GDPR Privacy Policy
Consent Procedure

Overview

This procedure has been developed to enable effective management of consent for certain types of processing of personal data, ensuring individuals have a clear choice when providing their personal information to us. 

Consent management for marketing and communication is handled through the DataCAT application installed on our website and product portals, which gives Data Subjects self-service control over their communication preferences. This provides individuals with a significant level of control and minimises the effort we need to spend managing consent.

Managing Consent

The following points apply to how we manage consent in line with the GDPR:

  • Individuals can provide their consent for us to communicate with them about our products and services through a series of clear opt-in options

  • The means to consent is separate from any other requests on our website

  • We provide a clear Privacy Notice on our website when asking for consent so individuals can make informed choices about providing their consent

  • Only the minimum personal data is collected to enable this communication (email address)

  • Only children aged 16 or over in the EU (13 or over in the UK) can provide valid consent; for children below this age, consent can only be given by a person who holds parental responsibility

  • Where we suspect consent has been given by a child below the appropriate age, we will seek to verify the age of the individual (e.g. via proof of identity)

  • We record the date and time at which consent is given so there is a full audit trail

  • Consent can be adjusted by an individual at any point by changing their preferences on our website, or removed by contacting our Data Protection Representative 

  • The GDPR sets no fixed time limit on how long a consent remains valid; however, in line with guidance from the Information Commissioner’s Office (ICO)/supervisory authority, we will review consents every two years. The outcome of each review will be documented and our Privacy Notice/Data Protection Policy updated as required.

Removing Consent

When an individual contacts the Data Protection Representative to request their consent is removed, the Data Protection Representative will contact the relevant Data Manager who will remove the consent and confirm this with the Data Subject via email. This will be logged by the Data Protection Representative.


Data Breach Procedure

Overview

This procedure has been developed to enable effective response to personal data breaches in line with the GDPR. Where a personal data breach has been identified, we will in the first instance:

  • Log the date, time and nature of the breach

  • Begin remedial activity to secure the breach

  • Assess and document the risk posed to the privacy of individuals by the breach (using previous risk assessments carried out in line with the data inventory) 

  • Identify who we need to notify about the breach based on criteria set within the GDPR (this depends on the role we are playing), and document the decision along with supporting rationale

Where we are the Data Controller

Risk

If our assessment identifies that the breach is likely to result in a risk to individuals’ rights and freedoms, we must report the breach to the Information Commissioner’s Office (ICO)/supervisory authority within 72 hours of becoming aware of it. Reports to the ICO can be made in the following ways:

  • By phone – 0303 123 1113

  • By email – casework@ico.org.uk

Where submitting a breach report electronically, the following form should be used:

https://ico.org.uk/media/for-organisations/documents/2258298/personal-data-breach-report-form-web-dpa-2018.doc

Reports to the ICO/supervisory authority should include the following pieces of information:

  • A description of the nature of the personal data breach including, where possible:

    • The categories and approximate number of individuals concerned; and

    • The categories and approximate number of personal data records concerned

  • The name and contact details of the Data Protection Officer or other contact point where more information can be obtained

  • A description of the likely consequences of the personal data breach; and

  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects

Where not all of this information is available within the 72 hour period, we will explain delays and provide outstanding information as quickly as possible, keeping the ICO/supervisory authority informed as to progress.

High Risk

Where our risk assessment identifies a high risk to individuals’ rights and freedoms, we will contact the affected individuals to inform them of the breach without undue delay so they can take steps to protect themselves from any potential damage. As a minimum we will provide the following:

  • The name and contact details of the Data Protection Officer (or appropriate contact) or other contact point where more information can be obtained;

  • A description of the likely consequences of the personal data breach; and

  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

If we decide not to notify Data Subjects, we will record the rationale for that decision.

Where we are the Data Processor

We will notify the relevant Data Controller of every personal data breach without undue delay. The notification will include as much of the following information as possible so the Data Controller can carry out their own assessment of the risk:

  • A description of the nature of the personal data breach including, where possible:

    • The categories and approximate number of individuals concerned; and

    • The categories and approximate number of personal data records concerned

  • The name and contact details of our Data Protection Officer (where we have one) or other contact point where more information can be obtained

  • A description of the likely consequences of the personal data breach; and

  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects

For security reasons the initial notification will be made by telephone; a secure channel for transferring subsequent information will then be agreed with the Data Controller. All communication with the Data Controller will be logged and stored as part of the breach investigation so that it is available to interested parties.


