1. Introduction & Key Definitions
takepayments Limited is committed to conducting its business in accordance with all Data Protection laws and regulations and in line with the highest standards of ethical conduct.
The main Data Protection law relevant for the purposes of this Policy is the General Data Protection Regulation (EU) 2016/679 (the GDPR).
Under the GDPR, the following defined terms are used. These terms are also used in this Policy.
‘Personal Data’ is any information (including opinions and intentions) which relates to a Data Subject.
‘Process’ is given a very wide meaning under the GDPR and includes any operation or set of operations which is performed on Personal Data (whether or not by automated means) and includes collecting, recording, organising, adapting, retrieving, erasing and even just storing Personal Data (and in this Policy the terms ‘Processing’, ‘Processes’ and ‘Processed’ apply accordingly).
‘Data Subject’ is a living person who is identified or who could be identified, directly or indirectly (including by reference to a name, an identification number, location data, or various other factors).
‘Controller’ is a person or organisation who or which (whether alone or jointly with others) determines the purposes and means of the Processing of Personal Data.
‘Processor’ is any person or organisation who or which Processes Personal Data on behalf of the Controller.
‘Personal Data Breach’ is a breach of security leading to the accidental or unlawful destruction, loss or alteration of Personal Data, or unauthorised disclosure of or access to Personal Data.
Personal Data are subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may Process Personal Data.
takepayments, as a Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this Policy. Some of the requirements outlined in this Policy will also apply when takepayments is a Processor and (subject to acting in accordance with the Controller’s instructions and the terms of the contract between takepayments and the Controller) the relevant safeguards and requirements in this Policy should also be observed when takepayments operates in that capacity.
2. Policy Objectives
This is the Data Protection Policy for takepayments.
The objective of this Policy is to ensure that all colleagues have a clear understanding of their responsibilities in achieving and maintaining GDPR compliance and managing and controlling the associated risks. It is also intended to promote awareness throughout takepayments of the importance of compliance with the regulations and of the standards and values underpinning the GDPR.
The effectiveness of this Policy will be reviewed regularly, to ensure it keeps up to date with developments in the law and takepayments’s strategy for managing and protecting Personal Data.
Failure to comply with the regulations and ineffective management or control of Data Protection pose several risks including:
3. Scope
This Policy covers takepayments and all associated companies. References in this Policy to ‘takepayments’ shall therefore mean each such associated company, which shall be required to comply with the relevant requirements of this Policy.
This Policy applies to takepayments and all colleagues within any part of the organisation, including all operational and legal entities and applies in respect to all activities, including those relating to outsourced providers and other external contractors.
For the purposes of this Policy, the term “colleague” includes (but is not limited to) an individual who has entered into a contract of employment, as well as independent contractors, agency staff, outsourced service suppliers, consultants and third parties contracting on behalf of takepayments and all associated companies.
This Policy applies to all Processing of Personal Data in electronic form, including electronic mail and documents created with word processing software, or where data are held in manual files that are structured in a way that allows ready access to information about Data Subjects.
This Policy has been designed to establish a standard for the Processing and protection of Personal Data by takepayments. Where any applicable law imposes a requirement which is stricter than imposed by this Policy, the requirements in law must be followed. Furthermore, where applicable law imposes a requirement that is not addressed in this Policy, the relevant law must be adhered to. If there are conflicting requirements in this Policy and applicable law, please consult with the Data Protection Officer (DPO) for guidance.
If a colleague is in any doubt as to whether any information or data is Personal Data and/or about the scope and application of this Policy, they should contact the DPO for guidance.
4. Responsibilities
4.1 Board
The Board is ultimately responsible for ensuring that this Policy remains up to date and is implemented effectively, ensuring that all colleagues responsible for the Processing of Personal Data are aware of and comply with the contents of this Policy.
4.2 Line Management
Directors and Senior Management are responsible for managing Data Protection Risk arising in their areas of responsibility. This includes:
Line Managers are responsible for designing, implementing and operating controls that ensure the Information Security Policy is adhered to in their area, in addition to the requirements of this Policy.
5. Data Protection Officer
To demonstrate the commitment to Data Protection, and to enhance the effectiveness of our compliance efforts, takepayments has appointed a Data Protection Officer (“DPO”). The DPO’s contact details are set out at the end of this Policy, in section 18.
The DPO reports to the Board and their duties include:
6. Data Protection Principles
The GDPR sets out the following six principles to govern the collection, use, retention, transfer, disclosure and destruction of Personal Data. takepayments must comply with these principles and must also be able to demonstrate that it complies.
6.1 Principle 1: Lawfulness, Fairness and Transparency
Personal Data shall be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
This means that:
6.2 Principle 2: Purpose
Personal Data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
This means takepayments must specify why Personal Data are being collected and what will be done with it (including giving appropriate ‘fair processing’ notices/Privacy Notices) and must limit the Processing of that Personal Data to only what is necessary to meet the specified purpose (unless it has other lawful grounds for the Processing).
6.3 Principle 3: Data Minimisation
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
This means takepayments must:
6.4 Principle 4: Accuracy
Personal Data shall be accurate and kept up to date and every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified without delay.
This means takepayments must take steps to ensure the accuracy of any Personal Data it obtains (checking the source of the information if appropriate) and have in place processes for identifying and addressing out-of-date and incorrect Personal Data (including to deal with any challenges to the accuracy of information).
6.5 Principle 5: Retention
Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed.
This means takepayments must have in place processes to review the length of time Personal Data are kept (having regard to the purpose or purposes they are held), to update, archive or securely delete information if it goes out of date and to securely delete information that is no longer needed.
6.6 Principle 6: Integrity & Confidentiality
Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This means takepayments must have appropriate security to prevent Personal Data from being compromised, ensuring that appropriate technical and organisational measures are in place to ensure that the integrity and confidentiality of Personal Data is maintained at all times.
takepayments needs to design and organise its security to fit the nature of the Personal Data held and the harm that may result from a Personal Data Breach (which will include having regard to any ‘special categories’ of Personal Data as referred to in section 7.2). Apart from having the right physical and technical security, takepayments must ensure this is supported by robust policies and procedures (and reliable, well-trained staff).
7. Data Collection
7.1 Data Sources & Information to be given to Data Subjects
takepayments should collect Personal Data only from the Data Subject unless one of the following applies:
When takepayments is acting as Controller, the Data Subject must be given certain information about the collection and use of their Personal Data, regardless of whether Personal Data are collected from the Data Subject or from someone other than the Data Subject. A list of the disclosures that need to be made available to the Data Subject is provided in Appendix 1.
When the Personal Data are obtained directly from the Data Subject, that information has to be provided at the time the Personal Data are obtained.
When the Personal Data are not obtained directly from the Data Subject, that information has to be provided:
7.2 Special Categories of Personal Data
The GDPR refers to ‘special categories’ of Personal Data (also sometimes referred to as ‘sensitive’ Personal Data), which means the following categories of data:
The Processing of special categories of Personal Data is prohibited by law, with certain exemptions. Accordingly, takepayments will not Process special categories of Personal Data unless any of the following conditions are met:
If a colleague is in any doubt about the Processing of special categories of Personal Data, the Data Protection Officer must be consulted for guidance.
7.3 Data Subject Consent
takepayments will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and consent of the Data Subject. Where a need exists to request and receive the consent of a Data Subject prior to the collection, use or disclosure of their Personal Data, takepayments will ensure that such consent is obtained.
The Data Protection Officer, in consultation with other relevant business representatives, shall establish policies and procedures for obtaining and documenting Data Subjects’ consent for the collection, Processing and/or transfer of their Personal Data. The policies and procedures must include provisions for:
8. Lawful Processing & Disclosures
The consent of a Data Subject to Process their Personal Data is only one ground on which takepayments may lawfully Process any Personal Data. Other grounds on which Personal Data may be Processed (without the consent of a Data Subject) include:
Accordingly, takepayments may be permitted (or required) to Process Personal Data in various circumstances. If a colleague is in any doubt as to whether any Personal Data can be lawfully Processed, they should contact the Data Protection Officer for guidance before undertaking any such Processing.
In some circumstances, takepayments may receive a request from a court or any regulatory or law enforcement authority (including the Police) for information relating to a Data Subject. In these circumstances, the Data Protection Officer must be immediately notified and they will provide guidance and assistance.
9. Privacy Notices
takepayments’s Privacy Policy (also known as a ‘fair processing’ notice) sets out details of how takepayments collects and otherwise Processes any Personal Data.
The Privacy Policy will be brought to the attention of Data Subjects at the appropriate point, in accordance with the requirements outlined above.
takepayments’s website will also include its Privacy Policy and an online ‘Cookie Notice’ fulfilling the requirements of applicable law.
10. Data Subject Rights
The Data Protection Officer will establish policies and procedures to enable and facilitate the exercise of Data Subject rights set out below.
Section 10.9 sets out the timescales and other information requirements which takepayments must comply with regarding the exercise of each of those rights, together with details about the circumstances when charges can be levied.
If a request is received relating to any of the rights listed above, takepayments will consider each such request in accordance with all applicable Data Protection laws and regulations (and having regard to the relevant provisions of this Policy).
takepayments must verify the identity of the person making the request, using “reasonable means”. Appropriate verification must confirm that the requestor is the Data Subject or is authorised to make the request on their behalf. takepayments should not provide any information or take any action in response to a request pending verification of such identity or authority, because of the risk of disclosing information to someone who is not entitled to it. Where takepayments has reasonable doubts concerning the identity and/or authority of the person making the request, takepayments may request the provision of additional information necessary to confirm this.
All requests received must be directed to the Data Protection Officer, who will log each request as it is received and deal with it accordingly.
10.1 Right of Access
Data Subjects have the right to obtain:
If the request is made electronically, takepayments should provide the information in a ‘commonly used electronic format’.
It should be noted that situations may arise where providing the information requested by a Data Subject would disclose Personal Data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that other person’s rights.
10.2 Data Rectification
A Data Subject has the right to have their Personal Data rectified if they are inaccurate or incomplete.
If takepayments has disclosed the relevant Personal Data to any third parties, it must inform those third parties about the rectification, unless it is impossible or involves disproportionate effort to do so. If the Data Subject so requests, takepayments must also inform the Data Subject about those third parties.
10.3 Data Erasure
A Data Subject has a right to have their Personal Data erased and to prevent Processing in certain circumstances. The right to erasure is also known as ‘the right to be forgotten’, but the right to erasure does not provide an absolute ‘right to be forgotten’.
A Data Subject has a right to have their Personal Data erased and to prevent further Processing of it in any of the following circumstances:
A Data Subject does not have to show that the Processing causes damage or distress when requesting erasure of the Personal Data, but if the Processing does cause damage or distress then this is likely to make the case for erasure stronger and takepayments would need to consider the request accordingly.
There are some specific circumstances where the right to erasure does not apply. takepayments can refuse to comply with a request for erasure where the Personal Data are Processed for the following reasons:
There are also specific rules relating to the right of erasure for children’s Personal Data (which may be processed via takepayments’s HR department for life assurance/pensions purposes) and where relevant guidance should be sought from the Data Protection Officer.
If takepayments has disclosed the relevant Personal Data to any third parties, it must inform those third parties about the erasure, unless it is impossible or involves disproportionate effort to do so. If the Data Subject so requests, takepayments must also inform the Data Subject about those third parties.
10.4 Restriction of Processing
Data Subjects have a right to restrict Processing of their Personal Data. takepayments must restrict the Processing of Personal Data in any of the following circumstances:
When Processing is restricted, takepayments may store the Personal Data, but not further Process it. takepayments is also permitted to retain just enough information about the Data Subject to ensure that the restriction is respected in future (but no more than this).
If takepayments has disclosed the relevant Personal Data to any third parties, it must inform those third parties about the restriction on the Processing of that Personal Data, unless it is impossible or involves disproportionate effort to do so. If the Data Subject so requests, takepayments must also inform the Data Subject about those third parties.
If takepayments decides to lift a restriction on Processing then it must inform the Data Subject of this decision.
The Data Protection Officer will establish policies and procedures to ensure takepayments is able to determine where it may be required to restrict the Processing of Personal Data.
10.5 Objection to Processing
Data Subjects have the right to object to:
For objections relating to Processing of data for the performance of a legal task or takepayments’s legitimate interests, Data Subjects must have an objection on “grounds relating to his or her particular situation”. takepayments must stop Processing the Personal Data on request unless:
For objections relating to Processing of data for direct marketing purposes, takepayments must stop Processing Personal Data for those purposes as soon as the objection is received.
For objections relating to Processing of Personal Data for the purposes of certain research and statistics, Data Subjects must have an objection on “grounds relating to his or her particular situation”.
takepayments cannot charge for dealing with these objections.
Where the relevant Processing activities fall into any of the above categories and are carried out online, takepayments must offer a way for Data Subjects to object online.
10.6 Rights related to automated decision making and profiling
Data Subjects have rights in certain circumstances to object to decisions being taken about them without human intervention, including profiling (which means any form of automated processing intended to evaluate certain personal aspects of a Data Subject).
takepayments should not undertake any processing operations which constitute automated decision making without the approval of the Data Protection Officer (who will consider whether new policies and procedures are required to deal with the rights of the Data Subjects in this regard).
10.7 Data Portability
The right to data portability allows a Data Subject to obtain and reuse their Personal Data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
Where the right of data portability applies, takepayments must provide the Personal Data in a structured, commonly used and machine-readable form (such as CSV files). ‘Machine-readable’ means that the information is structured so that software can extract specific elements of the data, which enables other organisations to use the information.
takepayments must provide the information free of charge.
If the Data Subject requests it, takepayments may be required to transmit the Personal Data directly to another organisation if this is technically feasible.
10.8 Right to make complaints
Data Subjects have a right to make complaints. For more details, see section 13.
10.9 Timescales, Charges and Information Requirements
The provisions below apply to any exercise by a Data Subject of any of the above rights, except as otherwise stated above with regard to any specific right.
takepayments must provide the information and/or complete the request (as applicable) without delay - and at the latest within one month of receipt of the request. However, this period can be extended by a further two months where requests are complex or numerous. If this is the case, takepayments must inform the Data Subject within one month of the receipt of the request and explain why the extension is necessary.
Where the Data Subject makes the request by electronic means, the relevant information must be provided by electronic means where possible (unless otherwise requested by the Data Subject).
In most cases, takepayments must provide the information or take the action requested free of charge. However, a ‘reasonable fee’ can be charged when (a) a request is manifestly unfounded or excessive (particularly if it is repetitive); or (b) requests are made for further copies of the same information previously provided by takepayments. Note that this does not mean that takepayments can charge for all subsequent requests. The fee must be based on the administrative costs of providing the information or communication or taking the action requested.
Where requests are manifestly unfounded or excessive (particularly where they are repetitive), takepayments may, instead of charging a reasonable fee as set out above, refuse to respond. In this case, takepayments must explain to the Data Subject (without undue delay and in any event within one month from the date of the request) why it has refused, informing the Data Subject of their right to complain to the supervisory authority and to a judicial remedy.
11. Data Transfers
takepayments must comply with strict rules regarding transfers of Personal Data outside of the EU (including to an international organisation), whether the transfer is to another takepayments company or to a third party. These rules are in place to ensure that the level of protection of Data Subjects afforded by the GDPR is not undermined. takepayments must only transfer Personal Data outside of the EU or to an international organisation where permitted as set out below.
11.1 Data Transfers to Another Country or International Organisation
Transfers on the basis of an adequacy decision
takepayments may transfer Personal Data to another country or an international organisation where that country is recognised by law as having an adequate level of legal protection for the rights and freedoms of the relevant Data Subjects or the international organisation in question ensures an adequate level of protection.
For a list of countries currently recognised as having an adequate level of legal protection, see Appendix 2. This list may change from time to time (where authorisations or approvals are amended, replaced or repealed) and accordingly the Data Protection Officer shall ensure that Appendix 2 is updated when applicable.
Transfers subject to appropriate safeguards
takepayments may only transfer Personal Data to another country (whether to group companies or third parties located in another country) which is not approved as above, where one of the transfer scenarios listed below applies:
Transfers in other situations
In the absence of an adequacy decision or of appropriate safeguards as outlined above, takepayments may only transfer Personal Data to another country or an international organisation where one of the following conditions is met:
Where none of the conditions above apply, the only other situation in which a transfer to another country or an international organisation may take place is where the transfer:
In the above situation, takepayments is obliged to: (a) inform the supervisory authority of the transfer and (b) inform the Data Subject of the transfer and of the compelling legitimate interests pursued for the transfer, in addition to providing the other information which is required to be provided to Data Subjects as outlined in section 7.1.
11.2 Transfers between Group Companies
If there are occasions when it is necessary for takepayments to transfer Personal Data from one group company to another, or to allow access to the Personal Data from an overseas location then the company transferring the Personal Data remains responsible for ensuring protection for that Personal Data, but the company receiving the Personal Data should also observe appropriate safeguards as outlined in this Policy.
When transferring Personal Data to another company or allowing another company access to it, takepayments must:
11.3 Transfers to Third Parties
takepayments will only transfer Personal Data to, or allow access by, any third parties when it is assured that the information will be Processed legitimately and protected appropriately by the recipient.
Where third party Processing takes place, takepayments will first identify the role of takepayments and the third party and ensure that an appropriate written agreement is in place, as referred to in section 11.4.
When takepayments is outsourcing services to a third party (including Cloud Computing services), it will identify whether the third party will Process Personal Data on its behalf and whether the outsourcing will entail any transfers of Personal Data to another country or international organisation.
Where third parties, whether companies or individuals, are engaged to Process Personal Data on takepayments’s behalf (i.e. Processors), assurance of such compliance must be obtained from such third parties prior to granting them access to Personal Data controlled by takepayments. Written contracts should also be in place, which include the minimum required terms pursuant to the GDPR, prior to any Processing.
The Data Protection Officer shall conduct regular audits of Processing of Personal Data performed by third parties on behalf of takepayments, especially in respect of technical and organisational measures they have in place. Any deficiencies identified will be reported to the Board and may be monitored further accordingly.
11.4 Assessing the Role of Controller and Processor
Before any Personal Data are transferred to or from takepayments, it is imperative to ascertain which party is the Controller and which is the Processor of the relevant Personal Data.
In either case, takepayments must enter into, in consultation with the Data Protection Officer, an appropriate written agreement with the Controller to clarify each party’s responsibilities in respect to the Personal Data transferred, prior to any Processing taking place.
Where the third party is a Processor, that agreement must also include certain minimum required terms pursuant to the GDPR (which the Data Protection Officer, or takepayments’s legal advisors, can advise on). takepayments must also ensure, prior to any Processing taking place, that appropriate assurance of compliance with the requirements of all applicable Data Protection laws is obtained from the Processor.
In some instances, it is possible that both takepayments and a third party could be a Controller of the relevant Personal Data, in which case the Data Protection Officer will provide guidance and advice on the relevant procedures to be followed.
12. Data Protection by Design
To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing.
takepayments must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in consultation with the Data Protection Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Board for review and approval.
Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will consult with the Data Protection Officer to assess the impact of any new technology uses on the security of Personal Data.
13. Complaints Handling
Data Subjects who wish to complain about the Processing of their Personal Data will be notified that they should put the complaint in writing to the Data Protection Officer.
If any colleague receives a complaint directly from a Data Subject (whether or not made in writing), they should inform the Data Protection Officer.
An investigation of the complaint will be carried out by the Data Protection Officer to the extent that is appropriate based on the merits of the specific case. The Data Protection Officer will inform the Data Subject of the progress and the outcome of the complaint within a reasonable period (and, where appropriate, will ensure that colleagues are apprised of the progress and/or outcome of the complaint).
If the issue cannot be resolved through consultation between the Data Subject and the Data Protection Officer, then the Data Subject may, at their discretion, seek legal redress and/or complain to the relevant supervisory authority.
14. Breach Reporting
Any colleague who suspects that a Personal Data Breach has occurred must immediately notify the Data Protection Officer, providing a full description of what occurred and (as far as possible) the Personal Data involved.
