BROOKS PERSONAL TRAINING

Similar documents
DATA PROTECTION POLICY

General Data Protection Regulation. What should community energy organisations be doing to prepare?

Sample Data Management Policy Structure

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

GENERAL DATA PROTECTION REGULATION.

Bulkington, Nuneaton & Bedworth (BNB) BNB U3A Data Protection Policy

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent

What does the GDPR mean for recruitment?

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

DATA PROTECTION POLICY 2018

Sir William Perkins s School Data Protection Policy

UK Research and Innovation (UKRI) Data Protection Policy

General Personal Data Protection Policy

Baptist Union of Scotland DATA PROTECTION POLICY

Tourettes Action Data Protection Policy

Nissa Consultancy Ltd Data Protection Policy

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

Data Protection Policy

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

CHANNING SCHOOL DATA PROTECTION POLICY

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

VMS Software Ltd- Data Protection Privacy Policy

Data Protection Policy

Brasenose College Data Protection Policy Statement v1.2

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

RAW MARKETING DATA PROTECTION POLICY

Data Protection Policy

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

GENERAL DATA PROTECTION REGULATION Guidance Notes

DATA PROTECTION POLICY VERSION 1.0

Data Protection Strategy Version 1.2

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

General Data Protection Regulation (GDPR) A brief guide

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

Data Protection Act Policy Statement Status/Version: 0.1 Review Information Classification: Unclassified Effective:

This personal information must be dealt with properly, with appropriate safeguards in place to ensure the rights and freedoms of data subjects.

DATA PROTECTION POLICY WINCHESTER CITY COUNCIL. Data Protection Policy

UoW takes measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident.

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018

Data Protection Policy

Royal Irish Academy: Data Protection Policy, Procedures and Guidelines in relation to CCTV

INFORMATION SECURITY AND DATA PROTECTION

General Data Protection Regulation (GDPR) Key considerations and implications for brokers

GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS

The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2017

Self-Assessment Questionnaire Controllers

The SENAD Group. Section 5 Data Protection Protocol

DATA PROTECTION POLICY

HEAVERS FARM PRIMARY SCHOOL. GDPR Data Protection Policy

Foundation trust membership and GDPR

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

DATA PROTECTION POLICY

As members will be aware new General Data Protection Regulations (GDPR) come into effect on May 25 th this year.

FPSS GDPR Data Protection Policy

APPLICATION FORM SCAFFOLDING LTD POSITION APPLIED FOR PERSONAL DETAILS NEXT OF KIN DRIVING LICENCE DETAILS YES YES. T Offence code. Date.

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

PREPARING FOR THE GENERAL DATA PROTECTION REGULATION. SELF-ASSESSMENT QUESTIONNAIRE Data Controllers

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

GDPR Impacts on Digital Transformation

Privacy Policy & Data Protection

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

General Optical Council. Data Protection Policy

GDPR: What Every MSP Needs to Know

Functional area. F Hallinan, C Abad, W Andrews Approver (s) Version 001 Effective date 25 May Privacy Notice for Emergency Contacts

Privacy Notice for Clients of RISDON HOSEGOOD Solicitors

DATA PROTECTION POLICY

DATA PROTECTION POLICY 2016

General Data Protection Regulation - Explained

The Sage quick start guide for businesses

KEMBLE PRIMARY & SIDDINGTON CE PRIMARY SCHOOLS DATA PROTECTION & THE GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

Brasenose College is committed to protecting the privacy and security of personal data.

South Farnham Educational Trust. GDPR Data Protection Policy

GDPR General Data Protection Regulation

Getting Ready for the GDPR

THINK LEGAL RECRUITMENT PRIVACY POLICY ONLINE AND GENERAL USE

GDPR AN OVERVIEW OF THE REGULATIONS AND THEIR LIKELY IMPACT ON APPRENTICESHIPS

Data Protection Policy

THE COMPETITION AND CONSUMER PROTECTION COMMISSION JOB APPLICANT PRIVACY NOTICE 1. INTRODUCTION... 2

Wellington College Belfast

Supplemental guide to the GDPR for HR professionals

Data subject access policy

Trinity is committed to protecting the privacy and security of personal data.

