DATA PROTECTION POLICY
Dr Nina Bal (Facial Sculpting) is required to comply with the law governing the management and storage of personal data, which is set out in the General Data Protection Regulation (GDPR).
Compliance with the GDPR is overseen by the UK data protection regulator which is the Information Commissioner’s Office (ICO).
This policy establishes an effective, accountable and transparent framework for ensuring compliance with the requirements of the GDPR (General Data Protection Regulation).
This policy applies to all staff, consultants and any third party that this policy has been communicated to.
This policy covers all personal data and special categories of personal data, whether processed on computers (including personal computers, central databases and phones) or stored in manual (paper-based) files.
Dr Nina Bal is responsible for monitoring the company’s compliance with this policy.
Everyone in the Company (and any third party to whom this policy applies) is responsible for ensuring that they comply with this policy. Failure to do so may result in disciplinary action or otherwise.
The GDPR is designed to protect individuals and personal data which is held and processed about them by organisations or other individuals.
The GDPR uses some key terms to refer to individuals, those processing personal data about individuals and types of data covered by the Regulation. These key terms are:
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’), e.g. information from which a person can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, location data or online identifier. It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing the personal data, i.e. the controller is the individual, organisation or other body that decides how personal data will be collected and used.
Processing: means any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special categories of personal data: means personal data revealing:
a) racial or ethnic origin;
b) political opinions;
c) religious or philosophical beliefs;
d) trade-union membership;
e) the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person;
f) data concerning health or data concerning a natural person’s sex life or sexual orientation.
N.B. data relating to criminal convictions and offences is not included within the special categories; however, there are additional provisions for processing this type of data (see Regulation 10 of the GDPR).
Data Protection Principles
The GDPR is based around 8 principles, which are the starting point for ensuring compliance with the Regulation. Everybody working for the Company, and any third party to whom this policy applies, must adhere to these principles in performing their day-to-day duties. The principles require the business to ensure that all personal data and sensitive personal data are:
1. Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)
6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)
The Company must be able to demonstrate its compliance with principles 1 to 6 above (‘accountability’).
Processing personal data and sensitive personal data
All personal data must be processed in a manner that is compliant with the GDPR. In practice this means that you must:
• have legitimate grounds for collecting and using the personal data;
• not use the data in ways that have unjustified adverse effects on the individuals concerned;
• be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
• handle people’s personal data only in ways they would reasonably expect; and
• make sure you do not do anything unlawful with the data.
You must ensure that you are aware of the difference between personal data and special categories of personal data and ensure that both types of data are processed in accordance with the GDPR.
The conditions for processing special categories of personal data that are most relevant to our business are:
• explicit consent from the data subject;
• the processing is necessary for the purposes of carrying out the business’s obligations in respect of employment and social security and social protection law;
• the processing is necessary to protect the vital interests of the data subject or another person;
• the processing relates to personal data that has already been made public by the data subject; or
• the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Data Protection Impact Assessments (DPIAs)
The Company undertakes DPIAs to identify data protection risks, assess the impact of those risks and determine appropriate action to prevent or mitigate that impact, whenever it introduces, or makes significant changes to, systems or projects involving the processing of personal data.
Data Protection Officer (DPO)
The Company has appointed Dr Nina Bal as the Data Protection Officer.
The Data Protection Officer’s duties include:
Informing and advising the Company and its employees who carry out processing pursuant to data protection regulations, national law or European Union-based data protection provisions.
Ensuring the alignment of this policy with data protection regulations, national law or European Union based data protection provisions.
Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs).
Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs).
Determining the need for notifications to one or more DPAs because of the Company’s current or intended personal data processing activities.
Making and keeping current notifications to one or more DPAs because of the Company’s current or intended personal data processing activities.
The establishment and operation of a system providing prompt and appropriate responses to data subject requests.
Informing senior managers, officers and directors of the Company of any potential corporate, civil and criminal penalties that may be levied on the Company and/or its employees for violation of applicable data protection laws.
Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this policy by any third party who:
• provides personal data to the Company;
• receives personal data from the Company;
• has access to personal data collected or processed by the Company.
Data Protection by Design
To ensure that all data protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing. The Company will ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection Officer, for all new and/or revised systems or processes for which it has responsibility. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of personal data.
