1. Scope

All processing of information about data subjects within or by Helpdesq is within the scope of this procedure.


2. Responsibilities

2.1 The Data Protection Officer / GDPR Owner is responsible for ensuring that the Fair Processing Notice is correct and that mechanisms exist for making all data subjects aware of the contents of this notice prior to Helpdesq commencing collection of the data.

2.2 All staff who may need to collect personal data are required to follow this procedure.


3. Procedure

3.1. Those responsible for processing personal data may only do so where this activity has been authorised by the Data Protection Officer / GDPR Owner.

3.2. Data subjects must be informed, prior to the collection of data, of the following information:

3.2.1. The identity of Helpdesq (name & contact details);

3.2.2. The purposes for which personal information will be processed;

3.2.3. How long the personal data will be stored, or the criteria under which it is stored;

3.2.4. A description of how (if at all) this information will be disclosed to third parties;

3.2.5. Information about the individual’s rights relating to their personal data, including the right of access to personal information, the right to withdraw consent, the right to rectify personal data, the right to have personal data erased, the right to restrict processing, and the right to lodge a complaint with the supervisory authority (the ICO);

3.2.6. Whether personal information is transferred outside the European Union, and whether the destination has been the subject of an adequacy decision or a reference to the safeguards in place;

3.2.7. Details of any automated processing, such as profiling, that will be performed on the personal data supplied;

3.2.8. Whether the personal data must be supplied to fulfil or enter into a contract, as well as whether there are any possible consequences of failing to provide personal data;

3.2.9. Any other information that would make the processing fair.

3.3. All such information provided to data subjects is in clear, plain language.

3.4. This information is contained in the Toolkit Ref 13_Fair Processing Notice issued to all data subjects before Helpdesq processes their data.

3.5. Where personal information is collected for marketing purposes or might be used in the future for marketing purposes, the Toolkit Ref 13_Fair Processing Notice shall include the following statement:

‘Marketing use:

Your personal information may be used for marketing purposes. You do not have to agree to this. If you object to the use of your personal data for this purpose, please email role@organisation.com and ask for removal of your details. All our electronic marketing material carries an unsubscribe option, so you can also unsubscribe at any time.’

3.6. Where Helpdesq is collecting personal data for marketing purposes and has sought the specific consent of the data subject to this purpose, the Fair Processing Notice must carry the following clause:

‘Explicit consent to marketing use: you have given Helpdesq explicit consent to use your personal information for marketing purposes. You may withdraw this consent at any time, simply by emailing name@organisation.com. We will immediately withdraw your name from our marketing lists.’

3.7. The Data Protection Officer / GDPR Owner shall put in place procedures so that, where processing has been based upon consent and that consent is withdrawn, the withdrawal is recorded and processing based on that consent ceases.

3.8. The Data Protection Officer / GDPR Owner is responsible for monitoring all requests for removal or withdrawal of consent, maintains a register of all such requests, and ensures that all removals are completed within 24 hours.

3.9. The Data Protection Officer / GDPR Owner is responsible for ensuring that, where other sectoral requirements or legislation require explicit consent for marketing, the Fair Processing Notice shall contain procedures for collecting this consent.

3.10. Where sensitive personal information is being collected for a particular purpose(s), the Data Protection Officer / GDPR Owner shall ensure that the Fair Processing Notice explicitly states the purpose(s) for which sensitive personal information is or might be used.

3.11. Where data processing relates to a child (16 years or younger) the Data Protection Officer / GDPR Owner shall ensure Helpdesq has obtained and recorded consent provided by the holder of parental responsibility over the child.

3.12. The Data Protection Officer / GDPR Owner is responsible for ensuring that all new data collection methods are reviewed and signed off to ensure that such methods can be demonstrated as compliant with data protection legislation and good practice.

3.13. Specified Purposes

3.13.1. Personal data may only be processed for the purpose for which it was originally collected. All requests for changes to the use of personal data must be put in writing, in plain language that is clear and concise, setting out the original purpose, the proposed new or additional purpose and the reason for the change.

The request must be approved by the Data Protection Officer / GDPR Owner, who is also responsible for determining if additional consent must be sought from the data subject. Where additional consent is required, the Data Protection Officer / GDPR Owner will determine the form that this consent must take and the process to be followed by Helpdesq in informing the data subject about the new purpose and obtaining the data subject’s consequent consent. Where a relevant exemption applies, the Data Protection Officer / GDPR Owner will identify this exemption in the authorisation to process.

In all cases, the Data Protection Officer / GDPR Owner is responsible for amending the H116_Helpdesq Data Mapping Privacy Impact Assessment Against GDPR Principles.xlsx with details of the new purpose, cross-referenced to the Authorisation to Process.


3.14. Data Sharing

3.14.1. The Data Protection Officer / GDPR Owner is responsible for ensuring that, where personal data is to be shared with a third-party organisation, this sharing is compatible with Helpdesq’s notification to the ICO and with the terms contained in its Fair Processing Notice.

3.14.2. The Data Protection Officer / GDPR Owner is responsible for ensuring, where information is to be shared with a third party, that this sharing is compatible with the Fair Processing Notice previously made available to the data subject and with any consent given by the data subject, and that a written agreement is drafted by Helpdesq’s legal advisers and entered into by the third party, and that this agreement:

3.14.2.1. Describes both the purposes for which the information may be used and any limitations or restrictions on the further use of the personal information for other purposes.

3.14.2.2. Includes an undertaking from the third party or other evidence of its commitment to processing the information in a manner which will not contravene the DPA.

3.14.2.3. Where the law allows data to be shared without the data subject’s consent, the agreement contains specific safeguards/controls to protect the personal information in the context of the GDPR.

3.14.3. The Data Protection Officer / GDPR Owner is responsible for ensuring, where data collected by Helpdesq is matched with other data to create data profiles, that these profiles are only used within the context of its notification to the ICO and within what the data subject has consented to.