DATA PROTECTION POLICY
1 ABOUT THIS POLICY
1.1 FLOWBIRD LTD (with company number: 08512149) (we, us or our) use information about people (e.g. customers, website visitors, colleagues) when we conduct our business. It is a vital asset which we need to carry out our business activities (e.g. providing our products or services, monitoring our website, paying our staff). It is also important to keep this information safe because it can create risk for those people if it is misused or misplaced (e.g. identity fraud).
1.2 The law formally recognises the value and risk of using people’s information by creating obligations on organisations that use or access it and granting rights to the individuals that it relates to.
This type of law is called data protection law. In the UK, it includes the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, and supplemented by section 205(4)) and the Data Protection Act 2018.
1.3 This policy sets out:
- what our obligations are under data protection law;
- what to do if we want to use people’s information in a new way;
- when and how we can share people’s information with others;
- what records we need to keep as evidence that we are fulfilling our obligations;
- other policies you need to be familiar with.
1.4 This policy applies to all members of FLOWBIRD LTD's staff. Whether you have an employment contract with us or work for us in another capacity (e.g., contractor or work experience), you must comply with this policy.
1.5 The Information Commissioner’s Office (ICO) is the UK data protection regulator and is responsible for checking that businesses comply with data protection law.
1.6 The ICO handles complaints and can fine or take enforcement action against businesses that do not fulfil their data protection obligations. Failure to comply with data protection obligations can also impact companies' brands and reputations.
1.7 Jason Rainbird is our Data Protection Officer and is responsible for advising and monitoring how we use personal data in our business practice. Our directors are responsible for making (and providing adequate resources to implement) any decisions, including whether to report a breach to the ICO.
1.8 From time to time, we may have contracts with third parties (e.g. customers, suppliers) that contain data protection clauses. Contracts can be enforced by parties and ultimately by the courts if there is a disagreement, so we must have policies in place to comply with our obligations.
1.9 Our employment (and equivalent) contracts require our staff to comply with this policy, and failure to follow this policy may be a disciplinary matter.
2 THE KEY CONCEPTS
2.1 You must be able to recognise language used in data protection law. Data protection law uses specific definitions, and you must be able to identify these definitions so you know what action you need to take (even if that action is referring the matter to the person responsible for data protection):
- Personal Data: any information which does (or could be used to) identify a living person. It does not matter whether their information is kept digitally or in hard copy, or whether it is in writing or in another format (e.g., CCTV footage, photographs). Examples of personal data include: name, email address, postal address, IP address, cookie information, health data and data relating to criminal convictions.
- Processing: any action done to personal data, ranging from actively using or analysing the information to simply having access to or storing the information. It even includes deleting information.
- Data Subject: the living person who is (or could be) identified by the information.
- Controller: the organisation that makes decisions about what and why information is being collected about individuals. For example, FLOWBIRD LTD will be the controller of personal data relating to our employees.
- Processor: an organisation that carries out a task for the Controller which requires them to process personal data. They must follow the instructions they receive from the Controller, and a contract must be in place before they can begin any processing.
- Lawful Grounds: a justification that allows an organisation to process personal data. An organisation will be breaking the law if it fails to meet one of the six permitted justifications under data protection laws. We (as a business) must always be able to identify which Lawful Grounds we are relying on whenever we process personal data.
3 PRINCIPLES OF DATA PROTECTION LAW
3.1 You must be aware of the seven principles of data protection law. Data protection law sets very few specific rules to follow. Instead, the law requires us to consider whether the way we use personal data aligns with the seven principles. It is our responsibility (when we are the Controller) to decide how we achieve the principles. The directors will make the final decision on what action the business can take, but you should be aware of the principles so that you understand why you are (or are not) able to use personal data in a certain way.
3.2 The seven principles require us to:
(a) Use personal data in a lawful, fair and transparent way: We must make sure we know which of the six Lawful Grounds we are relying on (see section below), and how the Data Subject can find out how their information is being used.
(b) Only collect personal data for a specific, explicit and legitimate purpose (purpose limitation):
We must be clear about why we want to use the information and record our decision. We must have a good reason before we begin to collect information about people.
