GDPR Statement
1. Introduction
We are committed to ensuring the privacy and confidentiality of the personal data you provide to us. This GDPR Policy outlines our current policies and practices regarding the collection, use, and protection of personal data, whether obtained directly from you or through our website, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We ask you to periodically review this policy alongside our Privacy Policy, Terms & Conditions, and any other relevant policy we produce, as they may be subject to change.
Please note: Where ‘Beyond Co.’ is mentioned throughout the following policy, this represents BEYOND-CO LTD (Reg No. 13489731 – VAT No. 407009626).
2. Scope
This policy applies to all employees, contractors, subcontractors, suppliers, providers and partners of Beyond Co. who handle personal data in any capacity, ensuring adherence to the UK GDPR and related data protection laws.
3. Data Protection Principles
All personal data processed by Beyond Co. must adhere to the following principles as set out in Article 5 of the UK GDPR:
Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date.
Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
4. Lawful Basis for Processing
Beyond Co. must establish a lawful basis for processing personal data as outlined in Article 6 of the UK GDPR, which includes:
Consent: The data subject has given explicit consent to the processing of their personal data for one or more specific purposes.
Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party.
Legal Obligation: Processing is necessary for compliance with a legal obligation to which Beyond Co. is subject.
Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Beyond Co.
Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by Beyond Co. or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
5. Data Collection and Processing
Data Collection: Personal data should only be collected for specific, explicit, and legitimate purposes. Data subjects must be informed about the purpose of the collection and how their data will be used in accordance with Articles 12, 13, and 14 of the UK GDPR.
Data Minimisation: Only the minimum amount of personal data necessary for the purpose should be collected and processed.
Data Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be corrected or deleted promptly.
Data Retention: Personal data should be retained only as long as necessary for the purposes for which it was collected.
6. Data Subject Rights
Beyond Co. respects and upholds the rights of data subjects as outlined in Articles 15 to 22 of the UK GDPR, including:
Right to Access: Data subjects have the right to request access to their personal data.
Right to Rectification: Data subjects can request corrections to inaccurate or incomplete data.
Right to Erasure: Data subjects can request deletion of their personal data (right to be forgotten).
Right to Restriction of Processing: Data subjects can request to restrict the processing of their personal data.
Right to Data Portability: Data subjects can request to receive their personal data in a structured, commonly used format and have the right to transmit it to another controller.
Right to Object: Data subjects can object to the processing of their personal data where that processing is based on legitimate interests, or where it is carried out for direct marketing purposes.
7. Data Security
Access Control: Personal data should be accessible only to authorised personnel who require access for legitimate business purposes.
Data Encryption: Personal data should be encrypted during transmission and storage to protect against unauthorised access.
Incident Response: Procedures should be in place to detect, report, and investigate data breaches. Any data breach must be reported to the Data Protection Officer (DPO) immediately in compliance with Articles 33 and 34 of the UK GDPR.
8. Data Sharing and Transfers
Third-Party Sharing: Personal data should only be shared with third parties if necessary and with appropriate safeguards in place as required by Articles 28 and 29 of the UK GDPR.
International Transfers: Transfers of personal data outside the UK should comply with UK GDPR requirements, ensuring an adequate level of protection as per Chapter V of the UK GDPR.
9. Data Protection Officer (DPO)
Beyond Co. has appointed a Data Protection Officer (DPO) responsible for overseeing UK GDPR compliance. The DPO’s responsibilities include:
- Monitoring compliance with the UK GDPR and this policy.
- Advising on data protection impact assessments.
- Cooperating with supervisory authorities.
- Acting as a point of contact for data subjects.
Contact Information:
- DPO Name: Jake Lines.
- Position: Managing Director.
- Email: jake@beyond-co.com.
- Phone: 0333 224 0022.
10. Training and Awareness
All employees and contractors must undergo UK GDPR training and demonstrate an understanding of this policy and their responsibilities regarding data protection.
11. Policy Updates
This policy will be reviewed and updated regularly to reflect any changes in legislation or company operations. Employees will be informed of any significant changes.
12. Compliance and Disciplinary Actions
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment.
13. Conduct and Internal Procedures
Data Handling:
All data must be handled in accordance with UK GDPR principles and Beyond Co.’s policies.
Data Feeds:
Data feeds must be regularly monitored and assessed for compliance with UK GDPR.
Record Keeping:
Maintain detailed records of data processing activities, including the purpose of processing, data sharing, and data retention schedules.
Audits and Assessments:
Conduct regular audits and impact assessments to ensure ongoing compliance with UK GDPR requirements.