This statement states what to expect in relation to personal information about you which is collected, handled and processed by your Data Controller Nocturna Limited, Unit 13 West Lane, Full Sutton Airfield, Stamford Bridge, YO41 1HS. We accept and acknowledge that all personal data that is received from you with effect from 25th May 2018 will be controlled and processed in accordance with the General Data Protection Regulations – GDPR which will come into force to replace the Data Protection Act 1998.
What information is collected from you?
Below is the information about you that we may collect, hold and process for purposes of providing you with our products and services.
This information might have been provided by you or from a third party who we do business with.
- Your name
- Date of birth
- Business / company name
- Your addresses
- Your email addresses
- Job title / profession
- Your telephone numbers
- Financial information including bank details
- A log of our communications with you by email, faxes and telephone
- Any information entered on our websites
- Enquiry details
- Information about deliveries; including any signatures provided
- IP address
- web browser type and version
How information is used
Your information is used to provide our products and services to you as per our terms and conditions of a signed agreement with yourselves based on your requirements as set out. Your information may also be used;
- To allow us to store and process your personal data
- To put forward your details to our clients for business purposes i.e. tender submission, audit purposes, marketing purposes extra
- To continue providing you with our services as per our contracts with you
- To keep you informed of available opportunities in our business as they arise
- To allow us to share your data for marketing purposes including Social Media
- To share your data for any client referrals
- To process any orders or after sales services
- To allow us process payments agreed for our services
- Fulfil legal obligations i.e. demonstrating compliance with legislations
How information is stored
Nocturna Limited ensures that all personal data is held in a secure centralised system and access is restricted to Data Controllers and data users. The company has the following security procedures:
- Entry controls. Any stranger seen in entry-controlled areas is reported immediately
- Secure lockable desks and cupboards
- Desks and cupboards are kept locked if they hold confidential information of any kind (Personal information is always considered confidential)
- Methods of disposal. Paper documents are shredded. Floppy disks, hard disks, servers and CD-ROMs are physically destroyed onsite by a secure data and recycling company when they are no longer required
- Equipment’s. Data users ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC’s when left unattended
- Mobile devices and computers/laptops are password protected
Personal Data Disclosure
Your personal information will be revealed to third parties who will generally be located inside the European Economic Area (EEA). This data will not be shared with a country that is outside the EEA unless that country provides the same level of rules which are equivalent to those of GDPR. If this kind of data transfer is to happen, Nocturna Limited will contact you to discuss this in depth.
Legal basis for handling your information
Nocturna Limited will rely on your consent that you have provided to hold and process this information whilst following the legislation governing GDPR. For purposes of paying your invoices, if required, we are legally allowed to share your information to HMRC. In addition, the company will ensure that all Data Controllers and data users are trained and compliant with the requirements of GDPR and the data will be;
- Processed fairly and lawfully
- Processed for limited purposes and in an appropriate way
- Obtained for specified and lawful purposes
- Adequate, relevant and not excessive for the purpose
- Accurate and up to date
- Not kept for longer than necessary for the purpose
- Processed in accordance with the ‘data subject’s’ individual’s rights
- Securely kept
- In any way not transferred to any other country without adequate protection in place
You have the rights to ask for a copy of the data that we hold about you. This information is provided free of charge from 25th May 2018 when the GDPR comes into force. Requests for information can be addressed to the Data Protection Officer on the following email address: firstname.lastname@example.org
In some cases, the company may need to ask for proof of identification before the request can be processed to ensure that we are releasing the data to the right person. We will inform you if we need to verify your identity and the documents that are required. The company will normally respond to requests within a period of one month from the date we received the request. In some cases, for instance where the company processes substantial amounts of the personal data, we may respond within two months from the date when the request is received. We will inform you in writing with in one months of receiving the request if this is the case. If the subject request is of an excessive nature, the company is not obliged to comply with it. Instead, the company can agree to respond but will charge a fee, which will be based on the administrative costs. Such cases may include circumstances where a request that has already been dealt with is repeated. This will be discussed to you before it is processed.
Your data will be retained for no longer than it is needed and in accordance with our Data Retention Policy.
If you have provided us with your consent to continue to hold and process your personal data for the purpose of continuing to provide our products and services to your business based on your requirements, you have the right to withdraw this at any time. In order to do so, you need to send an email to the Data Protection Officer on: email@example.com
Nocturna Limited is committed to being transparent about how it collects and uses the data of its clients, third parties and to meeting its data protection obligations. However, if you have a concern about how your data is collected, stored, processed, or used, you should raise your concern with Nocturna Limited or directly to the Information Commissioner’s Office at: https://ico.org.uk
Nocturna Limited is committed to being transparent about how it collects and uses the data of its clients, workforce, and to meeting its data protection obligations. This policy sets out the company’s commitment to data protection, and procedures to be taken in case of any breach of this data under GDPR guidelines. This policy applies to data collected, processed and stored for employees/ former employees, clients, suppliers, contractors, apprentices, volunteers, interns and all stakeholders whose data is being held by the company and any other personal data processed for business purposes.
