GDPR Data Protection Policy

Introduction

Cambridge Kayaks is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations. We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes.

Scope

This policy applies to all staff, who must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.

The principles

Cambridge Kayaks shall comply with the principles of data protection outlined within the EU General Data Protection Regulation. We will make every effort to comply with these principles in everything we do.

  1. Lawful, fair and transparent

Data collection must be fair, and we must be open and transparent as to how the data will be used. We will tell individuals whose data we capture what we capture, how it will be used and how we will destroy it upon their request.

  2. Limited for its purpose

Data can only be collected for a specific purpose. We do not hold sensitive personal data.

  3. Data minimisation

Any data collected will be necessary and not excessive for its purpose.

  4. Accurate

The data we hold will be accurate and kept up to date.

  5. Retention

We will not store data longer than necessary.

  6. Integrity and confidentiality

The data we hold will be kept safe and secure.

Data security

We will ensure data is kept secure against loss or misuse. Where other organisations process personal data as a service on our behalf, we will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.

Storing data securely

  • In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it.
  • Printed data will be shredded when it is no longer needed.
  • Data stored on a computer should be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords.
  • Data stored on CDs or memory sticks will be encrypted or password protected and locked away securely when they are not being used.
  • Servers containing personal data will be kept in a secure location, away from general office space.
  • Data will be regularly backed up in line with the company’s backup procedures.
  • All servers containing sensitive data will be approved and protected by security software.
  • All possible technical measures will be put in place to keep data secure.

Data retention

We will only retain personal data for as long as is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained.

Privacy Notices

We will supply a Privacy Notice when obtaining data from an individual.

Access Request

When an individual requests access to their own data, we will give it to them.

Rights of individuals

Individuals have rights to their data which we must respect and comply with to the best of our ability. We will ensure individuals can exercise their rights in the following ways:

  1. Right to be informed
  • Providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language, particularly if aimed at children.
  • Keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
  2. Right of access
  • Enabling individuals to access their personal data and supplementary information.
  • Allowing individuals to be aware of and verify the lawfulness of the processing activities.
  3. Right to rectification
  • We will rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete.
  • This will be done without delay, and no later than one month.
  4. Right to erasure
  • We will delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.
  5. Right to restrict processing
  • We will comply with any request to restrict, block, or otherwise suppress the processing of personal data. We will not process this further.
  6. Right to data portability
  • We will provide individuals with their data so that they can reuse it for their own purposes or across different services.
  • We will provide it in a commonly used, machine-readable format.
  7. Right to object
  • We respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
  • We respect the right of an individual to object to direct marketing, including profiling.
  • We respect the right of an individual to object to processing their data for scientific and historical research and statistics.
  • Individuals have the right to object to their data being used on grounds relating to their particular situation.
  8. Rights in relation to automated decision making and profiling
  • We respect the rights of individuals in relation to automated decision making and profiling.
  • Individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.