1.1 CyPro Ltd has a commitment to protect all processing of personal data.
1.2 CyPro Ltd has appointed Rob McBride as its designated Data Protection Officer (Controller of Data). The DPO reports directly to CyPro’s Senior Management Board.
2. Notice Dissemination and Enforcement
2.1 CyPro Ltd’s management team are committed to ensuring that all their employees responsible for the processing of personal data are aware of and comply with the contents of this policy. In addition, CyPro Ltd will make sure all Third Parties engaged to process personal data on their behalf (i.e. their own Data Processors) are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to personal data controlled by CyPro Ltd.
3. Data Protection & Privacy by Design
3.1 Under “EU GDPR Article 25”, CyPro Ltd has an obligation to implement technical and organisational measures to show that data protection has been considered and integrated into processing activities. To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes, or when reviewing or expanding existing systems or processes, each new system implementation undergoes an approval process before continuing.
3.2 CyPro Ltd maintains management systems aimed at protecting the personal data it processes, which meet the requirements of Article 42.
4. Data Collection & Sources
4.1 Personal data should be collected only from the data subject unless one of the following applies:
- The nature of the business purpose necessitates collection of the personal data from other persons or bodies.
- Periodic collection must be carried out under emergency circumstances, in order to protect the vital interests of the data subject or to prevent serious loss or injury to another person or CyPro.
4.2 If personal data is collected from someone other than the data subject, the data subject must be informed of the collection unless one of the following applies:
- The data subject has received the required information by other means.
- The information must remain confidential due to a professional secrecy obligation.
- A national law expressly provides for the collection, processing or transfer of the personal data.
Where it has been determined that notification to a data subject is required, notification should occur promptly, but in no case later than one month from the first collection or recording of the personal data, or:
- At the time of first communication with the data subject, if the data is used for communication.
- At the time of disclosure to another recipient, if the data is disclosed.
5.1 Data subjects have the right to be informed about the collection and use of their personal data. Where required by applicable law or contract, or where it considers it reasonably appropriate to do so, CyPro Ltd will provide this information to data subjects.
5.2 When the data subject is asked to give consent to the processing of personal data, and when any personal data is collected from the data subject, all appropriate disclosures will be made in a manner that draws attention to them, unless one of the following applies:
- The data subject already has the information.
- A legal exemption applies to the requirements for disclosure and/or consent.
5.3 These disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the DPO. The associated receipt or form should be retained, along with a record of the facts, date, content and method of disclosure.
6. Data Use & Processing
6.1 CyPro Ltd collects and processes personal data such as a contact name, phone number, business name, email address and small personal identifying data for the following purposes:
- Sales and Marketing account management and communications for existing contacts.
- The ongoing administration and management of customer services.
6.2 CyPro Ltd will process personal data in accordance with all applicable laws and applicable contractual obligations. Specifically, CyPro Ltd will not process personal data unless the data subject has given consent to the processing of his or her personal data for one or more specific purposes, or one of the following applies:
- Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child).
6.3 There are some circumstances in which personal data may be further processed for purposes that go beyond the original purpose for which the personal data was collected. When deciding on the compatibility of the new reason for processing, guidance and approval must be obtained from the DPO before any such processing may commence.
6.4 If consent has not been gained for the specific processing in question, CyPro Ltd will address the following additional conditions to determine fairness and transparency of any processing beyond the original purpose for which the personal data was collected:
- Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.
- The context in which the personal data has been collected, in particular regarding the relationship between data subject and the data controller.
- The nature of the personal data, in particular whether special categories of data are being processed, or whether personal data related to criminal convictions and offences are being processed.
- The possible consequences of the intended further processing for data subjects.
- The existence of appropriate safeguards, which may include encryption or pseudonymisation.
7. Child Data
7.1 Due to the nature of CyPro Ltd as a business, children’s data is not processed.
8. Data Accuracy
8.1 To ensure that the personal data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the data subject, CyPro Ltd shall adopt all necessary measures.
8.2 The measures adopted by CyPro Ltd to ensure data quality include:
- Ensuring personal data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated is corrected, even if the data subject does not request rectification.
