Data protection policy
Sorted takes the management of data protection law and associated obligations very seriously. This policy sets out how Sorted manages those responsibilities. However, this policy is neither an exhaustive statement of data protection law nor of our (or your) responsibilities in relation to data protection.
If at any time you have any queries on this policy, your responsibilities or any aspect of data protection law, contact: firstname.lastname@example.org
Sorted acts both as a controller and a processor (for customer-provided data). As such it obtains, uses, stores and otherwise processes company confidential and personal data relating to potential staff (applicants), current staff, former staff, contractors, website visitors, SaaS product users, sales contacts and data provided by customers pursuant to fulfilling the functions of the contracted SaaS services, collectively referred to in this policy as data subjects.
When processing personal data on behalf of customers, this data may be subject to the UK GDPR or the EU GDPR (depending on where the customer and its own customers are located). Currently the obligations under the UK GDPR and EU GDPR are very similar, and therefore the provisions of this policy should be taken as applying to all personal data Sorted handles.
When processing data, Sorted is obliged to fulfil data subjects’ reasonable expectations of privacy by complying with the UK GDPR, the EU GDPR (where applicable), other relevant data protection legislation and our contractual obligations concerning data protection (data protection law).
This policy therefore seeks to ensure that we:
- 1. are clear about how personal data must be processed and Sorted’s expectations for all those who process personal data on its behalf
- 2. comply with the data protection law and with good practice
- 3. protect Sorted’s and customers’ reputation by ensuring the data entrusted to us is processed in accordance with contract and data subjects’ rights
- 4. protect Sorted from risks of personal data breaches and other breaches of data protection law
This policy applies to all personal data we process regardless of the location where that data is stored and regardless of the data subject. All staff and others processing personal data on Sorted’s behalf must read it. A failure to comply with this policy may result in disciplinary or other legal action.
All staff managers are responsible for ensuring that all Sorted staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
The Information Security Manager or their designate is responsible for overseeing this policy.
Data Subject Protection Principles
When you process data, you should be guided by the following principles, which are set out in the UK GDPR (and EU GDPR). Sorted is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below:
Those principles require personal data to be:
- 1. processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
- 2. collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation)
- 3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation)
- 4. accurate and where necessary kept up to date (accuracy)
- 5. not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (storage limitation)
- 6. processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (security, integrity and confidentiality)
What is Personal Data?
Personal data is information which relates to an identified or identifiable individual (where the individual’s identity is known or could be found out). This includes, for example:
- 1. An individual’s name, job title and contact details (for example, postal addresses, telephone numbers and email addresses)
- 2. Biographical information about an individual
- 3. Records of an individual’s behaviour (for example, whilst browsing a website or information relating to purchases that an individual has made at a customer’s website)
- 4. Technical information about a user’s connection or device (for example, IP addresses and information obtained through device fingerprinting)
- 5. An expression of opinion about an individual
- 6. A record of Sorted’s intentions towards the individual (for instance, how a complaint by that individual will be dealt with)
- 7. Information which affects an individual’s privacy, whether in their personal, family, organisation or a professional capacity
Information about companies or other legal entities is not personal data. Where an individual’s name is used in a purely incidental manner – for example, an email is sent or copied to John.Smith@company.com, but the email relates only to the company and the only information about John Smith is that he is the recipient of the email – this is unlikely to constitute personal data. However, where an individual is targeted specifically or more significant personal data is handled relating to an individual, this is likely to constitute personal data, even if the individual is acting purely in a professional capacity.
What is Processing?
Virtually anything we do with personal data is considered to be “processing” of that personal data, including collection, modification, transfer, viewing, deleting, holding, backing up, archiving, retention, disclosure or destruction. So even just storage of personal data is a form of processing. We might process personal data using computers or manually by keeping paper records.
For more details as to how we process personal data within our business, please see our data map or privacy notices.
We process personal data every day for many different purposes and in many ways. We must, therefore, comply at all times with the Data Protection Principles (as set out above).
When are we entitled to process Personal Data?
For personal data to be processed lawfully, we must be processing it on one of the legal grounds set out in the data protection laws.
For the processing of ordinary personal data in our organisation these may include, among other things:
- 1. the relevant data subject has given their consent to the processing
- 2. the processing is necessary for the performance of a contract with the relevant data subject
- 3. the processing is necessary for the compliance with a legal obligation to which Sorted is subject
- 4. the processing is necessary to achieve Sorted’s (or someone else’s) legitimate interests.
