
1. PURPOSE AND SCOPE

1.1. These internal guidelines (the Guidelines) establish the standards for the processing of personal data by Hirett Ltd (the Company or HIRETT).
1.2. Applicable Data Protection Law means the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection legislation.
1.3. HIRETT is committed to protecting personal data. The Company must process personal data in accordance with Applicable Data Protection Law.
1.4. The Guidelines describe how the Company must process personal data: which data protection principles to follow and which measures to take to ensure an appropriate level of personal data protection. In addition, the Guidelines describe how the Company must handle data breaches and requests made by data subjects.
1.5. All employees, contractors, management board members and other individuals of the Company (the Employees) are required to comply with the Guidelines and keep the personal data they process confidential.
1.6. The Guidelines must be introduced to every Employee. An Employee will give his/her signature to confirm that he/she has read through and understands the Guidelines.

2. PRINCIPLES

2.1. The collection and processing of personal data may be done to the extent permitted by Applicable Data Protection Law. In general, only such personal data will be processed that is required or linked to the business processes of the Company.
2.2. The processing of personal data is governed by the following principles:
2.2.1. Lawfulness: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;
2.2.2. Transparency: the data subject must be informed of how his/her data is being processed;
2.2.3. Purpose limitation: personal data can be processed only for the purposes that were defined before the data was collected;
2.2.4. Storage limitation: as a general rule, personal data must be deleted when it is no longer needed for the purposes for which it was processed;
2.2.5. Data minimisation: only personal data which is necessary for each specific purpose of processing will be processed. Therefore, before processing personal data, it must be determined which categories of personal data, and to what extent, are necessary in order to achieve the relevant purpose;
2.2.6. Data accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
2.2.7. Confidentiality and data security: personal data must be treated as confidential by every Employee and secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, modification or destruction. Documents in paper format that contain personal data must be stored securely.
2.2.8. Accountability: HIRETT, acting as a data controller, is responsible for, and must be able to demonstrate, compliance with these governing principles and applicable data protection requirements.

3. ROLES

3.1. The data protection officer (the DPO) will monitor compliance with Applicable Data Protection Law, the Guidelines and other relevant guidelines/policies in all structural units (branches) of HIRETT, or in any other relevant Company entity, in relation to the protection of personal data. This includes the assignment of responsibilities, awareness-raising and training of staff, conducting audits, and other activities.
3.2. The contact details of the DPO are the following: Roman Vdovychenko, address: 3rd Floor, 10 Foster Lane, London EC2V 6HH, e-mail: roman.vdovychenko@Hirett.uk.com.
3.3. HIRETT maintains records of data processing activities as required under Article 30 of the GDPR (the Records). The Records are regularly reviewed by the DPO, or by another Employee appointed by the DPO, in order to determine necessary updates. The Employees of the Company must provide the DPO with the information necessary to keep the Records up to date.

4. DATA SUBJECTS’ RIGHTS AND RESPONDING TO REQUESTS

4.1. Subject to the specifications stipulated in Applicable Data Protection Law, a data subject has the right to:
4.1.1. receive information about the personal data processing;
4.1.2. access the personal data about him/her;
4.1.3. ask for inaccurate personal data to be corrected;
4.1.4. ask for his/her personal data to be erased;
4.1.5. exercise the right to data portability;
4.1.6. restrict the processing of his/her personal data;
4.1.7. object to the processing of his/her personal data.
4.2. In case an Employee receives a request from a data subject for exercising his/her rights, the Employee must refer this request to the DPO. The contact details of the DPO are provided in section 3.2 above.
4.3. In case an Employee receives any other type of request from a data subject regarding the processing of personal data, the Employee must refer this request to the DPO. The instructions of the DPO are mandatory and the Employee must offer all reasonable assistance to and cooperate with the DPO. It is prohibited to respond to requests from data subjects without approval from the DPO.
4.4. When a data subject exercises his/her rights, information shall be provided and actions shall be taken free of charge, except for requests that are manifestly unfounded or excessive. In this case, the Company may either:
4.4.1. charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
4.4.2. refuse to act on the request.
4.5. Requests are considered manifestly unfounded or excessive in particular because of their repetitive character, or because of the level of detail required for the response, where achieving that level of detail would require the implementation or development of technical measures imposing significant costs on the Company.
4.6. Upon receipt of the data subject’s request, the DPO verifies the identity of the data subject, in order to ensure that information regarding data processing is not provided to unauthorised persons, who are not entitled to access it.
4.7. The Company is not required to exercise the rights of data subjects if the purposes for which the Company processes personal data do not, or no longer, require the identification of a data subject by the Company, and the Company is able to demonstrate that it is not in a position to identify the data subject. If the data subject provides additional information enabling his or her identification for the purpose of exercising his or her rights under Applicable Data Protection Law, the Company shall act on the request of the data subject unless the Company demonstrates that it is not in a position to identify the data subject based on the additional data provided.
4.8. The DPO shall ensure that all requests received are registered with the number of the request, the date of receipt, the type of the request (which particular right the data subject invokes), and the name and surname of the data subject. The register may also include records regarding the process and status of the examination of the request. Records of the register may only be used for the purpose of monitoring and ensuring that responses are provided within the applicable time limits.
4.9. The DPO is responsible for examining, implementing and responding to the data subject’s request. Requested information or information on actions taken on a request is provided, or action is taken within one month of receipt of the request from the data subject. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. However, the Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
4.10. When the implementation of the data subject's request affects data transferred to the Company's data recipients, the DPO notifies each recipient of the data no later than one month after the data subject's request has been implemented, unless this would not be feasible or would result in disproportionate effort.
4.11. Upon the request of the data subject, the DPO shall inform the data subject about those recipients of data within one month.

