The General Data Protection Regulation (GDPR) is a legal framework for data protection which came into force on 25 May 2018.
This framework applies to all organisations, regardless of whether it is established within or outside of the European Union if the organisation processes personal information or possesses personal information of data subjects residing in the EU.
Processing of Personal information
We will process your personal information where there is one or more lawful bases to do so under the GDPR, where:
- you have given your consent for the processing of your personal information;
- necessary for the performance of a contract you have entered into with us or to take specific steps at your request prior to entering into the contract;
- it is necessary to comply with our legal or regulatory obligations;
- necessary to protect the vital interests of a natural person, whether you or another person;
- necessary for the performance of a task carried out in the public interest or exercise of official authority on our part;
- necessary for the purposes of our legitimate interests or another natural person’s legitimate interests.
Subject to any exceptions under the GDPR, you have the following rights:
Right to access
You have the right to request confirmation whether we process your personal information, a copy of the personal information, and any supplementary information provided for under the GDPR.
Right to rectification
You have the right to require us to rectify any incomplete or inaccurate personal information.
Right to erasure
You have the right to request that we delete personal information we process about you if one of the bases provided under the GDPR applies.
Right to restrict processing
You have the right to restrict our processing of your personal information in certain circumstances e.g the accuracy of your personal information is disputed, where the processing is not lawful under the GDPR, or we no longer need your personal information for processing, but you require the personal information to establish, exercise or defend a legal claim.
Right to object
You have the right to object to our processing of your personal information where such personal information is being processed by us for the performance of a task carried out in the public interest, or in the exercise of official authority on our part, or for the purposes of the legitimate interests pursued by us. Additionally, you have the right at any time to object to our processing of your personal information for direct marketing or for scientific or historical research purposes or statistical purposes.
What we may need from you and response time
We may need to request specific information from you to help us confirm you identity and ensure your right to access your personal information (or to exercise of any of your other rights). We will process your requests to access, rectify, or erase your personal information, or any requests to vary or withdraw your consent a within a reasonable period of time from when the request was made. However, if your request is complex or you have made a number of requests, it may take a longer time. Erasure or withdrawal may materially affect our ability to provide services to you. We will notify you of any impact before processing your request.
We will implement appropriate technical and organizational measures to prevent the accidental or unlawful destruction, loss, alternation, unauthorised disclosure of, or access to the personal information transmitted, stored or processed by us. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We may transfer your personal information to third parties or international organisations where we have obtained your consent to do so and where the recipient organisation has provided appropriate safeguards e.g data protection clauses.
Retention of Records
Any personal information in our possession or under control will be destroyed and/or anonymised when:
- the purpose for which the personal information was collected is no longer served by the retention of such personal information; or
- the retention is no longer necessary for any legal, regulatory, or business purposes.
Notification of breach
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Last updated 1 December 2021