Data Protection Policy
Privacy
Introduction
Aros acknowledges that everyone has rights with regard to the way in which their personal data is handled.
Aros will collect, store and process personal data about its employees (past, present and prospective), clients, suppliers and other third parties in accordance with our statutory obligations, including the General Data Protection Regulation 2016 (GDPR).
Data users (see Definition of Data Protection Terms) are obliged to comply with this policy when processing personal data on Aros’ behalf. Any breach of this policy may result in disciplinary action.
Aros, as a data controller, is registered with the Information Commissioner’s Office (ICO), registration number ZA284823.
About This Policy
This policy applies to all individuals working for Aros at all levels, including directors, senior managers, staff, consultants, agency staff, agents or any other person associated with us wherever located.
The types of personal data that Aros may be required to handle include information about current, past and prospective employees, clients, suppliers, users of its website and others that Aros communicates with.
The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the General Data Protection Regulation 2016 (GDPR) and other regulations.
It is Aros’ policy to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times.
This policy and any other documents referred to in it set out the basis on which Aros will process any personal data it collects from data subjects, or that is provided to Aros by data subjects or other sources. It also sets out rules on data protection and the legal conditions that must be satisfied when Aros obtains, handles, processes, transfers and stores personal data.
Anyone processing personal data on behalf of Aros must only do so as instructed and in accordance with this policy and any other policy or procedure designed to ensure our compliance with our legal obligations.
Definition of Data Protection Terms
Data is the information which is stored electronically, on a computer or in certain paper-based filing systems.
Data Subjects for the purpose of this policy include all living individuals about whom Aros holds personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information. In Aros, data subjects include current, past and prospective employees, suppliers, contractors and clients.
Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in Aros’ possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions or behaviour.
Data Controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with regulation. Aros is the data controller of all personal data used in its business for its own commercial purposes.
Data Users are those Aros employees whose work involves handling (‘processing’ in Data Protection terms) personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times. Data users are likely to include people in ‘Administration’ roles (including studio management, finance, senior management and Directors).
Data Processors include any person or organisation that is not a data user that processes personal data on Aros’ behalf and on Aros’ instructions, e.g. IT support, pensions, accountants and health insurance brokers.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive Personal Data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any such court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.
Our Principles
Anyone processing personal data must comply with Article 5 of the GDPR, which requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
- The controller shall be responsible for, and be able to demonstrate, compliance with the principles (‘accountability’)
Aros must ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.
Addressing Compliance to the GDPR
The following actions are undertaken to ensure that Aros complies at all times with the accountability principle of the GDPR:
- The legal basis for processing personal data is clear and unambiguous
- All staff involved in handling personal data (data users) understand their responsibilities for following good data protection practice
- Training in data protection has been provided to all staff as necessary
- Rules regarding consent are followed
- Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
- Regular reviews of procedures involving personal data are carried out
- Privacy by design is adopted for all new or changed systems and processes
These actions will be reviewed on a regular basis as part of the management review process of the information security management system.
Legal Basis for Processing Personal Data
Under the GDPR there are six legal bases for processing personal data:
- For the performance of a contract – the processing is necessary for a contract you have with Aros.
- Compliance with a legal obligation – the processing is necessary for Aros to comply with the law (not including contractual obligations).
- Legitimate business interests – the processing is necessary for Aros’ legitimate business interests or the legitimate interests of a third party, i.e. data necessary to manage HR-related activities designed to ensure the continuity, growth and long-term success of the organisation, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
- Vital interests – the processing is necessary to protect someone’s life i.e. emergency contact details.
- Public interest – the processing is carried out in the public interest, i.e. is necessary for Aros to perform a task in the public interests or for Aros’ official functions and the task or function has a clear basis in law.
- Consent – the processing is necessary for a contract Aros has with the individual.
Aros will only process personal data for the specific purposes notified to the data subject when the data is first collected or for any other purposes specifically permitted by the regulation as above.
Aros will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
Aros will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
Aros will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
Confidentiality – means that only people who are authorised to use the data can access it
Integrity – means that the personal data should be accurate and suitable for the purpose for which it is processed
Availability – means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Aros’ computer network with appropriate access permissions set. No personal information is to be stored on individual PC hard drives (see also Aros IT Use Policy).
All of Aros’ data is stored on secure servers both locally and backed up remotely in an ISO27001 compliant Tier 3 datacentre in the UK.
Consent
Unless it is necessary for a reason allowable in the GDPR, explicit consent must be obtained from a data subject to collect and process their data. In case of children below the age of 16 parental consent must be obtained. Transparent information about our usage of their personal data must be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.
If the personal data are not obtained directly from the data subject then this information must be provided within a reasonable period after the data are obtained and definitely within one month.
The data subject also has rights under the GDPR. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Each of these rights must be supported by appropriate procedures within Aros that allow the required action to be taken within the timescales stated in the GDPR.
These timescales are shown in Table 1.
| Data Subject Request | Timescale |
| --- | --- |
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right to rectification | One month |
| The right to erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of objection |
| Rights in relation to automated decision making and profiling | Not specified |
Table 1 – Timescales for data subject requests
In order to comply with the requirement that personal data is kept for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’) Aros will retain personal data in line with its Data Retention Policy.
At the end of the relevant periods your personal data will be deleted or destroyed.
Privacy by Design
Aros has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more Privacy Impact Assessments (PIA).
Transfer of Personal Data
Transfers of personal data outside the European Union must be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time.
It is Aros’ policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours. This will be managed in accordance with our Data Breach Policy and Procedure document which sets out the overall process of handling information security incidents.
Under the GDPR the relevant DPA has the authority to impose a range of fines of up to four percent of annual worldwide turnover or twenty million Euros, whichever is the higher, for infringements of the regulations.
Our Website
You can visit our website without providing any personal information; however, we may automatically collect IP addresses, information about your visit and how you use our website.
You may provide us with information by corresponding with us by phone, email, or otherwise as indicated on the website.
Aros may amend this Data Protection Policy from time to time, for example, to keep it up to date or to comply with legal requirements.
For further information on Aros’ privacy and data protection policies please contact dataprotection@arosarchitects.com
Version
V1 – 01.05.18