Initial Search

Search Compliance Statements by keyword


You searched for ""
Additional Highlighting

Highlight additional keywords as you type:


You searched for ""

Found matches: 































































































Data Subject Consent


1. We display, at the time of collection, the identity of our Controller and a mandatory link to and acknowledgement of the relevant Privacy Notice 


2. The relevant Privacy Notice displays at the time of collection, using clear and plain language, the specific and detailed purposes for processing which explain the scope and consequences of the data processing 


3. The relevant Privacy Notice informs Data Subjects prior to their giving consent of their right to withdraw consent at any time 


4. In relation to the offer of information society services directly to a child, before we collect Personal Data of a child, we always seek the consent of a parent or legal guardian 


5. Any consent requested covers all processing activities carried out for the same purpose 


6. When the processing has multiple purposes, consent is requested for each individual purpose 


7. We do not incentivise or impose any conditions upon the giving of consent 


8. We provide mechanisms, for both written and oral statements to be made when giving consent 


9. Where relevant we provide mechanisms for a Data Subject to easily withdraw consent 


10. We do not use silence, inactivity or pre-ticked boxes as mechanisms to demonstrate consent 


11. We retain evidence of all consent given 


12. Where such circumstances prevail, and in the absence of appropriate safeguards, that Personal Data must be transferred outside of the EEA, we seek the explicit consent of the Data Subject





Direct Electronic Marketing & Profiling


Existing Customers


1. The Purpose for direct marketing is to market our organisation's own products or services 


2. Where our organisation makes use of a 'do-not-contact' service, before a customer is contacted telephonically, we verify whether the customer has objected to receiving direct marketing calls 


3. Where the 'do-not-contact' registry confirms that a customer has objected to receiving such calls, that customer is excluded from any direct marketing telephone calls 


4. Each method or medium used to market electronically makes use of our appropriate Privacy Notices, including a separate notice which specifically and explicitly draws attention to the Data Subject's right to object to the processing of his or her Personal Information for the purposes of direct marketing, including profiling, to the extent that it relates to such direct marketing 


5. Where a customer has objected to further direct marketing communications, our systems have been amended to reflect this objection and to cease processing of such customer's Personal Data for the purposes of direct marketing and/ profiling; as soon as is practicable or at least within 1 month of receiving the objection 


6. Each method or medium that we use to market electronically to existing customers provides an option for the customers to, through a clear, affirmative action, unambiguously indicate his or her agreement to receiving such communication. 


7. We do not use silence, inactivity or pre-ticked boxes as mechanisms to demonstrate consent 


8. We do not incentivise consent and we inform our customers that the consent we speak is specifically for direct marketing purposes 


9. We retain evidence of customers having provided consent 


10. We do not process the Personal Information of a child for the purposes of direct marketing


Prospective Customers


1. The Purpose for direct marketing is to market our organisation's own products or services 


2. Where our organisation makes use of a 'do-not-contact' service, such as the Telephone Preference Service (TPS) in the UK, and for as long as such a service is permissible under the GDPR, before a Data Subject is contacted telephonically, we verify whether the Data Subject has objected to receiving direct marketing calls 


3. Where the 'do-not-contact' registry confirms that a Data Subject has objected to receiving such calls, that Data Subject is excluded from any direct marketing telephone calls 


4. Where our organisation has not obtained the Personal Information directly from a Data Subject, our organisation fully informs the Data Subject of the source or sources of such Personal Information 


5. Where our organisation has NOT obtained the Personal Information directly from a Data Subject, our organisation, together with the source (third party), is able to provide the proof of the Data Subject having given the appropriate consent for our organisation to approach him or her 


6. Each method or medium used to market electronically makes use of our appropriate Privacy Notices, including a separate notice which specifically and explicitly draws attention to the Data Subject's right to object to the processing of his or her Personal Information for the purposes of direct marketing, including profiling, to the extent that it relates to such direct marketing 


