Data Protection Policy
The purpose of this policy is to apply the principles of Data Protection regulations to this organisation.
The principles of data protection are outlined in "Data Protection Legislation", which means Directive 95/46/EC, as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and any data protection laws substantially amending, replacing or superseding the GDPR following any exit by the United Kingdom from the European Union including the Data Protection Act 2018, and/or other applicable data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by courts, any Supervisory Authority and other applicable authorities.
The policies look to protect the rights and privacy of living individuals and to ensure that Personal Data is not processed without their knowledge, and, wherever possible, is processed with their consent. To follow the regulations, information about individuals must be collected and used fairly with a lawful basis, stored safely and securely and not disclosed unlawfully to any third party.
This policy is applicable to Trade 4 Less Ltd and to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
3. Risk Appetite
Trade 4 Less Ltd has a low appetite for data protection breaches.
4. Policy Statement
4.1. Data Protection Regulations
At the time of writing, this policy aims to satisfy data protection regulations in the United Kingdom, namely:
- The UK Data Protection Act 2018
- The UK Data Protection (Charges and Information) Regulations 2018
- The EU General Data Protection Regulation (GDPR) (EU 2016/679)
- The EU Privacy and Electronic Communications Regulation 2003 (PECR) (EU 2001/3495)
- The EU ePrivacy Regulation (ePr) (Directive 2002/58/EC) (Due in 2019)
- UK Information Commissioner's Office (ICO) Guidance
Data Processing in the United Kingdom is regulated by the Information Commissioner's Office (ICO). Trade 4 Less Ltd is registered with the ICO as a data controller under reference number 12169514.
4.2. Data Protection Principles
There are 6 key principles relating to the processing of personal data:
· Lawfulness, fairness and transparency
Data should be processed lawfully, fairly and in a transparent manner in relation to the data subject
· Purpose limitation
Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
· Data minimisation
Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
· Accuracy
Data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
· Storage limitation
Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
· Integrity and confidentiality
Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Trade 4 Less Ltd is responsible for and must be able to demonstrate compliance with these conditions to the UK Information Commissioner's Office (ICO).
4.4. Lawfulness, fairness, and transparency
Basis for processing personal data
Processing of personal data is only permitted if one of the following applies:
- It is done with the expressed consent of the data subject
- It is necessary for the provision of our service or the performance of a
- It is necessary for compliance with a legal
- It is necessary to protect the vital interests of the data subject or of another natural person;
- It is necessary for the performance of a task carried out in the public
- It is necessary for the purposes of the legitimate
When using the lawful basis of Legitimate Interest, a legitimate interest assessment (LIA) should be undertaken to ensure that the interest is demonstrable.
The lawful basis can be identified using Fig. 1 below.
Fig. 1 – Informed Consents Decision Tree
4.5. Data Subject Consent Requirements
Where processing is based on consent, Trade 4 Less Ltd must be able to demonstrate that the data subject has consented to processing of personal data.
If the data subject's consent is given in the context of a written declaration, which also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.
Consent shall be as easy to withdraw as to give.
Consent relating to Children
Where processing is based on consent and in relation to a child, it should only be undertaken where the child is at least 16 years old.
Where the child is below the age of 16 years, you should only process personal data if consent is given or authorised by the holder of parental responsibility over the child.
You must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child.
Special category data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is generally prohibited, but where this processing is vital, it must only be carried out with the explicit consent of the data subject.