5. THIRD PARTY REQUESTS FOR DISCLOSURE OF PERSONAL DATA PROCESSED BY THE COMPANY

5.1. Any Employee who receives a request from a third party asking to disclose personal data processed by the Company must ensure the validity of the legal basis for disclosure prior to transferring the data.
5.2. If the Employee who is responding to the request for disclosure of personal data is in doubt as to the legal basis for the disclosure of personal data, he or she should consult with the DPO.
5.3. Data disclosed to third parties must be limited to the minimum scope necessary to fulfil the request, and a secure data transfer procedure must be used (e.g. sharing the data password-protected via a cloud server and disclosing the password separately via e-mail).

6. DATA BREACH NOTIFICATION

6.1. In case an Employee suspects or knows that a personal data breach has happened, the Employee must notify the DPO immediately, and in any case no later than 24 hours after becoming aware of the data breach. The DPO will:
6.1.1. address the incident and determine whether a personal data breach has occurred;
6.1.2. assess the risk to individuals as a result of a breach (no risk, risk or high risk);
6.1.3. notify the data breach to the supervisory authority if required, and to the affected data subjects if required, according to Articles 33 and 34 of the GDPR;
6.1.4. ensure that actions are taken to contain the breach and recover from it;
6.1.5. document the data breach;
6.1.6. document the risk assessment regarding the data breach;
6.1.7. in case the data subject is notified of the breach, document the communication with the data subject.
6.2. The data breach notification template to be used when notifying the supervisory authority (if necessary) is included in Appendix 1.
6.3. The Company shall be deemed to be aware of the data breach when the Company is sufficiently convinced that a security incident violating the security of personal data took place.
6.4. When the data breach relates to the data that the Company processes as a data processor, the procedures outlined in the data processing agreement concluded with the controller shall be performed.
6.5. If the data processing agreement does not provide for actions in the event of a data breach, the Company shall, on its own initiative, provide the controller with a data breach notification within 48 hours.

7. DATA RETENTION

7.1. The retention periods for personal data are stipulated in the Records. The DPO will ensure that these retention periods are periodically reviewed and amended if necessary. The DPO shall also ensure that respective procedures are in place to delete, close or archive the data (as appropriate) once the retention term has been reached.
7.2. Any Employee who decides upon the introduction of new personal data processing activities at the Company is responsible for determining the suitable legal basis for the processing and how long such personal data will be retained. Before the Records are updated, the relevant Employee must consult with the DPO.

8. GUIDELINES FOR ENGAGING DATA PROCESSORS

8.1. A data processor is an individual or an entity who processes personal data on behalf of the Company, according to the instructions given by the Company.
8.2. The Company may only engage data processors that provide sufficient guarantees for the protection of the personal data being processed and implement appropriate technical and organisational measures. It is the responsibility of the Company to verify that the data processors engaged by it meet these conditions.
8.3. When engaging a data processor, a data processing agreement (the DPA) must be concluded with the data processor. When concluding a DPA, the DPA template for HIRETT must be used if possible. The DPA template can be obtained from the DPO.
8.4. The Company must ensure that the data processors engaged by the Company shall not receive any personal data prior to the conclusion of the respective DPA.
8.5. In cases when a data processor that may be engaged by the Company suggests concluding provisions different from the DPA template provided by the DPO, the Employee responsible for the conclusion of the DPA shall address the DPO with all the related information. A data processing agreement that differs from the DPA template may be concluded only after the approval of the DPO.

9. DATA PROTECTION BY DESIGN AND BY DEFAULT

9.1. When developing, selecting or starting to use new applications or programmes involving the processing of personal data, or when commencing other new activities which involve the processing of personal data, the Company and the respective Employees must consider how to ensure appropriate personal data protection. In case of doubt about personal data protection requirements, the relevant Employee must consult with the DPO.
9.2. When the Company makes fundamental changes to its data processing activities, in particular by starting to use new technologies, the DPO shall be engaged to carry out a review to determine whether it is necessary to carry out a data protection impact assessment.
9.3. The Company aims to apply data protection by design and by default, including but not limited to the following principles:
9.3.1. data minimisation;
9.3.2. prompt application of pseudonymisation to personal data;
9.3.3. transparency of functions and data processing;
9.3.4. the ability of the data subject to monitor data processing activities;
9.3.5. integrated privacy enhancing measures;
9.3.6. authentication;
9.3.7. encryption;
9.3.8. anonymity.

10. CONTROL MECHANISMS

10.1. Compliance with the requirements resulting from the Guidelines must be demonstrable at any time (accountability) by written documentation.
10.2. The DPO shall review the Guidelines annually and propose amendments as necessary.

Appendix 1

Data breach notification template

  1. Contact details

Name of the organisation:______________________________________________

Name and title of the contact person

(data protection officer):__________________

______________________________________________________________

Contact details (phone, e-mail address): ________________________________

______________________________________________________________

Field of activity: ________________________________________________

  2. Type of notification (check boxes, one or multiple)

☐ Final notification

☐ Advance notification

☐ Updating a previous notification

  3. Time (insert a date and check a box)

I discovered the breach on (day/month/year):_______________________________

The breach took place during a longer period (start date and end date, day/month/year):__________________________________________________

☐ A single breach

☐ A continuing breach

Reasons for late notification (if the notification was not submitted within 72 hours):

_________________________________________________________________________

______________________________________________________________

_____________________________________________________________

____________________________________________________________

  4. Breach details (check boxes, one or multiple)

Circumstances of the breach

☐ Device containing personal data is lost or stolen

☐ Paper document is stolen, lost or left in an unsafe environment

☐ Disclosing personal data without permission

☐ An unauthorised person saw personal data

☐ Personal data was transferred to an unauthorised person

☐ Unauthorised or unlawful entrance to the information system (e.g. hacking, malware, ransomware, phishing attack)

☐ Personal data was obtainable due to insufficient destruction of data storage mediums

Other circumstances (please explain): ________________________________________

__________________________________________________________________________

______________________________________________________________

Why the breach took place (check boxes, one or multiple)

☐ Infringement on the organisation’s operational arrangements, internal rules

☐ Insufficient awareness of staff (e.g. insufficient internal rules and operational arrangements, insufficient training)

☐ Human error

☐ Technical error

Other (name cooperation partner(s), e.g. the processor if the breach happened there):_____

__________________________________________________________________________

__________________________________________________________________________

☐ Circumstances are unknown

  5. Personal data involved with the breach

Number of records containing personal data involved with the breach

(e.g. number of folders, documents, files that contain personal data. Check a box, choosing a range, or insert the precise number, or check "Unknown yet")

☐ 1-9

☐ 10-49

☐ 50-99

☐ 100-499

☐ 500-999

☐ 1,000-4,999

☐ 5,000-9,999

☐ 10,000 and more

If known, insert exact number: ______

☐ Unknown yet

Next choose which categories of personal data were involved (choose boxes, one or multiple)

☐ Name, surname

☐ Date of birth

☐ Personal identification code

☐ Contact details (e-mail, phone number)

☐ Postal address

☐ User names, passwords, data of payment instruments (i.e. data that enables taking over a person's payment instrument)

☐ Economic or financial data (transaction history, data reflecting economic status or credit worthiness)

☐ Documents containing data for internal use (incl. information relating to secrets of trade or profession, or state secrets and classified foreign information)

