The General Data Protection Regulation (GDPR) applies from 25 May 2018, replacing the UK Data Protection Act 1998. It expands the rights of individuals (referred to as ‘data subjects’), giving them more control over how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection. Its purpose is to protect the ‘rights and freedoms’ of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.
2. Definitions commonly used
Definitions for terms commonly used within this policy are given below:
Personal Data – any information relating to an identified or identifiable ‘data subject’. Very simply, an identifiable data subject is an individual who can be identified, directly or indirectly, by the personal data in question, such as a name, an identification number, location data, an online identifier (social media) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive or Special Categories of personal data – personal data revealing racial or ethnic origin, political opinions, health, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a person’s sex life or sexual orientation.
Data Controller – the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Sturrock Comb & Davidson Ltd (and any of its subsidiaries) is a Data Controller.
Data Processor – any external organisation that we appoint to process personal data on our behalf and on our instruction. For example, Sturrock Comb & Davidson Ltd acts as a Data Processor for Golden Charter, which is the Data Controller, in relation to pre-paid funeral plans.
Data Subject – any living identifiable individual who is the subject of personal data held by an organisation.
Processing – anything you do to data. This includes, but is not limited to, recording, accessing, storing, analysing and transferring data.
Data Subject Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data. Simply, we need clear agreement from the customer through an action, such as ticking a box or verbally agreeing.
Third Party – a legal person, public authority, agency or body other than the data subject which, under the direct authority of the controller, processor or data subject, is authorised to access or process personal data.
3. Policy statement
All staff of Sturrock Comb & Davidson Ltd, located at 34a Forfar Road, Dundee, DD4 7AY (Head Office), 135 South Road, Dundee, DD2 3EP, 150a Lochee Road, Dundee, DD2 2LD and 102 St Vincent Street, Broughty Ferry, DD5 2EY, are committed to compliance with all relevant EU and Member State laws in respect of personal data, and to the protection of the ‘rights and freedoms’ of individuals whose information Sturrock Comb & Davidson Ltd collects and processes, in accordance with the General Data Protection Regulation (GDPR).
• The GDPR and this policy apply to all of Sturrock Comb & Davidson Ltd’s personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data and any other personal data the organisation processes from any source.
• The Data Protection Officer is responsible for reviewing the Data Protection Policy to ensure it remains up to date and relevant following any changes to Sturrock Comb & Davidson Ltd’s activities.
• This policy applies to all staff and contractors of Sturrock Comb & Davidson Ltd. Any breach of the Data Protection Policy will be dealt with under Sturrock Comb & Davidson Ltd’s disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
4. Responsibilities and roles under the General Data Protection Regulation
• Sturrock Comb & Davidson Ltd is both a Data Controller and a Data Processor under the GDPR.
• The Data Protection Officer is responsible for the management of personal data within Sturrock Comb & Davidson Ltd and for ensuring that compliance with data protection legislation and good practice can be demonstrated.
• Compliance with data protection legislation is the responsibility of all staff of Sturrock Comb & Davidson Ltd who process personal data.
• Sturrock Comb & Davidson Ltd undertakes to provide training on data protection obligations under the GDPR to all staff as required.
• Staff of Sturrock Comb & Davidson Ltd are responsible for ensuring that any personal data about them and supplied by them to Sturrock Comb & Davidson Ltd is accurate and up to date.
5. Data protection principles
All processing of personal data must be conducted in accordance with the data protection principles of Article 5 of the GDPR. These principles are detailed below:
Principle 1: Lawfulness, Fairness and Transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle 2: Purpose Limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3: Data Minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4: Accuracy: Personal data shall be accurate and kept up to date.
Principle 5: Storage Limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Principle 6: Integrity & Confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Principle 7: Accountability: The Data Controller shall be responsible for and be able to demonstrate compliance with the GDPR.
6. Data Subjects’ Rights
All data subjects have the following rights regarding data processing, and the data that is recorded about them:
• The right to be informed;
• The right of access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to object;
• The right to data portability;
• Rights in relation to automated decision making and profiling.
Sturrock Comb & Davidson Ltd ensures that individuals may exercise these rights orally or in writing and will respond to any such requests within the timescales specified in the applicable legislation.
• Sturrock Comb & Davidson Ltd understands ‘consent’ to mean that it has been explicitly and freely given by the individual, and that a specific statement or action signifies agreement for Sturrock Comb & Davidson Ltd to process personal data relating to them.
• Sturrock Comb & Davidson Ltd understands ‘consent’ to mean that the individual has been fully informed of the intended reason for processing and has given agreement whilst in a fit state of mind to do so, and without pressure being exerted on them. Any consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
• Sturrock Comb & Davidson Ltd must be able to demonstrate how and when the consent was obtained for the processing operation.
• For sensitive ‘special category data’, such as religious beliefs, explicit consent must be obtained unless an alternative legitimate basis for processing exists.
• In most instances, consent to process personal and sensitive data is obtained routinely by Sturrock Comb & Davidson Ltd using standard consent documents, for example when a new customer signs a contract.
8. Security of data
All staff are responsible for ensuring that any personal data that Sturrock Comb & Davidson Ltd holds and for which they are responsible is kept securely and is not under any condition disclosed to any third party unless that third party has been specifically authorised by Sturrock Comb & Davidson Ltd to receive that information. Sturrock Comb & Davidson Ltd has implemented appropriate procedures to ensure personal data is protected.
9. Disclosure of data
Sturrock Comb & Davidson Ltd will ensure that personal data is not disclosed to unauthorised third parties, which include family members, friends, government bodies and, in certain circumstances, the Police. All staff should exercise caution when asked to disclose personal data held on another individual to a third party and will be required to complete adequate data protection checks with the third party prior to disclosing any information.
All requests from government bodies, the Police and regulatory authorities must be sent to the Data Protection Officer to respond to. Sturrock Comb & Davidson Ltd may release information to the relevant authorities in the following circumstances:
• The prevention or detection of crime;
• The capture or prosecution of offenders; and
• The assessment or collection of tax or duty.
10. Retention and disposal of data
Sturrock Comb & Davidson Ltd shall not keep personal data in a form that permits identification of data subjects for longer than is necessary, in relation to the purpose(s) for which the data was originally collected. The retention period for each category of personal data will be set out in the Document Retention Policy along with the criteria used to determine this period including any statutory obligations Sturrock Comb & Davidson Ltd has to retain the data.
11. Data transfers outside the EU/EEA
All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as ‘third countries’) are unlawful unless there is an appropriate level of protection for the fundamental rights of the data subjects. Sturrock Comb & Davidson Ltd does not routinely transfer personal data outside the EEA except in the case of repatriation to a ‘third country’ when explicit consent is obtained from the data subject.