Advantages of Age Ltd is referred to as “the Company”.
The Privacy Officer for the Company is Suzanne Noble (email: firstname.lastname@example.org).
This Data Protection Policy (“Policy”) (and any related policies and guidelines) is an internal document and should not be shared with members/users, third parties or regulators without prior approval from the Privacy Officer.
The Company needs to collect and use certain information about individuals in order to run its business effectively. The UK Data Protection Act 2018, the EU General Data Protection Regulation (“EU GDPR”) and UK General Data Protection Regulation (“UK GDPR”) (together, we refer to the EU GDPR and UK GDPR as “GDPR”), the Privacy and Electronic Communications Regulations and/or, depending on the circumstances, all laws supplementing these laws or implementing them into domestic laws (the “Data Protection Laws”) govern the way in which the Company may collect, use, store, disclose, transfer and delete information that identifies these and other individuals.
The purpose of this Policy is to establish rules governing the Company’s collection, handling and disclosure of personal data in the United Kingdom (and, where applicable, more globally) in order to ensure that our practices comply with the Data Protection Laws. It is supported by individual policies that implement the objectives of each key area set out below.
This Policy and all related documents apply to all employees, workers and contractors that process personal data on the Company’s behalf (“you” or “your”). The Policy applies to all personal data held physically and electronically by the Company, on our own systems and networks as well as personal data held by our vendors and cloud-based service providers.
This Policy does not apply to:
- Information or data that cannot be attributed to an individual — for example, where it has been aggregated with other information (such as statistical data) or anonymised so that the Company cannot attribute the information to an individual using reasonable means.
- Personal data that is held in paper files that are not structured by reference to specific individuals or criteria relating to individuals (e.g., employee start dates) such that information relating to a specific individual cannot be readily accessed.
- Real-time monitoring or surveillance of the Company’s IT systems (such as email and phone), except to the extent that personal data captured by such systems are temporarily or permanently recorded.
4.1 General principles
You must be aware of your own data protection responsibilities under the Data Protection Laws, which include the need to follow the guidelines and processes set out in this Policy.
- Consider your responsibilities under the Data Protection Laws and this Policy and how they impact on your day-to-day activities. You have an obligation to comply with the Data Protection Laws as well as helping the Company to do the same.
- Only share personal data on a need to know basis. For example, don’t share an entire database where only an element of it is required, and double check a recipient’s details before sharing personal data.
- Use password protection for documents and files, wherever appropriate.
- Only use personal data in the way that the individual concerned has agreed to or as set out in this Policy.
- Take a common sense approach when deciding how to protect, use and dispose of personal data. Think about how you would like your personal data to be treated and treat others’ personal data accordingly.
Note: This section is intended to provide general guidance and is not a comprehensive or exhaustive guide. Depending on the precise nature of your job, you may have additional responsibilities to others under the Data Protection Laws. The Privacy Officer will provide guidance if you are uncertain.
4.2 Data protection principles
In processing any personal data, the Company must adhere to certain data protection principles contained within the Data Protection Laws. These include that personal data must be:
- Processed fairly and lawfully.
- Processed only for one or more specified and lawful purposes, and not further processed in any manner incompatible with such purposes unless expressly permitted under applicable laws.
- Adequate, relevant and not excessive in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept no longer than is necessary for the purposes for which is was processed.
- Processed in accordance with an individual’s rights, including a right in certain circumstances: to access personal data, to have it ported to a third party, for it to be erased if inaccurate or no longer required and not to be subject to significant automated decision making processes.
- Kept secure.
- Transferred to or accessed from a country or territory outside the UK or EEA only if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data or where adequate contractual safeguards to protect the data are in place.
4.3 Obtaining personal data
4.3.1 Privacy Notices
The Company must ensure that an information notice is provided to each data subject before or at the time of collecting their personal data setting out how and why their information will be used (“Privacy Notice”). For example, a Privacy Notice must be provided to applicants for employment as part of the application process.
The Company posts a Privacy Notice on all of its websites, which informs individuals (amongst other things) about the categories of personal data collected; the purposes of processing; the legal bases for use, the recipients of and retention periods for the personal data and their rights under the Data Protection Laws. You are required to review to ensure you collect, use, disclose and protect personal data in accordance with the Privacy Notice and this Policy.
All collection, use and disclosure of personal data requires a legal basis. Consent is one such possible legal basis. In addition to providing the data subject with a Privacy Notice, the consent the Company obtains:
- Must be an affirmative, unambiguous action by the data subject indicating their agreement (inferred consent is not valid).
- Cannot be obtained through pre-checked boxes.
- Cannot be obtained where the Company has influence over the data subject (such as in the employment relationship).
- Must include a description of how the data subject can withdraw consent at any time.
Note: You must contact the Privacy Officer if you plan, or think you need, to obtain an individual’s consent before collecting their personal data.
4.4 Using personal data
The Company must only use personal data for the purposes that have been notified to data subjects in the applicable Privacy Notice. If the Company wants to use personal data for a new purpose that is not described in the Privacy Notice, the Company must verify that it has notified the data subjects of that purpose. Personal data must not be used for any new purpose that has not been notified to data subjects without the approval of the Privacy Officer.
