Data Protection Policy

Table of Contents

  1. Introduction
  2. Definitions
  3. Scope
  4. Who is responsible for this Policy
  5. The Principles
  6. Accountability and Transparency
  7. Our Procedures
  8. Special Categories of Personal Data
  9. Responsibilities
  10. Privacy Notices
  11. Subject Access Requests
  12. Right to Erasure
  13. Third Parties
  14. Criminal Offence Data
  15. Audits, Monitoring and Training

1. Introduction

Two70 Digital is committed to protecting the rights and freedoms of data subjects, and safely and securely processing their data in accordance with all of our legal obligations. This policy sets out how we seek to protect personal data and ensure that our staff understand the rules governing their use of the personal data to which they have access in the course of their work.

2. Definitions

3. Scope

This policy applies to all staff of Two70 Digital and supplements other policies related to data usage. Any new or modified policy will be circulated to staff before being adopted.

4. Who is responsible for this Policy

The Data Protection Officer (DPO), Toby Lewis, is responsible for the day-to-day implementation of this policy. Contact the DPO for further information.

5. The Principles

Two70 Digital complies with the principles of data protection enumerated in the EU General Data Protection Regulation (GDPR). The principles include:

6. Accountability and Transparency

We must demonstrate compliance with data protection laws by documenting our processes and maintaining transparency with our data subjects.

7. Our Procedures

Fair and lawful processing

We process personal data lawfully by ensuring the individual has consented, or that another lawful basis for processing exists, such as a contract or legal obligation.

Lawful basis for processing data

We must establish a lawful basis for processing data, such as consent, contract, legal obligation, vital interests, public function, or legitimate interest.

8. Special Categories of Personal Data

Special categories of personal data include sensitive information, and generally require explicit consent from the data subject for processing.

9. Responsibilities

Our Responsibilities

Two70 Digital is responsible for analyzing the types of data held, identifying lawful bases, ensuring compliance with the GDPR, and reporting data breaches.

Your Responsibilities

Employees must fully understand their data protection obligations, ensure compliance, and report any breaches immediately.

10. Privacy Notices

Privacy notices must be supplied at the time personal data is obtained from the data subject, and should include information such as the purpose of data processing and the lawful basis for it.

11. Subject Access Requests

Individuals have the right to request access to their personal data. We must respond to these requests within one month and provide the data in a machine-readable format, such as a CSV file.

12. Right to Erasure

Individuals have the right to request that their data be erased in certain circumstances, such as when it is no longer necessary for the purpose it was collected or when consent is withdrawn.

13. Third Parties

We must have written contracts with any third-party data processors and ensure that they comply with GDPR standards.

14. Criminal Offence Data

Any processing of criminal offence data must be done in accordance with the law and requires approval from the DPO.

15. Audits, Monitoring and Training

Regular data audits will be conducted to manage risks, and staff will receive adequate data protection training.


Version 1.0 (June 2024)
Contact: admin@two70digital.com