Blackpool Expo
Data Protection Policy
1. Introduction
Launch North West Ltd are committed to safeguarding any personal data which is stored or processed. We take the privacy and security of such information very seriously. This data protection policy explains which information is collected about you and why, what we do with it and how we handle and store that information.
The policy also outlines our responsibilities under The General Data Protection Regulation (GDPR) and how we will comply with it.
2. Purpose
This policy sets out how Launch North West Ltd will process the personal data of its staff, suppliers and other third parties.
This policy applies to all the personal data Launch North West Ltd process regardless of the format or media on which the data is stored on or who it relates to.
This data protection policy ensures Launch North West Ltd:
- Comply with data protection laws and follow good practice.
- Protects the rights of staff, customers and partners.
- Is transparent about how it stores and processes individuals’ data.
- Protects itself from the risks of a data breach.
3. Scope
This policy applies to all members of staff who are employed by Launch North West Ltd including honorary staff and associates, contractors, or any third parties who carry out work on behalf of Launch North West Ltd involving the handling of personal data.
4. Policy Statements
- Processed in a lawful, fair and transparent manner.
- Collected only for specific, explicit and limited purposes (‘purpose limitation’).
- Adequate, relevant and not excessive (‘data minimisation’).
- Accurate and kept up-to-date where necessary.
- Kept for no longer than necessary (‘retention’).
4.1. Data Protection Principles
There are six data protection principles defined in Article 5 of the GDPR. These require that all personal data be:
- Processed in a lawful, fair and transparent manner.
- Collected only for specific, explicit and limited purposes (‘purpose limitation’).
- Adequate, relevant and not excessive (‘data minimisation’).
- Accurate and kept up-to-date where necessary.
- Kept for no longer than necessary (‘retention’).
- The Data Processing Register will be reviewed at least every 6 months by the Data Protection Officer with the involvement of the Data Governance Group.
- Handled with appropriate security and confidentiality.
We are committed to upholding the Data Protection Principles. All personal data under our control must be processed in accordance with these principles.
4.2. Lawful Processing
- All processing of personal data must meet one of the six lawful bases defined in Article 6(2) of the GDPR:
- Where we have the consent of the data subject
- Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.
- Where necessary to meet a legal obligation.
- Where necessary to fulfil a contract or pre-contractual obligation.
- Where we are protecting someone’s vital interests.
- Where we are fulfilling a public task or acting under official authority.
- Any special category data (sensitive types of personal data as defined in Article 9(1) of the GDPR) must further be processed only in accordance with one of the conditions specified in Article 9(2).
- The most appropriate lawful basis will be noted in the Data Processing Register (see Section 5. Accountability) Version 1.0 26/07/2018 10:11.
- Where processing is based on consent, the data subject has the option to easily withdraw their consent.
- Where electronic direct marketing communications are being sent, the recipient should have the option to opt-out in each communication sent and this choice should be recognised and adhered to by us.
4.3. Consent
We only process personal data on the grounds of one or more of the lawful bases set out in the GDPR. These include the consent of the data subject.
Consent must be freely given, specific, informed and unambiguous.
A data subject should indicate their agreement either by statement or a positive action (double opt in). Assumptions are not to be made given the absence of any express agreement.
Data subjects are able to withdraw their consent at any time. Launch North West Ltd will keep records of all consents to demonstrate compliance with GDPR requirement.
4.4. Accountability
We, as the Data Controller for your data, are responsible for implementing appropriate technical and organisational measures to ensure compliance with the data protection principles listed above.
As part of this responsibility we appoint Jo Leigh to be Launch North West Ltd Data Protection Officer. We will also implement controls to:
- Ensure and document GDPR compliance.
- Train company personnel on the GDPR and our associated policies and procedures.
4.5. Purpose Limitation
Personal data we collect is only for explicit and legitimate purposes. We will not process the data in any manner that is incompatible with these purposes.