Special category data under the data protection laws is personal data relating to a data subject’s race, political opinions, health, religious or other beliefs, trade union records, sex life, biometric data and genetic data. In addition, criminal records history is in a special category, which is in many ways treated the same as special category data. When processing this type of personal data, there are additional requirements which must be met. Please contact IT Support prior to commencing any processing of special category data.
Data Subjects’ Rights
Data subjects have rights in relation to the way we handle their personal data. These include the following rights:
- 1. where the legal basis of our processing is consent, to withdraw that consent at any time
- 2. to ask for access to the personal data that we hold
- 3. to prevent our use of the personal data for direct marketing purposes
- 4. to object to our processing of personal data in limited circumstances
- 5. to ask us to erase personal data without delay:
- a. if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- b. if the only legal basis of processing is consent and that consent has been withdrawn and there is no other legal basis on which we can process that personal data
- c. if the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest
- d. if the data subject has objected to our processing for direct marketing purposes
- e. if the processing is unlawful
- 6. to ask us to rectify inaccurate data or to complete incomplete data
- 7. to restrict processing in specific circumstances e.g., where there is a complaint about accuracy
- 8. to ask us for a copy of the safeguards under which personal data is transferred outside of the UK (or EEA in the case of personal data which is subject to the EU GDPR)
- 9. the right not to be subject to decisions based solely on automated processing, including profiling, except where the decision is necessary for entering into, or performing, a contract with Sorted; is based on the data subject’s explicit consent and is subject to safeguards; or is authorised by law and is also subject to safeguards
- 10. to prevent processing that is likely to cause damage or distress to the data subject or anyone else
- 11. to be notified of a personal data breach which is likely to result in high risk to their rights and freedoms
- 12. to make a complaint to the ICO
Any data subject requesting data under any of the rights listed requires their identity to be verified prior to action being taken.
Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. Anyone receiving such a request must immediately forward it to email@example.com
1. Sorted’s responsibilities
Where Sorted is the controller, Sorted is responsible for establishing policies and procedures in order to comply with data protection law and for complying with all obligations imposed by data protection law.
Where Sorted is the processor, Sorted is responsible for complying with all contractual commitments and following established policies and procedures and for complying with certain of the obligations imposed by data protection law, primarily regarding security.
2. Data Protection Officer responsibilities
The DPO is responsible for:
- 1. advising Sorted and its staff of its obligations under data protection law, and other Security policies and procedures as necessary
- 2. monitoring compliance with this Regulation and other relevant data protection law, monitoring compliance with Sorted policies with respect to this and monitoring training and audit activities relating to data protection compliance
- 3. providing advice where requested on data protection impact assessments
- 4. cooperating with, and acting as the contact point for, the Information Commissioner’s Office and customers’ security contacts
The DPO shall in the performance of their tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
3. Staff responsibilities
Staff (Permanent, contract or agency) members who process data as covered by this policy must comply with the requirements of this policy and ensure that:
- 1. all personal data is kept securely
- 2. no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party
- 3. personal data is kept in accordance with the relevant retention schedule
- 4. any queries regarding data protection, including subject access requests and complaints, are promptly directed to IT Support
- 5. any data protection breaches are swiftly brought to the attention of IT Support and the Data Protection Officer and that they support the response team in resolving breaches
- 6. where there is uncertainty around a data protection matter advice is sought via IT Support
Where external companies are used to process personal data on behalf of Sorted, responsibility for the security and appropriate use of that data remains with Sorted as the controller or first-level processor (as applicable).
Where a third-party processor is used:
- 1. a processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data
- 2. reasonable steps must be taken to ensure that such security measures are in place
- 3. a data processing agreement must be signed by both parties
Data protection law requires us to keep full and accurate records of all our data processing activities.
These records should include, at a minimum, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data and the data’s retention period. Any changes to these records need to be notified to firstname.lastname@example.org
Records of personal data breaches must also be kept, setting out:
- 1. the facts surrounding the breach
- 2. its effects
- 3. the remedial action taken
We are subject to certain rules and privacy laws when carrying out marketing activities.
For example, where we are contacting a data subject through a personal email address, text message to a personal phone or personal social media account (or similar) prior consent is required. This does not apply to communications sent to company email addresses, phones or social media accounts but, in these cases, we must still ensure that we have a good reason to send the communication and that we respect any opt-out/unsubscribe requests.
The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information.
A data subject’s objection to direct marketing must be promptly honoured. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Sharing Personal Data
In the absence of consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties.
Some bodies have a statutory power to obtain information, and you should seek confirmation of any such power before disclosing personal data in response to a request by contacting email@example.com
Changes to this policy
The policy shall be updated from time to time; the latest version is to be found on the Policies and Procedures section of the Intranet.