GDPR
SABE will always adhere to UK Data Protection Legislation which, from 25 May 2018, includes EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
See also our Privacy Policy.
The assigned Data Protection Officer is Mr K Schofield
At a glance
- The GDPR introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- We have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
Description of Processing
The following is a very broad description of the way this organisation/data controller processes personal information.
To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation directly to ask about your personal circumstances.
Type/Classes of information processed
We process information relevant to the above reasons/purposes which may include:
* personal details
* family details
* lifestyle and social circumstances
* goods and services
* financial details
* employment and education details
* details of complaints, incidents and grievances
* visual images, personal appearance and behaviour
* responses to surveys
We process personal information about:
* customers
* witnesses
* employees
* students
* suppliers
* complainants or their representatives
* subjects of an investigation or complaint or their representatives
* individuals who we may contact when carrying out a complaint or enquiry
* service providers
* lobbyists
* offenders and suspected offenders
* applicants for a registration
* authors, publishers and other creators
* individuals captured by CCTV images
* consultants and advisers
* survey and consultation respondents
* journalists and the media
* relatives of the data subject
* individuals identified in evidence
* solicitors and legal counsel
* MPs, MSPs, AMs, MLAs, MEPs
* DP and FOI Privacy Commissioners
Who the information may be shared with
We sometimes need to share information with other organisations.
Where this is necessary we are required to comply with all aspects of the Data Protection Act.
What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons. Where necessary or required we share information with:
* data subjects listed above
* family, associates and representatives of the person whose personal data we are processing
* professional advisers and consultants
* service providers
* credit reference agencies
* police forces
* current, past or prospective employers
* examining bodies, education and training organisations
* financial organisations, auditors
* central government
* suppliers
* persons making an enquiry or complaint
* organisations subject to a complaint or assessment
* prosecuting authorities, courts, tribunals
* other ombudsman, regulatory authorities and investigating bodies
* media
* Scottish Executive
* Executive Arms of the Welsh and N I Assemblies
* DP and FOI Privacy Commissioners
* National Audit Office
* trade unions
* healthcare, social and welfare advisers or practitioners
* The National Archives
* survey and research organisations
1. Include a GDPR compliance line.
2. Specify what information you collect and store from website visitors (e.g. IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses).
3. Specify how and where you process the personal information (accounting, marketing, UX research, sales reporting etc.).
4. Specify who has access to this personal data (e.g. you, Mailchimp, Google, Salesforce etc.).
5. Specify the contact details of the assigned Data Protection Officer in your organisation.
6. Specify how to lodge a data subject access request.
7. Specify how long you hold personal information.
Consent
We review how we seek, record and manage consent.
We are not required to automatically "repaper" or refresh all our existing consents under GDPR.
We use a positive opt-in which is verifiable.
Our organisation operates globally, i.e. in more than one EU member state.
Our lead data protection supervisory authority is the
Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Data Breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
▪ implement technical and organisational measures to ensure a level of security which is appropriate to the risk presented by processing the Customer Personal Data including having regard to the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, in particular from a Data Breach;
▪ notify the other party promptly when it becomes aware of a Data Breach and provide it with all relevant information relating to the same as soon as is reasonably possible (insofar as this can be done without compromising the confidentiality obligations owed by the party who has suffered the Data Breach to Customers or other persons or organisations) including:
• the nature of the Data Breach and details of the likely consequences of the Data Security Incident;
• the categories and approximate number of Data Subjects and Agreement Personal Data records concerned; and
• any measure(s) proposed to be taken to address the Data Breach and to mitigate its possible adverse effects;
8. Note: Using phrases like “we may use your information” is not compliant, because it is not explicit. Permission must be explicit and recorded.
2. Remove all automatic opt-ins on your site.