COOKIE “POLICY”
There is provision for a separate “Cookie Policy” page on the website. There is no legal requirement for a separate policy of this kind, provided the information about cookies that PECR requires is carried in the Privacy Notice, and I recommend that this page and its link be removed.
“DATA PROTECTION”
The Privacy Notice as drafted above, together with everything else drafted in this document, meets all the legal requirements for the business in terms of data protection. Therefore, I recommend that this page and its link be removed as well.
“COOKIE BAR”
A cookie bar (consent mechanism) is only required under PECR when the website sets cookies that are not strictly necessary for the service the visitor has asked for, such as analytics or targeted marketing/advertising cookies; this applies whether the cookies are “first party” (set by the website owner) or third party. There are no such cookies on this website. The only first party cookies on this website are those set by the cookie bar itself, which appears to have been turned “off”. Therefore, I recommend deleting these cookies if possible, or uninstalling the cookie bar.
EMAIL PRIVACY NOTICE
Outgoing business emails must satisfy the Privacy and Electronic Communications Regulations 2003 (PECR), the Companies Act 2006 (registered company details on business correspondence) and the UK GDPR. Therefore, I respectfully suggest that the following be added by default to the existing footer on all outgoing emails:
“All personal data/special category data herein are processed in accordance with UK data protection legislation, including UK GDPR. Further details are available on our Privacy Notice from the Company.”
FORMS – GENERAL
There may be other forms used on behalf of the company. Such forms may require the following text to be added:
“All personal data/special category data herein are processed in accordance with UK data protection legislation. Further details are available from the Company”
ELECTRONIC FORMS
Electronic forms, such as the Contact form on the website, require a disclaimer near the “submit” button. I recommend the following text be put in place:
“All personal data/special category data herein are processed in accordance with UK data protection legislation. All feasible security measures are in place. Further details are available from the Company”
DIRECT MARKETING
One of the services offered by the company is “marketing”. In order to comply with the UK GDPR and PECR, I recommend the following text be included in the body of marketing emails to “prospects”:
“Protection of personal data is very important to us, and we do not wish to bombard you. Therefore, please indicate below whether or not you are happy to receive further marketing from us:
YES NO
If yes, by email or telephone or both”
This can be used by the company for its own marketing or for that of its clients. The responses should be recorded by the company, and a non-response must be treated as a refusal: silence is not consent.
ACCOUNTABILITY
Under the UK GDPR (the accountability principle in Article 5(2) and the record of processing in Article 30), companies are now required to keep an “Accountability” document within their administrative documentation. This document needs to contain certain elements and can be produced if required, for example to the Information Commissioner’s Office. To meet these requirements, I recommend that the text below is kept in a folder in the Company administration.
“ACCOUNTABILITY
Pängels Virtual and Personal Assistants is based in Maldon, Essex. We may be contacted via the website, by email at info@pangels.co.uk or by telephone on 0844 500 7818. We may process “personal data” and/or “special category personal data” (as defined in UK data protection legislation) as part of our contracted services, and in the administration that supports those contracted services (our “legitimate interests”). We may process data on staff and/or contacts (either in client companies or suppliers). We process data on behalf of suppliers under contract. Processing may be electronic (on our systems or those of our client) or on paper. The security of all data is important to us as a company and all feasible security measures are in place. Data are held only as long as they remain relevant to the purpose for which they were collected. Once no longer required, data are deleted by secure means.
Data may be shared with third parties as part of our contracted services and/or if we are required by law to do so. “Third parties” may include specialist contractors for whom we process data, or contractors we may include in specific projects for clients. We cannot accept any liability for any processing conducted by a third party outside our remit, whether this is a supplier of data or a contractor we may utilise.
There is a data retention schedule in place. This will allow the company to locate data quickly if required as well as documenting the Retention Policy for data.
There are technical security measures in place – encryption where necessary and restriction of access to data to maintain integrity and privacy. This is in place for both manual data and electronically held data. Where we utilise a private cloud-based system (a portal), particular care has been taken to assess the privacy of data. This is true also where we may process data on the systems of a client – hence being a “data processor” in this scenario.
Organisational measures such as policies and directions for staff when entering data or marketing are also in place. “
PROCEDURES FOR RESPONDING TO REQUEST FOR SUBJECT ACCESS
Any written request for personal information, whether by a customer for their own information or by a member of staff, should be processed in accordance with data protection legislation.
This document is designed to help you through the process.
Once a request for personal information is received by the company, the time limit for responding starts. Under the UK GDPR this is one month from receipt (extendable by up to a further two months only where requests are complex or numerous, and the requester must be told of any extension within the first month), so it is important that the request is passed to a central co-ordinator as soon as possible. Receipt should be acknowledged.
Do you have enough information in the request to identify the data subject and locate their data? Are you sure that the person making the request is that data subject, or has the legal right to act for them? You can ask for more information to confirm identity if you need it, but the time limit is not paused while you wait.
Search through all systems (manual or electronic) for information. Then go through all the documents to extract the personal information to be disclosed. Remember that expressions of opinion count. It is not about disclosing whole documents, but the relevant data within those documents.
THIRD PARTIES – any data about someone other than the data subject is third party data. Where possible, redact it; in most cases this will be possible without making the remaining data meaningless. Where it cannot be separated from the requester’s data without destroying the data itself, seek the consent of the third party to disclose it, or record why it is reasonable to disclose without their consent. You are responsible for the information the company holds, so make sure that the Response includes details of where you got the information from.
You need to assess what is disclosable in each case.
RESPONSE
In the Response, you need to state that you are disclosing what is held and what it is possible to disclose under the legislation. You can withhold anything that was given to you by the requester in the first place, but offer a copy if they wish it. You can decide to include it, but make sure the requester is aware of the source of the data.
You should give the requester the opportunity to ask the company to review what has been disclosed if they think you have not released everything you should. They also have the right to complain to the Information Commissioner’s Office, and you should provide contact details for it.
Please contact info@pangels.co.uk to find out more information.