Data Protection GDPR Policy

2018-10-23T22:17:17+00:00

Data Protection GDPR policy

Jellybean Creative Ltd

Blueberry Worx, 58 Copson Street, Ibstock, Leicestershire LE67 6LB

Policy: Data Protection (GDPR)

Date Adopted: 2008 (DPA), updated 2018 (GDPR)

Date of last review: 23/5/2018

To be reviewed next before/on: 17/5/2019

Purpose and Statement:

Jellybean Creative Ltd is committed to ensuring the data processed by our company remains safe and secure.

This policy has been written in line with legislative change, including both the Data Protection Act (1998) and the EU’s General Data Protection Regulation (GDPR).

Jellybean Creative Ltd has determined the lawful reasons for which it processes personal data:

  • Legal obligation – GDPR Article 6(1)(c)
  • Legitimate interest – GDPR Article 6(1)(f)
  • Contract – GDPR Article 6(1)(b)

There is also some limited data we process with consent from the Data Subject; Consent – GDPR Article 6(1)(a).

While Jellybean Creative Ltd avoids sharing data with third parties at most times, some data is shared in accordance with our business practices. The sharing of data with third parties will always be consensual with the company, and only if Jellybean Creative Ltd is satisfied that their Data Protection policy is GDPR compliant.

Main Aims for the policy:

– Specify the data Jellybean Creative Ltd collect, how it is stored/protected and the reason for collecting it

– State how Jellybean Creative Ltd use personal data in processing

– Disclose who has access to the data and how long we retain information for

– Explain Data Subject’s rights with Jellybean Creative Ltd data including access, rectification and erasure

Review and monitoring of policy:

  • Reviewed annually or in instances of legislative change
  • Monitoring is part of Management and Supervision

The following policy is based on the below principles:

The GDPR includes the following rights for individuals:

– the right to be informed

– the right of access

– the right to rectification

– the right to erasure

– the right to restrict processing

– the right to data portability

– the right to object

– the right not to be subject to automated decision-making including profiling

General Principles

Jellybean Creative Ltd is committed to providing fair and understandable privacy policies in relation to personal data.

Jellybean Creative Ltd will, at all times, keep data in secure locations (including, but not limited to, encrypted and access restricted files) and not retain data unnecessarily or past the retention length as set out in this policy.

In the rare instance a data processor that is not a Jellybean Creative Ltd employee is used, such as a third party, the data subject will either be asked for consent prior to supplying the data or be notified and have the right to object to processing.

Participants and Customers

How Jellybean Creative Ltd collect personal data:

Jellybean Creative Ltd customers and participants supply their personal data when signing up for project contracts or through our registration form either via the website, or via paper form.

This is either completed by the company representative who made the initial contact with Jellybean Creative Ltd – or their responsible line manager/director.

Personal data may also come to us unsolicited via enquiries through our website and to our generic email account.

Why Jellybean Creative Ltd collect personal data:

To engage and use the services of Jellybean Creative Ltd – prospective and existing clients must agree to some processing of their personal data. This is due to Legitimate Interests – GDPR Article 6(1)(f), Legal Obligation GDPR Article 6(1)(c), Contract – Article 6(1)(b) and/or Consent – Article 6(1)(a).

Should Jellybean Creative Ltd be unable to process participants’ data, we would be contravening both our Health & Safety and Data Protection policies.

Special category data is only collected with the consent of the data subject. Special category data Jellybean Creative Ltd collects includes but is not limited to: Company account and taxation information, Company Financial and Bank account details.

Company account and taxation information, along with financial and Bank account details is only collected in instances where account payments and credits need to be performed between the prospective or existing client and Jellybean Creative Ltd. This is to allow the agreed contract of services to be processed and delivered by Jellybean Creative Ltd, for and on behalf of the client.

What data we collect:

Personal data and some special category data is collected.

It is essential to our primary function that we are provided, and allowed to process and store the following:

Client Personal Data:

– Full Name – GDPR Article 6(1)(f)

– Email Address – GDPR Article 6(1)(f)

– Business Address – GDPR Article 6(1)(f)

– Mobile/Landline contact information – GDPR Article 6(1)(f)

Participant Special Category Data:

– Company registration number – further explicit consent sought

– Company taxation number – further explicit consent sought

– Company bank account name – further explicit consent sought

– Company bank account number – further explicit consent sought

– Company bank sort code number – further explicit consent sought

– Company bank SWIFT code number – further explicit consent sought

– Company bank IBAN code number – further explicit consent sought

How data collected is sent internally:

Jellybean Creative Ltd transports data with all due diligence.