4.4.2 Legal Basis
Before using personal data, the Company must verify that a legal basis exists under the Data Protection Laws for the intended use. The legal bases that are available depend on whether the Company is processing personal data or sensitive personal data.
|Key||YES / NO|
|Legal basis is appropriate||Yes|
|Legal basis is not appropriate||No|
|Legal Basis||Personal data||Sensitive Personal data|
|The data subject has given consent||Yes||Yes|
|Processing is necessary for the entry into/performance of a contract||Yes||No|
|Processing is necessary for compliance with a legal obligation||Yes||No|
|Processing is necessary to protect the vital interests of the data subject or another person||Yes||Yes|
|Processing is necessary for the performance of a task carried out in the public interest||Yes||Yes|
|Processing is necessary for legitimate interests of the controller or a third party (and these are not outweighed by the interests of the data subject)||Yes||Yes|
|Processing is necessary for carrying out obligations and exercising rights of the controller under employment, social security or social protection law||No||Yes|
|Processing relates to personal data which are manifestly made public by the data subject||No||Yes|
|Processing is necessary for the establishment, exercise or defence of legal claims||No||Yes|
|Processing is necessary for reasons of substantial public interest||No||Yes|
|Processing is necessary for the purposes of preventative or occupational medicine, the assessment of an employee’s working capacity or medical diagnosis||No||Yes|
|Processing is necessary for reasons of public interest in the area of health||No||Yes|
|Processing is necessary for archiving purposes in the public interest or for scientific, historical research or statistical purposes||No||Yes|
The Company is required to take reasonable steps to ensure the accuracy of all personal data it processes. If you learn that personal data held by the Company is incorrect, inaccurate or out of date, you should correct or amend the personal data as soon as reasonably practicable. Whenever possible, personal data will be used in a de-identified form to protect the privacy of the data subject to whom the data relates. If you have any doubts about whether or how to correct or amend personal data, you should contact the Privacy Officer before doing so.
The Company must ensure that it only collects and processes personal data that is relevant and proportionate to the purposes for processing. Where the collection or use of personal data is shown to be clearly excessive or disproportionate to the Company’s legitimate needs, the personal data will be deleted, destroyed or redacted as soon as possible unless this is prohibited by law or another Company policy.
4.4.5 Retention and Destruction
If personal data is not necessary for a business or legal purpose, the Company will delete or destroy it as promptly as possible and will not retain the personal data for longer than is required for these purposes. To the extent reasonably possible, the Company will establish defined retention periods for the categories of personal data it retains. If it proves impractical or impossible to delete or destroy personal data, the Company will endeavour to aggregate or anonymise the personal data so that it no longer refers to specific individuals. Where personal data must be retained, but is no longer processed regularly, it should be archived and segregated from personal data that is routinely processed.
4.5 Sharing personal data
In certain circumstances, the Company may share personal data with third parties such as service providers, local councils, regulatory authorities and law enforcement — provided that certain safeguards and contractual arrangements have been put in place. You may only share the personal data the Company holds if:
- The third party has a need to know the personal data for the purposes of providing the contracted services.
- Sharing the personal data complies with the Privacy Notice provided to the data subject and, if required, the data subject’s consent has been obtained.
- The third party has agreed to comply with the Company’s data security standards, policies and procedures and put adequate security measures in place.
- The transfer is in compliance with any applicable cross-border transfer restrictions.
- A fully executed written contract that contains GDPR-approved third party clauses has been obtained.
The Company is required to implement appropriate technical and organisational measures to ensure that the personal data it processes is protected from unauthorised or accidental access, disclosure, use or loss. The measures the Company adopts will reflect the sensitivity of the personal data in question, but will as a minimum include:
- Technical measures — These will include access and authentication controls for electronic systems and databases; and firewalls and other anti-intrusion technologies.
- Organisational measures — These will include policies, procedures and internal trainings.
- Environmental measures — These will include appropriate restrictions on physical access to personal data (such as locked and limited-access files).
4.7 Personal data breaches
The Data Protection Laws require the Company to report certain incidents involving personal data to regulators and, in serious cases, also to affected individuals. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If you discover, suspect or otherwise learn about an actual, potential or suspected personal data breach, you must immediately report the issue to the Privacy Officer, even if you are not sure whether a personal data breach has happened or is happening and/or whether the breach involves any personal data.
4.8 Data subject rights
The Data Protection Laws give individuals a number of rights in respect of the Company’s processing of their personal data. The Company, in its capacity as a controller, is required to comply with requests to exercise their data protection rights (“Subject Rights Requests”) — although in some cases these are subject to exemptions. Any type of contact where a data subject is asking about their personal data should be treated as a Subject Rights Request and sent to the Privacy Officer within 24 hours of receipt.
Note: You can find further details about these rights and how to handle Subject Rights Requests in the Company’s Data Subject Rights GDPR Protocol, which is available at [xxx].
If you contravene (or are suspected of having contravened) any aspect of this Policy, appropriate disciplinary action may be taken in accordance with the Company’s disciplinary procedure. Depending on the seriousness of the conduct, disciplinary action may result in dismissal without notice.
The Company also reserves the right to take action against you short of dismissal (including removing the right of authorised access to personal data) as may be appropriate in the circumstances. If you have any doubts about whether you are processing personal data fairly and lawfully, you should contact the Privacy Officer before carrying out any processing.
|Personal data||Any information that can be used to identify an individual. This is a broad concept, and includes: name, email address, phone number, interests, clickstream data and unique identifiers such as device ID, advertising ID, unique ID and IP address.|
|Sensitive personal data||Any personal data relating to an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, sexual life and orientation, or health data.|
|Processing / Process||Any use of personal data. This is a broad concept, and includes collecting, storing, analysing, accessing, sharing, destroying, etc.|
|Controller||The party that, alone or jointly with others, determines the purposes and means (the “why and how”) of the processing.|
|Processor||The party that processes personal data on behalf of the controller. It will have no independent reason for processing the personal data for its own purposes and will only process personal data on the controller’s instructions.|
|Data subject||An identified or identifiable natural person about who The Company processes personal data.|
|Personal data beach||A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.|
7.0 Further information
If you have any questions about this Policy, please contact the Privacy Officer.
8.0 Revision History