Data Protection & Privacy Policy
1.1 General Policy
Spherica (hereinafter referred to as ‘the Company’, ‘we’ and ‘us’) is committed to protecting the rights of data subjects with regard to the processing of their personal data. We are also committed to facilitating the exercise of a data subject’s rights over their data. This document sets out the policy under which personal data collected by us, or provided to us, will be processed.
Terminology:
EU – European Union
EC – European Commission
ICO – Information Commissioner’s Office
GDPR – General Data Protection Regulation
1.2 Data Protection by Design and Default
When creating or modifying systems and procedures for processing personal data, we always consider how to protect this data. We will ensure we collect only the essential data attributes that we require, and we will keep the data for only as long as is necessary.
If we are to process personal data in a way that is likely to result in a high risk to the data subject, we will conduct a Data Protection Impact Assessment. We will consult the Information Commissioner’s Office (ICO) where the Data Protection Impact Assessment indicates that the processing would result in a high risk to data subjects that we cannot mitigate. Wherever possible we will only process personal data within the UK or EU, and we will ensure compliance with the GDPR rules on international transfers.
1.3 Fair Processing Notice
We will tell data subjects what data we hold about them, how and why we will process it, and inform them of their rights concerning their personal data. We will not knowingly mislead data subjects about processing. We will only process personal data in the ways we have told data subjects, namely by virtue of a contract or legitimate interest.
Contract and legitimate interests are our main legal bases for processing personal data. We will review our legal basis for processing whenever the Company undertakes a new project or piece of work, and we will inform our clients if the basis on which we process their data is to change.
We process data on a contractual legal basis in line with the GDPR (Article 6(1)(b)), which permits processing where it is ‘necessary for the performance of a contract to which the data subject is party’.
Where processing of personal data is necessary for the purposes of the legitimate interests pursued by the Company, the interest we regard as legitimate is as follows:
Our aspiration to grow the Company. Processing is necessary for that growth to be made, and we balance the needs of the Company against those of individuals. We maintain a robust procedure for categorising prospective clients so that we can prevent any infringement of an individual’s interests while pursuing our legitimate interest in processing their data.
1.4 Data Accuracy
The data subject has a right to request rectification, but we will also make our best efforts to ensure that personal data is accurate. When we become aware that personal data is inaccurate, we will try to update it. Where this is not possible, we will stop processing the data. When personal data changes we will use our best endeavours to inform any recipients of that data of the changes.
1.5 Information Security Concerning Personal Data
We shall assess the risks of processing to the data subject and will deploy appropriate security measures.
To ensure security, where appropriate, we will:-
- Train our team members to understand the importance of personal data and how it must be correctly treated
- Control access to personal data by using authentication and authorisation, to keep it confidential, including limiting access to your data to those who have a genuine business need to know
- Keep backups to help us guard against loss and damage
- Ensure personal data is available when and where it is required
- Install security patches as they become available
- Only use operating systems and software that support single sign-on, so that access to personal data is controlled through centrally managed accounts and can be revoked in one place
- Keep up to date with current advice and changes in the risk landscape
- Have procedures in place to deal with a suspected personal data breach, including notification to the data subject where required
1.6 Data Subject Rights
We are committed to respecting and facilitating the exercise of data subject rights. We train our staff to recognise requests from data subjects and maintain procedures to satisfy the exercise of those rights. Data subjects have the following rights, including but not limited to:-
- Access to your personal data
- Be informed about how we process and store your personal data
- Have any mistakes in your personal data corrected (Rectification)
- Request erasure of personal data held by us
- Request to receive the personal data we hold on you (Data Portability request)
- Object to the processing of your personal data or request a restriction of processing
- Contact the ICO if you are concerned about any breach by us of data protection laws
1.6.1 Right to be Informed
We will provide all individuals with clear and concise information about what we do with their personal data. We will provide them with:-
- Our name and contact details
- The purposes of any processing
- The lawful basis for any processing
- Information pertaining to their rights as a data subject
- All other relevant details about the processing and their ability to object to or refuse processing, in line with the other subsections below.
