Associate Handbook 2018

Under the Data Protection Laws all personal data which is held by the Company is covered by its provisions. This includes not only automated personal data, but also any set of information relating to individuals, which enables the Data Controller to access specific information relating to that individual. For example, card index systems or the contents of a filing cabinet referenced by surname.

Processing Personal Data

If Associates handle personal data in any way they should take as much care as possible that they are operating in accordance with Company procedure. Details of the Data Protection Laws and Company procedure are available from the Data Protection Manager.

There are a number of data protection principles, set out under the GDPR.

Under the Data Protection Laws personal data must be: -

obtained and processed both fairly lawfully and transparently;



 obtained only for one or more specific, explicitly and legitimate purposes;

 shall not be further processed in any manner incompatible with that purpose or those purposes;

 adequate, relevant and limited to what is necessary in relation to those purposes;

accurate and, where necessary, kept up to date;



held only for as long as is necessary for those purposes;



processed in accordance with the rights of data subjects;



 protected by appropriate technical and organisational security measures; and

 must not be transferred to a country or territory outside the EEA, unless adequate protection is guaranteed.

The Data Protection Laws clarify that for processing to be fair and lawful, data must not be processed unless:

 The Data Subject has consented to the processing; or

 The processing is necessary for the performance of a contract to which the data

subject is a party;

 Processing is required for compliance with legal obligation;

 Processing is necessary to protect the vital interests of the data subject

 Processing is necessary for the performance of a task carried out in the public

interest

 Processing is necessary for our legitimate business interests except where those

interests are overridden by the interests of fundamental rights and freedoms of the

Data Subject