Definition of GDPR and its terms
The EU General Data Protection Regulation (GDPR) is the most important change to data protection and privacy law in two decades. It was approved by the EU Parliament in April 2016 and comes into force in the UK on 25th May 2018. The GDPR (2018) will replace the Data Protection Act 1998 on the handling of data. While it is similar to the current regime under the 1998 Act in many ways, it is a great deal more modern, taking into account major advances in science and technology. Most importantly for businesses, it is more demanding.
1. GDPR terms under personal data in reference to Article 4 of the EU General Data Protection Regulation (GDPR)
1.1 Data is the information which is stored electronically, on a computer, or in certain paper-based filing system.
1.2 Data subjects this refers to the subject of personal data. For the purpose of this policy, it includes all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
1.3 Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4 Data Controllers are the decision makers. Under GDPR, this is the legal or natural person, agency, public authority or any other regulatory body which alone or together with others, determine the means or purposes of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; they have a responsibility to establish practices and policies in line with the regulation.
Data Controllers are obliged to:
- Be able to prove that your data processing measures are in the line with the regulation which include complying with data protection principles listed in section 3 of this document
- Ensure data subjects can exercise their rights as elaborated in section 2 below
- Implement methods that will support compliance with GDPR (privacy by design) and also ensure that processing is limited to obligatory minimum (privacy by default)
- Notify the supervisory authority and every affected party in case of personal data breaches or possible risks as per section 6 below
- Be able to establish data subject’s consent to processing their personal data as explained in section 5 below
- Appoint a Data Protection Officer (DPO) – someone whose responsibility is to ensure that the company complies with the regulation.
1.5 Data users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following the company data protection and security policies at all times.
1.6 Data Processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. This person acts only under instructions from the Data Controller, keeping personal data secure from loss or destruction and unauthorised access.
1.7 Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Any activity that involves use of the data.
1.8 Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, biometric data, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions and will usually require the express consent of the person concerned.
1.9 Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
1.10 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
1.11 Cross-border processing means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
1.12 International Organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or based on, an agreement between two or more countries.
1.13 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This may include: hacking attack, human error, equipment failure, inappropriate access controls (not using passcodes) which give rights to authorisation use, Unforeseen circumstances like flood or fire, loss of equipment’s like mobile phones, laptops extra.
2. Data Subject Rights
In this context, employees/ former employees, clients, suppliers, contractors, apprentices, volunteers, interns and all stakeholders whose personal data is held by the company have the following rights:
a. The right to be informed; as a key transparency prerequisite under the GDPR, data subjects have the right to be informed about the collection and use of their personal data. This include: purposes for processing personal data, your retention periods and who their data will be shared with. This communication provided to a data subject must be transparent, concise, intelligible, and easily accessible, in clear and plain language.
b. The right to access; data subject has the right to request from the Data Controller confirmation as to whether or not personal data concerning him/her are being processed; and, where that is the case, access to the personal data and the information below;
- Categories of personal data involved
- Purposes for processing
- Categories of recipient to whom personal data have been or will be disclosed including recipients in international organizations
- Expected period for which personal data will be stored
- Right to request rectification or erasure of personal data
- Right to log a complaint with the authority
- Where personal data is being transferred to an international organization, the data subject has the right to be informed of suitable safeguards relating to the transfer
c. The right of rectification; data subjects are entitled to have inaccurate data rectified by the controller without undue delay. Taking into account the purposes of the processing, the data subject must have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
d. The right to erasure (Right to be forgotten); this gives the data subject the right to request the controller that personal data concerning him/her can be removed without delay and the controller has the obligation to erase personal data without undue delay. This can be in situations whereby;
- Personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
- The data subject withdraws consent on which the processing is based and there are no other legal grounds
- Personal data has been unlawfully processed
- Personal data must be erased for compliance with a legal obligation in a Union or Member State law to which the controller is subject
e. The right to restrict processing; data subjects have the right to request the restriction of processing their personal data. This only applies in certain circumstances. When processing is restricted, the controller is permitted to store personal data, but not use it. Data subjects can make a request for restriction verbally or in writing. This is responded to in 1 month.
f. The right to data portability; this allows data subjects to obtain and reuse their personal data for their own purposes across different services. These include moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without interruption to usability.
g. The right to object; data subjects have the right to object to processing based on legitimate interests, direct marketing (including profiling), processing for purposes of historical /scientific research and statistics or the performance of a task in the public interest of an official authority (including profiling).
h. Rights in relation to automated decision making and profiling; GDPR has provisions on automated decision making (making an individual decision only by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). The later can be part of an automated decision-making process. In this case, GDPR applies to all. Article 22 of GDPR has additional guidelines to protect individuals if you are carrying out solely automated decision making that has legal or equally substantial effects on them. This type of decision making can only be carried out where the decision is:
- Necessary for the entry into a contract
- Authorised by a Union or Member state law applicable to the controller
- Based on the individual’s explicit consent
3. The main data protection principles
The main responsibilities for organisations with reference to Article 5(2) of the legislation state that for ‘Data Controllers’ to be compliant with personal data, the following principles must be established.
