Guide Data Protection Policy


3. Policy Statement

Data Protection Principles

We will, by putting in place appropriate policies and procedures, be responsible for ensuring that an individual’s personal data is:

  • Processed lawfully, fairly and in a transparent manner by ensuring that at least one of the conditions in Article 6 of the UK GDPR is met and, in the case of special categories of personal data, that at least one of the conditions in Article 9 is also met,
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes,
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed,
  • Accurate and kept up to date (where necessary), with every reasonable step taken to ensure that inaccurate personal data (having regard to the purposes for which it is processed) is erased or rectified without delay,
  • Kept in a form which permits identification for no longer than is necessary for the purpose for which it is being processed,
  • Processed with appropriate security, which will include protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • In addition, we will, through this policy and other measures, ensure that we are accountable in that we can demonstrate compliance with the responsibilities detailed above.

Lawful basis for processing

We will ensure that we establish and document our lawful basis for processing all personal data and will only process where we meet one of the following conditions:

  • The data subject gives consent for one or more specific purposes
  • The processing is necessary to meet contractual obligations entered into by the data subject
  • The processing is necessary to comply with the legal obligations of the data controller (EDDC)
  • The processing is necessary to meet the vital interests of the data subject
  • The processing is necessary for tasks in the public interest or exercise of authority vested in the controller (EDDC)
  • There is a legitimate interest for the controller in processing the data