Sinolink Limited Policy Document On General Data Protection Regulation (GDPR)
On 25th May 2018, the current Data Protection Act (DPA) will be replaced with the General Data Protection Regulation (GDPR). Although the main concepts and principles of the GDPR will remain the same as in the current DPA, there are new elements and significant enhancements, which means we have to do some things for the first time and some things differently. For example, we have now put in place a new transparency and individuals’ rights provision in compliance with the GDPR, which was not in the DPA. Hence, with the emphasis firmly on, and our commitment to, your privacy, this is how we collect, process and store your data, whether you are an organisation (B2B) or an individual (B2C). All key people at Sinolink are now fully aware of the changes from DPA to GDPR.
1. The information we hold
We document what personal data we hold, where it came from, who we share it with and why. We now maintain records of all our processing activities. In the unlikely event that we have inaccurate personal data and have shared this with another organisation (which we do not do), we will tell the other organisation about the inaccuracy so it can correct its own records. We are able to do this because we know what personal data we hold, where it came from and who we share it with.
2. How we communicate the information we hold
We have reviewed our current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Hence, when we collect personal data, on top of the usual information we give, such as our identity and how we intend to use the information (usually done through a privacy notice), there is now additional information we must give, such as the lawful basis for processing the data, our data retention periods, and that individuals have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way we are handling their data.
3. The rights of the individual under GDPR
Although, on the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA, there are some significant enhancements we have added in compliance with the GDPR:
a. Rights under DPA retained in GDPR
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to object; and
the right not to be subject to automated decision-making including profiling.
b. Rights under GDPR
the right to data portability;
which applies only to personal data provided by an individual to a data controller, where the processing is based on the individual’s consent or on the performance of a contract, and where the processing is carried out by automated means.
4. Request for accessing the information we hold
We have updated our procedures on how we will handle requests to take account of the new rules:
· In most cases we will not charge you for complying with a request.
· We will aim to comply with the request as soon as possible but certainly within one month, rather than the current 40 days.
· We still retain the right to refuse or charge for requests that are manifestly unfounded or excessive.
· If we refuse a request, we will tell you why and that you have the right to complain to the supervisory authority (ICO) and to a judicial remedy.
5. Lawful basis for processing personal data
Under GDPR we will always identify the lawful basis for processing data; we will document it and have updated our privacy notice to explain it. You, the individual, have the right to request that your data be deleted where we have previously obtained and used your consent as our lawful basis for processing it.
6. Individual consent
We have reviewed how we seek, record and manage consent and have made changes accordingly. We have used the ICO’s consent checklist to refresh our existing consents to make sure they meet the GDPR standard. We make sure that consent is freely given, specific, informed and unambiguous. There is a positive opt-in – consent is not inferred from silence, pre-ticked boxes or inactivity. It is separate from other terms and conditions, and there is a simple way for you to withdraw consent.
Although we do not gather, process or store children’s data we have, nevertheless, put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. Sinolink does not offer online services (‘information society services’) to children. We are fully aware that the GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
8. Data breaches
Our customers are assured that we have the right procedures in place to detect, report and investigate a personal data breach. We know our duty to notify the ICO (and the individual) when/if we suffer a personal data breach, where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also have to notify those concerned directly in most cases.
9. Data protection by design and by default
Privacy by design is now an express legal requirement. Therefore, we have carried out a detailed assessment of the situations in which it might become necessary to conduct a Data Protection Impact Assessment (DPIA). This would seldom become necessary, as Sinolink does not carry out profiling operations or large-scale processing of the special categories of data. In any event, Sinolink will always consult the ICO if it (Sinolink) cannot sufficiently address high-risk data processing, and will seek its opinion as to whether the processing operation complies with the GDPR.
10. Data protection officer
Sinolink has a designated individual in a senior position who has taken responsibility for data protection compliance. He is Sinolink’s equivalent of a Data Protection Officer (DPO).
Sinolink operates in more than one EU member state; therefore we have determined that, as a mainly UK company with headquarters in London, our lead data protection supervisory authority is the ICO, and we have documented this (the certificate can be provided on request). This information is relevant because we carry out cross-border processing: we have establishments in more than one EU member state, but all significant decisions about Sinolink’s processing activities are made in London.