Enrolment forms and sensitive data are sent to Jellybean Creative Ltd through an encrypted email server directly from our website which has controlled access. Received enrolment forms and sensitive data are stored on an encrypted email server for no more than 6 months. Received paper enrolment forms are destroyed after no more than 4 weeks.

Storage/Retention of data:

Data received through enrolment forms is uploaded manually into our database software. Our database is stored both in encrypted files on office-based hardware and backed up regularly in our encrypted cloud-based server. Access to these files is restricted through password protection and only available to authorised staff members.

Our standard retention policy (without the data subject’s right to access, rectification and erasure etc.) is THREE YEARS post final contract completion.

Exceptions to our retention policy:

– Financial records are kept for 6 years due to legal obligation

– Bank details are deleted after the action concerning them is complete

– Unsolicited enquiries that do not turn into Live work are deleted after they have been dealt with

Third Parties/Data Processors:

Jellybean Creative Ltd does not actively share data with third parties, however there are certain instances where sharing information is crucial to our business processes.

Freelance Designers:

Some of Jellybean Creative Ltd’s creative resource is based on using freelance creative staff. When this resource is used we have confidentiality and data processor agreements in place. Freelance design partners will never be provided with personal details aside from the company name and project venue installation locations (subject to consent from the data subject).

Sub-contract suppliers:

Jellybean Creative Ltd will from time to time outsource parts of the project contract to sub-contract suppliers. These suppliers will either provide support to Jellybean Creative Ltd when our own in-house operation is at full capacity, or these suppliers will be contracted to perform specific tasks which Jellybean Creative Ltd do not specialise in. When this sub-contract resource is used we have confidentiality and data processor agreements in place. Sub-contract partners will never be provided with personal details aside from the company name and project venue installation locations (subject to consent from the data subject).

MailChimp:

Jellybean Creative Ltd uses a USA-based company, ‘MailChimp’, to provide newsletters and marketing via email. This is an optional process, which people consent to during enrolment or sign-up directly through our website. Data Subjects can opt out and erase/rectify their record stored with MailChimp at any time.

Jellybean Creative Ltd is satisfied that their GDPR regulations are thorough, and the information stored in MailChimp (email addresses) is secure. We have a processor contract in place, and copies are available upon request.

Rights of the data subject and Jellybean Creative Ltd compliance with responses:

Any data subject with personal data stored within Jellybean Creative Ltd is entitled to the rights of:

– Access

You may contact Jellybean Creative Ltd at any time to access all data held relating to you and/or your company/project. Jellybean Creative Ltd will ensure that we respond to a subject access request without undue delay and within one month of receipt. If the information request will also include data regarding others, Jellybean Creative Ltd has the right to refuse the request or take steps in order to obtain consent from other involved parties.

The right of access does not apply to Jellybean Creative Ltd legal obligations such as Health & Safety records.

– Rectification

You may contact Jellybean Creative Ltd at any time in order to rectify data held relating to you and/or your company. Jellybean Creative Ltd will ensure that we respond to a rectification request without undue delay and within one month of receipt.

The right to rectification does not apply to Jellybean Creative Ltd legal obligations such as payment record information. 

– Erasure

You may contact Jellybean Creative Ltd at any time in order to erase data held relating to you and/or your company. Jellybean Creative Ltd will ensure that we respond to an erasure request without undue delay and within one month of receipt.

The right to erasure does not apply to Jellybean Creative Ltd legal obligations such as Health & Safety and First Aid records.

– Restrict Processing

You may contact Jellybean Creative Ltd at any time in order to restrict the data we process relating to you and/or your company. Jellybean Creative will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

– Data Portability

You may contact Jellybean Creative Ltd at any time in order to obtain the data we process relating to you and/or your company and reuse it across different services. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

Please note, this does not apply to Jellybean Creative Ltd legal obligations.

– Objection

You may contact Jellybean Creative Ltd at any time in order to object to the processing of data relating to you and/or your company. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

– Rights related to automated decision making including profiling

You may contact Jellybean Creative Ltd at any time in order to object to profiling relating to you and/or your company. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

Jellybean Creative Ltd has a lawful reason for profiling; Legitimate Interests and consent.

None of Jellybean Creative Ltd decision making is automated. Profiling is only used in circumstances where a prospective client needs to fulfil certain financial checks made by our financial and accounts teams.

Any and all verbal requests are noted, and the requester is then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.

Photos/Videos of Participants

Jellybean Creative Ltd often uses photography from shows & events for marketing purposes, both in print media and on the website. Clients participating in these events may choose not to be depicted in these images.

Social Media:

Jellybean Creative Ltd regularly shares photos of part-completed and completed projects and events whose delivery we have been involved with. This is through social media platforms including: Instagram, Facebook, Twitter, Email.