Data Protection Policy

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

Humber Information Sharing Charter

Transcription:

BROOKS PERSONAL TRAINING Data Protection Policy Data Protection Policy Lent 2017 0

DATA PROTECTION POLICY Table of Contents: 1. Document Control... 2 2. Introduction... 3 3. General Statement of Scope... 3 4. Contracts with 3 rd Party Data Processors... 3 5. Data Protection Officer... 3 6. Data Protection Training... 3 7. The Principles... 3 8. Personal Data... 4 9. Processing of Personal Data... 4 10. Sensitive Personal Data... 5 11. Rights of Access to Information... 5 12. Data Sharing... 5 13. Data Transferability... 5 14. Automated Decision Making... 5 15. Accuracy... 6 16. Enforcement and Personal Data Breaches... 6 17. Information Risk... 6 18. Data Protection Impact Assessment (DPIA)... 7 19. Information Security... 7 20. External Processors... 7 21. Secure Destruction... 7 22. Data Processing Suppression Requests... 8 23. Retention of Data... 8 24. CCTV... 8 Data Protection Policy 2018 1

1. Document Control Document owner Kyle Brooks, Owner, Brooks Personal Training Prepared by Glow Virtual Assistants Reviewed by Approved by Kyle Brooks, Owner, Brooks Personal Training Kyle Brooks, Owner, Brooks Personal Training Approved on 1st July 2018 Next review date 1st June 2019 Reference DPP_001 Version 1.0 Classification Public Distribution list Kyle Brooks, Owner, Brooks Personal Training To approve and authorise Communication The Data Protection Policy is published on public facing websites. Data Protection Policy 2018 2

2. Introduction Brooks Personal Training recognises the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is processed in compliance with this regulation. This Data Protection Policy is written specifically to ensure appropriate compliance with the GDPR and has used the ICO self-assessment guidance for small organisations as at February 2018 for guidance as to the requirements. Brooks Personal Training has adopted the GDPR compliance requirements of the Data Controller and Data Processor. 3. General Statement of Scope This Policy applies to Brooks Personal Training, 17b Alston Road, Hellesdon Business Park, Hellesdon, Norwich, NR6 5DS. Brooks Personal Training processes relevant personal data regarding its clients as part of its operation and shall take all reasonable steps to do so in accordance with this Policy. Should the scope of the business undertaken by Brooks Personal Training change, this Policy will be updated to reflect the changes in relation to compliance with the GDPR. Brooks Personal Training only operates within the European Union. 4. Contracts with 3 rd Party Data Processors Brooks Personal Training maintains signed contracts with 3 rd parties who are operating as Data Processors under the GDPR for the purpose of this Policy. Such processors are striving to be GDPR compliant and are generally based within the EU. 5. Data Protection Officer Brooks Personal Training has not appointed a Data Protection Officer as it is not required to do so under the GDPR. 6. Data Protection Training Brooks Personal Training undertakes appropriate and reasonable data protection training including the day to day aspects of data protection in the context of the GDPR. 7. The Principles Brooks Personal Training shall so far as is appropriate, and is reasonably practicable, comply with the GDPR principles contained in Article 5 of the regulation which sets out the main responsibilities for organisations. These state that personal data should be: a) processed lawfully, fairly and in a transparent manner in relation to individuals; Data Protection Policy 2018 3

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 8. Personal Data Personal data covers facts about an individual where that data identifies an individual. For example, it includes information necessary for: raising of client invoices for the payment of activity undertaken on behalf of the client; and the identification of customers and prospective customers for marketing purposes. 9. Processing of Personal Data Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent. Where Brooks Personal Training processes personal data for direct marketing purposes either for its own benefit or under the instruction of clients, data subjects have the right to request an opt-out to these activities, which will be respected. Brooks Personal Training client direct marketing lists have been constructed using the double opt-in approach. Data Protection Policy 2018 4

