GDPR Compliance
GDPR Introduction
The General Data Protection Regulation (GDPR) is Europe-wide data protection legislation that requires organisations working with individuals based in the European Economic Area to meet certain requirements regarding the collection, processing, security and destruction of personal information.
As we undertake research that collects or evaluates personal information about a living person who can be identified from the information they have provided, we aim to ensure compliance with the General Data Protection Regulation.
Purpose
This policy sets out how Claret-UK Ltd will seek to ensure compliance with the legislation.
Application
This policy applies to Claret-UK Ltd's dealings with respondents, clients and third parties that may be involved in processing personal information. It covers the way personal information will be obtained, used, shared, physically stored and destroyed.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) governs the processing (i.e. obtaining, holding, organising, recording, retrieval, use, disclosure, transmission, combination and destruction) of personal and sensitive data (i.e. information relating to a living individual - the data subject) and sets out the rights of individuals whose information is processed in manual or electronic form or held in a structured filing system. There are six principles that describe the legal obligations of organisations that handle personal information about individuals. These Principles are:
- Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the individual. The information we gather about an individual will be collected in a way where they are fully informed how we intend to use that information, for what purposes and how we will share it. As we deal with data as part of our business, particularly health data (sensitive) and sometimes patients (vulnerable), it is especially important for Claret UK to understand and comply fully with GDPR.
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. We will explain why we need the information we are collecting and not use it other than for those purposes.
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We will only collect the information we need to provide the services required.
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. The information we collect will be accurate and where necessary kept up to date. Inaccurate information will be removed or rectified as we become aware of the changes.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals. We will not hold information for longer than is necessary.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. We will make sure that the personal information we hold is held securely to ensure that it does not become inadvertently available to other organisations or individuals.
Rights of Individuals
The General Data Protection Regulation creates specific rights of individuals. These include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Handling personal information, lawfully, fairly and transparently
The first and second principles require Claret-UK Ltd to acquire and process personal information lawfully, fairly and in a transparent way. Claret-UK Ltd therefore is clear at the outset about the purpose for which information is obtained and processed. Claret-UK Ltd aims to ensure that:
- respondents and potential respondents are aware of the purpose or purposes for which the information is to be used and they have a choice as to whether to provide the information;
- a respondent is able to ask for confirmation of the source of their personal information;
- personal information is not used in ways that would have adverse effects on individuals;
- respondents are provided with easy to read and understand privacy notices when information is collected;
- personal information will only be handled in ways that individuals would reasonably expect;
- the third-party providers we work with to provide potential respondents must comply with the requirements of the General Data Protection Regulation as well;
- marketing undertaken by us will be undertaken in a manner that complies with the General Data Protection Regulation;
- we seek to uphold the individual's rights with regard to their personal information.
Compliance
- Completed full audit of our data processing
- Embed privacy by design and default into all our projects
- Appointed a DPO (Data Protection Officer) whose role is to ensure data protection compliance
- Registered with the ICO, who will be our lead data protection supervisory authority
Data Protection
Claret UK Ltd is registered with the Information Commissioner's Office (ICO), Reg No. Z2319800. ICO guidelines ensure that data is processed fairly and lawfully in accordance with the latest Data Protection regulations.
CONTACTING CLARET
Please choose the correct method of contacting us depending on what you are contacting us about.
Clients are those wishing to use our services for Market Research.
Respondents are those registered or wanting to register to participate in focus groups and research surveys.