Data Protection Policy

Overview

The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and only where there is a lawful basis for doing so, which in some cases will be their consent.

Our Commitment (Policy Statement)

We are committed to the protection of the rights of individuals whose personal data we collect and process as part of delivering our services/products. We have developed this policy so we can describe in simple terms how we do this in line with all relevant laws and regulations, including the General Data Protection Regulation (GDPR). This policy has been made freely available so all interested parties can easily understand how we protect the data under our care. Our approach to managing personal data is reviewed on at least an annual basis to ensure it meets with the appropriate laws and regulations, and to ensure we are satisfied it provides adequate protection to personal data.

Our Privacy Notice lays out the personal data we will collect and for what purpose:

  • We only ever collect the minimum required to achieve that purpose. We will not use personal data obtained for a specified purpose in any way other than that declared in our Privacy Notice and/or consented to by the data subject. 

  • Before we process personal data we will always identify a lawful basis for doing so, and we will provide clear, understandable and accessible information (e.g. a privacy notice displayed on our website) to help ensure all interested parties are as informed as possible and our processing of personal data is both fair and transparent. 

  • We will only retain data for as long as is necessary, and anonymise personal data wherever possible.

  • The rights of Data Subjects (as defined in our Privacy Notice) in regards to the processing of personal data are fully supported at all times.

The scope of this Policy

This policy applies to all processing of personal data, including but not limited to processing personal data of: 

  • Potential and existing customers

  • Potential and existing employees

  • Potential and existing suppliers

  • Partner organisation personal data

This policy applies to all of our employees, partner organisations (including our supply chain partners) and any third parties working with or for us, all of whom are expected to read, understand and adhere to it. No third party may access personal data held by SharpStream Ltd without having the appropriate confidentiality/data processing agreement in place, which will mirror the conditions of this policy. 

Key Roles and Responsibilities

We act as both a Data Controller and a Data Processor under the GDPR, depending on the processing in question.

Senior management and all those in managerial or supervisory roles throughout SharpStream are responsible for developing and encouraging good information handling practices, with specific responsibilities laid out in individual job descriptions.

Our Data Protection Representative has the following responsibilities (in line with Article 39 of the GDPR):

  • To inform and advise our senior management and employees about our obligations to comply with the GDPR and other data protection laws;

  • To monitor compliance with the GDPR and other data protection laws, and with our data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;

  • To advise on, and to monitor, data protection impact assessments;

  • To cooperate with the supervisory authority; and

  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc), specifically being the point of contact for data subject requests.

Those who have a specific responsibility to oversee the management of personal data are responsible for making sure this is done in line with this policy and all supporting procedures.

Accuracy of Personal Data

We will make every reasonable effort to ensure the personal data we hold is accurate, including clear instructions for data entry, collecting minimal data to reduce the overall potential for error, and where possible putting controls around data entry fields to minimise the ability to enter inaccurate data. 

Where inaccuracies are identified or changes are required, we have outlined a ‘Right to Rectification’ procedure (see ‘Right to Rectification’ Procedure). The relevant Data Manager is responsible for responding to requests for rectification from data subjects within one month. This period can be extended by a further two months for complex requests, in which case the data subject will be told of the extension and the reason for it.

Security of Personal Data

We take all reasonable steps to secure personal data. All of our employees are responsible for ensuring that the personal data we hold is kept securely and is not disclosed to any third party unless that third party has been specifically authorised by us to receive it and has entered into an appropriate data processing/confidentiality agreement. We risk assess the processing of personal data on at least an annual basis, or whenever a new requirement is identified. These risk assessments are carried out to minimise both the likelihood and the impact of a data security breach, and therefore the threat to individuals’ privacy. The results of these assessments inform the security arrangements we put in place to protect personal data, a number of which are listed below:

  • Password protection

  • Automatic locking of idle terminals

  • Removal of access rights for USB and other memory media

  • Virus checking software and firewalls

  • Role-based access rights including those assigned to temporary staff

  • Encryption of devices that leave the organisation’s premises, such as laptops

  • Security of local and wide area networks

  • Privacy enhancing technologies such as pseudonymisation and anonymisation

  • Identifying appropriate international security standards relevant to SharpStream

  • The appropriate training levels throughout SharpStream

  • Measures that consider the reliability of employees (such as references, right to work checks etc.)

