T: +44 161 928 2533

F: +44 161 928 2566

E: info@dalanguages.co.uk

Sand House | 22-24 Greenwood Street Altrincham | Cheshire | WA14 1RZ

D.A. Languages Ltd. DATA PROTECTION POLICY - 2018

1. INTRODUCTION

At D.A. Languages we have cause to collect and use information about people with whom we work, including: members, current, past and prospective employees, clients, and suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means.

The way in which we handle, store and transmit data and the levels of transparency we provide to individuals are fully in line with the Data Protection Act 1998 and also the GDPR (General Data Protection Regulation).

We regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly.

To this end we fully endorse and adhere to the Principles of Data Protection and transparency to individuals as set out in the GDPR, which is enforceable from 25th May 2018 and supersedes the Data Protection Act 1998.

Article 5 of the GDPR stipulates that anyone processing personal data must comply with 6 core principles of good practice. We understand that these principles are legally enforceable and fines can be issued if organisations do not comply.

Article 5(2) of the GDPR states:

“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

2. D.A. Languages will adhere to the principles of the General Data Protection Regulation (GDPR)

1. We ensure that personal, identifiable information (PII) is processed lawfully, fairly and in a transparent manner in relation to individuals; we do this by informing you, at point of contract or registration, what PII data we collect, why we collect it, your rights to object, and who we provide it to.

2. We ensure that PII is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. When we collect PII, we will inform you of the specific purpose for which it will be processed and we will obtain your permission if additional processing of this data is required.

3. We will ensure that any PII collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. We will adhere to the MoSCoW rule as referenced in GDPR legislation, which means that we will use a toolkit to analyse and filter which data we:

• Must have, i.e. any PII that is required for us to function as a business, such as the names, addresses and qualifications of our linguists.
• Should have, i.e. any PII that allows our business to function optimally, such as the native languages, religion and gender of our linguists, so that an appropriate linguist match can be made to each customer’s needs and best interests.
• Could have, i.e. any PII that could be used for other purposes to develop our business.
• Won’t have, i.e. any other data identified after this analysis, which will not be requested, collected, processed or stored.

This data flow process will be followed for each business activity which involves any personally identifiable information.

4. We will ensure that all PII held is accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. We will adhere to this principle by having a thorough PII audit process in place which will be actioned at set intervals by our in-house Data Protection Officer, who has completed training in GDPR legislation.

5. We will ensure that PII data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals. We will have robust processes in place for the disposal of PII at relevant timeframes; any PII kept for statistical purposes will be anonymised at that point.

6. PII data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Our organisation has robust data protection measures in place across all business activities and these are audited and reviewed on a regular basis in line with our accreditation with the NHS Information Governance Toolkit and the Cyber Essentials Scheme.

3. The GDPR Legal Framework

3.1 Definitions of GDPR

The GDPR provides conditions for the processing of any personal data and the need for transparency of that data’s usage and storage to the relevant individual. It also makes a distinction between personal data and “sensitive” personal data.

a. Personal data – the GDPR states:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

b. Sensitive data – the GDPR defines this as:

“data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

3.2 The Core Principles of GDPR

The 6 core principles of the GDPR require that personal information is:

a. processed lawfully, fairly and in a transparent manner in relation to individuals;

b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

3.3 GDPR Conditions for Processing

In addition to complying with all six data protection principles, a data controller processing personal data must also satisfy at least one processing condition. If the data controller is processing sensitive personal data, at least one sensitive personal data processing condition must also be satisfied.

The grounds for processing personal data under the GDPR broadly replicate those under the DPA. The processing of personal data will only be lawful if it satisfies at least one of the following conditions:

A. Consent of the data subject
B. Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract
C. Necessary for compliance with a legal obligation
D. Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent
E. Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
F. Necessary for the purposes of legitimate interests

The grounds for processing sensitive data under the GDPR broadly replicate those under the DPA, but have become slightly narrower. Any processing of sensitive personal data must satisfy at least one of the following conditions:

A. Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
B. Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
C. Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
D. Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
E. Data manifestly made public by the data subject
F. Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
G. Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures
H. Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
I. Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
J. Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)