☐ Geolocation data

☐ Communication data (e.g. who talked, wrote to whom and when)

☐ Data relating to criminal convictions and offences

☐ Data regarding adoption secret

☐ Data regarding the need of social protection

☐ Racial or ethnic origin

☐ Political opinions

☐ Religious or philosophical beliefs

☐ Trade union membership

☐ Genetic data

☐ Biometric data

☐ Data concerning health

☐ Sex life or sexual orientation

Other (please specify): __________________________________________________

_______________________________________________________________________

Was the personal data adequately encrypted? (i.e. the encryption has not been compromised and remains under the data processor's control. Choose one box)

☐ Yes

☐ No

  6. Persons affected by the breach

Number of persons affected by the breach (Check a box, choosing a range, or insert the precise number, or check "Unknown yet")

☐ 1-9

☐ 10-49

☐ 50-99

☐ 100-499

☐ 500-999

☐ 1,000-4,999

☐ 5,000-9,999

☐ 10,000 and more

If known, insert exact number: ______

☐ Unknown yet

Next choose which categories of persons were affected by the breach (Check boxes, one or multiple)

☐ Employees

☐ Clients

☐ Minors (e.g. students, children)

☐ Patients

☐ Persons needing social protection

Other (please specify): ______________________________________________________

________________________________________________________________________

______________________________________________________________

  7. Possible consequences for the persons affected by the breach

Loss of confidentiality (data was accessed by unauthorised persons. Check boxes, one or multiple)

☐ Risk of processing exceeding the scope of initial purpose or person’s consent

☐ Risk of connecting personal data to other data concerning the person

☐ Risk of personal data being used for other purposes and/or unlawfully

Other (please specify): _______________________________________________

______________________________________________________________

______________________________________________________________

Loss of integrity (unauthorised alteration of data. Check boxes, one or multiple)

☐ Risk that personal data has been altered and used, even though it may no longer be valid

☐ Risk that personal data has been altered in other ways so as to appear valid and has later been used for other purposes

Other (please specify): ____________________________________________________

__________________________________________________________________________

______________________________________________________________

Loss of availability (lack of timely and unobstructed access to data. Check a box.)

☐ Lack of capability to provide critical (vital) service to the affected person

Other (please specify): ________________________________________________

______________________________________________________________

______________________________________________________________

Physical, material (tangible) or non-material (intangible) damage or other equal consequence (check boxes, one or multiple)

☐ Losing control over one’s personal data

☐ Person’s rights are being restricted (e.g. cannot use a service or exercise contractual rights)

☐ Legal consequences (e.g. person cannot receive his/her benefits, or a permit for some kind of action)

☐ Discrimination

☐ Identity theft

☐ Fraud

☐ Monetary damage

☐ Damage to health

☐ Risk of losing one’s life

☐ Reversal of pseudonymisation without permission

☐ Damage to one’s reputation

☐ Loss of trust

☐ Loss of information for internal use or information relating to secrets of trade or profession, or protected information or state secrets and classified foreign information

Other (please specify): _______________________________________________

  8. Follow-up activities relating to the breach

Notification of a personal data breach to the person (insert a date or check boxes, one or multiple)

Person has already been notified on (day/month/year):_____________

How the person was notified:

☐ E-mail

☐ Text message (SMS)

☐ Phone call

☐ Media, incl. social media

☐ Organisation’s/company’s online webpage

Other (please specify): ______________________________________________________

Content of the notification: ____________________________________

______________________________________________________________

______________________________________________________________

Person has not been notified yet, but will be notified on (day/month/year):_____________

☐ Unclear if there is need to notify

☐ No need to notify

Explanation why there is no need: __________________________________

______________________________________________________________

______________________________________________________________

Describe the measures proposed to be taken to address the personal data breach, mitigate its possible adverse effects and to prevent such breach in the future:________________________________________________________

______________________________________________________________

______________________________________________________________

  9. Breach's cross-border effect

In which country is your main place of business?

(name of the country):______________

Are persons in other EU member states also affected by the breach?

☐ Yes (please specify which countries):__________________________________________

☐ No

Have you notified the data protection supervisory authority of other EU member states?

☐ Yes (please specify which organisation): ____________________________________

☐ No

Have you notified other national and/or EU member states’ supervisory authorities (not data protection authority, but e.g. cyber protection authority, consumer protection authority)?

☐ Yes (please specify which authorities):_________________________________________

__________________________________________________________________________

☐ No