3.1 To process personal data in a fairly, lawfully and in a transparency manner.
3.2 Personal data must be processed for limited purposes and in an appropriate way.
3.3 To process, obtained personal data for specified and lawful purposes.
3.4 Personal data must be adequate, relevant and not excessive for the purpose for which it is being processed.
3.5 Personal data must be accurate and up to date.
3.6 Personal data must not be kept for longer than necessary for the purpose.
3.7 Personal data must be processed in accordance with the ‘data subject’s’ individual’s rights.
3.8 Personal data must be processed in a way that guarantees appropriate security including protection against unauthorised or unlawful processing/access, alternation, accidental loss, disclosure, damage or destruction using appropriate organisational measures.
3.9 Personal data must be erased or rectified without delay, having accomplished the purposes for which it is processed.
3.10 Personal data must not in any way be shared with a country that is outside the EEA unless that country encounters the same level of rules which are equivalent to those of GDPR. If this kind of data transfer is to happen, the Data Controller must contact the data subject to discuss this in depth.
3.11 Accountability; Data Controller must be accountable for personal data and must comply with all the principles governing it.
4. Lawful bases for processing
These are set out in Article 6 of the GDPR. Data Controllers must at least apply one of these whenever personal data is processed.
a. Consent: data subject has given clear consent for you to process their personal data for a specific purpose.
b. Contract: processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
c. Legal obligation: processing is necessary for you if you are to comply with the law (not including contractual obligations).
d. Vital interests: processing is obligatory it is to protect someone’s life.
e. Public task: processing is essential for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
f. Legitimate interests: processing is compulsory for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
5. Obtaining and withdrawing consent
According to article 6 of the GDPR, consent is one of the six legal bases to process personal data. For a company to process any kind personal data you must obtain consent from the data subject or the controller should consider any lawful grounds on which this data should be processed. Consent can only be on applicable lawful basis if the data subject is offered control and a genuine choice to either accepting or declining the terms are offered without detriment. When asking for consent, a Data Controller has the responsibility to assess whether it will meet all the requirements to obtain valid consent. If acquired in full compliance with the GDPR, it gives data subjects control over whether or not personal data about them will be processed. If not, the data subject’s control becomes deceptive and consent will be an invalid basis for processing, rendering the processing of data to be unlawful. It is the duty of the data protection officer to obtain and maintain a record of this consent and must inform the data subject all elements that are critical to make a choice. Once consent is received, personal data must be processed, stored and used following GDPR principles. Below is some of the information required for obtaining valid consent:
- Data Controller’s identity
- Purpose of each of the processing processes for which consent is required
- Types of data that will be collected and used
- Existence of the right to withdraw consent
- Information about the use of the data for decisions based exclusively on automated processing, including profiling
- If the consent relates to personal data transfers, information about the possible risks of data transfers to third parties including international countries in the absence of adequate decisions and appropriate safeguards. In addition, a Data Controller must also ensure that consent can be withdrawn by the data subject as easy as giving consent at any given time. For example; if consent was obtained via electronic means such as emails, data subjects must, in practice, be able to withdraw that consent equally the same way. Data subject should be able to withdraw his/her consent without detriment and this must be done by the Data Controller immediately at no cost.
6. Personal data breaches
It is the duty of all organisations to report personal data breach to the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach, where possible. If the breach is likely to result in a substantial risk of unfavourably affecting individual rights and freedoms, the Data Controller must also inform those individuals without undue delay. A record of any kind of personal data breaches must be kept, regardless of whether you are required to notify or not.
7. Privacy notices
The EU General Data Protection Regulation (GDPR) contains rules on giving privacy information to data subjects that are more detailed and specific. An emphasis is placed on making privacy notices comprehensible and accessible. Private notices must be communicated to a data subject by a Data Controller before or at the time of collecting personal data in a simple and understandable language.
Privacy notices must include sufficient information which contain; rights of data subjects in relation to their personal data, purposes of processing personal data, retention period, types of personal data collected, methods of processing, any international transfers and if this data will be shared by third parties. Conditions on which personal data is transferred and security measures for data protection.
Privacy notices must clearly specify ways in which personal data is going to be used. For example; if personal data is going to be transferred to a third party or international organisation, privacy notice must highlight this and state the destination where personal data is going to be transferred.
Differences in what you are required to provide depending on where you are collecting data including collecting personal data direct from the data subject or from a third party must also be emphasized.