This policy establishes an effective, accountable and transparent framework for ensuring compliance with the requirements of the GDPR Policy Template.
This policy applies to all ELITE employees and all third parties responsible for the processing of personal data on behalf of ELITE services/entities. The content of this Policy also applies to our Charity’s Social Enterprise and trading arms, ELITE Paper Solutions and ELITE Training Solutions.
ELITE is committed to conducting its business in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct.
This policy sets forth the expected behaviours of ELITE employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data belonging to an ELITE contact (i.e. the data subject).
Personal data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process personal data. An organisation that handles personal data and makes decisions about its use is known as a Data Controller. ELITE, as a Data Controller, is responsible for ensuring compliance with the data protection requirements outlined in this policy. Non-compliance may expose ELITE to complaints, regulatory action, fines and/or reputational damage. ELITE, as a Data Processor, is responsible for ensuring compliance with the requirements of the Data Controller and with the data protection requirements outlined in this policy. Non-compliance may expose ELITE to complaints, regulatory action, fines and/or reputational damage.
ELITE’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all ELITE employees and third parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.
To demonstrate our commitment to data protection, and to enhance the effectiveness of our compliance efforts, ELITE has appointed a Data Protection Officer. The Information security Policy Template operates with independence and is supported by suitably skilled individuals granted all
Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this Policy by any third party who:
· provides personal data to an ELITE service/entity
· receives personal data from an ELITE service/entity
· has access to personal data collected or processed by ELITE.
To ensure that all data protection requirements are identified and addressed when designing new systems, processes or services, and when reviewing or expanding existing ones, each of them must go through an approval process before continuing. Each ELITE service/entity must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Data Privacy Team for review and approval. Where applicable, any third-party Information Technology (IT) contractors, as part of ELITE’s IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of personal data.
To confirm that an adequate level of compliance is being achieved by all ELITE services/entities in relation to this policy, the Data Protection Officer will carry out an annual data protection compliance audit for all such services/entities. Each audit will, as a minimum, assess:
· Compliance with policy in relation to the protection of personal data, including:
  · The assignment of responsibilities.
  · Raising awareness.
  · Training of employees.
· The effectiveness of data protection related operational practices, including:
  · Data subject rights.
  · Personal data transfers.
  · Data Protection Impact Assessments.
  · Personal data complaints handling.
· The level of understanding of data protection policies and privacy notices.
· The currency of data protection policies and privacy notices.
· The accuracy of personal data being stored.
for and limit the processing of that personal data to only what is necessary to meet the specified purpose.
Principle 3: Data Minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means ELITE must not store any personal data beyond what is strictly required.
Principle 4: Accuracy. Personal data shall be accurate and kept up to date. This means ELITE must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
Principle 5: Storage Limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means ELITE must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.
Principle 6: Integrity & Confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. ELITE must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
General Data Protection Regulation (GDPR): The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data.
Data Processor: the entity that processes data on behalf of the Data Controller.
Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union.