- KEY DETAILS
Policy prepared by: Liz Aitken
Effective from: 25th May 2018
Next review date: 25th May 2019
Scope: This document applies to Liz Aitken and Julia Durand trading as Carefully Sorted
Data Processors: Liz Aitken and Julia Durand trading as Carefully Sorted
Purpose of Policy
- To ensure that Carefully Sorted complies with the law
- To ensure that Carefully Sorted follows good practice
- To protect Carefully Sorted’s clients
- To protect the organisation
- TYPES OF DATA
Potential clients contact Carefully Sorted in three direct ways:
- By phone or text
- By email
- Face to face
Carefully Sorted has its own domain name. Our email addresses (email@example.com and firstname.lastname@example.org) and our mobile numbers are published on our website – www.carefullysorted.com.
Our email addresses and mobile numbers are also listed on the directory of our professional body, APDO Association of Professional Declutterers & Organisers (APDO UK), on our Carefully Sorted Facebook, Instagram and Twitter pages, on our individual LinkedIn profiles and, from time to time, on listings and advertisements on online business directories e.g. Google, Yellow Pages, Cyclex, and NextDoor.
When potential clients contact us, we ask them to provide us with the following basic information:
- Phone Number
- Email address
However, it is up to the potential client to decide what details they provide to us. We simply need a way of getting in touch and agreeing the scope of work, dates, location, terms, and so on.
We do not email potential clients looking for assignments; all the approaches come from our clients.
We do not circulate details of offers or marketing events via email, only via our Facebook, Twitter, LinkedIn and Instagram pages.
Some of our clients offer us a short description of the service they are seeking from us; others simply say that they need help, and we note the details when we undertake a face-to-face consultation with them.
The contact and other details set out above are the only pieces of personal data we collect from clients.
Data is stored on our individual mobile phones, both of which are password-protected, and on an Excel spreadsheet which is held by Liz Aitken, in her capacity as Data Controller and Data Processor. This spreadsheet is password-protected and is held on Liz Aitken’s password-protected laptop. This document is never shared with a third party.
Carefully Sorted does not outsource any data processing.
- POLICY STATEMENT
Liz Aitken and Julia Durand, trading as Carefully Sorted, comply with both the law and good practice when processing personal data, with a commitment to respect individuals’ rights and to be open and honest with individuals whose data is processed.
We have undertaken specific GDPR training so that we can act confidently and consistently, and undertake to notify the Information Commissioner voluntarily in the event of a breach.
- KEY RISKS
Liz Aitken and Julia Durand acknowledge that the key risks in the handling of personal data are:
- Data getting into the wrong hands, through poor security or inappropriate disclosure of information
- Individuals being harmed through data being inaccurate or insufficient
- Loss of trust with individuals whose data is being processed
Liz Aitken and Julia Durand, trading as Carefully Sorted, share responsibility for ensuring that the organisation complies with its legal obligations.
The Data Protection Officer is Liz Aitken.
Liz Aitken and Julia Durand both ensure and affirm that all devices used to process emails containing personal data have appropriate password protection, that those passwords are not divulged to any other person, and that the devices used to access email are likewise protected and kept physically secure.
- BUSINESS CONTINUITY
Liz Aitken backs up the data to two external, password-protected and encrypted external hard drives on alternate weeks. These drives are kept in a locked drawer.
- SPECIFIC RISKS
- Vishing (being induced to divulge personal data over the phone): Neither Liz Aitken nor Julia Durand of Carefully Sorted will ever divulge personal data over the phone.
- Phishing (fraudulent emails seeking to obtain data via email accounts): Liz Aitken and Julia Durand use dedicated business email addresses – email@example.com and firstname.lastname@example.org – to reduce this risk.
- USB sticks: We believe that the risks of data transfer by USB sticks (e.g. risk of mislaying) are high, so we will never transfer data in this way.
- Documents: When we write a proposal to a potential client, this document is kept secure in a password-protected file on one of our two password-protected laptops. We convert our proposals to PDF when we send them to clients. Similarly, copies of our invoices to our clients are held in password-protected files on one of our two password-protected laptops. As with proposals, these are sent to clients as PDFs.
- DATA RECORDING AND STORAGE
- Accuracy: The personal data of our clients is retained only in the form of an email archive. We do not keep email addresses, phone numbers or any other data relating to our clients in paper address books.
- Updating: Personal data in the email archive will not be updated as this would undermine its accuracy as an historical record.
- Storage: We do not use storage systems such as Dropbox.
