
GDPR Short Form Data Protection Policy

16th August 2024

GDPR Compliant Data Protection and Privacy Policy

Veopolis Ltd

Introduction

This Policy outlines the obligations of Veopolis Ltd, a company registered in the United Kingdom under number 10391504 whose registered office is at 111 Piccadilly, Ducie Street, Manchester, M1 2HY, UK (hereafter referred to as “the Company”) regarding data protection, and the rights of employees, customers, and partners concerning their personal data under the General Data Protection Regulation (GDPR) and other applicable data protection legislation.

The Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data, and the rights of data subjects. It applies to all personal data the Company processes and must be adhered to by all employees, agents, contractors, or other parties working on behalf of the Company.

Definitions

  1. “Data Controller”: The person or organization that determines the purposes and means of processing personal data.
  2. “Data Processor”: The person or organization that processes personal data on behalf of the Data Controller.
  3. “Data Protection Legislation”: Refers to all applicable data protection and privacy laws, including but not limited to the GDPR and the Data Protection Act 2018.
  4. “Personal Data”: Any information relating to an identified or identifiable natural person.
  5. “Processing”: Any operation performed on personal data, including but not limited to collection, storage, use, and destruction.
  6. “Special Category Data”: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life, sexual orientation, or biometric and genetic data.
  7. “Data Subject”: A living individual about whom the Company holds personal data.
  8. “Supervisory Authority”: An independent public authority responsible for monitoring the application of Data Protection Legislation (established by EU Member States under Article 51 of the GDPR); for the Company, this is the UK Information Commissioner's Office (ICO).


Data Protection Officer & Scope of Policy

The Company’s Data Protection Officer (DPO) is Joel Billington, who can be contacted at [email protected]. The DPO is responsible for overseeing this Policy, ensuring compliance with GDPR, and handling related inquiries. All department heads are responsible for ensuring their teams comply with this Policy through appropriate training and procedural controls.

The Data Protection Principles

The Company is committed to complying with the GDPR, which is based on the following principles:

  1. Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
  2. Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.
  3. Data Minimisation: Only data that is necessary for the purposes stated should be collected and processed.
  4. Accuracy: Personal data must be accurate and kept up-to-date.
  5. Storage Limitation: Data must be stored only as long as necessary for the purposes for which it is processed.
  6. Integrity and Confidentiality: Data must be processed securely, ensuring protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability: The Data Controller is responsible for and must be able to demonstrate compliance with these principles.

Rights of Data Subjects

Under the GDPR, data subjects have the following rights:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure (the “right to be forgotten”);
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object;
  8. Rights related to automated decision-making and profiling.

Lawful, Fair, and Transparent Data Processing 

Personal data must be processed lawfully, fairly, and in a transparent manner. Processing is only lawful if at least one of the following applies:

  1. The data subject has given clear consent for one or more specific purposes;
  2. Processing is necessary for the performance of a contract with the data subject;
  3. Processing is necessary for compliance with a legal obligation;
  4. Processing is necessary to protect the vital interests of the data subject or another natural person;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
  6. Processing is necessary for legitimate interests pursued by the Data Controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject.

For special category data, additional conditions must be met, such as obtaining explicit consent or processing based on substantial public interest.

Consent

Where consent is relied upon as the lawful basis for processing personal data:

  1. Consent must be freely given, specific, informed, and unambiguous.
  2. Data subjects must be able to withdraw consent at any time, and it must be as easy to withdraw consent as to give it.
  3. Consent must be recorded and stored to demonstrate compliance.

Specified, Explicit, and Legitimate Purposes

Personal data shall only be collected and processed for specified, explicit, and legitimate purposes communicated to the data subject at the time of collection.

Adequate, Relevant, and Limited Data Processing

The Company shall only collect and process personal data that is adequate, relevant, and limited to what is necessary for the intended purposes.

Accuracy of Data and Keeping Data Up-to-Date 

The Company shall ensure that personal data is accurate and kept up-to-date. Data subjects have the right to request correction of inaccurate data.

Data Retention

Personal data shall be retained only as long as necessary for the purposes for which it was collected. After the retention period, data will be securely deleted or anonymised. Specific retention periods are detailed in the Company’s Data Retention Policy.

Secure Processing

The Company shall implement appropriate technical and organisational measures to ensure the security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Regular reviews will be conducted to ensure ongoing effectiveness.

Accountability and Record-Keeping

The Company shall maintain comprehensive records of all data processing activities in compliance with Article 30 of the GDPR. This includes details of processing purposes, data sharing, and data retention. Regular audits shall be conducted to ensure compliance.

Data Protection Impact Assessments and Privacy by Design

The Company shall carry out Data Protection Impact Assessments (DPIAs) for any high-risk processing activities. The principles of privacy by design and by default shall be integrated into all processing activities.

Keeping Data Subjects Informed

The Company shall provide data subjects with a comprehensive privacy notice at the time of data collection, detailing the purposes of processing, the legal basis, retention periods, data subject rights, and information on data sharing and transfers.

Data Subject Access Requests

Data subjects may submit Subject Access Requests (SARs) to obtain information about the personal data the Company holds about them. The Company shall respond to SARs within one month of receipt; where a request is complex or numerous, this period may be extended by a further two months, and the data subject shall be informed of the extension and the reasons for it within the first month.

Rectification of Personal Data

Data subjects have the right to request the correction of inaccurate or incomplete personal data.

The Company shall comply with such requests within one month of receipt, extendable by a further two months where the request is complex or numerous.

Erasure of Personal Data

Data subjects have the right to request the erasure of their personal data (right to be forgotten) under certain circumstances, such as when the data is no longer necessary for the purposes it was collected or when consent is withdrawn. The Company shall honour these requests unless it has a legitimate reason or legal obligation to retain the data.

Restriction of Personal Data Processing

Data subjects have the right to request a restriction on the processing of their data under specific circumstances, such as when the accuracy of the data is contested. Where a restriction is applied, the Company shall notify any third parties to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort.

Data Portability

Where processing is based on consent or contract and carried out by automated means, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another Data Controller.

Objections to Personal Data Processing

Data subjects have the right to object to the processing of their personal data, including where processing is based on legitimate interests or the performance of a public task, and in all cases involving direct marketing. Upon receiving an objection to direct marketing, the Company shall cease processing personal data for that purpose immediately; for other objections, the Company shall cease processing unless it can demonstrate compelling legitimate grounds which override the interests, rights, and freedoms of the data subject.

Automated Decision-Making and Profiling

The Company does not engage in decision-making based solely on automated processing that produces legal or similarly significant effects on individuals, unless it is necessary for a contract, authorised by law, or based on explicit consent. Data subjects have the right to request human intervention, express their views, and contest decisions.

Direct Marketing

The Company shall obtain explicit opt-in consent before sending direct marketing communications to individuals. Data subjects must be given a clear and easy option to withdraw consent at any time.

International Data Transfers

Personal data shall only be transferred to countries outside the European Economic Area (EEA) if appropriate safeguards are in place, such as an adequacy decision by the European Commission, Standard Contractual Clauses, or Binding Corporate Rules.

Data Breach Notification

In the event of a personal data breach, the Company shall notify the relevant Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to those rights and freedoms, the Company shall also inform the affected data subjects without undue delay.

Implementation of Policy

This Policy is effective as of 16th August 2024 and applies to all personal data processed by the Company from this date forward. The Policy shall be reviewed annually and updated as necessary to ensure continued compliance with the GDPR and other applicable laws.

This Policy has been approved by:

Name: Joe Darwen

Position: Founder CEO

Date: 16th August 2024

Due for Review by: 16th August 2025