PCPHero — Legal

Data Protection Policy

Bamboo Marketing NW Limited T/A PCPHero  ·  FCA FRN: 930314

UK GDPR  ·  Data Protection Act 2018

Introduction

Bamboo Marketing NW Limited T/A PCPHero (“the firm”) is committed to protecting the privacy and security of personal data. This policy sets out the firm's approach to data protection in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The firm will carry out a risk assessment to identify the risks posed to personal data by its activities and, in particular, by its processing operations. Risk assessments will also be carried out in relation to processing undertaken by other organisations on behalf of the firm.

Company: Bamboo Marketing NW Limited

Company Registration Number: 12686308

Trading as: PCPHero

FCA Reference Number: 930314

Registered Address: Houldsworth Business and Arts Centre, Houldsworth Street, Stockport, SK5 6DA

Contact Email: wecare@pcphero.co.uk

1. Data Protection Principles

All processing of personal data must be done in accordance with the following data protection principles of the UK GDPR:

  • Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently. The firm maintains transparent and easily accessible policies relating to the processing of personal data.
  • Purpose limitation: Personal data can only be collected for specified, explicit and legitimate purposes. Data obtained for specified purposes must not be used for a purpose that differs from those formally notified to the Information Commissioner.
  • Data minimisation: Personal data must be adequate, relevant and limited to what is necessary for processing. All data collection forms must be approved by the Data Protection Officer.
  • Accuracy: Personal data must be accurate and kept up to date. Data that is kept for a long time must be reviewed and updated as necessary.
  • Storage limitation: Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
  • Integrity and confidentiality: Personal data must be processed in a manner that ensures its security against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Transfer limitation: Personal data shall not be transferred to a country outside the UK/EU unless that country ensures an adequate level of protection for data subjects' rights and freedoms.

2. Accountability

The UK GDPR introduces the principle of accountability, which states that the controller is responsible not only for ensuring compliance but also for demonstrating that each processing operation complies with its requirements. Specifically, the firm is required to:

  • Maintain necessary documentation of all processing operations
  • Implement appropriate security measures
  • Perform Data Protection Impact Assessments (DPIAs) where required
  • Comply with requirements for prior notifications or approval from supervisory authorities
  • Appoint a Data Protection Officer if required

3. Data Subjects' Rights

Data subjects have the following rights regarding data processing and the data recorded about them:

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed
  • To prevent processing likely to cause damage or distress
  • To prevent processing for purposes of direct marketing
  • To be informed about the mechanics of automated decision-taking processes that will significantly affect them
  • Not to have significant decisions that will affect them taken solely by automated process
  • To sue for compensation if they suffer damage by any contravention of the UK GDPR
  • To take action to rectify, block, erase or destroy inaccurate data (including the right to be forgotten)
  • To request the ICO to assess whether any provision of the UK GDPR has been contravened
  • To have their personal data provided in a structured, commonly used and machine-readable format (data portability)
  • To object to any automated profiling carried out without their consent

4. Consent

The firm understands ‘consent’ to mean that it has been explicitly and freely given — a specific, informed and unambiguous indication of the data subject's wishes signifying agreement to the processing of personal data relating to them. Consent can be withdrawn at any time.

  • Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing
  • There must be some active communication between the parties demonstrating active consent
  • Consent cannot be inferred from non-response to a communication
  • For sensitive data, explicit written consent must be obtained unless an alternative legitimate basis for processing exists
  • Where the firm provides online services to children, parental or custodial authorisation must be obtained (applies to children under the age of 13)

5. Security of Data

All employees are responsible for ensuring that any personal data held by the firm is kept securely and is not disclosed to any third party unless specifically authorised. Personal data must be kept:

  • In a lockable room with controlled access
  • In a locked drawer or filing cabinet
  • If computerised, password protected in line with the Access Control Policy
  • On removable computer media that is encrypted

Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation. Personal data may only be deleted or disposed of in line with the Secure Disposal policy.

6. Disclosure of Data

The firm must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and in certain circumstances the Police. The UK GDPR permits certain disclosures without consent for the following purposes:

  • To safeguard national security
  • Prevention or detection of crime including the apprehension or prosecution of offenders
  • Assessment or collection of tax or duty
  • Discharge of regulatory functions (includes health, safety and welfare of persons at work)
  • To prevent serious harm to a third party
  • To protect the vital interests of the individual (life and death situations)

All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.

7. Retention and Disposal of Data

Personal data may not be retained for longer than it is required. Personal data must be disposed of in a way that protects the rights and freedoms of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and in line with the firm's secure disposal procedure.

  • Records are retained in line with the firm's Data Protection Policy and any applicable regulatory timeframe
  • The Data Protection Officer is responsible for ensuring data is reviewed annually and securely deleted once no longer required
  • Manual records that have reached their retention date are to be shredded and disposed of as confidential waste
  • Hard drives of redundant PCs are to be removed and destroyed before disposal

8. Data Protection Complaints

Data subjects who wish to complain about how their personal information has been processed may lodge their complaint directly with the firm. They also have the right to complain directly to the Information Commissioner's Office (ICO):

Website: https://www.ico.org.uk

Telephone: 0303 123 1113
