For the purposes of this policy, Dropless Limited complies with the Data Protection Legislation by following several important principles regarding the privacy and disclosure of information about individuals.
The information below sets out how Dropless uses and protects the data collected via our website, mobile app, telephone or other means, and how we safeguard that information. Dropless is fully committed to protecting your privacy.
Owner and Data Controller
Unit 1F, Clapham North Business Centre,
26-32 Voltaire Rd,
London SW4 6DH
Owner contact email: [email protected]pless.co.uk
This is the privacy notice of Dropless. In this document, “we”, “our”, or “us” refer to Dropless.
We are registered in England as company number 11018311.
Data Protection law
The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) describe how organisations must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) are underpinned by eight important principles. These say that personal data must:
– Be processed fairly, lawfully and transparently
– Be obtained only for specific, lawful purposes
– Be adequate, relevant and not excessive
– Be accurate and kept up to date
– Not be held for any longer than necessary
– Be processed in accordance with the rights of data subjects
– Be protected in appropriate ways
– Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection or derogations / contracts are in place.
When does this policy apply?
The Data Protection Legislation, and therefore this policy, applies to any situation in which a living natural person can be identified from personal data. The protection of personal privacy is very important to Dropless Ltd., and any personal data collected and used MUST be treated in accordance with current Data Protection Legislation.
This policy applies to all employees, partners, contractors, suppliers and any other individuals working for or on behalf of Dropless Ltd.
What is covered by this policy?
The processing, controlling, capture, storage, management, distribution, and secure destruction of any personal data for natural living persons connected with Dropless Ltd.
What personal data do we control/process?
Dropless Ltd. controls/processes a range of personal data obtained during the course of our work with you. This may include (but is not limited to):
– Name, personal address, telephone numbers and email address details
Mode and place of processing the data – Methods of processing
Dropless Ltd. processes the Data of Users appropriately and takes suitable security measures to prevent unauthorised access, disclosure, modification or destruction of the Data. Processing is carried out using computers and/or IT-enabled tools, following organisational procedures and methods strictly related to the stated purposes. In addition to the Data Controller, the Data may in some cases be accessible to certain categories of staff involved in operating the site (administration, sales, marketing, legal, system administration) or to external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies and communications agencies) appointed, where necessary, as Data Processors by the Owner. An up-to-date list of these parties may be requested from the Data Controller at any time.
Data Protection Risks
This policy helps protect Dropless Ltd. and you from real, everyday security risks, including:
– Breaches of confidentiality (e.g. blagging offences, or information being given out inappropriately)
– Failure to offer choice (all individuals are free to choose how Dropless Ltd. uses their information, subject to other contractual obligations)
– Reputational damage (e.g. damage resulting from a hacking attack)
The Board of Directors is committed to ensuring that Dropless Ltd. takes its responsibility to comply with the Data Protection Legislation seriously throughout the company. In order to operate our business and carry out our contractual obligations and duties, Dropless Ltd. is required to collect and use personal information relating to current, past and prospective clients, staff, business contacts, suppliers, third parties, third-party service providers and others with whom we are required to communicate.
We may also be required by law or as part of our responsibilities as professional service providers to collect, use and share personal information with government departments, agencies, and regulators, or in some cases as part of the public interest. We will process this personal information lawfully, fairly and in a transparent way.
We believe that the lawful and correct way in which we deal with personal data is critical to our success, maintaining our reputation, integrity, and our clients’ confidence in us as an open and professional organisation.