If there are any changes to the purposes of data collection and processing, we will inform the data subject of these new purposes and, if necessary, we will request their renewed consent.
4.6. Data Minimisation
The data we collect and process will be limited to what is strictly necessary and relevant for the intended purposes. If and when data is no longer required for these purposes, we will delete or anonymise it in accordance with our data protection procedures.
4.7. Accuracy
We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Any inaccurate or out of date information with be either corrected or deleted in accordance with our data protection procedures.
4.8. Storage Limitation
Unless a longer retention period is required or permitted by law, personal data will not be kept in an identifiable form for any longer than is deemed necessary for the stated purposed for which the data is processed. We will ensure that when personal data is no longer required, it will be deleted or anonymised in accordance with our data protection procedures. We will require third parties to also delete or anonymise data where and when applicable.
4.9. Data Security Integrity And Confidentiality
Launch North West Ltd are committed to taking reasonable and appropriate steps to protect the personal data we hold from misuse, loss or unauthorised access. This is implemented by using a range of technical and organisational measures against unauthorised or unlawful processing, against accidental loss, destruction or damage.
4.10. Personal Data Breaches
In the event of a data breach, Launch North West Ltd will notify the appropriate regulator (unless the breach is unlikely to result in a risk to the right and freedoms of individuals) and in certain instances the data subject. We will also keep records of all personal data breaches.
4.11. Data Subject Rights
Data Subjects are people who Launch North West Ltd hold personal data on. Data subjects have many rights regarding the processing of their personal data. These rights include, but are not limited to the following:
- To withdraw consent to the processing of their data.
- To request access to their personal data the company holds.
- To prevent use of their personal data being used for direct marketing purposes.
- To request deletion of any personal data which is no longer necessary to be stored.
- To have any inaccurate or out of date information corrected.
- To prevent processing of data which could cause damage or distress to the data subject or another.
- To be notified of a data breach which may result in a high risk to their rights and freedoms.
4.12. Record Keeping
By law Launch North West Ltd are required to keep full and accurate records of all our data processing activities. These records include:
- Data subject consents to processing of their personal data.
- The name and contact details of our Data Protection Officer.
- Clear descriptions of types of data we hold and of the types of data subjects whose date we hold.
- The purposes of our data processing.
- The categories of recipients to whom the personal data has or will be disclosed to.
- Details of any third party recipients of personal data.
- Where possible the envisaged time limits for deletion of different categories of data.
- Where possible a description of the security measures in place.
4.13. Direct Marketing
Launch North West Ltd are subject to rules and privacy laws when marketing to our customers. We will only market to our customer who have consented for such communications via emails, text or automated calls. If or when a customer opts out or un-subscribes, we will no longer send marketing communications to them.
4.14. Personal Information Access And Disclosure
Launch North West Ltd will only disclose personal information to third parties under the following circumstances:
- If we use third party vendors, lawyers and service providers to assist in us meeting the business or operating needs. These service providers may only access, process or store personal information pursuant to our instructions and to perform their duties to us and in accordance with applicable laws and regulations.
- When we have your explicit consent to share your personal information.
- If we determine that the disclosure is required to protect the rights, property, or personal safety of Launch North West Ltd and its customers, or to respond to lawful subpoenas, warrants, or requests by public or regulatory authorities including requites by law enforcement authorities.
- In the event where we sell some or all of our business assets, we may disclose your personal information to the prospective seller or buyer of such business assets and if the transaction closes, your personal information may be transferred to the buyer.
- There exists a GDPR compliant contract between both parties.
- The third party has agreed to comply with the necessary data security standards and procedures.
- The transfer of data complies with cross-country transfer restrictions.
We will only share personal data with other employees or agents of the company if the recipient requires this data in order to fulfil their role.
5. Policy Review
As part of the Information Security Management System, this policy will be reviewed on a continual basis by Launch North West Ltd Management team. This policy will also be reviewed as part of the biennial review of the ISMS.