Cayman Nutrition Ltd. - Data Protection Law, 2017 Policy


Data Protection Principles

Fair and lawful processing

Fairness

We have considered how the processing may affect the individuals concerned and can justify any adverse impact.

We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.

We do not deceive or mislead people when we collect their personal data.

Lawfulness

We have identified an appropriate lawful basis (or bases) for our processing.

If we are processing sensitive personal data, we have identified an applicable condition for processing this type of data.

We don’t do anything generally unlawful with personal data.

Transparency

We are open and honest and we comply with the transparency obligations of the right to be informed.

Purpose limitation

We have clearly identified our purposes for processing.

We have documented those purposes.

We include details of our purposes in our privacy information for individuals.

We regularly review our processing and, where necessary, update our documentation and our privacy information for individuals.

If we plan to use personal data for a new purpose, we check that it is compatible with our original purpose or we get specific consent for the new purpose.

Data minimization

We only collect personal data we actually need for our specified purposes.

We have sufficient personal data to properly fulfil those purposes.

We periodically review the data we hold, and delete anything we don’t need.


Data accuracy

We ensure the accuracy of any personal data we create.

We have appropriate processes in place to check the accuracy of the data we collect, and we record the source of that data.

We have a process in place to identify when we need to keep the data updated to properly fulfil our purpose, and we update it as necessary.

If we need to keep a record of a mistake, we clearly identify it as a mistake.

Our records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.

We comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data.

As a matter of good practice, we keep a note of any challenges to the accuracy of the personal data.


Storage limitation

We know what personal data we hold and why we need it.

We carefully consider and can justify how long we keep personal data.

We have a policy with standard retention periods where possible.

We regularly review our information and erase or anonymize personal data when we no longer need it.

We have appropriate processes in place to comply with individuals’ requests for erasure under the right to stop or restrict processing.

We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.


Respect for the individual’s rights

We respect the right to be informed by notifying each individual about our identity and the purpose(s) of processing as soon as possible.

We know what personal data we have on each individual, and are ready to respond to requests for access within the 30-day timeline.

We have procedures in place to respond to individuals' requests to have inaccurate data rectified, and we act on them where substantiated.

We are ready to respond to notices from individuals who require that we stop processing their data in whole or in relation to certain purposes or in certain manners.

We are ready to stop direct marketing in respect of individuals who notify us.

We notify individuals when we take decisions that affect them based solely on automatic means, and we are ready to reconsider it on a different basis.


Security – integrity and confidentiality

We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.

When deciding what measures to implement, we take account of the state of the art and costs of implementation.

We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.

We make sure that we regularly review our information security policies and measures and, where necessary, improve them.

We use encryption and/or pseudonymization where it is appropriate to do so.

We understand the requirements of confidentiality, integrity and availability for the personal data we process.

We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

We conduct regular testing and reviews of our measures to ensure they remain effective and up to date, and act on the results of those tests where they highlight areas for improvement.

We ensure that any data processor we use also implements appropriate technical and organizational security measures.


International transfers

Personal information will not be transferred to another country or territory unless an “adequate level of protection” can be ensured.


Legal Basis for Processing

Consent

Asking for consent

We have checked that consent is the most appropriate legal basis for processing.

We have made the request for consent prominent and separate from our terms and conditions.

We ask people to positively opt in.

We don’t use pre-ticked boxes or any other type of default consent.

We use clear, plain language that is easy to understand.

We specify why we want the data and what we’re going to do with it.

We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

We name our organization and any third party controllers who will be relying on the consent.

We tell individuals they can withdraw their consent.

We ensure that individuals can refuse to consent without detriment.

We avoid making consent a precondition of a service.

If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.


Recording consent

We keep a record of when and how we got consent from the individual.

We keep a record of exactly what they were told at the time.


Managing consent

We regularly review consents to check that the relationship, the processing and the purposes have not changed.

We have processes in place to refresh consent at appropriate intervals, including any parental consents.

We make it easy for individuals to withdraw their consent at any time, and publicize how to do so.

We act on withdrawals of consent as soon as we can.

We don’t penalize individuals who wish to withdraw consent.


Individual Rights

The right to be informed

We provide individuals with all the following privacy information:

o   the name and contact details of our organization; and

o   the purposes of the processing.

We provide individuals with privacy information at the time we collect their personal data from them (or as soon as possible afterward if it is not reasonably practicable to give notice upfront).

If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information within a reasonable period (or make it easily accessible, e.g. on our website, if it is not reasonably practicable to contact the individual directly).