- Ensuring personal data is held only for the period necessary to satisfy the permitted uses.
- Ensuring the removal of personal data if in violation of any of the data protection principles or if the personal data is no longer required.
9. Data Retention
9.1 CyPro Ltd will not retain personal data for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
10. Data Security
10.1 CyPro Ltd shall adopt physical, technical and organisational security measures to protect data subjects’ Confidentiality, Integrity and Availability.
10.2 This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks affecting the confidentiality, integrity and availability of the personal data.
10.3 The minimum set of security measures to be adopted is set out in CyPro Ltd’s Information Security Policy and includes the following:
- Prevent unauthorised persons from gaining access to data processing systems in which personal data is processed.
- Prevent persons entitled to use a data processing system from accessing personal data beyond their needs and authorisations.
- Ensure the integrity and confidentiality of personal data in the course of electronic transmission is maintained, meaning that it cannot be read, copied, modified or removed without authorisation.
- Ensure that a system for maintaining accountability is in place. This means access logs are used to establish whether the personal data was entered into, modified or removed from a data processing system and by whom.
- Ensure the availability of personal data is maintained, meaning that it is protected against undesired destruction or loss.
- Ensure that personal data collected for different purposes can be, and is, processed separately.
- Ensure that personal data is not kept longer than necessary.
11. Data Subject Rights
11.1 The DPO will establish a system which will enable the exercise of rights granted to the data subjects, which under the EU GDPR are:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right of data portability.
- The right to object.
- The right in relation to automated decision making and profiling.
11.2 Legal requirements may override the rights granted under the EU GDPR; this shall be taken into consideration when a data subject’s rights are to be exercised.
11.3 Based upon a written subject access request to the DPO by contacting email@example.com and upon a successful confirmation of identity, data subjects are entitled to obtain the following information about their own personal data:
- The purposes of the collection, processing, use and storage of their personal data.
- The sources of the personal data, if it did not come directly from the data subject.
- The categories of personal data stored for the data subject.
- The recipients or categories of recipients to whom the personal data has been or may be transmitted, along with the location of those recipients.
- The predicted period of storage for the personal data or the rationale for determining the storage period.
11.4 The data subject also has a right to:
- Object to processing of their personal data.
- Lodge a complaint with the data protection authority.
- Request rectification or erasure of their personal data.
- Request restriction of processing of their personal data.
11.5 It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as necessary or appropriate to protect that person’s rights.
12. Legitimate Law Enforcement Requests
12.1 In rare circumstances, it is permitted by UK Law that personal data be shared without the knowledge or consent of a data subject. These are the cases where the disclosure of the personal data is necessary for:
- The prevention or detection of crime.
- The apprehension or prosecution of offenders.
- The assessment or collection of a tax or duty.
- Compliance with the order of a court or with any rule of law.
13.1 All CyPro Ltd entities must obtain personal data using only lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned.
13.2 CyPro Ltd is committed to requesting and receiving consent of an individual prior to the collection, use or disclosure of their personal data.
13.3 The DPO, with the cooperation of the business, shall establish a system for obtaining and documenting data subject consent for the collection, processing, and/or transfer of their personal data. The system must include provisions for:
- Ensuring clear disclosures are made around what the data is needed for and how it is going to be used.
- Ensuring the request for consent is presented in a manner which is prominent and separate from any other terms and conditions, is made in an intelligible and easily accessible form and uses clear and plain language.
- Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the consents given.
14. Withdrawal of Consent
14.1 Data subjects have the right to withdraw consent of the processing of their personal data at any time. To request withdrawal of consent, please contact the DPO by email: firstname.lastname@example.org.
15. Data Transfers
15.1 CyPro Ltd may transfer Personal Data to internal or Third-Party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects.
15.2 An approved transfer mechanism must be used when transferring personal data to countries lacking an adequate level of legal protection.
15.3 CyPro Ltd employees may only transfer personal data where one of the transfer scenarios listed below applies:
- The data subject has given consent to the proposed transfer.
- The transfer is necessary for the performance of a contract with the data subject.
