Why we have this policy
The purpose of this policy is to set out how we comply with our obligations as a Data Controller when Processing Personal Data relating to Well Organised Marketing.
We need to process Personal Data about people who are signing up for our newsletter or downloading files, and about clients who sign up for the online blogging course.
Why data protection is important
Protecting the confidentiality and integrity of Personal Data is a key responsibility.
The correct and lawful treatment of Personal Data supports our relationship with members. It also helps to ensure that the Personal Data we hold is accurate and up to date.
In addition, as Data Controller we are responsible for complying with data protection law and must be able to demonstrate compliance with it.
If we do not protect the confidentiality and integrity of Personal Data or otherwise fail to comply with (or demonstrate compliance with) data protection laws, this could result in any or all of the following:
- regulatory intervention and possible fines;
- claims for compensation from Data Subjects or bodies acting on their behalf;
- adverse publicity and reputational damage for Well Organised Marketing;
- loss of trust from members and an increase in member complaints.
This policy applies to any past and future employee of Well Organised Marketing delegated to handle personal data.
Key terms used in this policy
In this policy:
Data Controller means anyone who, alone or jointly with others, decides the purposes and means of the Processing of Personal Data. We are a Data Controller. There can be more than one Data Controller in respect of the same Personal Data; some of our service providers may also be Data Controllers.
Data Processor means anyone who Processes Personal Data on behalf of a Data Controller. Some of our service providers are Data Processors.
Data Subject means an identified or identifiable natural person. In the context of Well Organised Marketing, this will usually be a person signing up for our newsletter or downloading files, or a client who signs up for the online blogging course.
Personal Data means any information (in any format, including in electronic or hard copy) relating to a Data Subject who is directly or indirectly identifiable from that information. Personal Data may or may not name the Data Subject. However, if, taken together with other information that Well Organised Marketing holds, a Data Subject is identifiable, that information will be deemed to be Personal Data. It can be factual (for example, a name, address or date of birth), or a decision or opinion about a person, their actions and behaviour.
Processing means any activity that involves use of Personal Data. It includes collecting, recording, holding, transferring, organising, amending, retrieving, viewing information on a screen, storing it on a back-up server or printing or carrying out any other operation on the data. Even the act of destroying or erasing data will be Processing. Process, Processes and Processed shall be construed accordingly.
Special Categories of Personal Data means Personal Data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying an individual, data concerning health, sex life or sexual orientation. Special Categories of Personal Data are subject to additional protection, as set out in this policy.
Data protection law
When we Process Personal Data, we will comply with data protection law.
Data protection law is based on a set of core principles. The principles are that Personal Data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and only Processed in ways that are consistent with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which the Personal Data is being Processed;
- accurate and, where necessary, kept up to date;
- kept in a form which does not allow individuals to be identified for any longer than is necessary for the purposes for which the Personal Data is being Processed;
- processed in a way that ensures the security, integrity and confidentiality of the Personal Data by using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage; and
- not transferred to another country without appropriate safeguards being put in place.
We will comply with these principles and the requirements that support them.
We will Process Personal Data lawfully. By this we mean that we will only Process Personal Data on grounds that are permitted by data protection law.
For Personal Data other than Special Categories of Personal Data, the grounds permitted by data protection law include the grounds that the Processing is necessary for us to comply with our legal obligations as a business or is necessary for the purposes of legitimate interests pursued by us or by a third party.
For Special Categories of Personal Data, the grounds permitted by data protection law include that the Data Subject has given their explicit consent to Processing for one or more specified purposes, or that the Processing is necessary for reasons of ‘substantial public interest’ within the meaning of a specific exemption that applies to pension schemes.
Fairness and transparency
We will Process Personal Data in a fair and transparent manner. To achieve this, we will provide Data Subjects with a detailed privacy notice that meets the requirements of data protection law.
If we (or one of our Data Processors) collect Personal Data directly from a Data Subject, we (or the Data Processor on our behalf) will provide them with the detailed privacy notice. The notice will be provided before or at the same time as we ask for the Personal Data. If the Data Subject has already received a detailed privacy notice, we will remind them of it and where they can find it.
If we (or one of our Data Processors) receive Personal Data about Data Subjects from another source, then we need to make sure that this is addressed in our privacy notice.
Processing for specified, explicit and legitimate purposes
We will only collect Personal Data for specified, explicit and legitimate purposes and we will not Process it in any way that is incompatible with those purposes.
The purposes for which we currently Process Personal Data are set out in the “How do we use your personal data” section of our separate privacy notice.
If we think we will need to Process Personal Data in a new way or for a new purpose, then we will take legal advice.
Data that is adequate, relevant and non-excessive
We will only collect Personal Data that is adequate, relevant and limited to what is necessary for the purposes for which the data is being Processed.
The types of Personal Data that we currently Process are listed in the “Personal data we Process” and “What personal data do we collect about you and how?” sections of our separate privacy notice.
We will seek legal advice if we are going to need to Process any other types of Personal Data.
Data that is accurate and up to date
We will make sure that the Personal Data we hold is accurate and, where necessary, kept up to date. We will also take steps to correct or delete data without delay when we find it is inaccurate.
We will not keep Personal Data in an identifiable form for longer than is necessary for the purposes for which the data is Processed. We will also take all reasonable steps to securely destroy or erase any Personal Data which is no longer required.
The section of our privacy notice titled “how long do we retain your personal data” sets out how long Well Organised Marketing expects to retain Personal Data.
Data security and accountability
We will take appropriate technical and organisational measures against the unauthorised or unlawful Processing, and against the accidental loss, destruction or damage of Personal Data by us as individual committee members when we personally collect, access and otherwise Process Personal Data.
We will keep these measures under review to make sure they are appropriate given available technology, the costs of implementation and the nature, scope, context and purposes of Processing as well as the potential severity and likelihood of risk to a Data Subject’s rights and freedoms if certain measures are not in place or are inadequate.
We will also:
- ensure that we receive suitable training or undertake learning on our duties under data protection law; and
- ensure that our internal controls procedures and risk register reflect data protection and cyber security risk.
Personal data breach
If we identify, or are informed, that there has been a personal data breach, we will consider the circumstances that led to the breach and seek legal advice immediately.
Data subject’s rights
Data Subjects are afforded various rights in relation to their Personal Data; specifically, Data Subjects can:
- withdraw consent to Processing (where we are relying upon consent);
- object to our Processing of their Personal Data in a certain way;
- ask for access to and information about the Personal Data that we hold (more widely known as a Data Subject access request);
- ask us to correct (rectify) inaccurate data and complete incomplete Personal Data;
- ask us to erase Personal Data (more widely known as the ‘right to be forgotten’);
- restrict Processing; and
- ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
Those rights are not absolute; some only apply in certain circumstances and even where they do apply, there may be exceptions to them.
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
We will never sell data to anyone.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
Point of contact
Any questions or complaints about our collection, use or other Processing of personal data should be made in writing by email or post using the contact details set out below.
Well Organised Marketing, 67 Dorset Gardens, West Bridgford, NG2 7UH
Or by email: firstname.lastname@example.org
We have not appointed a data protection officer because, at the moment, our core activities do not include Processing personal data in a way that includes or requires:
- the regular and systematic monitoring of individuals on a large scale; or
- the Processing, on a large scale, of special categories of personal data and personal data relating to criminal convictions and offences.
If this changes, we will consider the need to appoint a data protection officer.
How often will this policy be reviewed?
We will review this policy annually, or in the event of any key changes to data protection law.
This policy was last reviewed and updated on 20th May 2018.