GENERAL DATA PROTECTION REGULATION (GDPR) POLICY
How Your Information is Collected, Stored and Used and Your Access Rights
THIS (Tinnitus and Hearing Information Show) events are sponsored and organised by The Invisible Hearing Clinic to raise awareness of issues related to tinnitus, hyperacusis and hearing loss. In order to ensure that attendees and interested parties are kept informed about various aspects of the show, data is collected and stored. This policy details how this data should be collected, stored and used to ensure compliance with GDPR.
2. COLLECTION OF DATA
The show organisers will collect and store data collected as part of the registration process. This will include but is not necessarily limited to the attendee’s name and address, email address, home address and telephone number. Financial information does not currently need to be collected. The current means of data collection is via Eventbrite’s secure online ticket registration portal.
3. DATA CONTROLLER & DATA PROCESSORS
Mr Carl Peach of Peachy Marketing is the Data Controller for THIS (Tinnitus and Hearing Information Show). He will determine which data is processed and the purpose of that data. He will also ensure that all data is destroyed and deleted when it is no longer useful or required for processing purposes. With regard to storage limitation, THIS (Tinnitus and Hearing Information Show) will always ensure that personal data is only kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing.
Additionally, all employees at The Invisible Hearing Clinic are involved in handling and processing data for THIS (Tinnitus and Hearing Information Show). This is necessary in order to ensure the prompt and efficient handling of enquiries relating to information shows and subsequent business enquiries. They understand their responsibilities under GDPR and will fully comply with both this policy and with the law.
4. DATA PROTECTION AND SECURITY
Data protection and security is vitally important. All servers are secured with firewall protection. They are regularly checked and updated to avoid the risk of a data breach. In the unlikely event of a breach in which hackers successfully obtained sensitive information, THIS (Tinnitus and Hearing Information Show) will immediately inform those affected and aim to make appropriate reparation. This will be followed by a full review of security. Data collected is generally accessed via the cloud and access is via encrypted password.
5. ACCURACY OF DATA
All data processors should take reasonable steps to ensure that data is kept as accurate and up-to-date as possible. They are encouraged to take every opportunity to keep the data subject’s information accurate. This could be by asking subjects with whom there is only occasional contact to confirm their details, or by making clients aware of how they can update their own information.
6. DATA SUBJECTS ACCESS REQUESTS
THIS (Tinnitus and Hearing Information Show) collects data, which can sometimes be sensitive information, and therefore aims to ensure all Data Subjects are aware of:
- How the data is being used
- How to exercise their rights in respect of that data
Any natural persons who have data held by THIS (Tinnitus and Hearing Information Show) have the right to access information relating to the data stored about themselves. They can access this by completing a Subject Access Request Form. (A copy of this form is available for download below or by telephoning The Invisible Hearing Clinic on 0141 226 2268.)
The show organisers respect the right of individuals who require their data to be removed and will respectfully adhere to any such requests. THIS (Tinnitus and Hearing Information Show) will provide the following information to Data Subjects upon request:
- What information the company holds about them and why.
- How long the information will be stored.
- How to gain access to that information.
- Whether any third parties have access to their personal data, together with the contact information for such persons.
- How the company is meeting its data protection obligations.
All Subject Access Requests that are submitted will be processed by the Data Controller. No-one else within the company has the right to provide such information. The Data Controller will always verify the identity of anyone making a subject access request, at which point the subject must complete a standard request form. Information will be provided within 40 days of receipt of this form.
THIS (Tinnitus and Hearing Information Show) has the right to withhold information if the subject access request has not been received from the data subject, or from their legal parent or guardian in the case of minors.
In certain circumstances, the General Data Protection Regulation allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, THIS (Tinnitus and Hearing Information Show) sponsors, The Invisible Hearing Clinic, will disclose requested data. However, the Data Controller will ensure the request is legitimate, seeking assistance from the directors and from the company’s legal advisers where necessary before any information is disclosed.
7. STAFF GUIDELINES
- When data is stored on paper, it should be kept in a secure place where unauthorised people cannot access it.
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them.
- Data printouts should be shredded and disposed of securely when no longer required.
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking.
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media, these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud-based storage service.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smartphones.
- All servers and computers containing data should be protected by robust security software and a firewall.
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically.
- Personal data should never be transferred outside of the European Economic Area (EEA).
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
- Data will be held in as few places as necessary. Never create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated, for instance by confirming a customer’s details when they call or visit the business premises.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the databases/files.
This Policy will take effect from 2nd January 2019. It has been approved and will become directly binding on THIS (Tinnitus and Hearing Information Show) and the show’s sponsors, The Invisible Hearing Clinic, including all branches, staff and affiliates of the company, from this date onwards. Review Date: Tuesday 2nd July 2019.
All parties involved in the creation of this policy will adhere to all responsibilities and regulations outlined within it, and will to the best of their knowledge and abilities ensure compliance with the terms of this policy as well as the law.
TINNITUS AND HEARING INFORMATION SHOW GLASGOW
SATURDAY 9th FEBRUARY 2019
GRAND CENTRAL HOTEL, CENTRAL STATION,
99 GORDON STREET, GLASGOW, G1 3SL