To confirm that an adequate level of compliance is being achieved in relation to this policy, the Data Protection Officer will carry out an annual data protection compliance audit which will assess the following:
• Compliance with policy in relation to the protection of personal data, including:
– The assignment of responsibilities.
– Training of employees.
• The effectiveness of data protection-related operational practices, including:
– Data subject rights.
– Personal data transfers.
– Personal data incident management.
– Personal data complaints handling.
– The level of understanding of data protection policies and privacy notices.
– The currency of data protection policies and privacy notices.
– The accuracy of personal data being stored.
– The conformity of data processor activities.
Rights of the data subject
The GDPR gives rights to individuals in respect of the personal data that organisations hold about them. Everybody working for the Company must be familiar with these rights and adhere to the Company’s procedures to uphold these rights.
These rights include:
• Right of information and access: to confirm details about the personal data that is being processed about them and to obtain a copy;
• Right to rectification of any inaccurate personal data;
• Right to erasure of personal data held about them (in certain circumstances);
• Right to restriction on the use of personal data held about them (in certain circumstances);
• Right to portability: the right to receive data processed by automated means and have it transferred to another data controller;
• Right to object to the processing of their personal data.
If anybody receives a request from a data subject to exercise any of these rights, the request must immediately be referred to the Data Protection Officer.
Note: There is only one month to respond to a request to access a copy of personal data.
Law Enforcement Requests & Disclosures
In certain circumstances, it is permitted that personal data be shared without the knowledge or consent of a data subject. This is the case where the disclosure of the personal data is necessary for any of the following purposes:
• The prevention or detection of crime.
• The apprehension or prosecution of offenders.
• The assessment or collection of a tax or duty.
• By the order of a court or by any rule of law.
If the Company processes personal data for one of these purposes, then it may apply an exception to the processing rules outlined in this policy but only to the extent that not doing so would be likely to prejudice the case in question. If the Company receives a request from a court or any regulatory or law enforcement authority for information relating to a contact, you must immediately notify the Data Protection Officer who will provide comprehensive guidance and assistance.
Confidentiality and data sharing
The Company may transfer personal data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e. third countries), they must be made in compliance with an approved transfer mechanism. The Company may only transfer personal data where one of the transfer scenarios listed below applies:
• The data subject has given consent to the proposed transfer.
• The transfer is necessary for the performance of a contract with the data subject.
• The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request.
• The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject.
• The transfer is legally required on important public interest grounds.
• The transfer is necessary for the establishment, exercise or defence of legal claims.
• The transfer is necessary in order to protect the vital interests of the data subject.
To ensure fair processing, personal data will not be retained by the Company for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
The Company will adopt physical, technical, and organisational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of personal data-related security measures is provided below:
• Prevent unauthorised persons from gaining access to data processing systems in which personal data is processed.
• Prevent persons entitled to use a data processing system from accessing personal data beyond their needs and authorisations.
• Ensure that personal data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation.
• Ensure that access logs are in place to establish whether, and by whom, the personal data was entered into, modified on or removed from a data processing
• Ensure that in the case where processing is carried out by a Data Processor, the data can be processed only in accordance with the instructions of the Data
• Ensure that personal data is protected against undesired destruction or loss.
• Ensure that personal data collected for different purposes can and is processed
• Ensure that personal data is not kept longer than necessary.
A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Everybody working for the Company has a duty to report any actual or suspected data protection breach to the Data Protection Officer without delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the Company is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The Data Protection Officer will maintain a central register of the details of any data protection breaches.
Complaints relating to breaches of the GDPR and/ or complaints that an individual’s personal data is not being processed in line with the data protection principles should be referred to the Data Protection Officer without delay.
It is important to understand the implications for the Company if anyone at the company fails to meet our data protection obligations. Failure to comply could result in:
• Criminal and civil action;
• Fines and damages, which may be extremely substantial;
• Personal accountability and liability;
• Suspension or withdrawal of the right to process personal data by the ICO;
• Loss of confidence in the integrity of the Company’s systems and procedures;
• Irreparable damage to the Company’s reputation.
Dr Nina Bal
Tel: +44 (0)7340 093939 or email: firstname.lastname@example.org