We provide the information in a way that is:

o   concise;

o   transparent;

o   intelligible;

o   easily accessible; and

o   expressed in clear and plain language.

We regularly review and, where necessary, update our privacy information.

If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.

We undertake an information audit to find out what personal data we hold and what we do with it. The results may be recorded in a record of processing activities (RoPA).

We put ourselves in the position of the people we’re collecting information about.

We carry out user testing to evaluate how effective our privacy information is.

When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:

o   a layered approach;

o   dashboards;

o   just-in-time notices;

o   icons; and

o   mobile and smart device functionalities.


The right of access

Preparing for subject access requests:

We know how to recognize a subject access request and we understand when the right of access applies.

We have a policy to record the requests we receive.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

We understand the nature of the supplementary information we need to provide in response to a subject access request.

Complying with subject access requests:

We have processes in place to ensure that we respond to a subject access request without undue delay and within thirty days of receipt.

We are aware of the circumstances when we can extend the time limit to respond to a request.

We understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.

We understand what we need to consider if a request includes information about others.


The right of rectification

Preparing for requests for rectification:

We know how to recognize a request for rectification and we understand when this right applies.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for rectification:

We have processes in place to ensure that we respond to a request for rectification without undue delay.

We have appropriate systems to rectify or complete information, or provide a supplementary statement.

We have procedures in place to inform any recipients if we rectify any data we have shared with them.


The right to stop or restrict processing

Preparing for requests to stop or restrict processing:

We know how to recognize a request to stop or restrict processing and we understand when the right applies.

We have a log in place to record requests.

We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests to stop or restrict processing:

We have processes in place to ensure that we respond to a request to stop or restrict processing without undue delay and within twenty-one days of receipt.

We have appropriate methods in place to stop or restrict the processing of personal data on our systems.

We have appropriate methods in place to indicate on our systems that processing has been restricted.

We understand we need to apply to the Ombudsman not to comply with a request to stop or restrict processing.

We have procedures in place to inform any recipients if we stop or restrict any data we have shared with them.

The right to stop direct marketing

Preparing for objections to processing:

We know how to recognize a notice to stop direct marketing and we understand when the right applies.

We have a policy in place for how to record objections we receive.

We understand that it is best practice to inform individuals of their right to object to direct marketing, in addition to including it in our privacy notice.

Complying with requests which object to processing:

We have processes in place to ensure that we respond to a notification to stop direct marketing without undue delay and within a reasonable period of time.

We have appropriate methods in place to erase, suppress or otherwise cease processing personal data.


Rights in relation to automated decision making

For all automated individual decision-making and profiling, to comply with the DPL:

We meet a lawful condition in Schedule 2 of the DPL to carry out automated decision-making.

We provide individuals with a privacy notice when we obtain their personal data indirectly.

We only collect the minimum amount of data needed and have a clear retention policy for the data we use for the automated decisions we take about individuals.

We tell our customers about any automated decision-making we carry out that significantly impacts them.

We respond within twenty-one days to notifications received from individuals requiring us to reconsider the decision or make a new decision on a different (non-automated) basis, by specifying what steps we intend to take to meet their notification.

As a model of best practice:

We have additional checks in place for our automated decision-making systems to protect any vulnerable groups (including children).

We carry out a privacy impact assessment to consider and address the risks before we start any new automated decision-making.

We inform individuals what information we use to make solely automated decisions, and where we get this information from.

We use anonymized data in our solely automated individual decision-making.

We don’t use sensitive personal data in our automated decision-making systems unless that processing meets one of the conditions in Schedule 3 of the DPL.

We have a simple way for people to ask us to reconsider an automated decision.

We have identified staff in our organization who are authorized to carry out reviews and change decisions.

We regularly check our systems for accuracy and bias and feed any changes back into the design process.


Personal Data Breaches

Preparing for a personal data breach:

We know how to recognize a personal data breach.

We understand that a personal data breach is not only about loss or theft of personal data.

We have prepared a response plan for addressing any personal data breaches that occur.

We have allocated responsibility for managing breaches to a dedicated person or team.

Our staff know how to escalate a security incident to the appropriate person or team in our organization to determine whether a breach has occurred.

Responding to a personal data breach:

We have in place a process to assess the likely risks to individuals as a result of a breach.

We know the Ombudsman is the relevant supervisory authority for our processing activities.

We have a process to notify the Ombudsman and the affected individuals of a breach within 5 days, even if we do not have all the details yet.

We know what information about a breach we must provide to the Ombudsman and affected individuals, including advice to help them protect themselves from its effects.