DATA PRIVACY STATEMENT (FULL)
Under the GDPR, Rodneyjohnston.uk is responsible for what happens to the personal data in our supply chain. We always need to conduct thorough due diligence with all processors and sub-processors we intend to engage with, to ensure that we have the proper security measures in place to protect the personal data we are processing as part of our relationships.
Privacy by design is an adopted approach to projects that promotes privacy and data protection compliance from the start. We will ensure that privacy and data protection are key considerations in the early stages of any project, and then throughout its lifecycle. For example, when:
• Building new IT systems for storing or accessing personal data
• Developing policies and processes that have privacy implications
• Embarking on a data sharing initiative
• Using data for new purposes
1. Your personal data – what is it?
A Data Subject is an identified or identifiable person to whom the “personal data” relates. Personal data includes names, identity numbers, addresses, date of birth, photographs, information relating to sexual orientation, the fact that an email was sent at a particular time, or an online alias. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
2. Who are we?
Rodney Johnston is the data controller (contact details below). Rodneyjohnston.uk will decide how your personal data is processed and for what purpose by appointing:
• Data Controllers – people or organizations that collect, manage, and make decisions about what’s done with personal data. Under the GDPR, it is critical that a data controller has a lawful basis for processing the data. When we are acting as a data controller, we will ensure we have a contract in place with any processors or sub-processors we engage that specifies that they will only act upon our documented instructions. This includes transfers of personal data going outside the EEA (the EU plus Iceland, Liechtenstein, and Norway).
• Data Processors – people or organizations that process personal data on behalf of the controller. A contract must stipulate that the data processor or sub-processor will implement appropriate technical and organisational measures to ensure the security of data processing. This security obligation is of vital importance to Rodneyjohnston.uk. It will be very important to get the processor’s help if/when we have to notify a data breach to a regulator and communicate that breach to those data subjects affected by the breach. The processor must assist us by implementing appropriate technical and organisational measures to help us respond to data subjects exercising their rights. For example, the right for their data to be deleted.
3. Why do we need to process your personal data?
We use your personal data for the following purposes:
• To enable us to provide a transportation service for the benefit of guests
• To process information directly related to events and ground transportation services
• To manage any employees
• To maintain our own accounts and records
4. How do we process your personal data?
Rodneyjohnston.uk complies with its obligations under the GDPR in all operations involving the processing of personal data, including: collection, storage, recording, organising, structuring, adapting, altering, retrieving, use, disclosure, dissemination, alignment, restriction, erasure and destruction.
Data Processors must ensure confidentiality concerning the personal data that they process. The Data Processor must also tell the Data Controller if they are asked to do something that infringes the GDPR.
The Data Controller will make it clear that, at the end of the services concerning the processing, the Data Processor must either delete or return all the personal data to Rodneyjohnston.uk, whichever of these two options the controller chooses.
We can implement measures to meet this requirement as follows:
• Encryption and pseudonymization of personal data.
• Ensuring the ongoing confidentiality, integrity, availability, and resilience of data processing systems and services.
• The ability to restore the availability of, and access to, personal data in a timely fashion if a physical or technical incident occurs.
• A mechanism for regularly testing, assessing, and evaluating the effectiveness of the measures in place for ensuring the security of any data processing.
5. What is the legal basis for processing your personal data?
Processing is necessary for carrying out obligations under employment law, or a collective agreement.
Processing is carried out by Rodneyjohnston.uk provided that the processing relates only to clients and employees (or those who have regular contact with it in connection with those purposes) and there is no disclosure to a third party without consent.
Personal data can only be transferred to countries outside the EU and the EEA (the EU plus Norway, Switzerland and Liechtenstein) where certain, very specific arrangements are in place ensuring protection of the EU individual's data. (For most other non-EEA countries, there are procedures that need to be complied with in order for the legitimate transfer of personal data from the EU to those non-EEA countries. This includes entering into data transfer contracts between the companies who are sharing the personal data.)
6. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other members of the Rodneyjohnston.uk team in order to carry out ground transportation or event services. We will only share your data with third parties externally with your consent. The GDPR places responsibility on companies to ensure that personal data is protected across the supply chain; therefore, across our business, we will act as both a controller and a processor in different scenarios. For example, when we process the personal data of our employees (when delivering event services) we will be acting as a data controller. However, during our delivery of solutions to customers, we will frequently be acting as a data processor as we are processing on behalf of another company. In that role, we may also seek to use a third party to assist in the processing. That third party will be acting as a sub-processor.
We are responsible for demonstrating how we work with suppliers and customers to ensure personal data is never exposed or misused. We will play different roles in the supply chain depending on the particular piece of personal data or service we are delivering. It is vital that we are aware of the effect that the GDPR has on how personal data is handled in our supply chain.
Where we are a data controller, we are responsible for the security of all personal data we hold, be it employee, client, supplier, partner or customer data.
Where we are a data processor, our responsibility will be slightly narrower, but we will still be subject to similar obligations as a result of the contracts the GDPR requires to be in place between us and data controllers.
Any third parties we engage to process data on our behalf are also responsible for complying with the GDPR. Therefore, we must conduct thorough due diligence on any third parties we engage with to process personal data, be it partners or suppliers, to ensure that they have sufficient processes and procedures in place to comply with the GDPR.
If we enter into an arrangement with a third party wherein both parties have a say in determining the purpose and means of processing the personal data we hold, under the GDPR we are considered “joint controllers.” If we enter into an agreement with a partner or supplier where we are considered joint controllers, we must define our respective responsibilities for compliance with the GDPR. This must be done in a transparent manner between the third party and us.
7. How long do we keep your personal data?
We keep data in accordance with the lifecycle of an event or ground transportation service. For employment purposes we will review our opt-in database on a regular basis.
8. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
• The right to request a copy of your personal data which Rodneyjohnston.uk holds about you.
• The right to request that Rodneyjohnston.uk corrects any personal data if it is found to be inaccurate or out of date.
• The right to request your personal data is erased where it is no longer necessary for Rodneyjohnston.uk to use
• The right to withdraw your consent to the processing at any time.
• The right to request that the data controller provide the data subject with his/her personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability), where applicable. [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means.]
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
• The right to object to the processing of personal data (where applicable). [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics.]
• The right to lodge a complaint with the Information Commissioner's Office.
9. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Statement, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
10. Contact Details
To exercise all relevant rights, or for queries or complaints, please in the first instance contact Rodney Johnston, 62 Blackthorn Grove, Menstrie, Clackmannanshire, FK11 7DX.
You can contact the Information Commissioner's Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.