7. Where a Data Subject has objected to further direct marketing communications, our systems have been amended to reflect this objection and to cease processing of such Data Subject's Personal Data for the purposes of direct marketing and/ profiling; as soon as is practicable or at least, within 1 month of receiving the objection 


8. Each method or medium that we use to market electronically provides an option for Data Subjects, through a clear, affirmative action, unambiguously indicate his or her agreement to receiving such communication 


9. We do not use silence, inactivity or pre-ticked boxes as mechanisms to demonstrate consent 


10. We do not incentivise consent and we inform Data Subjects that the consent we seek is specifically for direct marketing purposes 


11. We retain evidence of Data Subjects having provided consent 


12. We do not process the Personal Information of a child for the purposes of direct marketing





HR Practices


Recruitment


1. Whether we use an agency or personally handle our recruiting, using our Privacy Notice, we ensure that applicants are fully aware of our organisation details and also how their Personal Data will be collected, used and protected 


 2. We only collect the Personal Data necessary for processing the job application 


 3. All relevant employees and agencies are aware of the GDPR and the fact that Personal Data must be protected 


 4. We only request Special Categories of Personal Data where we are legally abled or required to 


5. We only collect Special Categories of Personal Data for specific purposes and we try as far as practicable to anonymise the data 


6. We only request information about an applicant's criminal convictions if, and to the extent that, the information can be justified in terms of the role offered and we only do this through the appropriate Country or EU authority 


7. Unless requested by an applicant, we discard all non-relevant Personal Data once the recruitment exercise is complete


Employment Records


1. Through our Privacy Notice, our employees are aware of their rights under the General Data Protection Regulation 


2. Our HR employees in particular, understand their job responsibilities in upholding these rights 


3. Our employees' data files are kept on secure systems with limited and controlled access to these systems 


4. Our employees' physical personal files are securely locked away 


5. Together with our employees we endeavour to maintain their data as current as possible 


6. Where there is the need to process sensitive Personal Data, such as trade union membership, race or the information of employees' children, we fully inform employees of that organisation need and we restrict the access to and processing of such categories of Personal Data 


7. Our employees understand who in our organisation may make decisions to disclose Personal Data, when a disclosure may be made and how the disclosure may be made 


8. We keep sickness records separate from absentee records 


9. Where employee Personal Data needs to be transferred or transmitted off our premises, we ensure that this is securely done 


10. We ensure that when employment is terminated the reason for this is accurately recorded, and that the record reflects properly what the employee has been told about the termination 





Monitoring at Work


1. Where there might be a organisation requirement to monitor employees', we perform a data protection impact assessment to justify such monitoring and we fully inform our employees as to the reasons for monitoring 


2. Where there is the need to use the biometric information of employees we fully inform employees 


3. We restrict access to and the processing of data collected through monitoring 


4. Our employees understand that monitoring of our computer systems may be required to ensure proper usage of our systems or perhaps to support an enquiry into a security incident


Employees� Health Information


1. We have identified who within our organisation, can authorise or carry out the collection of information about employees' health and we ensure their awareness of our organisation's responsibilities under the GDPR 


 2. We only obtain information through medical examination or testing of applicants or other potential employees where there is a likelihood of appointing them 


 3. Before obtaining information through drug or alcohol testing we ensure that the benefits justify any adverse impact, unless the testing is required by law 


 4. We ensure the criteria used for selecting employees for drug and alcohol testing are justified, properly documented, adhered to and are communicated to employees 


5. We ensure that employees are fully aware that drug or alcohol testing is taking place, and of the possible consequences of being tested





Information Use & Security


Retention & Restriction


1. We have identified all processing operations where Personal Data is processed 


2. Where practicable, we have identified time limits for the erasure of Personal Data for each of these processing operations 


3. Our organisation's Data Retention Policy and associated Schedules have been amended to incorporate the requirements for the retention of Personal Data 