  • The inclusion of data protection in employment contracts

  • Identification of disciplinary action measures for data breaches

  • Monitoring of staff for compliance with relevant security standards

  • Physical access controls to electronic and paper based records

  • Adoption of a clear desk policy

  • Storing of paper based data in lockable fireproof cabinets

  • Adopting clear rules about passwords

  • Making regular backups of personal data and storing the media off-site

  • The imposition of contractual obligations on the importing organisation to take appropriate security measures when transferring data outside the EEA.

Personal data will only be deleted or disposed of in line with the Retention of Records Procedure.

Data Retention

Retention periods for personal data relating to specific purposes are laid out in our Privacy Notice and have been assessed based on perceived need. Personal data will be retained in line with our Retention of Records Procedure and destroyed securely following expiry of the retention period (see Retention of Records Procedure).

Any exceptions to the procedure must be documented clearly and agreed by the Data Protection Representative.

Disclosure to Third Parties

In order to provide the appropriate level of service we may need to share some personal data with third parties. These arrangements are summarised in our Privacy Notice and detailed in our Information Inventory. This sharing will only be for the specific purposes agreed, and will be carried out under the appropriate data processing /confidentiality agreements. 

We will only transfer personal data to countries outside the European Economic Area (EEA), referred to in the GDPR as ‘third countries’, when appropriate safeguards are in place. These include:

An Adequacy Decision

The European Commission assesses whether a third country, a territory, or a specific sector within a third country ensures an appropriate level of protection for the rights and freedoms of natural persons. Where the Commission has made such an adequacy decision, transfers require no further authorisation. Transfers to EEA member states that are not EU members are treated in the same way as transfers within the EU and do not require an adequacy decision.

A list of countries that currently satisfy the adequacy requirements of the Commission are published in the Official Journal of the European Union:

http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm 

In making an assessment of adequacy, we take account of the following factors:

  • The nature of the information being transferred;

  • The country or territory of the origin, and final destination, of the information;

  • How the information will be used and for how long;

  • The laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and

  • The security measures that are to be taken as regards the data in the overseas location.

Privacy Shield

When transferring personal data from the EU to an organisation in the United States we check that the organisation is certified under the Privacy Shield framework at the U.S. Department of Commerce (US DOC). The obligations applying to companies under the Privacy Shield are contained in the “Privacy Principles”. The US DOC is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. In order to certify, companies must have a privacy policy in line with the Privacy Principles, i.e. they must use, store and further transfer the personal data according to a strong set of data protection rules and safeguards. The protection given to the personal data applies regardless of whether the personal data relates to an EU resident or not. Organisations must renew their Privacy Shield certification annually; if they do not, they can no longer receive and use personal data from the EU under that framework.

Binding Corporate Rules

Where required, we may adopt approved binding corporate rules for the transfer of data outside the EU. This requires submission of the rules to the Information Commissioner (relevant supervisory authority) for approval.

Model Contract Clauses

We may adopt approved model contract clauses for the transfer of data outside of the EEA. In this case we will use the model clauses approved by the European Commission or by the Information Commissioner’s Office/relevant supervisory authority; transfers made under approved clauses are treated as having appropriate safeguards and do not require specific authorisation from the supervisory authority.

Exceptions

In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:

  • The Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

  • The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the Data Subject's request;

  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the controller and another natural or legal person;

  • The transfer is necessary for important reasons of public interest;

  • The transfer is necessary for the establishment, exercise or defence of legal claims; and/or

  • The transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.

