GDPR
General Data Protection Regulations
Scope and Purpose.
This policy applies to all personal data that we collect, use, store, or share in the course of our activities, whether online or offline. Personal data means any information relating to an identified or identifiable individual, such as name, email address, phone number, etc. The purpose of this policy is to ensure that we respect the privacy rights of individuals and protect their personal data from unauthorized or unlawful use.
Data Protection Principles.
We adhere to the following data protection principles when processing personal data:
- Lawfulness, fairness, and transparency. We process personal data only for lawful purposes and in a fair and transparent manner. We inform individuals about how and why we use their personal data and obtain their consent where required.
- Purpose limitation. We process personal data only for specific, explicit, and legitimate purposes and do not use it in a way that is incompatible with those purposes.
- Data minimisation. We process personal data only to the extent that is necessary and relevant for the purposes for which we collected it. We do not collect or retain more personal data than we need.
- Accuracy. We ensure that the personal data we process is accurate, complete, and up to date. We take reasonable steps to correct or delete any inaccurate or outdated personal data.
- Storage limitation. We keep personal data only for as long as we need it for the purposes for which we collected it. We delete or anonymize personal data when it is no longer required or when requested by the individual.
- Integrity and confidentiality. We protect personal data from unauthorized or unlawful access, use, disclosure, alteration, or destruction. We implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data.
- Accountability. We are responsible for complying with the UK GDPR and the DPA 2018 and can demonstrate our compliance. We maintain records of our data processing activities and conduct regular audits and reviews of our data protection practices.
Data Subjects’ Rights.
We respect the rights of individuals whose personal data we process. These rights include:
- The right to be informed. We provide clear and concise information about how and why we process personal data and what rights individuals have.
- The right of access. We allow individuals to access their personal data and provide them with a copy upon request.
- The right to rectification. We correct any inaccurate or incomplete personal data upon request.
- The right to erasure. We delete any personal data that we no longer need or that the individual asks us to erase, unless we have a legal obligation or a legitimate interest to keep it.
- The right to restrict processing. We limit the processing of personal data that the individual objects to or that is inaccurate, pending verification or correction.
- The right to data portability. We provide individuals with a copy of their personal data in a structured, commonly used, and machine-readable format, or transfer it to another organization, where technically feasible and requested by the individual.
- The right to object. We stop processing personal data that the individual objects to, unless we have a compelling reason to continue or a legal obligation to do so.
- The right not to be subject to automated decision-making. We do not use personal data to make decisions that have a significant or legal effect on individuals without human intervention, unless we have their explicit consent or a legal basis to do so.
Data Protection Officer.
We have appointed a data protection officer (DPO) who is responsible for overseeing our data protection compliance and ensuring that we follow this policy. The DPO can be contacted at [email protected] for any questions or concerns regarding this policy or our data protection practices.
Data Protection Impact Assessment.
We conduct a data protection impact assessment (DPIA) whenever we plan to introduce a new system, process, or activity that involves the processing of personal data that may pose a high risk to the rights and freedoms of individuals. A DPIA is a systematic process that identifies and evaluates the potential impact of the processing on the privacy of individuals and the measures that can be taken to mitigate those risks.
Data Breach Notification.
We report any personal data breach to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. We also notify the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Data Sharing and Transfers.
We do not share or transfer personal data to any third parties, unless we have a valid legal basis to do so and we have obtained the individual’s consent where required. We ensure that any third parties that we share or transfer personal data to have adequate data protection safeguards in place and comply with the UK GDPR and the DPA 2018. We do not transfer personal data outside the UK or the EEA (European Economic Area), unless we have ensured that the recipient country or organization provides an adequate level of data protection or we have obtained the individual’s explicit consent.
Review and Update.
We review and update this policy regularly to reflect any changes in our data processing activities or the applicable laws and regulations. We communicate any changes to this policy to our staff and stakeholders and publish the latest version on our website.
Date of last update: January 19, 2024