent of the data subject.
3 Acquisition and use of Personal Data
3.1 The Company needs to collect personal data from certain individuals and business entities in order to carry out its business of assisting individuals in obtaining foreign language tutorial products and/or services.
3.2 In the course of its business activities, the Company collects and uses personal data about:
3.2.1 Its employees, and the employees of its agents, associates and advertising partners;
3.2.2 The individuals who come into contact with the Company via its websites, or otherwise; and
3.2.3 Consumers who subscribe to receive information directly from the Company.
3.3 Where the Company uses personal data to contact individuals for marketing purposes, or where we provide personal data to third parties to use for marketing purposes, we will do so in compliance with the Data Protection Laws.
3.4 In addition, we may occasionally be required to collect and use certain types of personal data to comply with the requirements of applicable law. No matter how it is collected, recorded and/or used (e.g. on a computer or on paper), this personal data must be handled and used properly to ensure compliance with the Data Protection Laws.
3.5 The lawful and proper treatment of personal data by the Company is extremely important to the success of our business and in order to maintain the confidence of our employees and customers. All employees of the Company have a responsibility for ensuring that the Company respects personal data and deals with it in a lawful and correct manner.
3.6 Because we determine the purpose for which, and the manner in which, personal data is processed, the Company is considered a data controller under the GDPR.
4 Data Protection Principles
4.1 We fully support and comply with the following eight data protection principles:
4.1.1 Personal data shall be processed fairly and lawfully;
4.1.2 Personal data shall be obtained for one or more specific purpose(s) and strictly processed in a manner compatible with that or those purpose(s);
4.1.3 Personal data held must be adequate, relevant and not excessive;
4.1.4 Personal data must be accurate and kept up to date;
4.1.5 Personal data shall not be kept for longer than necessary;
4.1.6 Personal data shall be processed in accordance with the rights of data subjects;
4.1.7 Personal data must be kept secure; and
4.1.8 Personal data shall not be transferred to a country or territory outside of the European Economic Area (“EEA”) unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.
4.2 For guidance as to when personal data can be processed, please contact the DPO.
5 Fair and Lawful Processing
5.1 Our employees, customers and any third parties whose data we acquire and process must be fully informed of the fair and lawful processing that the Company will undertake with respect to that data. We must ensure that they are provided with:
5.1.1 The identity of the data controller, i.e. the Company;
5.1.2 The purposes for which the data is intended to be processed; and
5.1.3 Any further information necessary to enable data processing in a fair way, for example, who the data may be disclosed or transferred to.
5.3 For personal data to be processed lawfully, certain conditions have to be met. These conditions may include, among other things, requirements that the data subject has consented to each specific processing activity, and that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, different conditions must be met. In most cases, the data subject's explicit consent to the processing of sensitive personal data will be required.
5.4 In particular, consent must be expressly given, through a statement or clear affirmative action of the data subject. Silence, pre-checked boxes and inactivity are not sufficient means to obtain valid consent under the Data Protection Laws. Further, consent will not be deemed freely given under the Data Protection Laws where the consumer is not offered a genuine choice to refuse consent and still receive the underlying products/services. Data subjects must be informed of their right to withdraw consent, and the Company must make available an easy, efficient way to do so. Records of consent must be maintained by the Company and provided to any applicable supervisory authority upon request.
6 PROCESSING FOR SPECIFIED PURPOSES
6.1 We will always have a clear reason for processing personal data and this reason will be communicated to the data subject, normally by:
6.1.2 Any notifications provided when a data subject uses the Company’s website; and
6.1.3 Any internal documents in relation to employees.
6.2 We are not permitted to collect personal data for one purpose and start to process it for a different purpose.
7 Adequate, Relevant and Not Excessive
7.1 Personal data will only be collected to the extent that it is required for the specific purpose(s) disclosed to data subjects. Any personal data which is not necessary for that purpose will not be collected in the first place. Personal data will only be processed in accordance with the limited purposes described above and will not be processed in a fashion that is excessive.
7.2 We will not collect personal data from a data subject on the off-chance that it may be needed in the future.
8 Accurate Data
8.1 Personal data will be accurate and kept up to date. Personal data that is incorrect or misleading is not accurate and steps will, therefore, be taken to check the accuracy of any personal data at the point of collection and at regular intervals thereafter.
8.2 In the context of its commercial marketing operations, the Company will work with its third-party marketing partners to ensure that personal data forming part of a marketing database/contact list is regularly checked and updated.
