Data Protection Policy
The Juggling King Rum Company Limited (TJK) handles the personal data of its clients, staff, intermediaries, supplier contacts and other third parties. This data consists of information that relates to and identifies a living individual and may be stored physically or electronically. Personal data includes special category data, which is particularly sensitive and warrants extra protection. Personal data does not include information relating solely to corporate vehicles. However, there may be corresponding duties of confidentiality in respect of corporate information, and in these circumstances we will adopt similar and appropriate standards of protection.
The protection of personal data is of paramount importance and a critical responsibility that we take seriously at all times. TJK may be exposed to regulatory action, fines and reputational damage for failure to comply with the provisions of the data protection legislation.
Each member of staff has a duty to assist TJK in complying with its obligations under the data protection legislation. You must ensure that whenever you handle personal data, you do so in accordance with the data protection legislation and all applicable policies and procedures. All business areas have responsibility for ensuring that appropriate practices, processes and controls are put in place to ensure compliance. If you are unsure about any aspect of this Policy or what action you should take in relation to personal data, you must discuss this with your line manager and involve the Operations Director (currently Robert Shepherd as at the date of this policy, email@example.com) where appropriate.
There is a glossary at the end of this Policy which provides explanation of some of the key terms used in the Policy.
You are required to comply with this Policy when processing personal data on TJK’s behalf and to attend training on its requirements. This Policy sets out what we expect from you in order for TJK to comply with the data protection legislation and your compliance with this Policy is mandatory. You should read it carefully. Key messages set out in the Policy are:
- If any data subject seeks to exercise any rights (e.g. right of access, rectification, erasure) you must immediately inform the Operations Director and not take any action without consulting the Operations Director;
- Familiarise yourself with the privacy notice – if you think we are processing data outside the terms of the TJK privacy notice, alert the Operations Director;
- Consider at all times when processing personal data whether it is necessary to include all elements of the personal data, and limit the personal data processed where you can;
- If you identify any instances where you need to process large scales of personal data, transfer it to another jurisdiction or the data is particularly sensitive, consult with the Operations Director;
- Always ensure you comply with the information security measures at TJK to ensure the data we hold is kept as securely as possible;
- If you notice that data is somewhere where you do not think it should be, alert the Operations Director.
Any breach of this or related policies may result in disciplinary action.
This Policy (and any related policies and procedures) is an internal document. It must not be shared with clients, regulators or other third parties without the approval of the Operations Director.
Data Protection Officer
TJK has appointed an Operations Director with responsibility for overseeing this Policy and, as applicable, developing related policies and procedures. The Operations Director is responsible for:
- Keeping the Board or other relevant teams updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this Policy.
- Handling data protection queries from those covered by this Policy.
- Dealing with requests from data subjects to exercise their rights under the data protection legislation.
- Checking and approving, where necessary, any contracts or agreements with third parties whereby personal data may be transferred.
The current Operations Director is Robert Shepherd as at the date of this policy (firstname.lastname@example.org).
Please contact the Operations Director with any questions about the operation of this Policy or the data protection legislation or if you have any concerns that this Policy is not being or has not been followed.
DATA PROTECTION OBLIGATIONS
Controller and processor
TJK is a data controller. In some instances, TJK may also be acting as a processor. Both controllers and processors are required to register/notify in certain jurisdictions. The Operations Director handles such registrations and maintains a register reflecting TJK’s current registrations/notifications.
Where TJK is acting as a processor or dealing with a processor, appropriate processing terms must be agreed between TJK and the relevant entity.
Data protection principles
The data protection legislation imposes obligations on those handling personal data and requires them to process that data in accordance with the data protection principles. In summary, these principles require that personal data shall be:
- processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- accurate and, where necessary, kept up to date (accuracy);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
Lawfulness, fairness and transparency
Personal data must be processed fairly, lawfully and in a transparent manner in relation to the data subject. TJK may only collect, process and share personal data fairly and lawfully and for specified lawful purposes. Data protection legislation permits processing only where a lawful basis applies; the bases TJK most commonly relies on are set out below:
- The processing is necessary for performance of a contract: This basis may be relied on where the personal data collected and processed are required to fulfil our engagement with the data subject.
- To pursue our legitimate interests: If the processing of personal data is in the legitimate interest of TJK and is judged not to prejudice the interests or fundamental rights and freedoms of data subjects, this may be a lawful basis for processing. The legitimate interests relied on by TJK are set out in the TJK privacy notice.
- The data subject has given his or her consent: Where there is no other reasonable basis for the processing, TJK will rely on consent. The data subject's agreement to the processing must be indicated clearly, either by a statement or by a positive action. Consent requires affirmative action, so silence, pre-ticked boxes or inactivity will not be sufficient. Data subjects must be able to withdraw consent as easily as they gave it; this is explained in our privacy notice. If a data subject approaches you to withdraw their consent to the processing of their personal data, you must bring this to the immediate attention of the Operations Director. Unless we can rely on another legal basis, explicit consent is usually required for processing special category data and for cross-border data transfers. In practice we will usually rely on another legal basis (and so not require explicit consent) for most types of special category data. Where consent is required, it must be evidenced and appropriate records kept of what the data subject was told, what they agreed to and when.
