Data Controller Information
- Name: Hayley Wood
- Email: firstname.lastname@example.org
Compliance with the GDPR is overseen by the UK data protection regulator which is the Information Commissioner’s Office (ICO).
On 25 May 2018, in line with the General Data Protection Regulation (EU) 2016/679, our designated data controller halted the processing of customer data in order to determine whether or not a Data Protection Impact Assessment (DPIA) was required.
The GDPR specifies four examples of when processing is likely to result in a high risk to the rights and freedoms of an individual and when a DPIA must, therefore, be carried out:
- A systematic monitoring of a publicly accessible area on a large scale (eg CCTV, drones and body-worn devices);
- A systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing and on which decisions are based that produce legal effects concerning individuals or similarly significantly affect them (eg such as automatic refusal of an online credit application or e-recruiting practices without any human intervention);
- Processing on a large scale of special categories of data (eg health, religion or ethnic origin);
- Processing on a large scale of personal data relating to criminal convictions and offences.
The Article 29 Working Party (A29WP) provides guidance on other triggers:
- Where an individual is being evaluated or scored (in particular, where it relates to health, work, behaviour, location or movements) or subjected to automated decision making (see Automated decision making under the GDPR);
- Where processing is carried out on vulnerable individuals (eg employees, children and the elderly) because their relationship with the data controller is imbalanced, meaning they cannot freely consent or object to their personal data being processed;
- Where the processing in itself might prevent individuals from exercising a right, using a service or entering into a contract;
- Where a new technology is used and it involves novel forms of data collection and usage.
The A29WP guidance also states: “as a rule of thumb, a processing operation meeting less than two [of the] criteria may not require a DPIA due to the lower level of risk, and processing operations which meet at least two of these criteria will require a DPIA … However, in some cases, a processing meeting only one of these criteria will require a DPIA”.
Taking this into consideration, the data controller determined that a DPIA was not required at that stage, but will review the policy, and determine whether a DPIA needs to be carried out, every 3 years.
Personal Data This Website Collects
- Full name.
- Email Address.
- Whether the individual would like to volunteer with our group.
How We Use The Data
- This data is provided by the individual in order for us to contact them.
- We do not use the data for marketing, advertising or promotional purposes. Any marketing, advertising or promotion we conduct is carried out independently of this data. It is purely coincidental if an individual whose data we hold receives any marketing, advertising or promotion that is being run at the time.
Where The Data Is Stored
- It is stored electronically on our local network.
How Long The Data Is Held
- Electronic data will be held for a maximum of 5 years and then permanently erased from our local network.
Who Will Have Access To The Data
- Our designated data controller.
- Staff with knowledge of our GDPR Policy and that have had the relevant training.
- Data we store is never passed on to third parties. We retain sole ownership of the data until it is destroyed or erased (see “How Long The Data Is Held”).
The Right To Be Forgotten
- If, at any time, an individual wants us to delete the information we store on them, or to lodge a complaint about the way we store/use their information, they can email our designated data controller, Rachel Rule, at email@example.com with the subject line: “GDPR - Request For Erasure of Data”.
- When instigating a request for erasure of data, a residential customer or commercial business must prove that we, the data controller, are no longer in need of their data for the purpose that it was originally collected.
- We reserve the right to refuse to comply with a request for erasure of data if the requester fails to satisfy the point above, or if it leaves the organisation unable to exercise or defend legal claims.