Data Protection Policy Henock SARL
This policy contains information confidential and proprietary to Hennok SARL and its Websites. This document contains information that is confidential or otherwise protected from disclosure and shall not be disclosed without prior approval.
Document version control
The document owner is Suleiman Konneh
|Date||Current Version||Comment||Next review date||Author||Status|
Document history control
The definitions of Data Controller, Data Processor, Data, Personal Data and Processing are in accordance with the Data Protection Act 2018 and the General Data Protection Regulation.
1. Principles of Personal Data
Everyone shall ensure that Personal Data is:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept no longer than is necessary for the purposes for which the Personal Data are processed;
- processed in a manner that ensures appropriate security of the Personal Data.
- Lawfulness of processing
Hennok SARL and its Websites will align their processing activities to the appropriate legal basis under Article 6: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- Data minimisation
Hennok SARL will ensure, in accordance with Article 5(1)(c) of the GDPR, that Personal Data:
(a) is adequate to fulfil the purpose. If it is not helpful to the purpose, then it is inadequate;
(b) is relevant, in that it links to the purpose;
(c) is limited to what is necessary, that is, limited to what is required for the purpose.
- Data Protection Impact Assessment (DPIA)
The Data Controller shall carry out the DPIA prior to any processing taking place, in accordance with Articles 35 and 36 of the GDPR. Any impact assessment may use any existing templates which are available. The impact assessment process will be:
(a) Ask whether it is a major project or whether there is a high risk to Personal Data;
(b) Assess the nature and the scope along with the purpose;
(c) Consider the risk and measures to mitigate the risk;
(d) Where required, consult with individuals or the ICO;
(e) Obtain stakeholder sign-off, including DPO, technical, legal etc.
- Right to erasure or right to be forgotten
This process is to be followed for a Data Subject's right to erasure:
- The Data Controller is responsible for ensuring erasure requests are dealt with. If an exception (health, freedom of information, archiving etc.) applies, erasure will not proceed;
- Keep a record of each deletion request;
- If you refuse an erasure request you must (a) justify the reason for not taking action, (b) give them the right to complain to the ICO and (c) give them the option to seek an alternative judicial remedy;
- The erasure request will depend on whether the Personal Data is no longer required, consent is withdrawn, the Personal Data was unlawfully processed or the Data Subject objects;
- Inform other organisations e.g. if Personal Data is disclosed to others or made public in online environments;
- Check with your partners and customers etc. that they have also erased the Data Subject from any storage or any backups. This also includes erasure of any Personal Data that has been made public, including any copies, links or replications.
- Retention of Personal Data
This shall be in accordance with our retention policy.
- Data breach investigation
This shall be in accordance with our data breach investigation policy.
- Registration with the ICO
Where applicable, if Hennok SARL is required to register as an organisation that processes Personal Data, it shall register with the ICO.
Hennok SARL will provide its staff and contractors with adequate training on data protection laws and data privacy and, where applicable, any refresher training.