Following the changes in the GDPR as of the 1st of January 2021, this policy provides an overview of the requirements for compliance with the following Acts and Regulations:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (the DPA)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
All of the above provide rules and guidance in how 3D Technical Design UK Ltd (3DTD) will collect, store and process personal data collected through its business practices. We aim always to handle your data fairly and lawfully.
Definition of Key Terms
- Personal Data – Personal data is information about who you are, where you live, what you do and more. It is any and all information that identifies you as a data subject.
- Data Subject – A data subject is someone who can be identified from personal data. The data could be their name, address, telephone number or something else – but if it is about a person, then they are the data subject. This applies to customers, employees, volunteers and service users. Anyone else whose personal data you use will be a data subject, too.
- Processing – Processing means taking any action with someone's personal data. This begins when a data controller starts making a record of information about someone and continues until you no longer need the information and it has been securely destroyed. If you hold information on someone, it counts as processing even if you don't do anything else with it.
- Data Controller – A data controller has the responsibility of deciding how personal data is processed and protecting it from harm. Controllers aren't usually individual people. They can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves. Controllers can delegate the processing of personal data to data processors, but the responsibility for keeping it safe will still rest with the controller.
- Data Processor – In a similar way to data controllers, data processors have to protect people's personal data – but they only process it in the first place on behalf of the controller. They wouldn't have any reason to have the data if the controller hadn't asked them to do something with it.
- Personal Data Breach – If any personal data that you're responsible for has been lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn't have been, this could be a personal data breach.
- Lawful Basis – A lawful basis is a reason or legal grounds you can rely on for using people's personal data.
- Individual Rights – In data protection law, people have rights over their data. These generally allow them to ask you to do something, or to stop doing something, with their personal data.
- Information Commissioner's Office – The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights, covering laws including the Data Protection Act 2018, Freedom of Information and the Privacy and Electronic Communications Regulations.
- Special Category – The UK GDPR defines special category data as personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; a person's sex life; and a person's sexual orientation.
At the heart of the UK GDPR lie seven principles; they don't provide hard and fast rules but rather embody the spirit of the regime, and as such there are very limited exceptions. Compliance with the spirit of these key principles is, therefore, a fundamental building block for good data protection practices. Whilst the Data Controller has overall accountability for processing Personal Data, all employees have a responsibility to ensure, where relevant, that the use of Personal Data is conducted in a compliant way. Accountability is not a box-ticking exercise.
Failure to comply with the principles may leave 3DTD open to substantial fines of up to £17.5 million, or 4% of our total worldwide annual turnover, whichever is higher.
Privacy by design has long been seen as a good practice approach and has always been part of data protection law; the key change with the UK GDPR is that it is now a legal requirement. The UK GDPR requires all organisations to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is 'data protection by design and by default'.
Key Principles and Lawful Basis for processing
The UK GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles lie at the heart of our approach to processing personal data, and we are committed to meeting them.
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, transparency)
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. (purpose limitation)
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (storage limitation)
- ensure that you have appropriate security measures in place to protect the personal data you hold (integrity and confidentiality (security))
- have appropriate measures and records in place to be able to demonstrate compliance (accountability)
We must have a lawful basis to process personal data. There are six lawful bases for processing, and no single basis is better or more important than the others. At least one of these must apply whenever we process personal data. Where processing special category data is necessary, we will identify both a lawful basis and an additional condition for processing this type of data.
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone's life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
We must always ensure that our processing is generally lawful, fair and transparent and complies with all of the other principles and requirements of the UK GDPR. In addition, we can only process special category data if we meet one of the specific conditions below.
- Explicit consent
- Employment, social security and social protection (if authorised by law)
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research and statistics (with a basis in law)
Individual rights to personal data
The UK GDPR provides the following rights for individuals:
- The right to be informed – We will inform you at the time of collection of your personal data and provide information relating to the purposes, retention period and who it will be shared with. We undertake information audits regularly to assess what data we hold and what we do with it.
- The right of access – If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data and other supplementary information. This request can be made verbally or in writing, including via social media. We will aim to complete the request within one month of receipt and will provide the information securely in an accessible, concise and intelligible format.
- The right to rectification – If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. This request can be made verbally or in writing, and we will aim to process it within one month.
- The right to erasure – You can ask us to delete or remove your personal data in some circumstances, such as where we no longer need it or where you withdraw your consent (where applicable). This will only apply to data we hold at the time of the request. This request can be made verbally or in writing, and we will aim to process it within one month.
- The right to restrict processing – You can ask us to restrict the processing of your personal data where you have a particular reason for wanting the restriction. When data has been restricted, we will store the data but not use it. This request can be made verbally or in writing, and we will aim to process it within one month.
- The right to data portability – You have the right, in certain circumstances, to obtain personal data you have provided to us in a structured, commonly used and machine-readable format and to reuse it elsewhere, or to ask us to transfer it to your chosen third party.
- The right to object – You can ask us to stop processing your personal data in certain circumstances, namely direct marketing, tasks carried out in the public interest, or where we are relying on our own or someone else's legitimate interest to process your personal data. This request can be made verbally or in writing, and we will aim to process it within one month.
- Rights in relation to automated decision-making and profiling – You have the right not to be subject to a decision based solely on automated processing, including profiling, unless such processing is necessary for entering into a contract between you and us.
If you wish to exercise one of your rights, please contact our Data Protection Officer, David Underwood, in the first instance. You can use the contact methods listed here: email email@example.com or call 07802 955903.
You can lodge a complaint with the supervisory authority if you have a concern about any aspect of our privacy practices, including the way we have handled your personal data.
As we are incorporated in the UK, our regulatory authority is the Information Commissioner's Office. Contact details can be found on its website at https://ico.org.uk/. If you are based in the Isle of Man, you may also lodge a complaint with the Isle of Man Information Commissioner's Office. Contact details can be found on its website at https://www.inforights.im.
Which areas affect 3DTD
- Direct marketing to existing customers, new customers, potential customers
- Web Analytics
- Employees' Personal Data
- Corporate individual contact email addresses and telephone numbers
This policy has been approved and authorised by: