GDPR and Data Compliance Summary
Last updated: 25th May 2018.
On 25th May 2018, the European Union’s General Data Protection Regulation (GDPR) takes effect.
The GDPR imposes additional requirements upon companies to strengthen the security around, and enhance the protection of, the personal data of EU residents that go above and beyond the UK Data Protection Act.
As such, Hightrees Organisation Limited, as a micro/small business, feels that it is right to outline our position on GDPR and data, and our understanding of what is required for you, our clients.
Because we supply services to clients either directly or via a 3rd party, this can be quite complex. We have nevertheless tried to outline all of the scenarios that are applicable, based on the information and guidance available and on either our own interpretation or advice received.
Preparing For GDPR
We’ve revised our data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including but not only:
- Legal Basis for Processing – We have looked at our processing activities to identify the legal basis for processing and to ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our GDPR obligations are met.
- Obtaining Consent – We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information.
- Data Protection Impact Assessments (DPIA) – Where we process personal information that is considered high risk, we have developed procedures for carrying out impact assessments that comply fully with the GDPR.
We have also revised our Terms and Conditions to comply with the GDPR.
Our Commitment regarding Data Protection/Privacy
The security of both information and privacy is one of Hightrees Organisation Limited’s most important assets. It is vitally important that you have confidence in how we handle your personal data.
We will always try to ensure that we comply with the GDPR, as we understand it, both as a processor and as a controller of data. After all, you, as a client, are our most important asset!
When acting in the role of Data Controller
Hightrees Organisation Limited is responsible for implementing appropriate measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. The measures in place may be technical, organisational, or a combination of both.
When acting in the role of Data Processor
Hightrees Organisation Limited is responsible for implementing appropriate technical and organisational measures to meet the requirements of the GDPR. This means ensuring a level of security appropriate to the risk, and acting in accordance with the relevant data controller’s instructions.
We are committed to safeguarding your privacy online. We will not knowingly support any use of your information which is illegal or which contravenes the laws or common practice in the country of your origin.
Hightrees Organisation Limited will try to ensure that your privacy is protected and that there is transparency with regard to the processing of your information. If we ask you to provide information by which you can be identified, then this will only be used in accordance with this statement.
Roles and 3rd Parties
Hightrees Organisation Limited is a Data Processor, which means that we process data on behalf of a Controller, i.e. you, our client.
As a client of Hightrees Organisation Limited, you operate as the Data Controller when using our products and services. You have the responsibility for ensuring that the personal data you are collecting is being processed in a lawful manner and that you are using processors that are committed to handling the data in a compliant manner.
To supply the services that we offer to you, the client, we work with other sub-processors, and we try to adhere to Article 28 of the GDPR when working as a processor and/or interacting with other sub-processors.
A sub-processor is any third party with which we share personally identifiable information. Our sub-processors are:
- B&P Interactive Ltd
What We Do With Information We Collect
Hightrees Organisation Limited, as an IT company, is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have already put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
We will collect and look after your data for the purpose of delivering services, passing on information to you that you have requested, and corresponding with you about the services we offer.
We will never pass your information to any external party outside of Hightrees Organisation Limited unless required by law to do so, or where it is required by a 3rd Party sub-processor in order to supply services to you.
We will never, ever, give, sell or lease your personal information to anyone outside of our organisation.
If you have subscribed to our services, signed up for the newsletter, survey or similar, we will include you on our mailing list for our regular newsletter and occasional news of our services.
You can opt out of this communication permanently at any time.
Your Data Subject Rights
Hightrees Organisation Limited will always respect your rights that concern the protection of your personal data.
1) Right to be informed
You have the right to be informed about the collection and use of your personal data.
We are obligated to provide you with the following information:
- the purposes for processing your personal data
- our retention periods for that personal data
We do not need to provide you with privacy information if you already have it, or if it would involve a disproportionate effort to provide it to you.
The information we provide to you will be always concise, transparent, intelligible, easily accessible, clear and easy to understand. We will, of course, be open to feedback on our documents if you feel there is scope for clarification.
We provide individuals with privacy information at the time we collect their personal data from them.
2) Right of Access
You have the right to access your personal data and supplementary information. This right allows you to be aware of and verify the lawfulness of the processing.
You have the right to obtain:
- confirmation that your data is being processed
- access to your personal data; and
We are obligated to provide a copy of the information requested. We will verify the identity of the individual making the request, using “reasonable means”. If the request is made electronically, we will provide the information in a commonly used electronic format.
3) Right to Rectification
Personal data is inaccurate if it is incorrect or misleading. You have the right to have inaccurate personal data rectified, or completed if it is incomplete.
When a request is made, Hightrees Organisation Limited will verify the identity of the individual making the request, using ‘reasonable means’. If the request is made electronically, we will provide the information in a commonly used electronic format.
If we receive a request for rectification, we will take reasonable steps to confirm that the data is accurate and to rectify the data if necessary based on the information provided by the data subject.
4) Right to Erasure
You have the right to have personal data erased, otherwise known as the “right to be forgotten”.
The right is not absolute and only applies in certain circumstances.
If you no longer want to use our services and you want your personal information to be erased, you may request it by contacting us at any time.
It should be noted that Hightrees Organisation Limited may not be able to fulfil these requests when they conflict with legal circumstances and requirements that we are obligated to adhere to.
This will be explained to you, if and when, such a conflict arises.
5) Right to Restrict Processing
You have the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way that we use your data. This is an alternative to requesting the erasure of your data (see above).
Hightrees Organisation Limited will endeavour to respond to a request for restriction as soon as possible.
6) Right to Data Portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to personal data you have provided to a controller
- where the processing is based on your consent or for the performance of a contract
- when processing is carried out by automated means.
We are obligated to provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
The information provided is free of charge.
If you request it, we may be required to transmit the data directly to another organisation where this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with those of other organisations. This relates only to your personally identifiable data.
7) Right to Object
You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics
You must have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes.
We are obligated to halt processing personal data for direct marketing purposes as soon as we receive an objection.
8) Rights related to automated decision making including profiling
Automated individual decision-making is a decision made by automated means without any human involvement. It does not have to involve profiling, although it often will do.
We do not currently use your personal data to make automatic decisions about you. If this changes in the future you will be notified.
How You Can Exercise Your Rights
You are always welcome to get in touch with us about your rights concerning the protection of your personal data.
We only accept written requests, since we cannot deal with verbal requests immediately without first:
- analysing the content of the request; and
- adequately verifying your identity.
Your request should contain a detailed, accurate description of which right you want to exercise.
We will respond to your request without delay and at the latest within one month of receipt.
We will extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
We do not charge a fee to comply with your request.
How To Contact Us
If you have any questions regarding our implementation of GDPR requirements, please feel free to contact us by:
- using the Contact Us section of our website
- sending an email to email@example.com