GDPR Policy
1. Introduction
1.1 Purpose:
This policy outlines the principles and practices our organization follows to comply with the General Data Protection Regulation (GDPR) and protect the rights of data subjects.
1.2 Scope:
This policy applies to all employees, contractors, and third parties who process personal data on behalf of the organization.
2. Data Protection Principles
Our organization adheres to the following GDPR principles:
2.1 Lawfulness, Fairness, and Transparency:
All processing of personal data is conducted lawfully, fairly, and transparently. Data subjects are informed of the processing activities through clear and accessible privacy notices.
2.2 Purpose Limitation:
Personal data is collected for specified, explicit, and legitimate purposes. Any subsequent processing is compatible with these purposes.
2.3 Data Minimization:
We only process personal data that is necessary for the intended purposes. We avoid collecting excessive or irrelevant information.
2.4 Accuracy:
We take reasonable steps to ensure the accuracy of personal data and update it promptly when notified of inaccuracies.
2.5 Storage Limitation:
Personal data is kept in a form that permits identification for no longer than is necessary for the purposes for which it is processed.
2.6 Integrity and Confidentiality:
Appropriate technical and organizational measures are in place to ensure the security, integrity, and confidentiality of personal data.
2.7 Accountability:
We demonstrate compliance with the GDPR by maintaining detailed records of data processing activities, conducting impact assessments, and implementing appropriate measures to protect data subjects' rights.
3. Data Subject Rights
We recognize and respect the following rights of data subjects:
3.1 Right to Information:
Data subjects have the right to be informed about the processing of their personal data.
3.2 Right of Access:
Data subjects can request access to their personal data and receive information about how it is processed.
3.3 Right to Rectification:
Data subjects can request the correction of inaccurate or incomplete personal data.
3.4 Right to Erasure:
Data subjects have the right to request the deletion of their personal data under certain circumstances.
3.5 Right to Restriction of Processing:
Data subjects can request the restriction of processing under specific conditions.
3.6 Right to Data Portability:
Data subjects can receive their personal data in a structured, commonly used, and machine-readable format.
3.7 Right to Object:
Data subjects have the right to object to the processing of their personal data.
4. Consent Management
4.1 Consent Collection:
We obtain explicit and informed consent before processing personal data, and the purpose of processing is clearly communicated.
4.2 Consent Records:
A record of consents, including the time and purpose, is maintained, and individuals can withdraw their consent at any time.
5. Data Security
5.1 Data Security Measures:
Appropriate technical and organizational measures are in place to protect personal data from unauthorized access, disclosure, alteration, and destruction.
5.2 Data Breach Response:
In the event of a data breach, we have established procedures to promptly assess and address the breach and to notify the relevant supervisory authority and affected data subjects when required.
6. International Data Transfers
6.1 Legitimate Transfers:
Any international transfer of personal data outside the EU is conducted in accordance with GDPR requirements, such as using Standard Contractual Clauses (SCCs) or other legally accepted mechanisms.
7. Data Processing Records
7.1 Record of Processing Activities:
We maintain a comprehensive record of all data processing activities, including the purposes of processing, categories of data, recipients, and any international transfers.
8. Training and Awareness
8.1 Employee Training:
Employees and relevant third parties receive training on data protection principles, GDPR compliance, and their responsibilities.
8.2 Awareness Programs:
We conduct awareness programs to keep employees informed about the importance of data protection and their role in ensuring compliance.
9. Regular Audits and Assessments
9.1 Privacy Impact Assessments (PIAs):
We conduct PIAs to identify and mitigate privacy risks associated with data processing activities.
9.2 Regular Audits:
We regularly audit our data protection measures to assess their effectiveness and identify areas for improvement.
10. Policy Review and Updates
10.1 Review Frequency:
This policy is reviewed regularly and updated as necessary to ensure ongoing compliance with GDPR and any relevant changes in data protection laws.
10.2 Communication of Changes:
Any updates to this policy are communicated to employees, contractors, and relevant third parties.
11. Data Protection Officer (DPO)
11.1 DPO Appointment:
If required by GDPR, a Data Protection Officer is appointed to oversee and advise on data protection matters.
11.2 Contact Information:
Contact information for the DPO is provided for inquiries related to data protection.
12. Enforcement and Accountability
12.1 Compliance Monitoring:
We monitor compliance with this policy and take corrective actions as necessary.
12.2 Accountability:
Individuals responsible for processing personal data are held accountable for their actions in accordance with applicable laws and regulations.
13. Contact Information
For inquiries related to data protection or to exercise data subject rights, contact:
enquiries@cchrecruitment.co.uk
14. Document Control
14.1 Version Control:
This policy is assigned a version number and date, and changes are documented in a version history.
14.2 Document Distribution:
This policy is distributed to all relevant stakeholders and is accessible to employees.
By adhering to the principles and practices outlined in this policy, our organization aims to ensure compliance with the GDPR and uphold the rights and privacy of data subjects.
CCH Solutions Limited
01.09.2023