OLLIE WILKINSON RACING (OWR) is committed to its obligations under the law and this document describes how OWR is committed to meeting its data protection commitments and obligations. This policy sets out the lawful basis on which OWR processes personal data.
The Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights have been revised and superseded by the Data Protection Act 1998, which came into force on 1st March 2000. These are superseded by the EU General Data Protection Regulation (GDPR), which comes into force on May 25th 2018.
OWR’s Lawful Basis for Processing Data
For all Business to Business, client to Business and Business to client communications (generally via email), OWR’s policy is to fully comply with the EU General Data Protection Regulation in line with the Information Commissioner’s Office guidelines.
OWR is committed to being fully transparent about the data it collects and processes and to meeting its data protection obligations. This policy documents OWR’s purpose of processing activities for all Business to Business, client to Business and Business to client communications (generally via email).
OWR’s communications are handled by their commercial partners at Hazel PR Limited, Arena Business Centre, 9 Nimrod Way, Ferndown, Dorset BH21 7HH, who may be contacted at email@example.com with questions about this policy or requests for further information.
OWR has a commercial relationship with Bradley Ellis Racing Limited and the company address is 88 Falconwood Road, Croydon, Surrey, CR0 9BD and the company may be contacted at firstname.lastname@example.org.
DEFINITIONS UNDER THE ACTS / REGULATIONS
Data Controller. A data controller is the person who determines the purposes for which and the manner in which any personal data is, or is likely to be, processed as part of the Data Protection Act 1998.
Under GDPR, a data controller determines how and why personal data is collected and where from.
Data Processor. A data “processor” acts on behalf of the “controller” to process data according to their guidelines.
Processing. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
DATA PROTECTION PRINCIPLES
OWR will comply with the eight principles of the schedule 1 to the Data Protection Act, namely that personal data should be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
JUSTIFICATION OF PROCESSING
In order for data to be processed lawfully, under the first principle, OWR has considered all legal bases for the collection of personally identifiable information via Business to Business, client to Business and Business to client communications (generally via email), and in doing so:
- We understand our responsibility to protect the individual’s interest;
- We believe that there is a limited privacy impact on the individual;
- We believe that the individual should reasonably expect us to use their data for business purposes and we do not want to bother them with disruptive consent requests when they are unlikely to object to the processing;
- We have identified the legitimate interests;
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result;
- We only use individuals’ data in ways they would reasonably expect unless we have a very good reason;
- We are not using people’s data in ways they would find intrusive or which could cause harm unless we have a very good reason;
- We have considered safeguards to reduce impact where possible;
- We have considered whether we can offer an opt out;
- We keep our Legitimate Interests Assessment under review and, if circumstances change, amend it accordingly.
We have therefore decided that we justify processing and storing of personal data obtained via Business to Business, client to Business and Business to client communications (generally via email) on the grounds of legitimate interests and that legitimate interest is the commercial interest of OWR.
OWR and their commercial partners Hazel PR Limited and Bradley Ellis Racing Limited have put in place adequate security measures to safeguard personal data from destruction, loss, unauthorised access or disclosure, for example, security against hacking on any website that collects visitors’ e-mail addresses.
RIGHTS OF INDIVIDUALS
OWR affords the following rights to data subjects, in accordance with their application under the GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
An individual may request access to all personal data of which he or she is the subject and which OWR is processing. Requests of this nature will be handled using the Guidance and Procedures for Handling Requests under GDPR of their commercial partners Hazel PR Limited and Bradley Ellis Racing Limited.
If OWR discovers that there has been a breach of any personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. OWR will record all data breaches regardless of their effect. If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
OWR RESERVES THE RIGHT TO CHANGE THIS POLICY AT ANY TIME.