8.3 Personal data that is identified as out-of-date or inaccurate will be either updated or suppressed and destroyed.
9 Data Retention
9.1 Personal data will not be kept longer than is necessary for the purpose for which it was collected and/or processed. This means that personal data will be archived, and ultimately destroyed or erased from our systems, when it is no longer required.
9.2 For guidance on how long certain data is likely to be kept before being destroyed, please contact the DPO.
10 Processing in Accordance with the Rights of Data Subjects
10.1 Personal data will be processed in accordance with the data subject's rights. Data subjects are entitled to:
10.1.1 Request access to a machine-readable copy of any personal data held about them by the Company (known as a data subject access request (“DSAR”));
10.1.2 Prevent the processing of their personal data for direct-marketing purposes;
10.1.3 Ask to have inaccurate personal data modified and/or amended;
10.1.4 Ask to have their personal data deleted from all Company servers, databases and other data storage media, as well as the servers, databases and other data storage media of any third party with whom the Company shared such personal data;
10.1.5 Prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else; and
10.1.6 Object to any decision that significantly affects them, where such decision is the result of an automated process with no human input.
10.2 A DSAR must be made in writing. Therefore, if any Company employee receives an oral request, that employee should ask for it to be put in writing. Any written request for personal data from a data subject should be treated as a DSAR. If a Company employee receives a DSAR, that employee should pass it immediately to the DPO, who will deal with it appropriately or authorize the recipient to respond to it in accordance with this Policy. It is important that the request is passed to the DPO immediately, as the Company is required by law to respond to a DSAR within forty (40) days.
11 Data Security
11.1 The Company must ensure that appropriate security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data. Individuals may apply to the courts for compensation if they have suffered damage from such a loss.
11.2 The Data Protection Laws require the Company to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of personal data, defined as follows:
11.3 Confidentiality means that only people who are authorized to use personal data can access it.
11.4 Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
11.5 Availability means that authorized users should be able to access personal data if they need it for authorized purposes. Personal data should, therefore, only be stored on the Company's central computer system and not on individual IT equipment (such as laptops).
11.6 The following measures are taken by the Company to protect its physical manifestations of personal data (i.e. printed paper documents) from unauthorized access:
11.6.1 When not required, the paper or files should be kept in a locked drawer or filing cabinet;
11.6.2 Employees should make sure paper and printouts are not left where unauthorized people could see them, such as on a printer; and
11.6.3 Data printouts should be shredded and disposed of securely when no longer required.
11.7 The following measures are taken by the Company to protect personal data that is stored on its IT systems so that unauthorized access does not occur:
11.7.1 All employees with computer access have their own user ID and password in order to log into the system. Within one (1) business day of the date that an employee is terminated, or voluntarily terminates employment with the Company, the user ID and password utilized by such employee shall be deactivated;
11.7.2 All passwords must be strong, changed regularly and never shared between employees;
11.7.3 Employees should always lock or log off their computer, laptop, iPad, tablet, mobile device or other electronic device when left unattended;
11.7.4 If personal data is stored on removable media (such as a CD, DVD or USB stick), the media should be kept locked away securely when not being used;
11.7.5 Personal data should, at all times, be encrypted using a current version of Transport Layer Security (“TLS”) technology, not Secure Sockets Layer (“SSL”) technology or older versions of TLS, including when such personal data is collected, distributed and/or stored;
11.7.6 Personal data should only be stored on designated drives and servers;
11.7.8 Personal data is backed up frequently. Those backups are regularly tested, in line with the Company’s standard backup procedures;
11.7.9 Personal data should never be saved directly to IT equipment (such as laptops). Personal data should always be stored centrally;
11.7.10 All servers and computers containing personal data are protected by approved security software and a firewall; and
11.7.11 Where appropriate, data must be encrypted before being transferred electronically. The ICT director/manager can explain how to send data to authorized external contacts.
11.8 Any stranger seen in entry-controlled areas should be reported.
11.9 The DPO will conduct an annual review and audit of the cyber security and physical security measures implemented by the Company, and update same, as applicable.
11.10 The DPO has established a comprehensive cyber security incident response plan, and regularly tests and updates same, as applicable, on an annual basis, or sooner if necessary.
11.11 The DPO has established policies/technology for detecting, responding to and reporting “personal data breaches,” which are defined under the GDPR as breaches of “security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The DPO will regularly test and update these policies/technology, as applicable, on an annual basis, or sooner if necessary. The DPO will ensure that all personal data breaches are reported to the “supervisory authority” of each EU Member State in which a data subject involved in a personal data breach resides within seventy-two (72) hours of the applicable personal data breach.
11.12 The DPO has established business continuity/disaster recovery policies, and regularly tests and updates same on an annual basis, or sooner if necessary.