To enable Dropless Ltd. to meet our data protection commitments, whilst protecting our reputation, we will adopt appropriate and relevant data protection and privacy standards, guidelines, and requirements for legal, regulatory or legitimate organisational purposes. When dealing with personal data Dropless Ltd. will:
– Voluntarily appoint an external DPO
– Process personal information only where this is strictly necessary in a fair and lawful way, ensuring it is relevant and adequate
– Keep the information we hold to a minimum, and only for as long as we have a purpose to retain it, in line with what is required of us by law and as set out in Dropless Ltd.'s Data Retention Policy
– Where appropriate, carry out Data Protection Impact Assessments where personal data is being processed
– Have in place written contracts with organisations who process personal data on our behalf in support of delivering our business
– Provide clear details about how personal information is used and by whom, taking particular care when dealing with high-risk personal information
– Maintain full records of personal information processed by ourselves including the categories and purposes for each category
– Keep accurate personal information, update as appropriate, store securely and do not hold for any longer than necessary, ensuring that we dispose of it appropriately
– Take a ‘data protection by design and default’ approach throughout the entire lifecycle of our processing/controlling of data, adopting and implementing appropriate technical and organisational security measures, including maintaining effective data protection policies to safeguard personal information
– Only transfer personal information outside the UK in circumstances where it can be adequately protected
– Provide a strategy for dealing with regulators across the EU (EEA) where services are offered to those who are resident in other EU (EEA) countries
– Ensure that people know about their rights to see the personal information we hold about them and that we respond appropriately, taking into account the exemptions allowed by Data Protection Legislation, should a request for access, rectification or erasure (the right to be forgotten) be received.
To effectively manage our responsibilities Dropless Ltd. will ensure:
– The DPO has specific responsibility for data protection within Dropless Ltd. You can contact our GDPR DPO by emailing [email protected]
– We document our approach to managing breaches and Subject Access Requests (SARs), and keep evidence of the steps we take to comply
– We regularly review and audit how we handle personal information
– We clearly describe the ways in which personal information is treated with a commitment to continuous improvement and will communicate to train and support internal departments as appropriate
– Staff handling personal information understand that they are responsible for following good practice, they will receive appropriate training and are properly supervised. We ask all staff annually to renew their online GDPR and Security Management training and sign our information security policy agreement. We regularly assess the performance of all our people who handle personal information.
– In the event of a data or privacy breach, we take swift and appropriate steps to contain it, to minimise harm and reputational damage to Dropless Ltd. and any affected third parties, and to minimise any associated business disruption
– We have appropriate systems and procedures in place to deal with breaches occurring outside of core office hours and that these will be managed in line with the defined company approach.
– Dropless Ltd. ensures that we are lawful, fair, compliant and transparent when we process personal information. Subject to the Data Protection Legislation, individuals have the following rights:
– To be informed of the purpose of the processing and the lawful basis for it.
– To access their personal data and to request rectification or erasure if it is inaccurate or incomplete.
– To restrict and/or object to the processing of their data.
– To data portability, allowing them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
– Not to be subject to automated individual decision-making or profiling. We do not currently use automated individual decision-making or profiling; should the need ever arise, we will ensure it is necessary for a contract, is lawful and/or is based on the individual's consent.
Subject Access Requests
Everyone has the right to request a copy of the personal information we hold about them. We are required to respond to any such request within one month of receipt, so it is very important that these requests are recognised and dealt with promptly, effectively and in line with our documented approach. Requests should be sent in writing to the above address or by email to [email protected]
Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If a data breach occurs, the GDPR team must be informed immediately by telephone or by email to [email protected]. We will investigate, record the breach and take any steps required to contain it and minimise the risk of further unlawful disclosure. Where the breach is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and where the risk is high we will also inform the affected data subjects without undue delay. We recognise that failing to notify a breach when required to do so can result in a significant fine.
What is excluded from this policy
This policy is not required to cover information held for deceased individuals. However, Dropless Ltd. will always apply best practice and therefore we will apply the same principles to deceased individuals.
Failure to comply with this policy
Data processing arrangements that are not in line with Data Protection Legislation create unnecessary risk. Staff who do not comply with this policy may be subject to disciplinary action.
If you believe that Dropless Ltd. has processed your personal data unlawfully or in breach of the GDPR, you have the right to complain to the ICO, although the ICO expects you to attempt to resolve the complaint with Dropless Limited first.
The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with Data Protection Legislation in the UK. You can contact them at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by telephone on +44 (0)1625 545 745, or via their website at www.ico.org.uk.