As of 01/09/2020 the relevant person with responsibility for data under the GDPR within our organisation is:
Data Controller: Mike Moran, Head Of Data Operations, firstname.lastname@example.org
What is Personal Data?
For the purposes of the GDPR, data is identified under two categories:
Personal data is a term used to describe the data relating to an individual held by Datascope Consulting & Solutions Ltd from which they are identified or can be identified in conjunction with other information that is in, or is likely to come into, the possession of Datascope Consulting & Solutions Ltd. Examples of personal data include forename, surname and online identifiers, e.g. email address.
Special Categories of Personal Data is a term used to describe personal data of a sensitive nature such as data relating to a person’s racial or ethnic origin, political opinions or religious or other philosophical beliefs, physical or mental health, sexual life, criminal convictions, genetic or biometric data or the alleged commission of an offence and/or trade union membership.
What are the legal bases for processing Data?
We may collect personal data either from individuals directly or from a third party supplier. Controlling and processing data requires one of six recognised legal bases under the GDPR. The six bases are as follows:
(1) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(2) Contract: the processing is necessary for a contract we have with the individual, or because the individual has asked us to take specific steps before entering into a contract.
(3) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(4) Vital interests: the processing is necessary to protect someone’s life.
(5) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(6) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Legitimate Interest is determined by a three-part test as follows:
Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
Rights of Individuals.
The GDPR provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
More detail on these rights can be found here - https://ico.org.uk/your-data-matters/
In addition a Data Subject has the right to make a complaint to the Information Commissioner’s Office online, by phone or in writing at the following:
Tel: 0303 123 1113;
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The following table identifies the types of data we collect, control and process; and the legal basis we rely upon for doing so:
Type of information collected
Data Subject’s name, address, telephone numbers, e-mail address(es).
Data Subject’s name, address, telephone numbers and email address.
Bank account details or payment details
Data subject’s name, address, email, next of kin
Data subject’s name, address, bank details.
Managing the Data Subject’s relationship with the firm.
To pay, be paid, or to refund monies.
To perform HR functions within the organisation.
Maintain records for tax & NI purposes
Legal basis for processing
Performing the Firm’s contract with the Data Subject.
Legitimate interest. The Data Subject may object at any time and will be informed accordingly.
To fulfil the contract between the Firm and the Data Subject.
Contract with employee