CA Compliance Limited (the “Company”) needs to gather and use certain information or personal data about individuals whilst providing Services to third parties who retain and employ the services of the Company (a “Client”). The Company acknowledges and agrees that whilst providing such Services a Client remains the Data Controller, with the Company processing the personal data or Information as a Data Processor acting on behalf of a Client.
WHY DOES THIS POLICY EXIST?
This Policy exists to ensure that the Company:
- complies with data protection law and follows good practice;
- protects the rights of staff, clients and partners;
- is open about how it stores and processes individuals’ data;
- protects itself from the risks of data breach.
The Company takes its responsibilities seriously under applicable data protection law, including the General Data Protection Regulation and implementing legislation such as the Data Protection Act 2018. The purpose of this policy notice is to inform Clients of the data relating to them that the Company may collect and use in connection with its Services and the uses (including disclosures to third parties) the Company may make of such data.
If Clients have any questions about the use of their personal data, please contact the Company at email@example.com.
DATA PROTECTION LAW
The General Data Protection Regulation and implementing legislation such as the Data Protection Act 2018 (the “Legislation”) reflect and encompass the relevant data protection law. The Legislation describes how organisations – including the Company – must collect, handle and store personal information or personal data. The Company confirms that it will comply with all Data Protection Legislation applicable to the processing of personal data and will take all such steps as are necessary to ensure that any employee, agent, contractor or other person with any access to personal data complies with all applicable Data Protection Legislation and maintains confidentiality of the personal data. These regulations and rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the legislation, personal information or personal data must be collected and used fairly, stored safely and not disclosed unlawfully.
OBLIGATIONS OF THE COMPANY
The Company warrants that while processing any personal information or personal data on behalf of Clients, the Company shall:
- process the personal information or personal data only to the extent and in such a manner as is necessary to provide the required Service, to meet its obligations under the Legislation and in accordance with a Client’s express instructions;
- use appropriate operational and technological processes and procedures, to the best of its ability, to keep the personal data or personal information secure and safe from unauthorised use or access, loss, destruction, theft or disclosure;
- ensure that appropriate encryption procedures will be utilised on any mobile device;
- ensure that access to personal information or personal data will be limited to those employees, contractors, workers or agents who require access to it in order to provide the Service to a Client;
- provide adequate training in data protection legislation, duty of confidentiality and data handling to all employees providing the Service to a Client;
- ensure that upon receipt of any request, complaint, notice or communication in relation to the processing of the personal information or personal data, the Company shall immediately notify a Client and shall fully co-operate with a Client in relation to such matter;
- not disclose the personal information or personal data to any third party other than by operation of law, and not transfer the personal information or personal data to any country outside of the European Economic Area (the “EEA”) other than with explicit written authority from a Client, such authority to be subject to and given on such terms as a Client may in its absolute discretion prescribe;
- ensure that if a Client grants such written authority to transfer the personal information or personal data to a country outside the EEA, the Company shall (a) comply with the obligations of a data controller under the relevant European Union Data Protection and Privacy Directives as applicable, providing evidence, if requested, of the adequate level of protection to a Client; (b) comply with any reasonable instructions notified to it by a Client; and (c) ensure that the country or territory also ensures an adequate level of protection is afforded to the personal information or personal data;
- put in place effective record management procedures and processes to ensure that records are securely deleted or destroyed within a reasonable time following the conclusion of the provision of the Service required of the Company or upon termination of the agreement between the Company and a Client, for whatever reason;
- facilitate a Client, at its own expense, on reasonable notice and at any reasonable time, to undertake an audit of the personal information or personal data management practices and the data security practices of the Company or any approved sub-contractor of the Company to ensure compliance with this Policy.
The Company aims to ensure that individuals are aware that their data is being processed and that they understand how the personal information or personal data is being used and how that individual may exercise their rights under the Legislation.
PERSONAL DATA THAT THE COMPANY COLLECTS
The Company will collect and process personal data relating to Clients in connection with its Services. Personal data may include:
- individual names and contact details, including addresses, phone numbers, email addresses and post codes;
- any previous correspondence with the Company that is Service related;
- details and dates of the Services provided; and
- any other personal data which a Client provides to the Company directly.
PERSONAL DATA THAT THE COMPANY COLLECTS FROM OTHER SOURCES
The Company may collect and process personal data relating to the Service contracted and Clients will be aware of this collection.
PURPOSES OF PROCESSING AND LEGAL BASIS
The Company will use personal data relating to Clients for the purposes of fulfilling a contracted Service. The legal basis on which the Company collects, processes and transfers Clients’ personal information is that this is necessary for compliance with a legal or regulatory obligation that applies to the Company.
The Company will not hold Client personal data for longer than is necessary.
The Company might need to transfer Client personal data outside the European Economic Area. If so, the Company will ensure that appropriate measures are in place to comply with its obligations under applicable law governing such transfers. These may include entering into a contract governing the transfer that contains the ‘standard contractual clauses’ approved for this purpose by the European Commission.
CLIENTS’ DATA RIGHTS
Clients have the following rights, in certain circumstances and subject to certain restrictions, in relation to their personal data:
- Right to access the data – the right to request a copy of the personal data that the Company holds about them, together with other information about the processing of that personal data.
- Right to rectification – the right to request that any inaccurate data that is held about them is corrected, or, if the Company holds incomplete information, to request that the Company update the information so that it is complete.
- Right to erasure – the right to request the Company to delete personal data that it holds about them. This is sometimes referred to as the right to be forgotten.
- Right to restriction of processing or to object to processing – the right to request that the Company no longer processes their personal data for particular purposes, or to object to the processing of their personal data for particular purposes.
If a Client wishes to exercise any of the rights set out above, please contact the Company at firstname.lastname@example.org.
If a Client has any queries or complaints in connection with the processing of its personal data, it can contact the Company at email@example.com. A Client also has the right to lodge a complaint with the Irish Data Protection Commission if they are not happy with the way the Company has used their information or addressed their rights. Details of how to lodge a complaint can be found at https://www.dataprotection.ie/docs/Contact-us/11.htm, or they can call the Data Protection Commission at 353 (0)761 104 800.
CA Compliance Limited
Revision date: 25 June 2018
Policy prepared by CA Compliance Limited
Approved by management on 12 April 2017
Policy reviewed on 22 June 2017 and 25 June 2018
Next review date is 25 June 2019