VOICE CARE CENTRE Ltd (VCC) Data Protection Policy 2020
This Data Protection policy will lay out the procedures undertaken by VCC Ltd to ensure that VCC Ltd is compliant with relevant data protection legislation. It has been written in accordance with the information provided by the Information Commissioner’s office prior to the release of the GDPR.
1. Establishing a lawful basis for handling data
• In accordance with Article 5 (2), This policy will document the ‘lawful basis’ by VCC Ltd to handle data. This ‘lawful basis’ is set out in Article 6 of GDPR. The lawful basis may be as follows:
(A) Where express consent has been given.
VCC Ltd utilises a mailing list in order to communicate lesson or treatment availability. Express consent must be provided in order to be added to such a mailing list.
(2) No credit card data is stored as all purchases are paid for via BACS.
(3) Legitimate Interests
Data may be collected for legitimate interests such as marketing purposes. This may include the marketing of events.
(4) Legal Obligations
As a service providing manual therapy, a medical form is filled out and signed by any client. This will collect and store data and is documented only in paper form. These files and kept on a secure hard drive.
2. Consent Reviews
Any mailing lists have an express option to ‘opt out’.
3. Gathering data for contractual purposes
In accordance with S6 s(1) b attending a course will require the collection of data to enable contractual obligations to be fulfilled. This is a necessary procedure and only minimal data will be collected to enable this to take place appropriately. Such data will include:
– Email addresses
– Home/business address
– Telephone number
The above specified information enables appropriate invoicing to take place. Data will be stored for accountancy purposes only GDPR compliant software. At no point, will data be passed on to any other organisation.
4. Legal Obligations and the collection of data
In accordance with S6 (1) (C) VCC Ltd will collect relevant data when acting in conjunction with another course provider.
This section also applies to the collection of data from prospective employees and contractors to enable HMRC obligations to be fulfilled appropriately.
5. Safeguarding Privacy
VCC Ltd will ensure privacy by engaging fully with the right to be informed. Privacy notices will include the following:
– The purpose of processing the data
– How long the data will be held for
– Who it will be shared with
This privacy information will be served at the time of data collection in the following foreseeable situations
a) Purchasing a course or event via the website
b) Applying for a course via email or telephone
Privacy notices will be tailored for to suit the purposes of collection but will include in accordance with the guidelines provided by the Information Commissioner’s Office
– The contact details of VCC Ltd
– The name and contact details of the relevant representative
– The purpose of the processing
– The lawful basis of the processing
– The legitimate interests for the processing
– The categories of personal data obtained
– The retention period of the personal data
– Details of the contractual obligations
– Details of transfers of the personal data to any third countries or international organisations
– The right to withdraw consent
– The right to lodge a complaint with a supervisory authority
This content will be contained in ‘just in time notices’ prior to online website purchases or telephone/email purchases.
6. Ensuring right of access to personal data
• VCC Ltd will allow a right of access to both personal data and supplementary information free of charge. Any requests for information will be provided within one month of receiving the request.
• Where requests are complex and numerous the provision of data will be provided within a two-month period.
• Where requests are excessive and repetitive and administration fee of £50 will be charged to cover the administrative costs involved.
• Responses will be provided in an electronic format
7. Ensuring right to rectification
VCC Ltd recognises that an individual has the right to have inaccurate personal data rectified or completed if incomplete.
• Requests for rectification can be made either verbally or in writing
• VCC Ltd will ensure that rectification will occur within one month of the request being made
8. Ensuring right to erasure
• VCC Ltd recognises the rights of individuals to have their personal data erased.
• A request for erasure may be made either verbally or in writing
• VCCs Ltd will respond to the request within one month of it being erased, this time will be extended to two months where the request is complex
• Where data is being processed by VCC Ltd and a request for erasure is made, the processing of the data will cease
9. Rights related to automated decision making including profiling
• Online purchasing is a form of automated decision making as acceptance onto a course occurs at the point of the online purchase. Data will be gathered as a result of this process to enable the fulfilment of the contractual obligation. The extent of information collected will be communicated in an appropriate privacy statement.
• VCCs Ltd does not engage in automated profiling marketing systems. Automated decision-making systems are only used to enable a sale of a course or event
10. Ensuring accountability and governance
In accordance with Article 5 (2) VCC Ltd ensures accountability and governance through the following procedures:
• Regular internal audits
• Appropriate staff training
• Maintenance of relevant processing documentation
• Appointment of a Data Protection Officer: Mr Stephen King
11. Data Protection Impact Assessments
A data protection impact assessment will be carried out where processing is likely to result in a high risk to individual’s interests. This is likely to be where special category information is collected.
VCC Ltd ensures that all data will be processed and stored securely to meet with GDPR requirements
13. Personal data breaches
VCC Ltd will report any personal data breaches that risk rights and freedoms of a data subject to the relevant parties involved. All breaches of data will be recorded.