(c) Collect the least amount of personal data we need to achieve our aim (data minimisation):
We must always identify the types of information we plan to collect and decide whether it is necessary to have that information to achieve our aim. If it is not necessary, we should not collect the information at all.
(d) Make sure personal data is accurate: We must have processes which ensure we record information correctly and that we can amend it if we later find out there was a mistake.
(e) Only keep personal data for as long as we need it (storage limitation): We must only keep information whilst we need it to achieve our aim. Sometimes the law requires us to keep information for a specific amount of time. If we are the Controller, it is our responsibility to decide how long to keep information for and why. We must record our decision. If we are the Processor, we should ask the Controller how long they want us to retain the information.
(f) Keep personal data safe (by ensuring its security, integrity and confidentiality): We must use appropriate technical (e.g. anti-virus, passwords) and organisational (e.g. staff training and working practices) measures to protect information.
(g) Demonstrate that we process personal data correctly (accountability): We have compliance documents to record how we use personal data, with whom we share it, and how we made our decision. We maintain these documents and update them whenever we collect, use or access personal data in a new way or for a new reason.
4 USING PERSONAL DATA IN A LAWFUL, FAIR AND TRANSPARENT WAY
4.1 You must only access or use Personal Data once a Lawful Ground has been identified (otherwise you are acting illegally). Whenever we require you to use Personal Data in your role, we must ensure that we have identified and met the criteria for one of the six Lawful Grounds set out below. If you do not think there is a valid Lawful Ground for the way that you are using or accessing Personal Data, please speak with our Data Protection Officer to confirm you can proceed. We can only use Personal Data to:
(a) Perform a contract (with the Data Subject): You can use or access personal data where this is required to carry out a contract (e.g. you need contact details to post a product to the correct address, and their financial information to request payment for the product). This Lawful Ground is not valid where we have a contract with another organisation (see Legitimate Interest instead).
(b) Comply with a legal obligation: You can use or access personal data where the law requires you to (e.g. reviewing identity documents for right to work checks).
(c) Prevent risk to life of the Data Subject or another person (vital interests): You can use personal data where a person’s life is at risk. It is unlikely that you would need to use information in this way as part of your role (e.g., providing an emergency contact on HR records, sharing medical information with an attending paramedic).
(d) Pursue a justifiable commercial aim (legitimate interest): You can use personal data to help us pursue a legitimate business aim (e.g. increase brand awareness, perform contracts with other organisations, defend legal claims). But you can only do this where the benefits of doing so would not outweigh the risks to the Data Subject. If you are not sure if we have a legitimate interest, whether you can rely on this Lawful Ground, or you receive a question or complaint about the way we use personal data to pursue a commercial aim, you should let our Data Protection Officer know as soon as possible. Where this Lawful Ground is being relied upon, a legitimate interests assessment should be carried out (see Compliance Records section below).
(e) It is part of a public task (public interest): the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Do the activity that the Data Subject has given their permission (consent) for: You can use personal data where the individual has stated that they are happy for us to use their information for a specific activity. We rely on consent only for some activities, and we keep a clear record of who has given their consent (permission) and which activity they have given it for.
4.2 You must correctly obtain and record consent (and respect when a Data Subject changes their mind). Where we intend to use consent as the Lawful Ground for a business activity, it is only valid if the consent is:
- Specific (related to a clearly defined activity or purpose);
- Informed (explained in a way that the Data Subject understands);
- Unambiguous and given by an explicit affirmative action (you must not design or use forms with pre-ticked boxes. You must not use a person’s information if they have not responded);
- Separate from other contractual terms given to the Data Subject;
- Freely and genuinely given (it is not appropriate to use consent as a Lawful Ground where the relationship we have with them could pressure them into accepting, e.g. an employer-employee relationship). We cannot refuse to provide our product or service to someone who does not want to grant permission for another activity (e.g., marketing).
4.3 If your role requires you to draft consent wording or obtain consent from individuals, you must always give them the option to change their mind (at the time and at a later date) and withdraw their consent.
