Data Protection Policy
Charlie Robinson Ltd
Auctioneers, Valuers & Estate Agents, 30 Port Rd., Letterkenny, Co. Donegal
| Policy Prepared By | Martina McIntyre |
| Approved by BOD on | 27th March 2019 |
| Last updated | 26th March 2019 |
| Next Review Date | 26th March 2020 |
| Company | means Charlie Robinson Ltd, a PSRA Licensed Company |
| GDPR | means the General Data Protection Regulation. |
| DPO | means Data Protection Officer, namely Boyd Robinson (Director) |
| Register of Systems | means a register of all systems or contexts in which personal data is processed by the Company. |
The Company needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Why this policy exists
This data protection policy ensures the Company:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
The Data Protection Act 2018 describes how organisations including Charlie Robinson Ltd must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
GDPR requires that the processing of personal data is conducted in accordance with the data protection principles outlined below. The Company has therefore designed its policies and procedures to ensure compliance with these principles.
Data protection principles
The Company is committed to processing data in accordance with its responsibilities under the GDPR.
The six principles of the General Data Protection Regulation require that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data.
Article 5(2) of the GDPR also requires the Company to be “responsible for and able to demonstrate compliance with the principles”.
GDPR – Rights of data subjects
Subject to Section 60 of the Data Protection Act 2018 and any associated Regulations, the GDPR specifies the following rights for data subjects:
- right to be informed / right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object to processing
- rights in relation to automated decision making and profiling
Responsibilities of Charlie Robinson Ltd.
The Company is responsible for the following:
- Implementing and maintaining appropriate technical and organisational measures for the protection of personal data
The Company has implemented technical and organisational measures to ensure that all data held under its control is secure and is not at risk from unauthorised access, whether internal or external. These measures are reviewed and upgraded where appropriate on an ongoing basis.
- Maintaining a record of data processing activities
The Company maintains a written record of all categories of written activities for which it is responsible, in accordance with GDPR Article 30.
- Data protection agreements with Personal Data Recipients
Where required, the Company puts in place appropriate contracts with third parties with which personal data is shared. The agreements specify the purpose of sharing the data, the requirements for security of the data, and the requirements for termination of the agreement and the deletion of the shared data.
- Data protection by design and default
In accordance with Article 25 of the GDPR, the Company implements technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.
- Data Protection Impact Assessment (DPIA)
The Company will, where deemed necessary on an ongoing basis, carry out DPIAs to ensure new technologies or newly introduced organisational procedures will not impact on the rights and freedoms of the data subjects involved.
- Transfer of personal data outside the EU
The Company will ensure that, where any instance arises in which personal data is required to be transferred outside of the EU, prerequisite measures will be implemented to ensure the appropriate safeguards are in place.
- Personal Data breaches
A breach in personal data may be defined as: ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. All staff in the Company will notify the Company Director where they identify or suspect a breach of personal data.
- Personal Data Governance
Compliance with the GDPR is a key requirement for the Company. The Company’s compliance framework will oversee, monitor and ensure compliance with data protection legislation.
- Data Protection Officer
In compliance with Article 37.1(a) of the GDPR, the Company has designated a Company Director as the Data Protection Officer (DPO). In accordance with Article 38, the Company will involve the DPO in a timely manner in all issues which relate to the protection of personal data and will support the DPO in performing the tasks referred to in Article 39 (Tasks of the Data Protection Officer).
Data Protection Officer:
Mr Boyd Robinson,
Charlie Robinson Ltd.,
30 Port Road,
Key definitions used in Data Protection legislation
Below are definitions of the key terminology used in the GDPR.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject is an individual whose personal data is processed.
Processing means any operation or set of operations which is performed on personal data, by manual or automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.