Buddy Reel App (The Yellow Boys Ltd) is fully committed to and compliant with the requirements of the General Data Protection Act 2018 (GDPR), Privacy & Electronic Communications (EC Directive) Regulations 2003 (PECR). The company will, therefore, follow procedures that aim to ensure that all individuals who have access to any Personal Data held by or on behalf of the company are fully aware of and abide by their duties and responsibilities under the above Act and regulations.
Buddy Reel App (The Yellow Boys Ltd) regards the lawful and correct treatment of Personal Data is essential to its successful operations and to maintaining confidence between the company, its employees, clients, and temporary workers. The company will, therefore, ensure that it treats Personal Data lawfully and correctly. To this end, the company fully endorses and adheres to the Principles of Data Protection as set out in the General Data Protection Regulations 2018 as detailed below.
- Operating a secure internet connection.
- Ensuring devices and software have security provisions.
- Controlling access to our data and services.
- Protecting our equipment and software from viruses and other malware.
- Keeping our devices and software up to date.
Scope of the Policy
In order to operate efficiently, Buddy Reel App (The Yellow Boys Ltd) has to collect and use information about the people that sign up for or download the app. Personal Data must be handled and dealt with properly however it is collected, recorded, and used, and whether it be on paper, in computer records, or recorded by any other means, and there are safeguards within the GDPR to ensure this.
All employees are required to comply with this policy when dealing with other employees, consultants, clients, suppliers, customers and contacts of the Company, and anyone else with whom they come into contact during the course of their employment.
All employees are made fully aware of this policy and of their duties and responsibilities under the GDPR. In addition, we have a full GDPR Data Protection Policy which provides more detailed information relating to our obligations and controls to manage data in line with current legislation.
It is the direct responsibility of the Managing Director to ensure the implementation of this policy on a day-to-day basis; however, all employees have a responsibility to accept their personal involvement in applying it and must be familiar with the policy and ensure that it is followed by both themselves and employees for whom they have a responsibility.
Disciplinary action may be taken against any employee who acts in breach of this policy. Disciplinary action may include summary dismissal in the case of a serious breach of this policy or repeated breaches. In other cases, it may include a verbal or written warning. Such action will be taken in accordance with the Company’s disciplinary procedure.
Breaches of this policy may also result in the employee responsible being held personally liable for compensation if legal action is taken in relation to data protection.
The Principles of Data Protection
We adhere to the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
- Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness, and Transparency).
- Collected only for specified, explicit, and legitimate purposes (Purpose Limitation).
- Adequate, relevant, and limited to what is necessary for relation to the purposes for which it is Processed (Data Minimisation).
- Accurate and where necessary kept up to date (Accuracy).
- Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity, and Confidentiality)
- Not transferred to another country without appropriate safeguards being in place
- Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).
We are responsible for and can demonstrate on request compliance with the data protection principles listed above.
Lawfulness, Fairness & Transparency
Personal Data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
We will only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing, but ensure that we Process Personal Data fairly and without adversely affecting the Data Subject. The GDPR allows Processing for specific purposes, some of which are set out below:
- The Data Subject has given his / her Consent;
- The Processing is necessary for the performance of a contract with the Data Subject;
- To meet our legal compliance obligations.;
- To protect the Data Subject’s vital interests; or
You must identify and document the legal ground being relied on for each Processing activity.
A Data Subject Consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are insufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters. For example, we request that a ‘User’ gives ‘Consent’ when they sign up to the app via Facebook, only taking this information to better enhance their experience.
Data Subjects can easily withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if we intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first Consented.
Unless we can rely on another legal basis of Processing, Explicit Consent is usually required for Processing Sensitive Personal Data, for Automated Decision-Making and for cross border data transfers.
Usually, we will be relying on another legal basis (and not require Explicit Consent) to Process most types of Sensitive Data. Where Explicit Consent is required, we will issue a Fair Processing Notice to the Data Subject to capture Explicit Consent. Sensitive Personal Data may be particularly relevant when collecting personal and work information from a candidate or temporary worker, therefore, we will take particular care whenever collecting and Processing such information.
We keep records of all Consents so that we can demonstrate compliance with Consent requirements if required to do so.
Transparency (Notifying Data Subjects)
Personal Data will only be collected for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes. We will not use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have Consented where necessary.
Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. We will only Process Personal Data when performing when it is required to perform our job duties and services. We will not collect excessive data and we will ensure that when Personal Data is no longer needed for the specified purposes, it is deleted or anonymised in accordance with the Company’s data retention guidelines.
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when found to be inaccurate. We will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards and take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. We maintain a retention procedure to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. Thereafter we will take all reasonable steps to destroy or erase it from our systems.
Disposal of Records
Electronic records will be securely and permanently deleted as appropriate. We will maintain records of disposal and will detail the date and the name of the person who authorised the record’s disposal for all records that are either deleted or destroyed.
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
In line with regulation 6 of the PECR, when people visit our website, we:
- Tell people the cookies are there
- Explain what the cookies are doing and why; and
- Get the person’s Consent to store a cookie on their device.
We then allow them to set their preferences to accept or reject cookies by obtaining Explicit Consent. Restricting or rejecting cookies on our website may, however, mean that certain areas of the site will not function correctly.
This is done the first time we set cookies for each piece of equipment and again if we make significant changes to the cookies on the site.
We may also use third-party apps, tools, plug-ins and widgets on our website(s), and these may use automated means to collect information relating to how you interact with these features. Such information collected is subject to the privacy policies of those providers and to applicable law. Buddy Reel App (The Yellow Boys Ltd) is not responsible for the practices of these providers.
Access by Data Subjects
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
- Withdraw Consent to Processing at any time (where the Company is relying on Consent);
- Receive certain information about our Processing activities;
- Request access to their Personal Data that we hold;
- Prevent our use of their Personal Data for direct marketing purposes;
- Ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- Restrict Processing in specific circumstances;
- Challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
- Request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- Request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- Prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
- Be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- Make a complaint to the supervisory authority; and
- In limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
We will verify the identity of an individual requesting data under any of the rights listed above and will not allow third-parties to persuade us to disclose Personal Data without proper authorisation.
Any Data Subject request must be forwarded to the Operations Director.
The Compliance Manager will be responsible for ensuring that the Policy is implemented. Implementation will be led and monitored by the Operations Director who will have overall responsibility for:
- The provision of cascade data protection training, for staff within the company.
- For the development of best practice guidelines.
This policy will be reviewed regularly and may be altered from time to time in light of legislative changes or other prevailing circumstances.