1.1 CyPro Ltd has a commitment to protect all processing of personal data.
1.2 CyPro Ltd have appointed Rob McBride as their designated Data Protection Officer (Controller of Data). The DPO reports directly to CyPro’s Senior Management Board.
2.1 CyPro Ltd’s management team are committed to ensuring that all their employees responsible for the processing of personal data are aware of and comply with the contents of this policy. In addition, CyPro Ltd will make sure all Third Parties engaged to process personal data on their behalf (i.e. their own Data Processors) are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to personal data controlled by CyPro Ltd.
3.1 Under “EU GDPR Article 25”, CyPro Ltd have an obligation to implement technical and organisational measures to show that data protection has been considered and integrated into processing activities. To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes, or when reviewing or expanding existing systems or processes, each new system implementation undergoes an approval process before continuing.
3.2 CyPro Ltd maintain management systems, aimed at protecting the personal data processed, which meet Article 42 requirements.
4.1 Personal data should be collected only from the data subject unless one of the following applies:
4.2 If personal data is collected from someone other than the data subject, the data subject must be informed of the collection unless one of the following applies:
5.1 Data subjects have the right to be informed about the collection and use of their personal data. When required by applicable law or contract, or where it considers that it is reasonably appropriate to do so, CyPro Ltd will provide this information to data subjects.
5.2 When the data subject is asked to give consent to the processing of personal data and when any personal data is collected from the data subject, all appropriate disclosures will be made in a manner that draws attention to them, unless one of the following applies:
5.3 These disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the DPO. The associated receipt or form should be retained, along with a record of the facts, date, content and method of disclosure.
6.1 CyPro Ltd collects and processes personal data such as a contact name, phone number, business name, email address and small personal identifying data for the following purposes:
6.2 CyPro Ltd will process personal data in accordance with all applicable laws and applicable contractual obligations. Specifically, CyPro Ltd will not process personal data unless the data subject has given consent to the processing of his or her personal data for one or more specific purposes:
6.3 There are some circumstances in which personal data may be further processed for purposes that go beyond the original purpose for which the personal data was collected. When deciding as to the compatibility of the new reason for processing, guidance and approval must be obtained from the DPO before any such processing may commence.
6.4 If consent has not been gained for the specific processing in question, CyPro Ltd will address the following additional conditions to determine fairness and transparency of any processing beyond the original purpose for which the personal data was collected:
7.1 Due to the nature of CyPro Ltd as a business, children’s data is not processed.
8.1 To ensure that the personal data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the data subject, CyPro Ltd shall adopt all necessary measures.
8.2 The measures adopted by CyPro Ltd to ensure data quality include:
9.1 CyPro Ltd will not retain personal data for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
10.1 CyPro Ltd shall adopt physical, technical and organisational security measures to protect data subjects’ Confidentiality, Integrity and Availability.
10.2 This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks affecting the confidentiality, integrity and availability of the personal data.
10.3 The minimum set of security measures to be adopted is set out in CyPro Ltd’s Information Security Policy and includes the following:
11.1 The DPO will establish a system which will enable the exercise of rights granted to the data subjects, which under the EU GDPR are:
11.2 Legal requirements may override the rights granted under the EU GDPR; this shall be taken into consideration if a data subject’s rights are to be exercised.
11.3 Based upon a written subject access request to the DPO by contacting hello@cypro.co.uk and upon a successful confirmation of identity, data subjects are entitled to obtain the following information about their own personal data:
11.4 The person subject to Data Subject Review has a right to:
11.5 It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as necessary or appropriate to protect that person’s rights.
12.1 In rare circumstances, it is permitted by UK law that personal data be shared without the knowledge or consent of a data subject. These are the cases where the disclosure of the personal data is necessary for:
13.1 All CyPro Ltd entities must obtain personal data using only lawful and fair means where appropriate with the knowledge and consent of the individual concerned.
13.2 CyPro Ltd is committed to requesting and receiving consent of an individual prior to the collection, use or disclosure of their personal data.
13.3 The DPO, with the cooperation of the business, shall establish a system for obtaining and documenting data subject consent for the collection, processing, and/or transfer of their personal data. The system must include provisions for:
14.1 Data subjects have the right to withdraw consent to the processing of their personal data at any time. To request withdrawal of consent, please contact the DPO by email: hello@cypro.co.uk.
15.1 CyPro Ltd may transfer Personal Data to internal or Third-Party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects.
15.2 An approved transfer mechanism is complied with when transferring to countries lacking an adequate level of legal protection.
15.3 CyPro Ltd employees may only transfer personal data where one of the transfer scenarios listed below applies:
15.4 CyPro Ltd shall only transfer personal data to, or allow access by, Third-Parties when assurances are given that the information will be processed legally and fairly and protected according to the GDPR requirements. Pertaining to Third-Party processing, CyPro Ltd will first identify if, under applicable law, the Third-Party is considered a data controller, or a data processor of the personal data being transferred.
15.5 If the Third-Party is deemed to be a data controller, CyPro Ltd will enter into, in cooperation with the DPO, an appropriate agreement with the controller to clarify each party’s responsibilities in respect to the personal data being transferred.
15.6 Where the Third-Party is deemed to be a data processor CyPro Ltd will, in cooperation with the DPO, enter into an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with CyPro Ltd’s instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect the personal data as well as procedures for providing notification of personal data breaches.
15.7 In the event that CyPro Ltd outsources services to a Third-Party, CyPro Ltd will identify whether the Third-Party will process personal data on its behalf and whether the outsourcing will entail any personal data crossing international borders. In either case, it will make sure to include, in cooperation with the DPO, adequate provisions in the outsourcing agreement for such processing.
15.8 The DPO shall conduct regular audits on the processing of personal data performed by Third-Parties, especially with regard to technical and organisational measures they have in place.
16.1 For CyPro Ltd to carry out its business effectively across its various CyPro Ltd entities, there may be occasions when it is necessary to transfer personal data from one CyPro Ltd entity to another, or to allow access to the personal data from an overseas location. Should this occur, the CyPro Ltd entity sending the personal data remains responsible for ensuring protection of that data.
16.2 When transferring personal data to another CyPro Ltd entity, CyPro Ltd must:
17.1 Data subjects with a complaint in relation to the processing of their personal data should put the matter in writing by emailing the Data Protection Officer: hello@cypro.co.uk.
17.2 A full investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case and in alignment with the CyPro Ltd complaints process.
17.3 The DPO will acknowledge receipt of the complaint in writing and inform the data subject of the progress and outcomes of the complaint within a reasonable period (within 21 days).
18.1 The EU GDPR introduces a responsibility on all organisations to report certain types of personal data breaches to the supervisory authority for the UK. This is the Information Commissioner’s Office (ICO): https://ico.org.uk/
18.2 A data breach must be reported within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting an individual’s rights and freedoms, organisations must also inform the individuals affected without undue delay.
18.3 CyPro Ltd must also keep a record of any personal data breaches, regardless of whether notification is required.
19.1 To confirm that an acceptable level of compliance is being achieved by all CyPro Ltd entities in relation to this policy, the DPO will carry out an annual Data Protection Compliance Audit for all such entities, including any Third Parties. Each audit should, as a minimum, assess:
20.1 The DPO, in conjunction with key business stakeholders from CyPro Ltd, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable timeframe. Any critical deficiencies identified will be reported to and monitored by CyPro Ltd’s Senior Management Board.
20.2 This policy was last reviewed and updated on 30th September 2021.