RegXchange - Data protection policy
Policy Statement
Everyone has rights with regard to the way in which their personal data is handled. During the course of our activities we will collect, store and process personal data about our end users, customers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
Data users (i.e. employees of the company) are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.
About This Policy
The types of personal data that RegXchange Limited (We or RegXchange) may be required to handle include information about current, past and prospective end users, customers and others with whom we communicate. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the General Data Protection Regulation 2018 (the GDPR) and other regulations.
This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
This policy does not form part of any employee’s contract of employment and may be amended at any time.
This policy has been approved by the legal department. It sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
The Data Protection Compliance Manager is responsible for ensuring compliance with the GDPR and with this policy. That post is held by Rashika Melwani, Compliance and Administration, rmelwani@regxchange.com. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager.
Definition of Data Protection Terms
Anonymisation is data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.
Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
Data Subject is the identified or Identifiable Natural Person to whom the data refers.
Data Controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act. We are the data controller of all personal data used in our business for our own commercial purposes.
Data Users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Data Processors include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on RegXchange’s behalf.
Data Protection is the process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
DPIA is a data protection impact assessment.
Employee is an individual who works part-time or full-time for RegXchange under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. This includes temporary employees and independent contractors.
Identifiable Natural Person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. Personal Data Breaches include, inter alia:
- Hacks, phishing campaigns and other unauthorised access to our computer systems.
- Emails accidentally sent to the wrong external recipient.
- Phones, laptops and papers being left in a public place such as a train or a café.
- Employees emailing work information to their personal email address.
Processing is any activity that involves use of the data. It includes collecting, obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, structuring, adapting, altering, amending, retrieving, using, disclosing by transmission, disseminating, erasing, making otherwise available or destroying it. Processing also includes transferring personal data to third parties.
Profiling is any form of automated processing of personal data where personal data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation is data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified.
Third Country is any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Special Categories of Data includes information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition or sexual life, genetic data or biometric data.
Third Party is an external organisation with which RegXchange conducts business.
Data Protection Principles
Anyone processing personal data must comply with the following enforceable principles of good practice, unless a relevant exemption can be relied upon. These provide that personal data must be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and up to date.
- Not kept longer than necessary for the purpose for which the personal data was obtained and processed.
- Secure.
- Not transferred to people or organisations situated in countries without adequate protection.
Data Collection
Personal Data should be collected only from the Data Subject unless one of the following applies:
- The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies.
- The collection must be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.
If Personal Data is collected from someone other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies:
- The Data Subject has received the required information by other means.
- The information must remain confidential due to a professional secrecy obligation.
- A national law expressly provides for the collection, Processing or transfer of the Personal Data.
Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:
- One calendar month from the first collection or recording of the Personal Data.
- At the time of first communication if used for communication with the Data Subject.
- At the time of disclosure if disclosed to another recipient.
Processing for Limited Purposes
In the course of our business, we may collect and process the personal data set out in Schedule 1. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
We will only process personal data for the specific purposes set out in Schedule 1 or for any other purposes specifically permitted by the Act. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.
Special Categories of Data
We will only Process Special Categories of Data where the Data Subject expressly consents to such Processing or where one of the following conditions apply:
- The Processing relates to Personal Data which has already been made public by the Data Subject.
- The Processing is necessary for the establishment, exercise or defence of legal claims.
- The Processing is specifically authorised or required by law.
- The Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent.
- Further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.
In any situation where Special Categories of Data are to be Processed, prior approval must be obtained from the Office of Data Protection and the basis for the Processing clearly recorded with the Personal Data in question.
Where Special Categories of Data are being Processed, RegXchange will adopt additional protection measures.
Data Subject Consent
We will only obtain Personal Data by lawful and fair means and, where appropriate with the knowledge and Consent of the individual concerned. Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, RegXchange is committed to seeking such Consent.
We shall establish a system for obtaining and documenting Data Subject Consent for the collection, Processing, and/or transfer of their Personal Data. The system must include provisions for:
- Determining what disclosures should be made in order to obtain valid Consent.
- Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.
- Ensuring the Consent is freely given (i.e. is not based on a contract that is conditional on the Processing of Personal Data that is unnecessary for the performance of that contract).
- Documenting the date, method and content of the disclosures made, as well as the validity, scope and volition of the Consents given.
- Providing a simple method for a Data Subject to withdraw their Consent at any time.
Notifying Data Protection Principles
If we collect personal data directly from data subjects, we will inform them about:
- The purpose or purposes for which we intend to process that personal data.
- The types of third parties, if any, with which we will share or to which we will disclose that personal data.
- The means, if any, with which data subjects can limit our use and disclosure of their personal data.
If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter.
We will also inform the data subjects whose personal data we process that we are the data controller with regard to that data.
Adequate, Relevant and Non-Excessive Processing
We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
Accurate Data
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
Timely Processing
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
Processing in Line with Data Subject’s Rights
We will process all personal data in line with data subjects’ rights, in particular their right to:
- Request access to any data held about them by a data controller (see also Dealing with Data Subject Requests section).
