Data Protection Policy

ECups Ltd

 

 

Policy Statement

 

ECups Ltd is fully committed to complying with all relevant data protection laws in relation to the personal data we collect and use.  Annex A sets out what those laws are.

 

Scope

 

This policy applies to:

 

●      all our staff, which includes permanent, temporary and agency staff; and

●      all consultants, contractors and other individuals who undertake work on our behalf.

 

Everyone should ensure they read this policy.

 

Responsibilities

 

Our Company Director has overall responsibility for ensuring our compliance with this policy and all relevant data protection laws.

 

Everyone who works for us, including agency and temporary staff, partners, associates, consultants and contractors, has a responsibility for ensuring that the personal data they process is handled in line with this policy and all relevant data protection laws.

 

Everyone must ensure they have an appropriate level of data protection knowledge in relation to the role they undertake.

 

We may from time to time use the services of external data protection professionals to help us with our compliance obligations.

 

Notification to the ICO

 

We have notified the Information Commissioner's Office (ICO) that we process personal data; our data protection registration number is ZB399293 and this registration is renewed annually in October.

Data Protection Principles

 

We will always comply with the data protection principles in respect of the personal data we process.  All personal data will be:

 

●      processed in a lawful, fair and transparent way;

●      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

●      adequate, relevant and limited to what is necessary;

●      accurate and kept up to date;

●      kept for no longer than is necessary; and

●      processed in a manner that ensures appropriate security using appropriate technical or organisational measures.

 

Furthermore, we will be able to demonstrate our compliance with these principles.

 

Data Controller / Data Processor

 

We are the Data Controller for the purposes of processing all the personal data we collect and use. 

 

We do not operate jointly with other Data Controllers for the processing of the personal data we obtain.

 

We are not a Data Processor; we do not process personal data on behalf of other Data Controllers.

 

Category of Individuals & Personal Data Processed

 

We only collect and use “personal data” as defined in GDPR.  We do not collect and use any of the “special categories of personal data”.

 

We only process personal data about the following types of individual:

 

●      Employees;

●      Customers;

●      Suppliers.

 

Lawful ground to process personal data

 

We have identified an appropriate lawful ground to rely on to undertake all our personal data processing activities.  We keep these under review and if anything changes in how we process personal data we always check that the lawful ground still applies. 

 

The lawful grounds we rely on are documented in our Records of Processing Activities document and are also published in our privacy notice which is available on our website.

 

Records of processing activities

 

We have documented the personal data processing activities we undertake and will keep this up to date. 

 

Data Protection Officer

 

We do not have a legal obligation under GDPR to appoint a Data Protection Officer.  Instead our Company Director is responsible for overseeing our compliance with GDPR and DPA18 and their tasks are: 

 

Privacy Notices

 

To ensure compliance with the GDPR fairness and transparency requirements we always ensure that before personal data is collected directly from individuals they are provided with a privacy notice which tells them why we are collecting their personal data and what we will do with it.

 

Furthermore, when personal data is obtained from a third party and not directly from an individual we issue the individual with a privacy notice within one month from obtaining their personal data.

 

Our privacy notice is published on our website and is presented in a way that is concise, transparent, intelligible, easily accessible, and written in clear and plain language so that an individual can easily understand what happens to their personal data.

 

Individuals' rights

 

GDPR gives the following rights to individuals:

 

●      Right of access to their personal data, commonly known as a Subject Access Request;

●      Right to rectify inaccurate personal data;

●      Right to erase their personal data, commonly known as the right to be forgotten;

●      Right to restrict the processing of their personal data;

●      Right to data portability, i.e. to transfer data from one provider to another;

●      Right to object to the processing; and

●      Right not to be subject to a decision based solely on automated processing.

 

We will ensure that any request submitted by an individual in relation to any of their rights is responded to without any undue delay and at the very latest within one month of receiving a valid request.

 

All correspondence with the individual and any information provided to them will be done in a concise, transparent, intelligible and easily accessible format using clear and plain language.

 

Data Processors

 

If we use a data processor to undertake the processing of any of our personal data we will only use processors who can provide sufficient guarantees to implement the appropriate technical and organisational measures to be able to comply with GDPR and protect the rights of the individuals.

 

Before appointing a data processor we may seek further information from them about their data protection compliance. 

 

A written data processor contract will be in place with a data processor before any processing begins.  We will ensure that any such contract complies with the requirements of GDPR. 

 

Any data processor will be subject to ongoing reviews and monitoring of their GDPR compliance by us.