Information Inventory

To ensure we have a clear view of the risk to personal data, we have mapped where it sits within our organisation or is processed by our partners and assessed the associated level of risk. This data inventory and data flow map records:

  • Business processes using personal data;

  • Source of personal data;

  • Volume of data subjects;

  • Description of each item of personal data;

  • Processing activity;

  • The categories of personal data processed;

  • The purpose(s) for which each category of personal data is used;

  • Recipients, and potential recipients, of the personal data;

  • SharpStream’s role throughout the data flow;

  • Key systems and repositories;

  • Any data transfers; and

  • All retention and disposal requirements.

Note: This is summarised in our Privacy Notice.

Where there are changes to the type of processing, for example exploiting new technology or making changes to the approach, a further risk assessment will be carried out.

How SharpStream demonstrates its Compliance with the GDPR

We aim to be as effective and transparent as possible in how we manage personal data. We have documented and implemented this policy along with key supporting procedures so our approach is clear to interested parties. We also record the processing of personal data, and annual reviews into the appropriateness of our approach.


Privacy Notice - SharpStream Ltd

SharpStream Ltd provides digital audio streaming services to digital audio content creators. 

Your personal data

In order for SharpStream to deliver an effective service, at times we need to collect and use your personal data. This notice outlines the types of data we use as well as how and why we will use it.

Purpose: To register you as a customer/user

What we need

Name, address, email address, telephone number and payment details.

The legal basis for us processing this

Performance of a contract.

Where this data will be stored 

  • SurveyMonkey - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • ProsperWorks - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • FreshWorks - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • Google - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

How long will we keep this data

For as long as you remain a customer.

Where the data is sourced

Directly from you.

Purpose: To communicate details of products/services to you

What we need

Name, email address, telephone number and your communication preferences.

The legal basis for us processing this 

Your consent to do so.

Where this data will be stored

Via third parties: 

  • ProsperWorks - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • MailChimp - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • Google - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • RingCentral - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • FreshWorks - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • SurveyMonkey - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

How long will we keep this data 

For as long as you consent to us processing (as per the Information Commissioner’s guidance, we will review your consent at least every two years).

Where the data is sourced 

Directly from you.

Purpose: To deliver our services or products to you

What we need 

Name, address, email address, telephone number and payment details.

The legal basis for us processing this

Performance of a contract.

Where this data will be stored 

  • Xero - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • ProsperWorks - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • MailChimp - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • Google - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • RingCentral - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

  • FreshWorks - USA. Protected by: European Commission adequacy decision (EU – US Privacy Shield)

How long will we keep this data 

For as long as you are a customer.

Where the data is sourced

Directly from you.

What happens if you do not provide the data 

We will be unable to perform the services contract. 

Cookies

You can read about how we use cookies in our Cookies Notice. 

Your rights 

Whilst we are holding or processing your personal data, you have the following rights:

  1. Right of Access

You have the right to request a copy of the information that we hold about you.

  2. Right of Rectification

You have a right to correct data that we hold about you that is inaccurate or incomplete.

  3. Right to be Forgotten (Erasure)

In certain circumstances you can ask for the data we hold about you to be deleted.

  4. Right to Restriction of Processing 

Where certain conditions apply you have a right to restrict the processing of your personal data.

  5. Right of Portability 

You have the right to have the data we hold about you transferred to another organisation.

  6. Right to Object

You have the right to object to certain types of processing such as direct marketing.

  7. Rights in relation to Automated Decision-Making, including Profiling

At SharpStream, we use no automated processing in our decision-making. 

  8. Right to Complain and to a Judicial Remedy

If SharpStream refuses a request you make under any of these rights, we will tell you why. If you are not satisfied with our response you have the right to complain to the relevant supervisory authority (see the Complaints section below).


Where you have consented to processing of your personal data, you have the right to remove this consent at any time. You can exercise these rights at any time by contacting the appropriate individual under ‘Key Contacts’.

Disclosure

In most instances, we will not disclose your personal data to third parties without your consent. We have the following third party agreements in place:

  • GDPR Design help us hold and process your communication preferences securely in line with consent provided via our website

Some of the organisations we share information with are based in third countries (countries sitting outside of the European Economic Area), and there are appropriate safeguards in place to protect your personal data.

