The purpose of this document is to outline the Pacifiers Personalised (PP) policy on GDPR.
1) Awareness. PP is aware of the GDPR and the Board has undertaken an audit of the personal information and data stored and has put measures in place to ensure compliance with the new regulations.
2) Information held. PP has prepared a document which details the personal data held by us. The document also details where the information comes from, why the information is held, the lawful basis on which it is held (consent), how it is updated and whether it is shared with any other parties (WE DO NOT SHARE INFORMATION WITH ANY OTHER PARTY). This document also ensures compliance with the accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
4) Individuals’ rights. The GDPR includes the following rights for individuals:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object; and
• The right not to be subject to automated decision making, including profiling
PP understands these rights and has updated processes to ensure compliance.
5) Subject access requests. The Association has the processes in place to ensure access requests can be met within 40 days and free of charge.
6) Lawful basis for processing personal data. PP has identified the lawful basis for processing personal data and this is included in the document referred to in point 2 above.
7) Consent. PP understands that consent must be freely given, specific, informed and unambiguous (in our case, no action means agreement).
8) Children. PP does not collect, process or store any data on children.
9) Data breaches. Should a data breach occur within PP, the Board will report and investigate the breach. Depending on the nature of the breach, the Board will determine whether the individuals and/or the ICO will be notified.
10) Data Protection by Design and Data Protection Impact Assessments. The business of the Association has been assessed and it was deemed not necessary to carry out a Data Protection Impact Assessment. The data processing within PP is minimal and not high risk.
11) Data Protection Officers. PP has considered the need to appoint a DPO and has decided that, due to the size and nature of the organisation, this is unnecessary.
12) International. PP operates in more than one EU member state. The lead data protection authority is Portugal, as this is where the main business is conducted and the main establishment is located.