- Retention periods: Personal data in the form of email headers and content is held by Liz Aitken and Julia Durand of Carefully Sorted for up to 5 years so that Carefully Sorted can fulfil its obligations to its clients. After this time, all personal data will be deleted.
- Annual audit: Liz Aitken will ensure an annual audit is undertaken during which any emails older than 5 years will be deleted.
- RIGHT OF ACCESS
- Responsibility for this lies with Liz Aitken.
- Procedure for making a request: Right of access requests must be in writing; however, they do not need a specific form of words. Julia Durand will therefore pass on anything which might be a subject access request (SAR) to Liz Aitken without delay.
- Provision for verifying identity: Liz Aitken would verify the identity of the person making the SAR by ensuring that it was a written request from the known email address of the data subject.
- Charging: The personal data on clients stored by Liz Aitken and Julia Durand for the purpose of conducting their business is kept in a very simple email archive and one Excel spreadsheet. For this reason, we will not charge for processing any SARs.
- Procedure for granting access: The data request would be provided in standard email form.
- TRANSPARENCY & OTHER DATA RIGHTS
Liz Aitken and Julia Durand, trading as Carefully Sorted, are committed to ensuring that Data Subjects are aware that their data is being processed and that it is being processed in order that Carefully Sorted can fulfil its obligations to clients.
- Right to be informed: Data subjects can be informed about how we use their data by reading this policy on our website.
- Right to rectification: As emails are held as an historical record, rectification of existing data is not appropriate.
- Right to erasure: All personal data will be erased once the data is deemed no longer necessary for its original purpose, therefore the right to erasure is not applicable.
- Right to restrict processing: All personal data will be erased once the data is deemed no longer necessary for its original purpose, therefore the right to restrict processing is not applicable.
- Right to object: All personal data will be erased once the data is deemed no longer necessary for its original purpose, therefore the right to object is not applicable.
- Rights related to automated decision making and profiling: The personal data collected by Carefully Sorted is never used for automated decision making, nor for profiling, therefore these rights are not applicable.
- Right to Data Portability: The right to data portability is not applicable as the transfer of data from Liz Aitken of Carefully Sorted to another data controller is not possible.
- DATA SHARING
- Data Processors: Carefully Sorted does not outsource data processing.
- Data Transfers: Data may be disclosed to third parties such as waste disposal companies, storage providers, etc. but only with the explicit, fully articulated permission of the client in a written email.
- PERSONAL DATA BREACHES
Should a breach of security occur leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed by Carefully Sorted, the breach will be immediately escalated to Liz Aitken in her capacity as Data Protection Officer. Liz Aitken will:
- Inform any affected individuals without undue delay
- Assess the likely risk to affected individuals’ rights and freedoms
- Decide whether to inform the Information Commissioner’s Office of the breach
- If informing the Information Commissioner’s Office of the breach, do so within 72 hours
- Assess whether the breach could have been prevented and put measures in place to ensure it does not recur
- Document the breach even if not reported to the Information Commissioner’s Office
- LAWFUL BASIS
- Underlying principles: As per Article 6(1)(b) of the General Data Protection Regulation, Carefully Sorted’s basis for processing the personal data of its clients is that processing is necessary for the performance of a contract (the agreed scope of the work being undertaken) to which the data subject is party.
- Opting out/withdrawing consent: As consent is not required for the processing, there is no option for data subjects to opt out of having their data processed.
- TRAINING AND ACCEPTANCE OF RESPONSIBILITIES
- Liz Aitken and Julia Durand of Carefully Sorted, who in the course of their duties will have access to or be in receipt of their clients’ personal data, confirm that they have both read and understood this policy.
- Liz Aitken and Julia Durand guarantee to keep themselves up to date with any amendments to the regulations or the way in which they are enforced.
- POLICY REVIEW
- Responsibility: Liz Aitken
- Procedure: Julia Durand will be consulted during the review
- Timing: So that the review can be completed by the 26th May 2019, the process must begin by 30th April 2019.
© Carefully Sorted
SECTION 1 – WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing: With your permission, we may send you emails about our store, new products and other updates.
SECTION 2 – CONSENT
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your express consent, or provide you with an opportunity to say no.
How do I withdraw my consent?
If, after you opt in, you change your mind, you may withdraw your consent for us to contact you, or for the continued collection, use or disclosure of your information, at any time by contacting us at email@example.com.
SECTION 3 – DISCLOSURE
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.
SECTION 4 – THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
SECTION 5 – SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
Here is a list of the cookies that we use. We’ve listed them here so you can choose whether or not to opt out of cookies.
- Google Analytics session tracking
SECTION 6 – AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact our Privacy Compliance Officer at firstname.lastname@example.org.