10. Sensitive Personal Data Brooks Personal Training does not process sensitive personal data as is defined in the GDPR. If this position changes, this Policy will be updated. 11. Rights of Access to Information Data subjects (clients and prospective clients) have the right of access to information held by Brooks Personal Training, subject to the provisions of the GDPR and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the Brooks Personal Training. Brooks Personal Training will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the attention of Brooks Personal Training and in compliance with the regulation. Brooks Personal Training is to be notified of all requests for information access. 12. Data Sharing Brooks Personal Training recognises that it is important that data entrusted to the business is only used for the purposes intended and that it is not shared beyond the consent received. Where data relates to Brooks Personal Training clients or prospective clients, the individuals are informed at outset as to how their data will be used and whether it will be shared. Sharing of data would require consent. Where a contractually bound client requests the sharing of their data in the normal course of business, this request will be fulfilled. Any other form of data request should be referred to Brooks Personal Training for review. A log will be maintained of data sharing requests which fall outside of the normal business processing. 13. Data Transferability Brooks Personal Training supports the ability of data subjects to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. The process to be employed to facilitate such requests would be assessed at the time to ensure they were appropriate and reasonable whilst maintaining compliance under the GDPR. 14. Automated Decision Making Brooks Personal Training does not undertake personal data automated decision making including profiling. Data Protection Policy 2018 5

15. Accuracy Brooks Personal Training will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply. Periodically, client and prospective client marketing lists will be reviewed to ensure the data remains appropriate and up to date. This process may involve the prospective client being contacted to ascertain whether they wish to remain on the lists, or to be deleted. In addition, an annual Information Audit is undertaken to identify all sources of data, how and where the data is stored, used and deleted. This information audit is used to ensure that data held remains relevant, accurate and up to date. 16. Enforcement and Personal Data Breaches If an individual believes that Brooks Personal Training has not complied with this Policy or acted otherwise than in accordance with the GDPR, the grievance should be raised with Brooks Personal Training. The grievance should also be notified to the ICO. The grievance will then be monitored to a satisfactory conclusion by Brooks Personal Training with any remedial actions and training being identified and implemented. Satisfactory closure includes closure of the grievance by the ICO. 17. Information Risk Brooks Personal Training manages information risk through the identification of areas of risk and the adoption of appropriate measures and processes to mitigate the risk. For example, the annual Information Audit is used to identify what data is stored, where, how it is used etc. One audit output is the identification of data flows from which information risk assessments are completed. Brooks Personal Training manages information risks in a structured way and understands the business impact of personal data related risks and manages them effectively, applying appropriate and reasonable mitigation processes. Attention is also drawn to the existence of the Information Security Policy and the Records Management Policy, which provide more specific information on data protection processes and risk mitigation. Data Protection Policy 2018 6

18. Data Protection Impact Assessment (DPIA) Brooks Personal Training will undertake DPIA s implementing appropriate and reasonable measures as a matter of its ongoing business and as developments occur, such as new clients, technology or processes. 19. Information Security Brooks Personal Training will take appropriate technical and organisational steps to ensure the security of personal data. Brooks Personal Training are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data. An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems. Attention is also drawn to the existence of the Information Security Policy and the Records Management Policy, which provide more specific information on data protection processes. 20. External Processors Brooks Personal Training must take reasonable and appropriate steps to ensure that data processed by external processors, for example, 3 rd party service providers, Cloud services including storage, web sites etc. are compliant with this Policy and the relevant legislation. 21. Secure Destruction When data held in accordance with this Policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction. Secure destruction of data will take place within the timescales agreed between Brooks Personal Training and the client, including contractual timescales, if this is appropriate. The frequency of the secure destruction of data will depend upon it being an adhoc request from a Brooks Personal Training client, or during the Information Audit. Data Protection Policy 2018 7

22. Data Processing Suppression Requests Brooks Personal Training clients may request Brooks Personal Training to suppress the processing of specific data at any point. Brooks Personal Training will react to these requests as is reasonable and appropriate ensuring that the clients wish is met. It is not in the commercial interests of Brooks Personal Training to continue processing data which is not required, nor would it be compliant with the GDPR. 23. Retention of Data Brooks Personal Training may retain data for differing periods of time for different purposes as required by the business, best practice or regulation. Brooks Personal Training will retain electronic and hard copies of data for 2 years to allow for the trend of clients returning within that period. In addition, general documentation relating to clients e.g. records of meetings, may be retained for up to 5 years as these records do not contain any private or confidential information. Brooks Personal Training may store some data indefinitely, such as client invoices. 24. CCTV Brooks Personal Training does not currently operate CCTV. Data Protection Policy 2018 8

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback