
UK GDPR Policy

Relendex – The UK General Data Protection Regulation (The UK GDPR)

Policy Introduction

The UK GDPR is retained in domestic law now the transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.
The key principles, rights and obligations remain the same.
Our lead data supervisory authority is the Information Commissioner’s Office (ICO).
As we decide how to process the data we collect on individuals, we are defined as a “data controller” by the ICO. This policy relates to Relendex Ltd.

Overview

The UK GDPR protects your personal data against the risks and losses caused by cyber attacks, which are an ever-growing problem. Failure to provide adequate data protection is a major reputational risk to the firm and can result in fines and other serious consequences.

Awareness

Decision makers and key people in Relendex Ltd are trained to be aware of the UK GDPR provisions.
As Relendex currently employs fewer than 250 employees, a Data Protection Officer is not required. The person responsible for data protection in the business is currently Max Lehrain.

Personal Data

Under the UK GDPR, “personal data” has a wide definition and includes identifiers such as an ID number, location data, and online identifiers (IP addresses, cookie identifiers, RFID tags, etc.).
Relendex Ltd must document what personal data is held, where it came from, and who it is shared with.
Additional information required includes the legal basis for data collection, retention periods, and the right of individuals to complain to the ICO.

Six General Principles Regarding Personal Data

Relendex Ltd will adhere to the following six general principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation – data must only be collected for specified, legitimate purposes
  3. Data minimisation – data must be adequate, relevant, and limited to what is necessary
  4. Accuracy – data must be accurate and kept up to date
  5. Storage limitation – data must be kept no longer than necessary
  6. Integrity and confidentiality – data must be protected with appropriate security measures

Accountability

Relendex Ltd must demonstrate compliance with the six principles and maintain appropriate governance measures.

Individual Rights

Individuals have the right under the UK GDPR to:

  • Access their data
  • Request rectification of inaccuracies
  • Request erasure (right to be forgotten)
  • Restrict processing
  • Object to processing
  • Data portability
  • Prevent direct marketing and automated decision-making

The Right to Be Informed

Individuals must receive clear, fair processing information through privacy notices.

The Right of Access

Individuals may request confirmation, access to their personal data, and privacy information.
Requests must be:

  • Acknowledged promptly
  • Responded to within 30 days (extendable by two months if complex)
  • Free of charge (unless excessive/unfounded)
  • Delivered in a common electronic format

The Right to Rectification

Individuals can request corrections to inaccurate or incomplete data.
Relendex must:

  • Verify identity
  • Act within 30 days
  • Notify recipients of the data, where applicable

The Right to Erasure

Applicable when:

  • Data is no longer necessary
  • Consent is withdrawn
  • Processing is unlawful
  • A legal obligation requires erasure
  • Data was collected from children

The Right to Restrict Processing

Applicable when:

  • Accuracy is contested
  • Processing is objected to
  • Processing is unlawful but erasure is not desired
  • Data is needed for legal claims

The Right to Data Portability

Individuals can request their data in a structured, commonly used, machine-readable format.
Requests must be fulfilled within 30 days and free of charge unless complex.

The Right to Object

Individuals can object to:

  • Processing for legitimate interests
  • Direct marketing
  • Research/statistics

Direct marketing objections must be honoured immediately.

Legal Basis for Processing

All data processing must have a legal basis disclosed in privacy notices.
Consent must be explicit and withdrawal must be as easy as giving consent.

Data Breaches

Data breaches must be reported within 72 hours if likely to result in risk to individuals.
Subjects must be informed without undue delay, and an internal breach register must be maintained.

Penalties

  • Up to 2% of global turnover or €10 million for record keeping and governance failures
  • Up to 4% of global turnover or €20 million for breaches of data rights or principles
  • Individuals may claim compensation for material or non-material damage