  • ProsperWorks – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

  • MailChimp – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

  • Survey Monkey – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

  • Google – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

  • PandaDoc – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

  • FreshWorks – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

  • Xero – United States. Safeguard in place: European Commission adequacy decision (EU – US Privacy Shield)

Key Contacts

Our Data Protection Representative is responsible for helping ensure we treat your personal data appropriately. They can be contacted through the following means:

Data Protection Representative

  • privacy@sharp-stream.com

  • 0800 999 2468

Complaints

If you feel you need to make a complaint about how we are processing your personal data, you can contact the Information Commissioner’s Office as the relevant supervisory authority. You can do so through the following means:



Retention of Records Procedure

Overview

This procedure has been developed to ensure effective retention of records in line with the relevant data protection laws and regulations. We will only retain the specific data required for processing, and will only retain this data for as long as is necessary to serve its specific purpose.

This procedure applies to all records we hold, including:

  • All electronic media;

  • Online records;

  • Paper-based records.


The basic procedure for building a retention schedule (as part of building our information inventory) is as follows:

  • Identify all data in the organisation;

  • Identify where this data is held and by whom (including third parties);

  • Describe the purpose of this data (i.e. the basis for retention);

  • Define the retention period, including when it starts;

  • Provide justification for the retention period;

  • Describe the disposal method; and

  • Identify who manages the data.

Procedure

The procedure will be followed in line with the guidance below:

Storage of Records

Records will be version controlled, with the minimum number of versions stored (ideally a single version where possible). Sensitive information will be protected by password protection or encryption.

Electronic information will be stored only on agreed servers/hardware, and we will not exceed 90% of manufacturer’s recommended lifespan for storage equipment. Once this threshold is reached, data will be copied onto a new device and deleted in line with disposal guidelines defined below.

Paper copy records will be locked in a secure location when not being used.

In order to provide the appropriate level of service we may need to share some personal data with third parties. These arrangements are summarised in our Privacy Notice and detailed in our data inventory. This sharing will only be for the specific purposes agreed, and will be carried out under the appropriate data processing /confidentiality agreements. This will include the third party making adequate provision for secure storage of records, and a clear approach to retention.

Where data will be held outside the UK or the European Economic Area, we will ensure that appropriate safeguards are in place. Examples include (see the Data Protection Policy for more detail):

  • Adequacy decision

  • Privacy Shield

  • Binding Corporate Rules

  • Model Contract Clauses

Destruction of Records

Destruction of data will be handled as follows: 

  • Electronic media – disposed of using a certified agency that disposes of electronic devices.

  • Online records (stored in any application) – deleted, with all backup copies subsequently removed.

  • Paper based records – shredded or disposed of via a certified secure shredding organisation.


Destruction of data must be completed within 30 days of a retention period expiry.

Roles and Responsibilities

The following roles are responsible for retention of these records as they are the information asset owners:

  • Data Managers are responsible for ensuring that all personal data under their charge is collected, retained and destroyed in line with the requirements of the GDPR, including deletion of records past their retention period.

  • Data Protection Representative is responsible for ensuring compliance with this procedure, as well as periodically reviewing its effectiveness.

  • The Executive is responsible for ensuring that retained records are included in business continuity and disaster recovery plans.


Review of this Procedure

This procedure and the supporting Retention Schedule will be reviewed by the Data Protection Representative on at least an annual basis to ensure its accuracy and effectiveness.


Right to be Forgotten Procedure

Overview

This procedure has been developed to enable effective responses to requests to realise the right to erasure, or the ‘Right to be Forgotten’. 

Procedure

The basic procedure is as follows:

  1. Individuals will raise requests for erasure with the Data Protection Representative.

  2. Where the identity of the Data Subject has not been confirmed, the Data Protection Representative will contact the Data Subject to request proof of identity – this should be a current passport or driving license.

  3. The Data Protection Representative will assess the appropriateness of the request and decide whether or not to meet it.

  4. If the request is to be met, the Data Protection Representative will forward the request to the appropriate Data Manager(s), who will notify the Data Protection Representative when the request has been completed.

  5. The Data Protection Representative will notify the individual via email that their request has been carried out, and delete any residual electronic traces of their data.