The Data Protection Officer will investigate all reported incidents to confirm whether or not a Personal Data Breach has occurred. If a Personal Data Breach is confirmed, the Data Protection Officer will follow the relevant procedure in takepayments’s Data Breach Policy based on the criticality and quantity of the Personal Data involved.
15. Accountability & Records
takepayments must be able to demonstrate compliance with the GDPR. All colleagues should undertake their activities accordingly, so that compliance can be readily demonstrated as applicable. This includes making and maintaining written records of all relevant activities relating to the Processing of Personal Data (including with regard to decisions made, actions taken and analysis of Data Protection Impact Assessments).
takepayments also has specific legal responsibilities to maintain certain internal records regarding Processing activities which are under its responsibility, as follows.
In its capacity as a Controller, takepayments must maintain written/electronic records of the following information:
In its capacity as a Processor, takepayments must maintain written/electronic records of all categories of Processing activities carried out on behalf of the Controller, containing:
16. Data Protection Training
All takepayments employees who have access to Personal Data will have their responsibilities under this Policy outlined to them as part of their staff induction training. In addition, takepayments will provide regular Data Protection training and procedural guidance for its staff.
The training and procedural guidance will consist of, at a minimum, the following elements:
17. Compliance Monitoring
To confirm that an adequate level of compliance is being achieved in relation to this Policy, the Data Protection Officer may carry out a Data Protection compliance audit. An audit, if carried out, will look at some or all of the following areas:
The Data Protection Officer, in consultation with key business stakeholders, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. The creation of any such rectification plan does not absolve responsibility for the identified deficiencies or any failure to comply with this Policy.
The Data Protection Officer may (at their discretion) report any identified deficiencies to the Board/Senior Management team. The DPO (and/or the Board/Senior Management team) may monitor the rectification of the identified deficiencies and conduct further audits.
18. Contact Details
Data Protection Officer (DPO):
Julia Lowe
takepayments Limited
First Floor, Suites 3/4
Origin 4, Genesis Office Park
Genesis Way
Europarc
Grimsby
North East Lincolnshire
DN37 9TZ
Email: Julia.Lowe@takepayments.com
Appendices
Appendix 1 – Information Notification to Data Subjects
The table below outlines the various information elements that must be provided by the Controller to the Data Subject depending upon whether or not the information has been obtained from the Data Subject.
| Information to be supplied | Data obtained directly from Data Subject | Data not obtained directly from Data Subject |
| --- | --- | --- |
| The identity and the contact details of the Controller and, where applicable, of the Controller’s representative. | ✓ | ✓ |
| The source the Personal Data originates from, and if applicable, whether it came from publicly accessible sources. | | ✓ |
| The contact details of the Data Protection Officer, where applicable. | ✓ | ✓ |
| The purpose(s) and legal basis for Processing the Personal Data. | ✓ | ✓ |
| The categories of Personal Data concerned. | | ✓ |
| The recipients or categories of recipients of the Personal Data. | ✓ | ✓ |
| Where the Controller intends to transfer Personal Data to a recipient in another country, details of that transfer and the applicable safeguards. | ✓ | ✓ |
| The period for which the Personal Data will be stored, or the criteria used to determine that period. | ✓ | ✓ |
| Where applicable, the legitimate interests pursued by the Controller or by a third party. | ✓ | ✓ |
| The existence of each of the Data Subject rights - information access, objection to Processing, objection to automated decision-making and profiling, restriction of Processing, data portability, data rectification and data erasure. | ✓ | ✓ |
| Where Processing is based on Consent, the existence of the right to withdraw Consent at any time. | ✓ | ✓ |
| The right to lodge a complaint with a supervisory authority. | ✓ | ✓ |
| The existence of automated decision-making (including Profiling) along with meaningful information about how decisions are made, the significance and the consequences. | ✓ | ✓ |
| Whether the provision of Personal Data is part of a statutory or contractual requirement and if so the possible consequences of failure to provide such data. | ✓ | |
Appendix 2 – Adequacy for Personal Data Transfers
The following is a list of countries recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of their Personal Data.