Staff (Employees/Freelance), Volunteers & Potential Staff, Sub-contract labour/suppliers

For the purposes of this policy, the aforementioned persons above will be referred to as ‘staff’.

How Jellybean Creative Ltd collect personal data:

Jellybean Creative Ltd staff supply their personal data when applying for roles within the company. This is either completed through an application form or submission of a CV.

Further information is collected when applicants are considered successful. Unsolicited data may come to Jellybean Creative Ltd in the form of applicants emailing regarding work/volunteer opportunities.

Why Jellybean Creative Ltd collect personal data:

It is Jellybean Creative Ltd’s legal obligation to collect staff’s personal data in relation to their employment. This is due to Legal Obligation – GDPR Article 6(1)(c) and/or Contract – Article 6(1)(b).

Should Jellybean Creative Ltd be unable to process staff’s data, we would be contravening UK Employment law, our own employment contracts (both PAYE and Freelance) and our own Health & Safety policies.

Special category data is only collected with the consent of the data subject. Special category data Jellybean Creative Ltd collects includes but is not limited to: Medical/Disability information, Ethnicity, Gender and Sexuality. Jellybean Creative Ltd’s lawful purpose for collecting this data is both Article 6(1)(b) – contract and Article 9(2)(b) – employment. This also ensures we are conforming to our Equal Opportunities policy. Any data is always recorded as quantified data (i.e. cumulative numerical data only with no identifying information relating to any data subject).

Jellybean Creative Ltd is also entitled to obtain and process data in relation to criminal convictions and DBS checks.

What data we collect:

Personal data and some special category data is collected.

It is essential to our business that we are provided, and allowed to process and store the following:

Staff Personal Data:

– Full Name – GDPR Article 6(1)(c) Legal Obligation

– Date of Birth – GDPR Article 6(1)(c) Legal Obligation

– Contact Details – GDPR Article 6(1)(c) Legal Obligation

– Pension Information – GDPR Article 6(1)(c) Legal Obligation

– NI number – GDPR Article 6(1)(c) Legal Obligation

– UTR number – GDPR Article 6(1)(c) Legal Obligation

– Right to work in the UK – GDPR Article 6(1)(c) Legal Obligation

– Bank Details – Article 6(1)(b) Contract

– Tax details – GDPR Article 6(1)(c) Legal Obligation

– Qualifications – Article 6(1)(b) Contract

– Pay Details – GDPR Article 6(1)(c) Legal Obligation

– Performance Details – Article 6(1)(b) Contract

– Annual Leave Details – Article 6(1)(b) Contract

– Sick/Compassionate/Maternity/Paternity Leave Details – Article 6(1)(b) Contract

– Safeguarding Concerns – GDPR Article 6(1)(c) Legal Obligation

– Emergency Contact – GDPR Article 6(1)(b) Contract

Staff Special Category Data:

– Criminal Record/DBS Checks – GDPR Article 6(1)(c) Legal Obligation & GDPR Article 10

– Medical/Disability – Article 6(2)(b) Contract & Article 9(2)(b)

– Ethnicity – Further explicit consent sought – Article 9(2)(a & b)

– Sexuality – Further explicit consent sought – Article 9(2)(a & b)

How data is sent internally:

Any transfer of data regarding staff is conducted through encrypted emails and/or stored in our encrypted cloud-based server.

Any unsolicited information is received to an encrypted email server.

Storage/Retention of data:

All Staff personal data is stored on encrypted files in our cloud-based server. It is also stored on encrypted hardware within the office. Any hard copies are stored in a locked cabinet. All of these files have restricted access to authorised staff only.

Most staff data is retained for 6 YEARS (post-employment).

Exceptions to our retention policy:

– Pension details are stored for 75 years (post-employment) due to legal obligation

– Child Safeguarding records are kept indefinitely on a case-by-case basis; the minimum these will be stored for is 6 years due to legal obligation

– First Aid records are kept for a minimum of 21 years due to legal obligation

Unsuccessful applicant data is stored for 6 months post campaign; this includes unsolicited data from potential applicants.

Third Parties/Data Processors:

Jellybean Creative Ltd does not actively share data with third parties, however there are certain instances where sharing information is crucial to our business processes.