  6. If the request is not to be met, the Data Protection Representative will email the requestor explaining why this is the case and highlighting their right to complain to the ICO/supervisory authority – this will be logged.

  7. All requests will be completed within one month of receipt.

Assessing Requests

As per point 2 above, individuals have the right to request that all personal data we hold on them is erased; however, this is not an absolute right. The Data Protection Representative will assess each request to identify whether it meets one of the following points:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

  • The individual has withdrawn consent

  • The individual raises an objection to processing and there is no overriding legitimate interest for continuing the processing

  • Where personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)

  • The personal data has to be erased in order to comply with a legal obligation

  • The personal data is processed in relation to the offer of information society services to a child

Where one or more of the points is satisfied, the personal data of the individual will be erased as per the request. 

Erasing Data

Destruction of data will be handled as follows: 

  • Electronic Media – disposed of using a certified agency that disposes of electronic devices.

  • Online Records – deleted from all applications in which they are stored, with all backup records subsequently removed.

  • Paper based Records – shredded or disposed of via a certified secure shredding organisation.



Right to Portability Procedure

Overview

This procedure has been developed to enable effective responses to requests to realise the ‘right to portability’. This refers to the transfer of personal data we hold to other organisations, or us receiving personal data, both at the request of the Data Subject.

Individuals have the right to ask for:

  • A copy of the personal data they have provided to us previously

  • Us to transmit the data to another Data Controller

Where SharpStream are Transferring Data

  • Individuals will raise requests for portability with the Data Protection Representative;

  • The DPR will log the request, and assess whether further identification is required (e.g. driver’s license) and will assess the level of risk to privacy posed by meeting the request;

  • If the request is to be met, the specific personal data requested is identified by the DPR, extracted and sent to the relevant organisation via password protected email – personal data will be provided in a structured, commonly used, electronic file format (e.g. CSV file). This is logged for audit trail purposes;

  • The DPR will notify the requester of the data transfer via email, along with a password protected copy of the data provided. This is logged for audit trail purposes;

  • If the request is not to be met (e.g. identification is not sufficient or the risk is deemed too high), the DPR will email the requestor explaining why this is the case and highlighting their right to complain to the ICO/supervisory authority – this will be logged;

  • All requests will be completed within one month of receipt; however, where there are particular complexities, this can be extended to three months. The DPR will inform the Data Subject of the reasons for the delay within one month of the original request.

Where SharpStream are Receiving Personal Data

  1. We receive the data, along with the stated purpose, from a third party;

  2. The DPR will log receipt of the data;

  3. The DPO will assess the data and make sure:

    a. It is what is needed to carry out the requested processing activity; and

    b. It does not represent undue risk to the Data Subject.

  4. Where 3a and 3b are satisfied, the DPO/relevant data contact will contact the Data Subject and confirm receipt of their personal data, along with details of:

    • The specific purpose for processing it;

    • Where it will be held, and any sharing with third parties;

    • Who will be responsible for the data; and

    • How long it will be held.

  5. Where 3a and 3b are not met, reject the data and contact the Data Subject to explain why.


Right to Rectification Procedure

Overview

This procedure has been developed to enable effective responses to requests to realise the right to rectification. 

Procedure

The basic procedure is as follows:

  • Individuals will raise requests for rectification with the Data Protection Representative, which will be logged along with the time and date

  • Where the identity of the Data Subject has not been confirmed, the Data Protection Representative will contact the Data Subject to request proof of identity – this should be a current passport or driving license.

  • The Data Protection Representative will assess the appropriateness of the request and decide whether to meet it or not

  • If the request is to be met, the Data Protection Representative will forward on the request to the appropriate Data Manager who will carry out the rectification and notify the Data Protection Representative when the request has been completed

  • The Data Protection Representative will notify the individual via email that their request has been carried out

  • If the request is not to be met, the Data Protection Representative will email the requestor explaining why this is the case and highlighting their right to complain to the relevant supervisory authority – this will be logged. Reasons for refusing a request include:

    • We are satisfied the data in question is actually accurate

    • The request is unfounded or excessive (e.g. it is repeated) 

  • The results of requests will be logged by the Data Protection Representative

  • All requests will be completed within one month of receipt