- Vital interests of the data subject: We may process personal data without consent where that is necessary to protect the vital interests of the data subject or another natural person and consent cannot be given or has been unreasonably withheld.
The purposes for which we process personal data are explained in the TJK privacy notice. If you are concerned that the processing which you are undertaking is not adequately captured in the privacy notice, you must bring this to the attention of the Operations Director and shall not continue processing that personal data without the approval of the Operations Director.
A copy of our privacy notice explaining the purposes for our processing can be found here [link]. The privacy notice also explains to data subjects how and why we will use, process, disclose, protect and retain personal data.
Whenever we collect personal data directly from data subjects we must provide the data subject with the privacy notice when the data subject first provides the personal data.
When personal data is collected indirectly (for example, from a third party or a publicly available source) we must also provide the data subject with a privacy notice. You must also check that the personal data was collected by the third party in accordance with the data protection legislation and on a basis which contemplates our proposed processing of that personal data.
The privacy notice is publicly available on our website and is referred to in our Terms of Business and email disclaimer. Amended or alternative privacy notices must not be provided without the approval of the Operations Director. If you have a concern that an appropriate privacy notice has not been provided, you should raise this with your line manager in the first instance.
There are certain exceptions when a privacy notice is not required to be provided. If you have any queries, consult with the Operations Director.
Purpose limitation
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes. You cannot use personal data for new, different or incompatible purposes from those disclosed when it was first obtained unless you have informed the data subject of the new purposes and obtained their consent where necessary.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. You may only process personal data when performing your job duties requires it. You cannot process personal data for any reason unrelated to your job duties.
You may only collect personal data that you require for your job duties: do not collect excessive data. Ensure any personal data collected is adequate and relevant for the intended purposes.
In particular, personal data processed should be limited to that necessary to fulfil the legitimate business purpose and should not exceed that. You should also keep in mind that personal data, including expressions of opinion, may be disclosable (for example in response to a subject access request), so care should be taken in what is recorded.
You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with TJK’s Record Retention Policy.
When handling personal data, regard should be had to any contractual terms or policies regarding information security.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when found to be inaccurate.
You must ensure that the personal data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any personal data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.
Storage limitation
Personal data must not be kept in identifiable form for longer than is necessary for the purposes for which the data is processed.
You must not keep personal data in a form which permits the identification of the data subject for longer than is needed for the legitimate business purpose or purposes for which we originally collected it, including the purpose of satisfying any legal, accounting or reporting requirements.
TJK will maintain retention policies and procedures to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum period. You must comply with TJK's Record Retention Policy.
You must take all reasonable and necessary steps to destroy or erase from our systems all personal data that we no longer require, in accordance with our applicable records retention schedules and policies. This includes requiring third parties to delete such data where applicable.
Data subjects are informed of the period for which data is stored, and how that period is determined, in our privacy notice.
Integrity and confidentiality
Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
TJK will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
You are responsible for protecting the personal data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. You must exercise particular care in protecting special category data from loss and unauthorised access, use or disclosure.
You must follow all procedures and technologies which TJK puts in place to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to third-party service providers who agree to put adequate measures in place, as requested. Before transferring personal data to a third-party service provider, you must consider any data protection implications associated with that transfer and liaise with the Operations Director to ensure that the transfer is permissible and appropriately documented.
You must maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who have a need to know and are authorised to use the personal data can access it.
- Integrity means that personal data is accurate, complete and suitable for the purpose for which it is processed, and has not been altered or destroyed without authorisation.
- Availability means that authorised users are able to access the personal data when they need it for authorised purposes.
You must comply with all aspects of any information security policies and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with our data protection obligations and relevant standards to protect personal data.
Privacy by design
TJK will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data are subject to due consideration of privacy and data protection issues, including, where the processing is likely to result in a high risk to individuals, the completion of one or more data protection impact assessments (DPIA). If you are commencing a new project or are involved in changes to existing systems or arrangements, you (and your business area head) must engage with the Operations Director at an early stage to ensure that an appropriate DPIA is undertaken.
TRANSFERS OF DATA
As part of our business activities, we commonly transfer personal data to third parties. The categories of potential recipients of data are set out in the TJK privacy notice. If you are transferring personal data to a third party which you do not consider to be covered by the privacy notice, you must raise the matter with the Operations Director immediately.
In certain circumstances, we will need to transfer large amounts of personal data to a third party. You must not do this without having first discussed the proposed transfer with the Operations Director, who will determine the necessary measures required prior to the transfer which may include:
- Conducting a data protection impact assessment (DPIA).
- Carrying out an audit of the third party's data protection policies and procedures.
- Putting in place an agreement with the third party setting out the basis of their instructions and responsibilities.
Appointment of processors
In the event that TJK appoints a third party to process data on its behalf, that third party is likely to be a processor. Any such arrangement must be appropriately documented by putting in place a written agreement with that third party. Such agreement must contain certain provisions and must be prepared in conjunction with the appropriate business head and the Operations Director. The Operations Director will maintain oversight and responsibility for all such outsourcing arrangements.
