GENERAL DATA PROTECTION REGULATION (GDPR)
This policy was last updated: (07/03/18)
This policy outlines how Joyful Living Limited handles the data of individuals.
Joyful Living Limited (the “Company”) is committed to maintaining robust privacy protections for its users. We will take the necessary steps to ensure that users’ information is safeguarded and kept in accordance with applicable laws and regulations.
This Policy is designed to help you understand how we collect, use, share and safeguard the information we receive from you, other organisations and clients.
Information provided to us
- From a Data Controller
Data is held on the grounds that we have a contractual obligation to fulfil.
We undertake to protect all personal and sensitive data that is provided to us and in a manner that is consistent with the requirements of the General Data Protection Regulation (GDPR). We will take reasonable measures to ensure the secure storage of all data, see below.
- From clients
All data given by clients is recorded by us in accordance with the client’s preferences and as permitted under the GDPR. Data will be held on one of the following grounds: with a client’s specific consent; where data retention is necessitated by a contractual relationship; or on the grounds of a legitimate business interest.
- Information we get from other sources
From time to time, we may need to obtain information from third parties. This will only apply where it is essential for the provision of our services and as permitted by law. Where applicable we will seek the consent of the client or organisation providing the data.
Use of personal information
As a Data Controller
Your information will be used by us to enable us to provide our services to you. Where we act as a Data Controller of your information, we undertake to protect your personal and sensitive data in a manner that is consistent with the requirements of the GDPR. The six key principles which we must be able to show for compliance relate to:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation; and
- Integrity and confidentiality.
There are wide-ranging obligations on the Data Controller, which include the following:
- Comply with the GDPR
- Demonstrate compliance
- Ensure use of any Data Processors is compliant
- Contractual agreement with Data Processors
- Keep records of processing activities
- Co-operate with the supervisory authority – in the UK this is the ICO
- Ensure technical and organisational measures for security of processing
- Notification and communication of data breaches
We will take reasonable measures to ensure that, when handling your personal information, we adhere to these obligations.
As a Data Processor
Where we act as a Data Processor, we undertake the following obligations in accordance with the GDPR:
- we only act under the documented instructions of the Data Controller;
- we take measures to ensure client confidentiality;
- we will assist with the legal compliance of the Data Controller, and respond to requests from data subjects (as instructed by the Data Controller);
- we will make available all information necessary to demonstrate compliance;
- we take measures to assist the Data Controller with ensuring security of processing; and
- we treat personal data after processing as directed by the Data Controller.
Data Processors are not given permission to use our client data for any purpose that is inconsistent with providing our core services to the client.
We don’t share, sell, or distribute your data to third parties, except as provided in our Privacy Notice. Client data is not used by us for any marketing purpose, except with the express consent of the client.
Your data may be shared with subcontractors working on our behalf, who act on our instruction in relation to the management of your data and must adhere to all data protection laws and regulations.
If it is necessary to share your data with a subcontractor or third party working on our behalf, we will take steps to ensure that they adhere to their obligations and all data protection laws and regulations.
We may disclose personal information if we are required to do so by law, in connection with any legal proceedings, and in order to establish, exercise or defend our legal rights.
We keep all personal information in accordance with our Data Retention Policy, which reflects our need to provide our services to you as contracted and also to meet legal, statutory and regulatory obligations. We will only retain data that is necessary, and this will include data relating to the therapy that we have provided to clients. The need to hold information is regularly reviewed and information/data will be disposed of when no longer required.
All disposal is carried out securely and records will be destroyed so that they are not retrievable.
We regularly review our procedures for secure data storage to ensure that all appropriate measures are considered and adopted where appropriate. In accordance with data protection legislation, paper data records are stored in a locked cabinet and electronic files are stored on our systems, protected by a user’s login and password that is individual to the user.
Any information that you supply to us may be stored and processed by the servers hosting our website. Data will only be transferred outside the EEA in accordance with the relevant data protection laws.
Data Subject Rights
Under the GDPR we have obligations in respect of the following rights of data subjects:
Subject Access Requests
The General Data Protection Regulation (GDPR) gives individuals, known as ‘data subjects’, the right to access personal data that is held by organisations by making a subject access request (SAR). We will endeavour to respond quickly to any such request; the law requires us to respond within one month of receiving the request and any information necessary to deal with it.
Right to Rectification
Data subjects have the right to request that we amend or correct personal information that we hold which is inaccurate or incomplete. We will act on any request without delay.
Right to erasure
Data subjects have the right to ask us, at any time, to delete personal information that we hold about them. Where the conditions for erasure set out in the GDPR are met, we will act on any such request without delay.
Right to restrict processing
Data subjects have the right, in certain circumstances, to ask us to restrict the processing of their personal data, for example while the accuracy of the data is being contested or as an alternative to erasure. We will act on any request without delay.
Right to data portability
Data subjects have the right to obtain the personal data they have provided to us in a structured, commonly used and machine-readable format, and to transmit it to a different service provider. We will act on any request without delay.
Right to object
Data subjects have the right to object at any time, on grounds relating to their particular situation, to processing of their data that is based on our legitimate interests or on a task carried out in the public interest or under official authority. This includes objecting to profiling. Where an objection is raised we will stop the processing unless we can demonstrate compelling legitimate grounds that override the interests of the data subject. We will only process data where we can demonstrate lawful grounds for doing so. We will act on any request without delay.
Right not to be subject to decisions based on automated processing
We do not use any automated processing that results in any automated decision based on a data subject’s personal information.
If you have any concerns about how we handle data, you can contact the Data Controller by writing to us at Joyful Living Limited, 16 Cowden Road, Orpington, Kent BR6 0TR, or by email to email@example.com
We reserve the right to amend this Statement at any time to meet the requirements of the GDPR and our role as either a Data Controller or Data Processor.
You can formally report an issue of concern to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection. See https://ico.org.uk
© 2018 Joyful Living Limited | GDPR Statement