General Data Protection Regulation (GDPR) Policy & Procedure
This document sets out the details and requirements of the General Data Protection Regulation and how we as a company will comply with it in the collation, storage, access and supply of personal data, including the handling of data and subject access requests (SARs).
The Open World Technology Group Ltd. (hereinafter referred to as the “Company”) sets out below the process for individuals to use when making a data or access request, along with the protocols followed by the Company when such requests are received.
The Company needs to collect personal information to effectively and compliantly carry out our everyday business functions and services and, in some circumstances, to comply with the requirements of the law and/or regulations.
As the Company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the GDPR and its principles.
1.1 The General Data Protection Regulation
The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data. The GDPR is a standardised regulatory framework which ensures that personal information is obtained, handled and disposed of properly.
As the Company is obligated under the GDPR and EU data protection laws, we abide by the Regulation’s principles, which require that personal information shall be:
A. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
B. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
C. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
D. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
E. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
F. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Regulation also requires that ‘the controller shall be responsible for, and be able to demonstrate compliance with’ these principles (‘accountability’). The Company has adequate and effective measures, controls and procedures in place that protect and secure personal information and ensure that it is only ever obtained, processed and disclosed in accordance with the relevant data protection laws and regulations.
2. What is personal information?
Information protected under the GDPR is known as “personal data” and is defined as:
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Further information on what constitutes personal information and your rights under the data protection regulation and laws can be found on the Data Protection Commissioner website: dataprotection.ie.
3. The right of access
Under Article 15 of the GDPR, an individual has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to that personal data. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information. Where requested, we will also provide the following information:
• the purposes of the processing
• the categories of personal data
• the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
• where the personal data has been or will be transferred to a third country or international organisation, the appropriate safeguards relating to the transfer
• the envisaged period for which the personal data will be stored, or the criteria used to determine that period
• where the personal data was not collected directly from the individual, any available information as to its source
3.1 How to make a Subject Access Request (SAR)
A subject access request (SAR) is a request for access to the personal information that the Company holds about individuals, which we are required to provide under the GDPR (unless an exemption applies). The information that we provide is covered in section 3 of this document. This request can be made in writing using the details provided in section 7, or can be submitted electronically. Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).
3.2 What we do when we receive an access request
Subject Access Requests (SARs) are passed to the Data Protection Officer as soon as they are received and a record of the request is made. The person handling the request will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services.
We use the information supplied with the request to verify the requester’s identity. Where we are unable to do so, we may contact the requester for further information or request further evidence of identity before actioning the request. This is to protect the information and rights of all individuals.
If enough information is provided in the SAR to locate the personal information held, we gather all documents relating to the request and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate the records, we may contact the requester for further details. This is done as soon as possible and within the timeframes set out below.
Once we have collated all the personal information held, we send it to the requester in writing (or in a commonly used electronic form if requested). The information is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
SARs are completed without undue delay and in any event within one month of receipt of the request. Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.
The Company will aim to provide the requested information as early as possible, and at the latest within one month of the date the request is received. Where a request is particularly complex, or where we have received a number of requests from the same individual, this period may be extended by up to two further months. If this is the case, we will write to the requester within one month of receipt to inform them of the extension and the reasons for it.
5. Individual additional rights
5.1 The right to be informed
The Company shall ensure that the following information is provided to every data subject when personal data is collected:
A. Details of the Company including, but not limited to, the identity of its Data Protection Officer;
B. The purpose for which the personal data is being collected and will be processed and the legal basis justifying that collection and processing;
C. Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;
D. Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
E. Where the personal data is to be transferred to one or more third parties, details of those parties;
F. Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer;
G. Details of the length of time the personal data will be held by the Company (or, where there is no predetermined period, details of how that length of time will be determined);
H. Details of the data subject’s rights under the Regulation;
I. Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;
J. Details of the data subject’s right to complain to the Office of the Data Protection Commissioner;
K. Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it;
L. Details of any automated decision-making, including profiling, used by the Company (the Company does not use automated decision-making, including profiling).
5.1.1 The information set out above in section 5.1 shall be provided to the data subject at the following applicable time:
5.1.2 Where the personal data is obtained from the data subject directly, at the time of collection;
5.1.3 Where the personal data is not obtained from the data subject directly (i.e. from another party):
A. If the personal data is used to communicate with the data subject, at the time of the first communication; or
B. If the personal data is to be disclosed to another party, before the personal data is disclosed; or
C. In any event, not more than one month after the time at which the Company obtains the personal data.
5.2 The right to erasure
In specific circumstances, data subjects have the right to request that their personal data is erased; however, the Company recognises that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies:
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
• When the individual withdraws consent
• When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
• The personal data was unlawfully processed
• The personal data must be erased in order to comply with a legal obligation
Where one of the above conditions applies and the Company receives a request to erase data, we first ensure that no other legal obligation or legitimate interest applies. If we are satisfied that the data subject has the right to have their data erased, the erasure is carried out by the Data Protection Officer, who confirms that all data relating to that individual has been erased.