In the event that any transfer of personal data to a third party will result in that personal data being processed outside the EEA, TJK must ensure that the relevant requirements of the data protection legislation are met before any transfer takes place. Transfers can only be made where a lawful basis for processing has been determined and there is adequate protection for the rights and freedoms of individuals in relation to the processing of information about them. Where the transfer is to a jurisdiction in the EEA, or to a jurisdiction deemed adequate by the European Commission (see below), the recipient will be subject to the same data protection standard adopted across TJK.
Where the recipient is outside the EEA (and not in a jurisdiction deemed adequate), TJK has an obligation to ensure that the necessary requirements of the data protection legislation are met. Where we are making the decision to transfer personal data, this will include ensuring that the third parties to which we transfer it have in place policies and procedures in relation to the obtaining, processing and storing of personal data which are at least equivalent to the standards under GDPR, and that we have a contract in place confirming that. In other instances we may rely on the fact that the data subject has consented to the transfer (for example, where we have been asked to appoint an external lawyer or the transfer is necessary for the purposes of obtaining legal advice).
If you are unsure about whether or not you should transfer any personal data, you must discuss this with the Operations Director as appropriate.
Some jurisdictions may be designated as “adequate” by the European Commission such that personal data may be transferred to those jurisdictions with no or limited restrictions.
Where data is required to be held by a third party outside an adequate jurisdiction, for example in the United States, TJK's Operations Director must be informed prior to processing any data or signing any agreements.
DATA SUBJECT RIGHTS
Data subjects have rights to:
- Receive certain information about our processing activities;
- Request access to their personal data that we hold;
- Ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed, or to rectify inaccurate data or complete incomplete data;
- Restrict processing in specific circumstances;
- Challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
- Request a copy of an agreement under which personal data is transferred outside of the EEA;
- Prevent processing that is likely to cause damage or distress to the data subject or anyone else;
- Be notified of a personal data breach which is likely to result in a high risk to their rights and freedoms;
- Make a complaint to the supervisory authority;
- Receive their personal data in a portable form, or ask for it to be transmitted to another controller (data portability).
You must immediately forward any data subject request that you receive to the Operations Director.
Personal data breaches
If a personal data Breach occurs, it must be notified to the applicable regulator(s) within the time limits set by the data protection legislation (under GDPR, without undue delay and, where feasible, within 72 hours of TJK becoming aware of it) and, where the Breach is likely to result in a high risk to individuals, to the affected data subjects.
In the event of any suspected data security breach, we will follow the guidance published on the Office for Data Protection website and will notify data subjects and any applicable regulator where we are legally required to do so.
If you know or suspect that a personal data Breach has occurred, do not attempt to investigate the matter yourself. Immediately record the matter and report it to the Operations Director.
You must preserve all evidence relating to the potential personal data Breach (for example, do not delete or alter the emails, files, logs or devices concerned).
Training
To manage the personal data processed by TJK and to ensure we are acting in accordance with our obligations, we require all staff to undertake data protection training.
We will provide data protection training to all new staff within 10 working days of the commencement of their relationship with us, so far as practicable.
We will provide data protection training to all existing staff.
We will provide additional data protection training to any relevant staff when it is deemed appropriate to do so.
Attendance at training is mandatory (whether that training is online or in person) unless you are told otherwise and attendance will be monitored, with status reports sent to compliance. Failure to undertake any mandatory training may result in disciplinary action.
Frequency of Review: annual
GLOSSARY OF TERMS
consent: agreement which must be freely given, specific, informed and an unambiguous indication of the data subject's wishes by which they, by a statement or clear positive action, signify agreement to the processing of personal data relating to them.
controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in line with data protection legislation.
data protection legislation: all applicable laws and regulations relating to the processing of personal data, including the General Data Protection Regulation 2016/679 (GDPR), the Data Protection (Bailiwick of Guernsey) Law 2017 and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated.
data subject: a living, identified or identifiable individual about whom we hold personal data. Data subjects may be nationals or residents of any country and may have legal rights regarding their personal data.
Operations Director: the person appointed with responsibility for data protection compliance.
explicit consent: consent given by a very clear and specific statement, not merely by action.
personal data: any information identifying a data subject, or information relating to a data subject whom we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes special category data and pseudonymised personal data but excludes anonymous data or data from which the identity of an individual has been permanently removed. Personal data can be factual (for example, name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
personal data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of personal data, or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access to or disclosure, of personal data is a personal data Breach.
process: any operation or set of operations performed on personal data such as collection, recording, storage, adaptation, alteration, retrieval, disclosure, dissemination, restriction, erasure or destruction.
processor: a person or organisation responsible for processing personal data on behalf of a controller.
special category data: particularly sensitive data, including health data, biometric data, genetic data, data relating to racial or ethnic origin, political opinions, sex life, sexual orientation and religious beliefs, together with information relating to criminal convictions or alleged criminal activity, which is subject to similar restrictions.
staff: all partners, employees, directors, consultants, contractors and other persons engaged by TJK.