4.4 Any marketing communications we send to individuals must include a link which allows the recipient to unsubscribe (this is not mandatory for communications sent to recipients which are businesses).
4.5 You must be able to direct Data Subjects to the relevant privacy notice. Individuals have the right to know how we use their personal data. We publish privacy notices to explain what information we collect, how we use it and whom we share it with. You must be able to direct an individual to the relevant privacy notice (this may vary depending on their relationship with us, e.g., whether they are a customer or a member of staff).
4.6 You must have an additional lawful basis to process any special category data. Data protection laws treat certain types of personal data as sensitive and require additional safeguards when processing such data (known as special category data). This includes health data, data relating to religious beliefs, data relating to sexual orientation, biometric and genetic data, data revealing racial or ethnic origin and data revealing trade union membership. Before processing any special category data, you should speak to the Data Protection Officer to find out if any additional conditions for processing can be relied upon (in addition to one of the Lawful Grounds above).
5 USING PERSONAL DATA FOR A SPECIFIC, EXPLICIT AND LEGITIMATE PURPOSE (PURPOSE LIMITATION)
5.1 You must conduct a due diligence exercise before using personal data for a new purpose. The Data Protection Officer decides the purposes for which we use personal data and keeps an up-to-date record of those purposes (in the Record of Processing Activities, see Compliance Records section below). We encourage innovation and new ideas, but we also ensure we consider the impact on Data Subjects before approving new projects or business practices. You must obtain approval from our Data Protection Officer and complete a data protection impact assessment (a specific type of risk assessment document) when requested by them. You must not start any new activity or project until you have received approval.
5.2 You must inform the Data Subject before you use their information for the new purpose (e.g. update the relevant privacy notice). If consent is the current Lawful Ground relied on for the existing purpose, you must obtain new consent before you start any new activity or project.
6 USING THE LEAST AMOUNT OF PERSONAL DATA NEEDED TO ACHIEVE THE AIM (DATA MINIMISATION)
You must only access and use the personal data you need to perform your role. Accessing personal data that you are not authorised to access or that you have no reason to access may result in disciplinary action. If you have received or accessed information in error, please let our Data Protection Officer know as soon as possible.
7 KEEPING PERSONAL DATA SAFE
7.1 You must be able to recognise and report a suspected data breach. If you believe there has been a data breach, you must contact our Data Protection Officer immediately. You'll be able to learn more about Data Breaches and your responsibilities in the Data Breach Policy.
7.2 You must abide by our processes and policies. We provide training on how to use our IT systems and handle hard-copy information (e.g. clear desk policy, use of confidential waste bin). You must not try to override or circumvent technical measures we put in place to protect information (e.g., user permissions), and you must follow the organisational measures we implement (e.g. attend staff training).
7.3 Keep your logins and passwords confidential (do not share accounts). Your account credentials, passwords, and other information provided as part of our security procedures are confidential. It is your responsibility to keep your login information secure, and you must notify our Data Protection Officer if you think your account has been accessed by someone else (or otherwise compromised).
8 SHARING PERSONAL DATA WITH OTHERS
8.1 You must only share personal data internally where it is required for the recipient’s role (and you should follow IT sharing procedures). It is important to remain diligent even when sharing information within the company. It is not always appropriate to share information with another person or team (e.g. a disciplinary outcome shared with the marketing team). If you are uncertain, you should check with our Data Protection Officer before you share any information. You should follow IT best-practice guidelines (e.g., password-protect files, send links rather than attachments for documents) and maintain a clear-desk policy.
8.2 You must only share personal data externally where we have a contract (unless there is a legal exception). It is mandatory to have a contract in place where organisations share information (called a data processing agreement). These agreements set out which organisation is the Controller and which is the Processor.
8.3 Where the recipient is outside the United Kingdom or the European Economic Area, there are additional requirements. You must check with our Data Protection Officer before you send any personal data to an organisation or person located (or whose servers are located) in a country outside the United Kingdom or the European Economic Area.