1.6.2 Right to Access
When access is requested, where possible, we will:-
- Check the identity of the data subject before releasing personal data to them
- Protect the rights of other natural persons while fulfilling a data subject access request
- Explain the processing and the categories of personal data being processed
- Respond to a data subject access request within one month of receiving it
If it is not possible to provide access, we will tell the data subject.
1.6.3 Right to Rectification
When rectification is requested, where possible, we will:-
- Correct personal data without delay
- Complete incomplete personal data
- Add extra information in the form of notes
- Notify any recipient of the personal data of the rectification
If it is not possible to rectify the personal data, we will tell the data subject.
1.6.4 Right to Erasure
When erasure is requested, where possible, we will:-
- Erase the personal data without delay
- Notify any recipient of the personal data of the erasure
If it is not possible to erase the personal data, we will tell the data subject.
We will keep enough personal data to ensure we do not direct market to the data subject again. This data will be processed only for suppression purposes, on the basis of having a ‘legal obligation’ to do so.
1.6.5 Right to Restriction of Processing
When a restriction of processing is requested, where possible, we will:-
- Temporarily restrict processing of the personal data without delay
- Notify the data subject before we lift the restriction
- Other than storing it, only process restricted personal data with the explicit consent of the data subject
- Notify any recipient of the personal data of the restriction of processing
If it is not possible to restrict processing of the personal data, we will tell the data subject.
1.6.6 Right to Data Portability
When we receive a request for data portability, where possible, we will:-
- Check the identity of the data subject before releasing personal data to them
- Protect the rights of other natural persons while fulfilling a data portability request.
- Provide the data in a structured, commonly used, machine-readable format (CSV) without delay
If it is not possible to provide data portability, we will tell the data subject.
1.6.7 Right to Object
When there is an objection to data processing, where possible, we will:-
- Stop processing the personal data without delay
If it is not possible to stop processing of the personal data, we will tell the data subject.
We will keep enough personal data to ensure we do not direct market to the data subject again. This data will be processed only for suppression purposes, on the basis of having a ‘legal obligation’ to do so.
1.6.8 Automated Individual Decision Making, Including Profiling
The only current circumstance in which we use automated individual decision making is within our recruitment technology, to source and select candidates for us to consider based on their suitability for an open role, or for a role for which they have applied. The process of sourcing suitable candidates is automated; however, decisions on who we will engage with to fill any job openings are made by Spherica.
1.7 Transfers
We will act responsibly when transferring personal data to other controllers and processors. When using processors, the processing will be governed by a written contract. When transferring personal data to other controllers we will take reasonable steps to ascertain their identity, and ensure they will respect and protect the rights and freedoms of the data subjects, including introducing contractual terms.
We will not transfer data outside the UK or to an international organisation unless:-
- There is an adequacy decision made by the EC
- The transfer is covered by binding corporate rules
- All necessary GDPR requirements have been met and demonstrated by all parties
- We have informed you in a separate Data Protection and Privacy Notice that it may be necessary
1.8 Cooperation with the ICO
We will cooperate with the ICO on any personal data protection issues.
1.9 Personal Data Breach Detection
We will take appropriate measures to detect a personal data breach.
1.10 Personal Data Breach Notification
If a personal data breach is deemed likely to result in a high risk to the rights and freedoms of data subjects, we will seek guidance from the ICO and notify the affected data subject(s) without undue delay. If notifying each data subject individually would involve disproportionate effort, we will instead notify data subjects by making a public announcement.
If we become aware of a personal data breach we will without delay:-
- Investigate the cause of the data breach.
- Identify the number of personal data records affected.
- Assess the risks to the rights and freedoms of data subjects.
- Inform the ICO of the personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
1.11 Websites and Online Services
We will ensure data subjects are informed about how their personal data will be used, when it is captured through our website.
We will ensure the documentation on our website is clear and easy to understand by the intended audience.
A copy of this Privacy Policy can also be found on our website via the following link, https://www.spherica.co.uk/privacy-policy/
1.12 Children
We believe children should be afforded additional protection. We will ensure all communications intended for an audience of children will be written in an appropriate way so that children can understand and make informed decisions about their personal data.
Where appropriate we will seek confirmation from a holder of parental responsibility.
1.13 Data Protection Officer
Our Data Protection Officer is Jessica Harper. Their contact details are [email protected]