- The transfer is necessary for the conclusion or performance of a contract concluded with a Third Party in the interest of the data subject.
- The transfer is legally required on important public interest grounds.
- The transfer is necessary in order to protect the vital interests of the data subject.
15.4 CyPro Ltd shall only transfer personal data to, or allow access by, Third-Parties when assurances are given that the information will be processed legally and fairly and protected according to the GDPR requirements. Before any Third-Party processing, CyPro Ltd will first identify whether, under applicable law, the Third-Party is considered a data controller or a data processor of the personal data being transferred.
15.5 If the Third-Party is deemed to be a data controller, CyPro Ltd will enter into, in cooperation with the DPO, an appropriate agreement with the controller to clarify each party’s responsibilities in respect to the personal data being transferred.
15.6 Where the Third-Party is deemed to be a data processor CyPro Ltd will, in cooperation with the DPO, enter into an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with CyPro Ltd’s instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect the personal data as well as procedures for providing notification of personal data breaches.
15.7 In the event that CyPro Ltd outsources services to a Third-Party, CyPro Ltd will identify whether the Third-Party will process personal data on its behalf and whether the outsourcing will entail any personal data crossing international borders. In either case, it will make sure to include, in cooperation with the DPO, adequate provisions in the outsourcing agreement for such processing.
15.8 The DPO shall conduct regular audits on the processing of personal data performed by Third-Parties, especially with regard to technical and organisational measures they have in place.
16. Internal Transfers
16.1 For CyPro Ltd to carry out its business effectively across its various CyPro Ltd entities, there may be occasions when it is necessary to transfer personal data from one CyPro Ltd entity to another, or to allow access to the personal data from an overseas location. Should this occur, the CyPro Ltd entity sending the personal data remains responsible for ensuring protection of that data.
16.2 When transferring personal data to another CyPro Ltd entity, CyPro Ltd must:
- Ensure that the recipient CyPro Ltd Entity is included on the approved list of CyPro Ltd entities. The approved list is held and maintained by the DPO.
- Only transfer the minimum amount of personal data necessary for the purpose of the transfer (for example, to fulfil a transaction or carry out a particular service).
- Ensure adequate security measures are used to protect the personal data during the transfer (including password protection and encryption, where necessary).
17.1 Data subjects with a complaint in relation to the processing of their personal data should put the matter in writing by emailing the Data Protection Officer: email@example.com.
17.2 A full investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case and in alignment with the CyPro Ltd complaints process.
17.3 The DPO will acknowledge receipt of the complaint in writing and inform the data subject of the progress and outcomes of the complaint within a reasonable period (within 21 days).
18. Reporting a Data Breach
18.1 The EU GDPR introduces a responsibility on all organisations to report certain types of personal data breaches to the supervisory authority for the UK. This is the Information Commissioner’s Office (ICO): https://ico.org.uk/
18.2 A data breach must be reported within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting an individual’s rights and freedoms, organisations must also inform the individuals affected without undue delay.
18.3 CyPro Ltd must also keep a record of any personal data breaches, regardless of whether notification is required.
19. Compliance Monitoring
19.1 To confirm that an acceptable level of compliance is being achieved by all CyPro Ltd entities in relation to this policy, the DPO will carry out an annual Data Protection Compliance Audit for all such entities, including any Third Parties. Each audit should, as a minimum, assess:
- Compliance with this policy in relation to the protection of personal data, including the assignment of responsibilities, raising awareness and training employees.
- The effectiveness of Data Protection related operational practices, including: data subject rights, personal data transfers, personal data incident management, personal data complaints handling, the level of understanding of Data Protection policies and Privacy Notices, the maturity of Data Protection policies and Privacy Notices, the accuracy and necessity of personal data being stored, the conformity of Data Processor activities, and the adequacy of procedures for redressing poor compliance and personal data breaches.
20. Identifying Deficiencies or Non-Compliance with GDPR
20.1 The DPO, in conjunction with key business stakeholders from CyPro Ltd, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any critical deficiencies identified will be reported to and monitored by CyPro Ltd’s Senior Management Board.
20.2 This policy was last reviewed and updated on 30th September 2021.