4. Our organisation has provided the appropriate mechanisms for Data Subjects to raise requests for erasure of their Personal Data 


5. Where appropriate, we take reasonable steps to inform other Controllers which are processing such Personal Data, that the Data Subject has requested such erasure 


6. Where a Data Subject has contested the processing of his or her Personal Data, we restrict the processing of such Personal Data while we investigate the matter 


7. Where we have restricted the processing of Personal Data we will only continue the processing of such Personal Data for the purposes of proof or with the Data Subject's consent or for the protection of the rights of other people or if such processing is in the public interest 


8. Where we have restricted the processing of Personal Data we will always inform the Data Subject BEFORE we lift such restriction 


9. We communicate any rectification or erasure of Personal Data or restriction of processing to each to person to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort


Use of IT


1. That we treat personal and sensitive information as being confidential and expect it to be handled as such 


2. How to identify and what to do with potentially dangerous emails and associated links and files 


3. The need to regularly change their passwords and the requirement to NOT share their passwords 


4. Why it is important not to leave sensitive and confidential information unattended 


5. How to professionally conduct themselves, whether on the phone, via email and social media, or out in the public space 


6. That they shall not use mobile phones, flash-drives, social media, faxes, voicemail or text messaging for storing or transmitting confidential organisation information 


7. That our organisation systems are for organisation use and that our systems may be monitored for security purposes 


8. That our systems may be used for their limited personal use and that they understand what 'limited personal use' means 


9. That, during their limited personal use they will not access, download or share material such as streaming audio and video or any unlicensed software which could negatively impact our systems


Security Controls


1. Our computer networks, including wireless, are adequately protected against intrusion 


2. Our anti-virus and anti-malware software is up to date 


3. Our disaster recovery and organisation continuity plans are relevant and up to date 


4. We ensure that we have adequate and current, off-site backup of our organisation-critical and sensitive data 


5. We ensure that our software versions are up to date and any unused software and services have been removed from our systems 


6. We ensure that any data files which are transferred beyond our networks are transferred securely 


7. We ensure that our organisation laptops and any removable media are adequately protected e.g. via encryption. 


8. Where relevant, we prohibit the saving of confidential or personal data onto removable media. 


9. We ensure that the right employees have the right access to the right systems, for the correct length of time 


10. We conduct regular housekeeping to ensure that files and data which are no longer needed are securely deleted or, where we are unable to delete, appropriately de-identified / secured 


11. We ensure that we securely dispose of any redundant hardware 


12. We ensure that all our physical files are securely locked away and we shred any sensitive or Personal Information when no longer required 


13. We are aware of what we need to do in the event that someone gains unauthorised access to a Data Subject's Personal Data


Information Quality


1. We understand where exactly we collect, use and store Personal Data 


2. We always ensure that we collect and use Personal Data specific to our organisation purpose 


3. We always ensure that the Personal Data we collect and use is adequate and not excessive to the purpose for which it was collected 


4. Together with our Data Subjects we endeavour to keep Personal Data updated 


5. We retain Personal Data only for as long as it is necessary to fulfil the specified purpose AND in accordance with other relevant legislation or regulation. 


6. Where a Data Subject has contested the accuracy of his or her Personal Data, we restrict the processing of such Personal Data while we verify its accuracy 


7. Where we are no longer authorised to retain records of Personal Data we destroy or delete those records 


8. Where it is impractical to delete or destroy records, such as in archiving, we pseudonymise data 


9. Where we cannot pseudonymise archived data, we employ other safeguards such as encryption 


10. We have a system which facilitates Data Subjects' requests to access their Personal Data 


11. Where we have restricted the processing of Personal Data we will only continue the processing of such Personal Data for the purposes of proof or with the Data Subject's consent or for the protection of the rights of other people or if such processing is in the public interest 


12. Where we have restricted the processing of Personal Data we will always inform the Data Subject BEFORE we lift such restriction