These measures enable us to comply with a data subject’s right to erasure, whereby an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. Whilst our standard procedures already remove data that is no longer necessary, we still ensure that all rights are complied with and that no data has been retained for longer than is needed.
Where we receive a request from a data subject to erase and/or remove their personal information, the following process is followed:
1. The request is allocated to the Data Protection Officer (DPO) and recorded
2. The DPO locates all personal information relating to the data subject and reviews it to establish whether it is still being processed and whether it is still necessary for the legal basis and purpose for which it was originally collected
3. The request is reviewed to ensure it complies with one or more of the grounds for erasure:
A. the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
B. the data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing
C. the data subject objects to the processing and there are no overriding legitimate grounds for the processing
D. the personal data has been unlawfully processed
E. the personal data must be erased for compliance with a legal obligation
4. If the erasure request complies with one of the above grounds, it is erased within one month of the request being received (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension.)
5. The DPO writes to the data subject and notifies them in writing that the right to erasure has been granted, providing details of the information erased and the date of erasure
6. Where the Company has made any of the personal data public and erasure is granted, we will take every reasonable step and measure to remove public references, links and copies of the data, and to contact related controllers and/or processors and inform them of the data subject’s request to erase such personal data
If for any reason we are unable to act in response to a request for erasure, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to seek a judicial remedy. Grounds on which we may refuse to erase data include:
A. where the personal data is required for the establishment, exercise or defence of legal claims.
Individuals can use the contact details in section 7 to make erasure requests.
5.3 The right to rectification
• If a data subject informs the Company that personal data held by the Company is inaccurate or incomplete and requests that it be rectified, the personal data in question shall be rectified without undue delay, and the data subject informed of that rectification, within one month of receipt of the data subject’s notice (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).
• In the event that any affected personal data has been lawfully disclosed to third parties, those parties shall be informed of the rectification of that personal data and the data subject notified that this has been done.
• If for any reason we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to the data subject and inform them of their right to complain to the Supervisory Authority and to seek a judicial remedy. Individuals can use the contact details in section 7 to make such requests.
5.4 The right to restrict processing
In certain circumstances (for example, while the accuracy of the personal data is being contested, or while an objection to processing is being considered), individuals also have the right to request that the Company restrict the processing of their personal data. Individuals can use the contact details in section 7 to make such requests.
5.5 The right to data portability
• Where the Company processes personal data by automated means on the basis of the data subject’s consent, or because the processing is necessary for the performance of a contract between the Company and the data subject, the data subject has the legal right under the Regulation to receive a copy of their personal data in a structured, commonly used and machine-readable format and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organisations).
• To facilitate the right of data portability, the Company shall make all applicable personal data available to data subjects.
• Where technically feasible, if requested by a data subject, personal data shall be sent directly to another data controller.
• All requests for copies of personal data shall be complied with within one month of the data subject’s request (this can be extended by up to two months in the case of complex or numerous requests, and in such cases the data subject shall be informed of the need for the extension).
Individuals can use the contact details in section 7 to make such requests.
5.6 The right to object
Data subjects have the right to object to the Company processing their personal data on the basis of legitimate interests. Where a data subject objects to such processing, the Company shall cease it forthwith, unless it can be demonstrated that the Company’s legitimate grounds for the processing override the data subject’s interests, rights and freedoms, or that the processing is necessary for the establishment, exercise or defence of legal claims. Individuals can use the contact details in section 7 to make such requests.
6. Exemptions and refusals
The GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to the requester’s subject access request, or where the Company otherwise does not act upon the request, we shall inform the requester without undue delay and at the latest within one month of receipt of the request.
Where possible, we will provide the requester with the reasons for not acting, and inform them of the possibility of lodging a complaint with the Supervisory Authority and of their right to seek a judicial remedy. Details of how to contact the Supervisory Authority are laid out in section 7 of this document.
7. Submission and lodging a complaint
To submit a Data or Subject Access Request (using the form in Appendix 1), individuals can contact us at email@example.com
Individuals can also submit a request in writing, sending the request to:
Data Protection Officer:
The Open World Technology Group Limited (TOWTG Ltd.), 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
If individuals are unsatisfied with our actions or wish to make an internal complaint, they can contact us in writing at:
Data Protection Officer, The Open World Technology Group Limited (TOWTG Ltd.), 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
7.1 Supervisory authority
If individuals remain dissatisfied with our actions, they have the right to complain to their local Data Protection Authority; a full list can be found at: ec.europa.eu/justice/dataprotection/article29/structure/data-protectionauthorities/index_en.
8. Data and/or subject access request form