- Prevent the processing of their data for direct-marketing purposes.
- Ask to have inaccurate data amended (see also Accurate Data section).
- Prevent processing that is likely to cause damage or distress to themselves or anyone else.
Data Security
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if the processor agrees to comply with those procedures and policies, or puts in place adequate measures of its own.
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on RegXchange’s central computer system instead of individual PCs.
Security procedures include:
- Entry controls. Any stranger seen in entry-controlled areas should be reported.
- Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
- Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
- Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Profiling and Automated Decision-Making
RegXchange will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorised by law. In circumstances where Profiling and automated decision-making take place, it will be disclosed to the relevant Data Subjects. In such cases the Data Subject will be given the opportunity to:
- Express their point of view.
- Obtain an explanation for the automated system.
- Review the logic used by the automated system.
- Supplement the automated system with additional data.
- Have a human carry out a review of the automated system.
- Contest the automated decision.
- Object to the automated decision-making being carried out.
RegXchange must ensure that all Profiling and automated decision-making relating to a Data Subject is based on accurate data.
Transferring Personal Data to a Country Outside the EEA
We may transfer any personal data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
- The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
- The data subject has given his consent.
- The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
- The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
Subject to the requirements set out above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
Disclosure and Sharing of Personal Information
We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may also disclose personal data we hold to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
- If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
- If we are under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements, or to protect our rights, property, or the safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We may also share personal data we hold with selected third parties for the purposes set out in Schedule 1.
Dealing with Data Subject Requests
Subject Access Requests
Data subjects are entitled to make a formal request for information we hold about them. This can be made orally or in writing.
- Employees who receive a written request should forward it to the Data Protection Compliance Manager immediately. The Data Protection Compliance Manager will request that the data subject makes their request in writing using our form, and will ask them to clarify the scope and purpose of the request. In the event that the data subject refuses to put their request using our form, we still need to respond to subject access requests.
- Employees who receive an oral subject access request should ask that the data subject make their request using our form. In the event that the data subject refuses to put their request using our form, we still need to respond to subject access requests.
When an employee is uncertain of the identity of the data subject, we will request their ID documents. Examples of where an employee might be uncertain of the identity of the data subject making the request are:
- We have more than one person with the data subject’s name on our records.
- The data subject is contacting us using a different email address or phone number than usual.
Employees will be trained to recognise subject access requests.
We will respond to subject access requests as soon as possible, and in any event within a calendar month from the date the request was made.
We will not comply with subject access requests where they are manifestly unfounded and excessive, for example where a data subject, without good cause, makes repeated requests over a short period of time. Where we refuse to respond to a subject access request, we will inform the data subject of the reasons and of their right to complain to the ICO and the courts, as soon as possible and in any event within one calendar month.
The Data Protection Compliance Manager shall maintain a log of all subject access requests received. This will record the following information:
- The name of the data subject
- The date when the subject access request was made and the deadline for response
- Whether identity verification was required
- Whether the request was complied with
- The searches carried out pursuant to the request
- The date and a summary of all correspondence with the data subject
Rectification Requests
Data subjects are entitled to request that personal data which we hold about them be rectified if it is inaccurate or incomplete. This request can be made orally or in writing.
- Employees who receive a written request should forward it to the Data Protection Compliance Manager immediately. The Data Protection Compliance Manager will request that the data subject makes their request in writing using our form, and will ask them to clarify the scope and purpose of the request. In the event that the data subject refuses to put their request using our form, we still need to respond to rectification requests.
- Employees who receive an oral rectification request should ask that the data subject make their request using our form. In the event that the data subject refuses to put their request using our form, we still need to respond to rectification requests.
We shall verify the identity of the person making a rectification request when the circumstances set out in the Subject Access Requests above apply.
We will respond to rectification requests as soon as possible, and in any event within a calendar month from the date the request was made, or two calendar months where the request is particularly complex.
We will assess whether it is appropriate to comply with the rectification request. It may be inappropriate to comply with a rectification request where, for example, the data is in an archive. Where we decide not to take action in response to a request for rectification, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
Where we determine that it is appropriate to comply with a rectification request, we will request that data processors also rectify their records.
The Data Protection Compliance Manager shall maintain a log of all rectification requests received. This will record the same categories of information which we record in the Subject Access Request log, set out in the Subject Access Requests above.
Right to Erasure
Data subjects are entitled to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This request can be made orally or in writing.
- Employees who receive a written request should forward it to the Data Protection Compliance Manager immediately. The Data Protection Compliance Manager will request that the data subject makes their request in writing using our form, and will ask them to clarify the scope and purpose of the request. In the event that the data subject refuses to put their request using our form, we still need to respond to erasure requests.
- Employees who receive an oral erasure request should ask that the data subject make their request using our form. In the event that the data subject refuses to put their request using our form, we still need to respond to erasure requests.
