GDPR
This Policy lays out our legal responsibilities and obligations when handling, processing and managing employee and customer data.
Content
1. Lawful, fair and transparent processing
2. Limitation of purpose, data and storage
3. Data subject rights
4. Consent
5. Personal data breaches
6. Privacy by design
7. Data Protection Impact Assessment
8. Data transfers
9. Data Protection Officer
10. Awareness and training
LDS (Shetland) Ltd
1. Lawful, fair and transparent processing
LDS (Shetland) Ltd are required to process personal data in a lawful, fair and transparent
manner.
Lawful means all processing should be based on a legitimate purpose.
Fair means companies take responsibility and do not process data for any purpose other than the
legitimate purposes.
Transparent means that companies must inform data subjects about the processing activities on
their personal data.
2. Limitation of purpose, data and storage
LDS (Shetland) Ltd are expected to limit processing, collect only data that is necessary, and
not keep personal data once the processing purpose is completed. This effectively brings
the following requirements:
Forbid processing of personal data outside the legitimate purpose for which the personal data
was collected.
Mandate that no personal data, other than what is necessary, be requested.
Ask that personal data be deleted once the legitimate purpose for which it was collected is
fulfilled.
3. Data subject rights
Data subjects have been given the right to ask the company what information it has about
them, and what the company does with this information. In addition, a data subject has the right
to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or
transfer of his or her personal data.
4. Consent
When the company intends to process personal data beyond the legitimate purpose
for which that data was collected, clear and explicit consent must be requested from the data
subject. Once collected, this consent must be documented, and the data subject is allowed to
withdraw consent at any moment.
Also, for the processing of children’s data, GDPR requires explicit consent of the parents (or
guardian) if the child’s age is under 16.
5. Personal data breaches
LDS (Shetland) Ltd must maintain a Personal Data Breach Register and, based on severity, the
regulator and data subject should be informed within 72 hours of identifying the breach.
6. Privacy by design
LDS (Shetland) Ltd will incorporate organisational and technical mechanisms to protect personal
data in the design of new systems and processes; that is, the privacy and protection aspects
should be ensured by default.
7. Data Protection Impact Assessment
To estimate the impact of changes or new actions, a Data Protection Impact Assessment will be
conducted when initiating a new project, change or product. The Data Protection Impact
Assessment is a procedure that needs to be carried out when a significant change is introduced
in the processing of personal data. This change could be a new process, or a change to an existing
process that alters the way personal data is being processed.
8. Data transfers
The controller of personal data is accountable for ensuring that personal data is protected
and GDPR requirements are respected, even if processing is being done by a third party. This means
controllers have the obligation to ensure the protection and privacy of personal data when that
data is being transferred outside the company, to a third party and/or other entity within the
same company.
9. Data Protection Officer
When there is a significant requirement to process personal data, LDS (Shetland) Ltd will assign
a Data Protection Officer. When assigned, the Data Protection Officer would have the
responsibility of advising the company about compliance with GDPR requirements.
10. Awareness and training
LDS (Shetland) Ltd will create awareness among employees about key GDPR requirements and
conduct regular training / briefings to ensure that employees remain aware of their
responsibilities regarding the protection of personal data and identification of personal data
breaches as soon as possible.