8.4 Where the disclosure is required by law, you need to disclose Personal Data. In exceptional circumstances, you might be contacted by an external organisation (e.g. police, solicitor) who requests personal data. You must refer these requests to our Data Protection Officer as soon as possible so they can evaluate them and decide whether to respond on our behalf. You must not release any information unless our Data Protection Officer instructs you.
8.5 You must be able to recognise when you have received a Data Subject access request (and other data right requests). Individuals are granted specific rights under data protection law, one of which is the right to access information about them. If you receive a Data Subject right request, you must notify our Data Protection Officer as soon as possible. You can learn more about Data Subject Rights and your responsibilities in the Data Protection Requests Policy.
9 DELETING (OR RETURNING) PERSONAL DATA THAT IS NO LONGER NECESSARY
9.1 You must securely delete information at the end of its retention period. You must comply with our internal policies relating to data retention, and you must delete or destroy the information and any copies of the information in line with the relevant procedure we have in place (e.g. confidential waste for hard copy information). If you are unsure of our procedures or when personal data should be deleted, you should contact the Data Protection Officer.
9.2 You must return (or delete) personal data that does not belong to us when instructed to do so.
- Where we use, store or access personal data on behalf of another organisation (e.g. our business customers), we act as the Processor. We always have a contract with the other organisation that processes personal data. At the end of the agreement, you must contact the other organisation to request their instructions on whether to delete or return their personal data.
9.3 You must check before you fulfil a Data Subject request to erase (delete) their personal data. Data protection law entitles individuals to ask organisations to delete their personal data. If you receive this type of request, you must notify our Data Protection Officer as soon as possible. You can learn more about Data Subject rights and your responsibilities in the Data Protection Requests Policy.
10 THE COMPLIANCE RECORDS WE KEEP
10.1 You must be aware of the different compliance records we keep. We have up-to-date compliance records, which help us to understand how the business uses personal data and ensure that we use it in a safe way and only for permitted purposes. The directors are responsible for ensuring compliance records are maintained (and reviewed at least annually), but you should be aware of the compliance records so you understand why you are required to provide certain information or take specific action. The records we keep include:
10.1.1 Record of Processing Activities (ROPA): We use this document to set out key information about the personal data we use when we act as a Processor and as a Controller. It states:
- the purpose for which we are processing personal data (e.g. staff administration);
- the Lawful Grounds we rely on (e.g. fulfil employment contract);
- the categories of individuals (e.g. our workers, emergency contacts);
- the types of personal data (e.g. payroll information, contact details);
- where we act as a Processor, the details of the organisation that is the Controller;
10.1.2 Retention Schedule: We use this document to identify when we should securely destroy information. It groups categories of information (e.g. HR files) and sets a precise expiry date (e.g. six years after an employee’s final working day);
10.1.3 Incident Report: We use this document to record any suspected data breaches. It sets out what data was affected and what action we took (e.g. whether the incident was formally reported). We use it to help us improve how we keep information safe (e.g., update staff training, install additional security features).
10.1.4 Data Protection Impact Assessments: We use this document to risk-assess existing and proposed projects and activities that involve the use of personal data and that could involve high-risk processing. It helps the directors decide whether to approve a course of action.
10.1.5 Legitimate Interests Assessment (LIA): We use this document whenever we are acting as the Controller and rely on Legitimate Interest as our Lawful Ground. It records that the directors have adequately considered whether we are justified in using personal data to pursue the aim. It has three parts: the purpose test (identify the aim); the necessity test (must personal data be processed to achieve the aim?); and the balancing test (do the benefits of pursuing the aim outweigh the risk to the individuals?).
10.2 You must assist the Data Protection Officer in maintaining our compliance records and act on their instructions (e.g. provide information, delete records) to ensure that our compliance documents can be properly maintained.
11 IF YOU HAVE ANY QUESTIONS ABOUT THIS POLICY
You should speak to our Data Protection Officer. They can be contacted at:
Email: operations@flowbird.co.uk
Phone number: 01233 743240
12 KEEPING THIS POLICY UP TO DATE
This policy was created on 12 December 2024 and will be reviewed and updated annually, or sooner if required by data protection laws.