NatWest Bank:

In order to process payments by BACS, staff’s bank details and names must be added to our online banking system. Jellybean Creative Ltd is satisfied that their GDPR processes are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

HMRC:

In order to fulfil our legal obligations to HMRC, Jellybean Creative Ltd must supply PAYE staff’s personal data each month and at the end of every financial year. Jellybean Creative Ltd is satisfied that their GDPR processes are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

People’s Pension:

In order to fulfil our legal obligation with the Pensions Regulator, Jellybean Creative Ltd chose the People’s Pension as our pension provider. Jellybean Creative Ltd must supply PAYE staff’s personal data each month and at the end of every financial year. Jellybean Creative Ltd is satisfied that their GDPR processes are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

XERO Accounting:

Xero is Jellybean Creative Ltd’s finance software. In order to process PAYE staff members’ monthly pay, Jellybean Creative Ltd processes some of their personal data monthly and stores it there. Jellybean Creative Ltd is satisfied that their GDPR processes are thorough and any data will be stored in a secure environment, and not unnecessarily retained.

References:

In order to supply references for staff members, some personal data must be divulged. This will only be done with the data subject’s consent, as Jellybean Creative Ltd may not be fully aware of the recipient’s GDPR policies.

Website Biography:

Jellybean Creative Ltd’s website includes staff biographies; these are available for public viewing. Consent is sought before any/all staff profiles are added to the website.

Rights of the data subject and Jellybean Creative Ltd compliance with responses:

Any data subject with personal data stored within Jellybean Creative Ltd is entitled to the rights of:

– Access

You may contact Jellybean Creative Ltd at any time to access all data held relating to you. Jellybean Creative Ltd will ensure that we respond to a subject access request without undue delay and within one month of receipt.

If the information request will also include data regarding others, Jellybean Creative Ltd has the right to refuse the request or take steps in order to obtain consent from other involved parties.

– Rectification

You may contact Jellybean Creative Ltd at any time in order to rectify data held relating to you. Jellybean Creative Ltd will ensure that we respond to a rectification request without undue delay and within one month of receipt.

The right to rectification does not apply to Jellybean Creative Ltd legal obligations such as payment record information.

– Erasure

You may contact Jellybean Creative Ltd at any time in order to erase data held relating to you. Jellybean Creative Ltd will ensure that we respond to an erasure request without undue delay and within one month of receipt.

The right to erasure does not apply to Jellybean Creative Ltd legal obligations such as Health & Safety / First Aid records.

– Restrict Processing

You may contact Jellybean Creative Ltd at any time in order to restrict the data we process relating to you. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

However, due to our legitimate interest and legal obligations in most of the data collected, we may not be able to restrict processing.

– Data Portability

You may contact Jellybean Creative Ltd at any time in order to obtain the data we process relating to you and reuse it across different services. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

Please note, this does not apply to Jellybean Creative Ltd legal obligations.

– Objection

You may contact Jellybean Creative Ltd at any time in order to object to the processing of data relating to you. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

However, due to our legitimate interest and legal obligations in most of the data collected, we may not be able to accept your objection.

– Rights related to automated decision making including profiling

You may contact Jellybean Creative Ltd at any time in order to object to profiling relating to you. Jellybean Creative Ltd will ensure that we respond to a request to restrict processing without undue delay and within one month of receipt.

Please note, this does not apply to Jellybean Creative Ltd legal obligations.

Jellybean Creative Ltd has a lawful reason for profiling; Legitimate Interests and consent.

None of Jellybean Creative Ltd decision making is automated. Profiling is only used in circumstances where a staff member has a criminal conviction.

Any and all verbal requests are noted, and the requester is then contacted again either via phone or email to verify the request. Verbal requests will be responded to in the time frames mentioned above.

Training and Data Protection in Practice

All members of staff (PAYE, Freelance and Voluntary) must agree to this Data Protection policy prior to accepting a contract of employment.

Training is supplied as part of management and supervision. It is also included in all induction and training periods.

Complaints and Data Breaches

Complaints:

Complaints in regard to the handling of any personal data can be made directly to Jellybean Creative Ltd DPO: Roslyn Mudge, Office Manager

Email: [email protected]

Telephone: 0845 2240916

Address: Jellybean Creative Ltd, 58 Copson Street, Ibstock, Leicestershire,  LE67 6LB

If you feel that your complaint was not handled in the correct manner, or still have concerns, you may escalate the complaint by either contacting Jellybean Creative Ltd board of directors (details upon application) or by contacting the Independent Commissioner’s Office (ICO).

ICO Telephone Number: 0303 123 1113

Data Breaches:

If Jellybean Creative Ltd experiences a data breach of any kind, we have a legal obligation to report this to the ICO within 72 hours. The data breach will be reported by the DPO. In the instance they are unavailable to report the breach, the next most senior staff member shall do so.

Jellybean Creative Ltd will also inform all the victims of the data breach as soon as possible if there is a high risk of adversely affecting individuals’ rights and freedoms.

Jellybean Creative Ltd will store and record all data breaches.
