Fair Processing Procedure

1. Scope

All processing of information about data subjects within or by Skyemotion Ltd  is within the scope of this procedure.

1. Responsibilities

The Data Protection Officer is responsible for ensuring that the Customer Privacy Notice is correct and that mechanisms exist for making all data subjects aware of the contents of this notice prior to Skyemotion Ltd commencing collection of the their data. 

All staff that may need to collect personal data are required to follow this procedure.

1. Procedure
   1. Those responsible for processing personal data may only do so where this activity has been authorised by the Data Protection Officer

1. In particular, data subjects must be informed, prior to the collection of data, of the following information: 

• the identity of the firm (name contact details);
• the purposes for which personal information will be processed;
• how long the personal data will be stored, or the criteria under which it is stored;
• a description of how (if at all) this information will be disclosed to third parties;
• information about the individual’s rights relating to their personal data, including the right of access to personal information, right to withdraw consent, right to rectify personal data, right to have personal data erased, right to strict processing, the right to lodge a complaint with the Information Commissioners Office. 
• whether personal information is transferred outside the European Union, and whether the destination has been the subject of an adequacy decision or a reference to the safeguards in place;
• details of any automated processing, such as profiling, that will be performed on the personal data supplied;
• whether the personal data must be supplied to fulfil or enter into a contract, as well as whether there are any possible consequences of failing to provide personal data;
• any other information that would make the processing fair.

1. All such information provided to data subjects is in clear, plain language.

1. This information is contained in the Customer Privacy Notice issued to all data subjects before Skyemotion Ltdprocesses their data.

1. Where personal information is collected for marketing purposes or might be used in the future for marketing purposes, the Customer Privacy Notice shall include the following statement: 

I, hereby grant Skyemotion Ltd to process my personal data for the purpose of Marketing. By providing your consent, you agree that you have given your express permission for us to market you regarding products and services that we think may be of interest to you and by any means of communication that is suitable at the time.

If you do not indicate your agreement for us to make contact with you, we may be unable to provide you with details of products and/or services that may suit your needs and circumstances.

We would like to maintain a record of your express consent for us to contact you by post, telephone, SMS, email and instant messaging for marketing our products or services that we think may be of interest to you. Please indicate your consent to us contacting you by any of the means specified below:

Post                         Phone                  SMS                     Email              Instant Messaging* 

1. Where Skyemotion Ltd is collecting personal data for marketing purposes and has sought the specific consent of the data subject to this purpose, the Customer Privacy Notice must highlight the following areas: 

You can:

• change the basis of any consent you may have provided to enable us to market to you in the future (including withdrawing any consent in its entirety).

If you have any questions or comments about this document, or wish to make contact in order to exercise any of your rights set out within it please contact:

Laura Thompson

Office 30 Oaktree Court Business Centre

Mill Lane

Ness

CH64 8PT

1. The Data Protection Officer shall incorporate procedures that indicate, where processing has been based upon consent and that consent is withdrawn, the processing based on that consent will cease.

1. The Data Protection Officer is responsible for monitoring all requests for removal of withdrawals of consent and maintains a register of all such requests and ensures that all removals are completed within 24 hours.

1. The Data Protection Officer is responsible for ensuring that, where other sectoral requirements or legislation require explicit consent for marketing, the Customer Privacy Notice shall contain procedures for collecting this consent.

1. Where sensitive personal information is being collected for a particular purpose(s), The Data Protection Officer shall ensure that the Customer Privacy Notice explicitly states the purpose(s) for which sensitive personal information is or might be used.

1. Where data processing relates to a child (13 years or younger) The Data Protection Officer shall ensure the firm has obtained and recorded consent provided by the holder of parental responsibility over the child.

1. The Data Protection Officer is responsible for ensuring that all new data collection methods are reviewed and signed off to ensure that such methods can be demonstrated as compliant with data protection legislation and good practice.

1. Customer Privacy Notices

The Data Protection Officer is responsible for maintaining a register of Customer Privacy Notices, which identifies for each Customer Privacy Notice the version number, the issue and withdrawal dates, the locations used and, by reference to the data collection purposes, the purposes for which personal data is collected. 

1. Specified Purposes

Personal data may only be processed for the purpose for which it was originally collected.

All requests for changes to the use of personal data must be put in writing using plain language that is clear and concise by email, which sets out the original purpose, the proposed new or additional purpose and the reason for the change. 

The request must be approved by The Data Protection Officer who is also responsible for determining if additional consent must be sought from the data subject. 

Where additional consent is required, The Data Protection Officer will determine the form that this consent must take and the process to be followed by the firm in informing the data subject about the new purpose and obtaining the data subject’s consequent consent. Where a relevant exemption applies, The Data Protection Officer will identify this exemption in the authorisation to process. 

In all cases, The Data Protection Officer is responsible for amending the Data Inventory Record with details of the new purpose, cross-referenced to the Authorisation to Process.

1. Data Sharing

The Data Protection Officer is responsible for ensuring that, where personal data is to be shared with a third party organisation, this sharing is compatible with the firm’s notification to the ICO and with the terms contained in its Customer Privacy Notice.

The Data Protection Officer is responsible for ensuring, where information is to be shared with a third party, that this sharing is compatible with the Customer Privacy Notice previously made,  and that a written agreement is drafted by the firm and entered into by the third party, and that this agreement:

Describes both the purposes for which the information may be used and any limitations or restriction on the further use of the personal information for other purposes.

Includes an undertaking from the third party or other evidence of its commitment to processing the information in a manner, which will not contravene the Data Protection Act. 

Where the law allows data to be shared without the data subject’s consent, the agreement contains specific safeguards/controls to protect the personal information in the context of the GDPR.

The Data Protection Officer is responsible for ensuring, where data collected by the firm is matched with other data to create data profiles that these profiles are only used within the context of its notification to the ICO and with what the data subject has consented to.