Data Protection Policy
This policy sets out how Cartwright P R Limited (t/a Cartwright Communications) manages its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR).
The Company obtains, uses, stores and otherwise processes personal data relating to potential staff and applicants, current staff, former staff, current and former workers, contractors, clients, website users and contacts, collectively referred to in this policy as data subjects. When processing personal data, the Company is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
This policy therefore seeks to ensure that the Company:
This policy applies to all personal data the Company processes regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on the Company’s behalf must read it. A failure to comply with this policy may result in disciplinary action.
All members of the senior team are responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
The Managing Director is responsible for overseeing this policy and is the Data Protection Officer (DPO).
Personal data protection principles
When you process personal data, you should be guided by the following principles, which are set out in the GDPR. The Company is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
Those principles require personal data to be:
Data Subjects’ Rights
Data subjects have rights in relation to the way the Company handles their personal data. These include the following rights:
Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. Any Data Subject Access Request received must be passed to the DPO. A charge can be made for dealing with requests relating to these rights only if the request is excessive or burdensome.
The Company must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. The Company is responsible for, and must be able to demonstrate compliance with, the data protection principles.
We must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:
As the Data Controller, the Company is responsible for establishing policies and procedures in order to comply with data protection law.
The DPO is responsible for:
(a) advising the Company and its staff of its obligations under GDPR.
(b) monitoring compliance with this Regulation and other relevant data protection law, the Company policies with respect to this and monitoring training and audit activities relate to GDPR compliance.
(c) to provide advice where requested on data protection impact assessments
(d) to cooperate with and act as the contact point for the Information Commissioner’s Office.
(e) having due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Staff members who process personal data must comply with the requirements of this policy. Staff members must ensure that:
(a) all personal data is kept securely;
(b) no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
(c) personal data is kept in accordance with the Company’s retention schedule;
(d) any queries regarding data protection, including subject access requests and complaints, are promptly directed to the DPO;
(e) any data protection breaches are swiftly brought to the attention of the DPO and that they support the DPO in resolving breaches;
(f) where there is uncertainty around a data protection matter advice is sought from the DPO.
Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the DPO.
Where external companies are used to process personal data on behalf of the Company, responsibility for the security and appropriate use of that data remains with the Company.
Where a third-party data processor is used:
(a) a data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
(b) reasonable steps must be taken to ensure that such security measures are in place;
(c) a written contract establishing what personal data will be processed and for what purpose must be set out;
For further guidance about the use of third-party data processors please contact the DPO.
Data subject Access Requests
Data subjects have the right to receive copy of their personal data which is held by the Company. In addition, an individual is entitled to receive further information about the Company’s processing of their personal data as follows:
No-one should allow third parties to persuade them into disclosing personal data without proper authorisation.
The entitlement is not to documents per se, but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.
No-one should alter, conceal, block or destroy personal data once a request for access has been made.
Reporting a personal data breach
The GDPR requires that we report to the Information Commissioner’s Office (ICO) any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the Personal data breach results in a high risk to the data subject, he/she also has to be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the data subject directly. We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or the ICO where we are legally required to do so.
If you know or suspect that a personal data breach has occurred, you should immediately contact the DPO. The Company must retain all evidence relating to personal data breaches in particular to enable the Company to maintain a record of such breaches, as required by the GDPR.
Limitations on the transfer of personal data
The GDPR restricts data transfers to countries outside the EU in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Personal data originating in one country is transmitted across borders when anyone transmits or sends that data to a different country or views/accesses it in a different country.
No-one may transfer personal data outside the EU unless one of the following conditions applies:
The GDPR requires us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ Consents and procedures for obtaining Consents, where Consent is the legal basis of processing.
These records should include, at a minimum, the name and contact details of the Company as Data Controller and the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.
Records of personal data breaches must also be kept, setting out:
Training and Audit
We are required to ensure that all Company staff undergo adequate training to enable them to comply with data protection law. We must also regularly test our systems and processes to assess compliance. You must undergo all mandatory data privacy related training.
We are subject to certain rules and privacy laws when marketing to any potential user of our services.
The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information.
A data subject’s objection to direct marketing must be promptly honoured. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Sharing Personal Data
In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the Company.
Some bodies have a statutory power to obtain information (e.g. regulatory bodies, government agencies such as the Child Support Agency). Confirmation of any such power should be sought before disclosing personal data in response to a request.
Further, without a warrant, the police have no automatic right of access to records of personal data, though voluntary disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders.
Changes to this policy
This policy may change from time to time without notice to you, as circumstances, regulations and guidance require.
Principle 1 of GDPR – Processing personal data lawfully, fairly and transparently
We may only process personal data fairly and lawfully and for specified purposes.
The legal bases for processing non-sensitive personal data are as follows:
You should only obtain a data subject’s Consent if there is no other legal basis for the processing. Consent requires genuine choice and genuine control.
A data subject consents to processing of his/her personal data if he/she indicates agreement clearly either by a statement or positive action to the processing. Data subjects must be able to withdraw Consent to processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.
You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.
Consent is required for some electronic marketing and some research purposes.
(b) Legal bases for Processing Sensitive Personal Data.
The processing of sensitive personal data by the Company must be based on one of a number of specific bases (together with one of the legal bases for processing non-sensitive personal data as listed above). Guidance from the DPO must be sought in all cases
Processing sensitive personal data represents a greater intrusion into individual privacy than when processing non-sensitive personal data. We must therefore take special care when processing sensitive personal data and ensure that we comply with the data protection principles (as set out in the main body of this policy) and with this policy, in particular in ensuring the security of the sensitive personal data.
Under the GDPR the Company is required to provide detailed, specific information to data subjects depending on whether the information was collected directly from data subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand what happens to their personal data.
Whenever we collect personal data directly from data subjects, for example for the recruitment and employment of staff, at the time of collection we must provide the data subject with all the prescribed information which includes:
Principle 2 of GDPR – Purpose Limitation
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
You cannot therefore use personal data for entirely new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the data subject of the new purposes.
Principle 3 of the GDPR – Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You should not therefore amass large volumes of personal data that are not relevant for the purposes for which they are intended to be processed.
You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company’s data retention policy.
Principle 4 of the GDPR – Accuracy
Personal data must be accurate and, where necessary, kept up to date. You should ensure that personal data is recorded in the correct files.
Principle 5 of the GDPR – Storage limitation
You must not keep personal data in a form that allows data subjects to be identified for longer than needed for the legitimate educational/research or Company business purposes or other purposes for which the Company collected it. Those purposes include satisfying any legal, accounting or reporting requirements. Records of personal data can be kept for longer than necessary if anonymised.
Principle 6 of the GDPR – Security, Integrity and Confidentiality
The Company is required to implement and maintain appropriate safeguards to protect personal data, taking into account in particular the risks to data subjects presented by unauthorised or unlawful processing or accidental loss, destruction of, or damage to their personal data.
You may only transfer personal data to third-party service providers (i.e. data processors) who provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Law and who agree to act only on the Company’s instructions. Data processors should therefore be appointed subject to the Company’s standard contractual requirements for data processors.
Glossary of Terms
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR. The Company is the Data Controller of all personal data relating to it and used delivering education and training, conducting research and all other purposes connected with it including business purposes. .
Data Subject: a living, identified or identifiable individual about whom we hold personal data.
Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Privacy Notices: separate notices setting out information that may be provided to data subjects when the Company collects information about them.