We shall verify the identity of the person making an erasure request when the circumstances set out in the Subject Access Requests above apply.
We will respond to erasure requests as soon as possible, and in any event within a calendar month from the date the request was made, or two calendar months where the request is particularly complex.
We will assess whether it is appropriate to comply with the erasure request. It may be appropriate to comply with an erasure request where:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- The individual withdraws consent.
- The individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
It may not be appropriate to comply with an erasure request where the data is processed for one of the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority; or
- The exercise or defence of legal claims.
The Data Protection Compliance Manager shall maintain a log of all erasure requests received. This will record the same categories of information which we record in the Subject Access Request log, set out in the Subject Access Requests above.
Personal Data Breach Policy
Employees will report all Personal Data Breaches to the Data Protection Compliance Manager as soon as they become aware of them.
The Data Protection Compliance Manager shall promptly use their best endeavours to minimise the impact of the Personal Data Breach.
The Data Protection Compliance Manager shall notify the data subject of the Personal Data Breach where it is likely to result in a high risk to the rights and freedoms of individuals.
The Data Protection Compliance Manager will notify the ICO of a Personal Data Breach where it is likely to result in a risk to the rights and freedoms of data subjects – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
The Data Protection Compliance Manager shall maintain a log of all Personal Data Breaches recording the following information:
- The date of the Personal Data Breach;
- The Personal Data disclosed as a result of the Personal Data Breach;
- Where known, the person responsible for the Personal Data Breach;
- Action taken to rectify the Personal Data Breach;
- Whether the data subject and/or the ICO has been notified of the Personal Data Breach; and
- The reasoning behind the assessment of whether to notify the Personal Data Breach to the data subject and/or the ICO.
Whether the data subject and/or the ICO will be notified of the Personal Data Breach will be determined in consideration of the risk matrix formulated by the Data Protection Compliance Manager.
Employees will be trained in recognising and responding to Personal Data Breaches.
Data Audits and Deletion
We will carry out data audits every six months. As part of our data audits we will investigate:
- All personal data which we hold;
- The medium in which our personal data is held; and
- The date on which our personal data should be deleted in accordance with this policy.
We shall delete personal data when it is no longer necessary for the purpose for which we obtained it.
The period for which we will retain personal data is set out in the Schedule.
DPIAs
We will carry out a DPIA where data processing is likely to result in high risk to individuals, for example:
- Where a new technology is being deployed;
- Where a profiling operation is likely to significantly affect individuals; or
- Where there is processing on a large scale of the special categories of data.
Projects which are likely to require a DPIA include:
- A new IT system for storing and accessing personal data.
- A data sharing initiative where two or more organisations seek to pool or link sets of personal data.
- A proposal to identify people in a particular group or demographic and initiate a course of action.
- Using existing data for a new and unexpected or more intrusive purpose.
- A new surveillance system (especially one which monitors members of the public) or the application of new technology to an existing system (for example adding facial recognition capabilities to existing CCTV).
- A new database which consolidates information held by separate parts of an organisation.
- Legislation, policy or strategies which will impact on privacy through the collection or use of information, or through surveillance or other monitoring.
DPIAs will be carried out in accordance with the latest guidance from the ICO.
Reporting to the Board
The Data Protection Compliance Manager will report to the Board on a monthly basis.
The report of the Data Protection Compliance Manager will include:
- Overall compliance with this policy;
- An update on recent data breaches;
- The outcome of any recent DPIAs; and
- Any developments which could threaten compliance with this policy.
Data Protection Training
All Employees that have access to Personal Data will have their responsibilities under this policy outlined to them as part of their staff induction training. In addition, RegXchange will provide regular Data Protection training and procedural guidance for staff.
Anonymisation/Pseudonymisation
Where appropriate, we will anonymise or pseudonymise personal data.
Changes to this Policy
RegXchange reserves the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.
The Schedule
Data Processing Activities
TYPE OF DATA | TYPE OF DATA SUBJECT | TYPE OF PROCESSING | PURPOSE OF PROCESSING | TYPE OF RECIPIENT TO WHOM PERSONAL DATA IS TRANSFERRED | RETENTION PERIOD
---|---|---|---|---|---
Web activity logs | | | | | 3 days
Emails | | | | | 3 years
Client data, including document templates, structures and term sheets | | | | | 7 years
Articles of Association and related corporate documents | | | | | Permanently
Mission statements, strategic plans, corporate policies | | | | | Permanently
Contracts | | | | | 7 years after expiration
Correspondence, administrative | | | | | 3 years
Correspondence, general | | | | | 1 year
Correspondence, legal and important matters | | | | | Permanently
Bank statements | | | | | 7 years
Insurance policies | | | | | 3 years after expiration
Financial statements | | | | | Permanently
Audit reports | | | | | Permanently
Invoices to customers/from vendors | | | | | 7 years
Payroll records | | | | | 7 years
Tax returns | | | | | Permanently
Inventory records | | | | | 7 years
Other | | | | | 3 years