DATA PROTECTION POLICY
This is the Data Protection Policy of Stationery by After Hours Creative who is the data controller, and responsible for all personal data processed by Stationery by After Hours Creative (collectively referred to as the "Company," "we," "us" or "our").
The Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) came into force on 25th May 2018. Once in effect, they repeal the previous Data Protection Directive (Directive 95/46/EC) and supersede the Data Protection Act 1998.
The GDPR contains strict principles and legal requirements that must be adhered to before and during any processing of any personal information.
Definitions
Data subject: A living individual to whom data pertains.
Data controller: The person or organisation determining the means and purpose of collecting and processing the personal data.
Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data protection legislation: The General Data Protection Regulation (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK; and any supplemental legislation to the GDPR, in particular the Data Protection Bill 2017-2019 and the E-Privacy Directive (and its proposed replacement), once it becomes law.
Personal data: Data or information that identifies a living individual (data subject) either directly or indirectly. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous or from which the identity has been permanently removed, making it impossible to link back to the data subject.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special category data: Any personal data which reveals a data subject's ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, sex life or sexual orientation.
The Data Protection Principles
As a data controller, we are required by law to ensure that everyone who processes personal data during the course of their work with us does so in accordance with data protection legislation, including the GDPR principles. In brief, the principles say that personal data must be:
- processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate data are erased or rectified without delay (accuracy);
- kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation); and
- processed in a manner that ensures appropriate security, using appropriate technical or organisational measures (integrity and confidentiality).
The GDPR requires that, as data controller, we also:
- effectively uphold individuals' rights;
- ensure that the necessary measures and safeguards are in place if data is transferred outside the European Economic Area; and
- be able to demonstrate effective accountability and compliance with the GDPR.
The Company and its employees must comply with these principles at all times.
We will not use personal data for activities where our interests are overridden by the impact on data subjects (unless we have their consent or are otherwise required or permitted to by law).
In any instance where we are processing personal data based on legitimate interests, data subjects still have the right to object to their data being processed in that manner.
Only collecting data that is adequate and relevant - data minimisation
Any data collected by the Company must be adequate and relevant to meet the identified purpose. We must not collect any personal data that is over and above our identified need.
Ensuring personal data is accurate and up to date
We have a responsibility to make sure that the personal data we hold across all our systems is up to date and accurate. Data subjects have an explicit right to be able to update their details.
Keeping Data for no longer than is necessary - storage limitation
The personal data should not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which it is used.
Different categories of personal data will be retained for different periods of time, depending on legal, operational and financial requirements.
Any data which the Company decides it does not need to hold will be destroyed in accordance with its Data Retention Policy and associated Retention Schedule.
Personal data must be kept confidential and secure
We have a responsibility to ensure that personal data is kept confidential and secure and is only accessed and processed by authorised personnel.
To achieve this, we have instituted the following measures:
- The Company has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to data. These procedures must always be adhered to and not overridden or ignored.
- Where the Company provides employees with passwords to be used before releasing personal information, for example by telephone, staff must strictly follow the Company’s requirements in this regard.
- Only transmit personal information between locations by e-mail if a secure network is in place.
- Ensure that any personal data which an employee holds is kept securely, either in a locked filing cabinet or, if it is an electronic file, ensure it is password protected to prevent unintended destruction or change, and is not seen by unauthorised persons.
- Do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which would be inappropriate to share with that data subject.
- Do not remove personal information from the workplace with the intention of processing it elsewhere.
- Ensure that when working on personal information, employees will continue to observe the terms of this policy and the data protection legislation, in particular in matters of data security.
- Ensure that hard copy personal information is disposed of securely, for example cross-shredded.
- Manual personnel files and data subject files are confidential and are stored in locked filing cabinets.
- Only authorised employees have access to these files. For a list of authorised employees, please contact the Director.
- Data stored on Company approved memory sticks, discs, portable hard drives or other removable storage media is kept in locked filing cabinets or secured server rooms.
- Data held on computers is stored confidentially by means of password protection.
- The Company has network back-up procedures to ensure that data on computers cannot be accidentally lost or destroyed.
We use a GDPR-compliant service provider based in the United States of America to support some of our ecommerce and marketing functions. This provider is Mailchimp.
Data subject rights
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
At any time a data subject can request that we take action to support their aforementioned rights, with regard to their personal data.
Data subjects also have the right to be notified of a data security breach in certain circumstances.
There are different rules and procedural timeframes that we must adhere to when a data subject exercises their rights. Whenever we process or receive a request in relation to any of the above rights, employees must immediately advise the Director.
Subject Access Requests
Stationery by After Hours Creative is responsible for coordinating and managing the Company’s response to all subject access requests. This is to ensure that we properly and compliantly meet all requirements of the Company under data protection legislation which include:
- Verifying the identity of the person making the subject access request;
- In addition to providing them with their personal data, providing individuals with the following information:
  - The purposes of processing;
  - The categories of personal data concerned;
  - The recipients or categories of recipient we disclose the personal data to;
  - The retention period for storing the personal data;
  - The existence of their right to request rectification, erasure or restriction, or to object to such processing;
  - The right to lodge a complaint with a supervisory authority;
  - Information about the source of the data, where it was not obtained directly from the individual;
  - The existence of automated decision-making (including profiling); and
  - The safeguards provided when personal data is transferred to a third country or international organisation;
- Not disclosing the personal data of third parties unless the express consent of the data subject has been received;
- Not disclosing personal data to third parties unless the data subject has given their explicit consent. A third party is any party who is not the data subject and can include family members of the data subject.
A personal data breach will arise whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on a data subject.
In the event of a security incident or breach, the Director shall be informed and these steps taken:
- Contain the breach;
- Assess the risk posed to data subjects as a result of that breach; and
- Limit the scope of the breach by taking steps to mitigate its impact on both the data subject and the Company.
The Director will determine within 72 hours the seriousness of the breach and whether the data subjects need to be notified of it.
In order to demonstrate our compliance with the GDPR, we keep records of all our processing activities. This means that our Director must be aware, at all times, of all activities in relation to data processing.
All employees that handle personal information of individuals must have a basic understanding of the data protection legislation, including the GDPR. Appropriate training will be deployed by the Company to all staff.
Staff with duties such as computer and internet security, marketing and database management may need specialist training to make them aware of particular data protection requirements in their work area.
Sharing personal data
Stationery by After Hours Creative is subject to specific rules under the GDPR and the Privacy and Electronic Communications Regulations (PECR) in relation to marketing our services. Data subjects have the right to reject direct marketing, and we must ensure that data subjects are given this option at first point of contact.
When a data subject exercises their right to reject marketing, we must desist immediately from sending further communications.