UK MOR Ltd Data Protection Policy 1st Feb 2021
This Policy sets out the obligations of UK MOR Ltd, a company registered in England under number 8976655, whose registered office is at 28 High Street, Rampton, Cambs, CB24 8QE (“the Company”) regarding data protection and the rights of staff, customers, business contacts (“data subjects”) in respect of their personal data under Data Protection Law. “Data Protection Law” means all legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications including, but not limited to, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”), as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended, and any successor legislation.
This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
2. Definitions
“consent” means the consent of the data subject which must be a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them;
“data controller” means the natural or legal person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company is the data controller of all personal data relating to staff, customers, business contacts used in our business for our commercial purposes;
“data processor” means a natural or legal person or organisation which processes personal data on behalf of a data controller;
“data subject” means a living, identified, or identifiable natural person about whom the Company holds personal data;
“EEA” means the European Economic Area, consisting of all EU Member States, Iceland, Liechtenstein, and Norway;
“personal data” means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject;
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
“processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person; and
“special category personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.
4. Any questions relating to this Policy or to Data Protection Law should be referred to the Data Protection Officer. In particular, the Data Protection Officer should always be consulted in the following cases:
4. The Data Protection Principles
This Policy aims to ensure compliance with Data Protection Law. The UK GDPR sets out the following principles with which any party handling personal data must comply. Data controllers are responsible for, and must be able to demonstrate, such compliance. All personal data must be:
3. Employees, agents, contractors, or other parties working on behalf of the Company may process personal data only when the performance of their job duties requires it. Personal data held by the Company cannot be processed for any unrelated reasons.
1. The Data Protection Officer is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.
14. Data Protection Impact Assessments and Privacy by Design
d) the risks posed to data subjects and to the Company, including their likelihood and severity.
3. Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:
15. Keeping Data Subjects Informed
for direct marketing purposes, the Company shall cease such processing promptly.
4. [Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the UK GDPR, demonstrate grounds relating to his or her particular situation. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.]
21. Direct Marketing
a) The Company may send marketing text messages or emails to a customer provided that that customer’s contact details have been obtained in the course of a sale, the marketing relates to similar products or services, and the customer in question has been given the opportunity to opt-out of marketing when their details were first collected and in every subsequent communication from the Company.
29. Transferring Personal Data to a Country Outside the UK
This Policy has been approved and authorised by:
Name: Martin Markey
Date: 1st February 2021
Due for Review by: 1st February 2022