 

Data sharing

 

Any sharing of personal data with third parties will be done legitimately and in line with GDPR and DPA18.

 

A Data Sharing Agreement will normally be in place for all routine personal data sharing activities.

 

Disclosure of personal data to third parties

 

In certain circumstances, GDPR and the DPA18 allow personal data to be disclosed to third parties who have requested it without obtaining the consent of the data subject.

 

Should we receive any such requests we will always:

 

●      review the request and make a decision on whether to release the personal data; and

●      maintain a log of requests from third parties and document the outcome of the decision-making process.

 

Security of personal data

 

We will implement the most appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the personal data we process.

 

Everyone must ensure that they process personal data securely and do not disclose it to any unauthorised third party, whether accidentally, negligently or intentionally.  The organisational and technical measures we have in place are shown at Annex B.

 

If an approved code of conduct or certification scheme becomes available that relates to our processing activities, we will consider obtaining accreditation as a way to demonstrate compliance with our GDPR security of processing obligations.

 

Transfer of data to a third country

 

We will only transfer personal data outside of the UK when there are appropriate safeguards in place to ensure an adequate level of protection for the personal data as is our obligation under GDPR.

 


Personal data breaches

 

We are responsible for implementing the most appropriate organisational and technical security measures to safeguard the personal data we process from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.

 

We will make every effort to protect the personal data we process and reduce the risk of a data breach; however, we recognise that we cannot entirely eliminate this risk.

 

We will deal with all personal data breaches in line with our Personal Data Breaches Procedure.

 

All personal data breaches will be assessed on a case by case basis to determine, within 72 hours of becoming aware of the breach, whether they are reportable to the Information Commissioner's Office and to the individuals affected.

 

Data Protection Impact Assessments

 

Should any of our processing activities require us to undertake a Data Protection Impact Assessment (DPIA) we will always ensure that we do undertake and fully document the DPIA process.

 

Training

 

All staff will receive annual data protection awareness training.

 

Where necessary, staff in specialist roles that handle personal data, or any of the special categories of personal data, on a daily basis will receive specific data protection training relating to the type of personal data they process.

 

Training will be provided either in-house or externally. 

 

Completion of data protection training is compulsory.

 

Failure to comply

 

We take our compliance with data protection laws and this policy very seriously. Failure to comply puts our business at risk from enforcement action, monetary penalties and reputational damage. 

 

If we fail to comply with GDPR or the DPA18 and that failure causes significant damage or distress to an individual, the Information Commissioner's Office can, under GDPR, impose a monetary penalty of up to £17,500,000 or 4% of our worldwide annual turnover, whichever is higher.

 

Any breaches of either this policy or the GDPR and DPA18 will be investigated.

 

Any member of staff who is found to be in breach of GDPR, the DPA18 or this policy may be subject to formal proceedings under our disciplinary process and, where necessary, may have their access to personal data withdrawn.

 

Review of Policy

 

This policy will be reviewed on an annual basis.

 

The next review is due March 2023.

 

Annex A

Data Protection Laws

 

UK General Data Protection Regulation (UK GDPR)

Data Protection Act 2018

Privacy & Electronic Communications Regulations 2003

 

Annex B

Organisational & Technical Measures

 

Personal data will be processed in a secure environment on appropriately secured servers.

 

Servers containing personal data will be kept in a secure location, away from general office space.

 

Personal data will not be freely accessible by individuals who do not need to see it.

 

Personal data stored on paper will be kept in a secure place where unauthorised personnel cannot access it.

 

Printed personal data will be shredded when no longer needed.

 

Personal data held electronically will be protected by strong passwords.

 

Passwords must never be shared.

 

Mobile devices will be kept out of sight or securely locked away when they are not being used.

 

Personal data will be regularly backed up.

 

PCs, laptops and mobile devices will be encrypted, particularly where personal data is stored on the device.

 

Computer screens will be locked when left unattended.

 

No unauthorised disclosure of personal data may be made, either within the company or externally.

 

Personal data must never be misused.

 

Personal data must be securely disposed of when no longer required and in line with retention periods.

 

Annual data protection refresher training will be undertaken.

 

Revision History

 

Version | Revision Date | Revised by | Revisions made
0.1 | 28.2.22 | Dunwell Data Protection | New policy drafted
0.2 | 18.4.22 | Dunwell Data Protection | ECups Ltd branding added to draft policy
0.3 | 3.10.22 | H Greenwood | ICO Registration