Our EU GDPR Data Privacy Notice
Office of Data Protection
Auriga Consulting Ltd (Auriga), has a commitment to protect all processing of personal data.
The Auriga DPO is a certified EU GDPR Practitioner and operates on a level where their overall role does not have any influence across the departments which could influence the decisions of data processing and associated processes.
The DPO reports directly to Auriga’s Senior Management Board.
Notice Dissemination and Enforcement
Auriga’s management team are committed to ensuring that all their employees responsible for the processing of personal data are aware of and comply with the contents of this policy.
In addition, Auriga will make sure all Third Parties engaged to process personal data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this policy. Assurance of such compliance must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to personal data controlled by Auriga.
Data Protection by Design
Under EU GDPR Article 25, Auriga have an obligation to implement technical and organisational measures to show that data protection has been considered and integrated into processing activities. To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes. when reviewing or expanding existing systems or processes, each new system implementation undertakes an approval process before continuing.
Auriga maintain ISO 27001 certification as their standard to protect personal data processed with the Information Security Management System which meets Article 42 requirements.
To confirm that an acceptable level of compliance is being achieved by all Auriga entities in relation to this policy, the DPO will carry out an annual Data Protection compliance audit for all such entities, including any Third Parties. Each audit should, as a minimum, assess:
- Compliance with Policy in relation to the protection of personal data, including:
- The assignment of responsibilities
- Raising awareness
- Training employees
- The effectiveness of Data Protection related operational practices, including:
- Data Subject rights
- Personal Data transfers
- Personal Data incident management
- Personal Data complaints handling
- The level of understanding of Data protection policies and Privacy Notices
- The maturity of Data Protection policies and Privacy Notices
- The accuracy and necessity of personal data being stored
- The conformity of Data Processor activities
- The adequacy of procedures for redressing poor compliance and personal data Breaches
The DPO, in conjunction with key business stakeholders from Auriga, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time- frame. Any critical deficiencies identified will be reported to and monitored by the Auriga’s Senior Management Board.
2. Data Collection
Personal data should be collected only from the data subject unless one of the following apply:
- The nature of the business purpose necessitates collection of the personal data from other persons or bodies
- The collection must be carried out under emergency circumstances in order to protect the vital interests of the data subject or to prevent serious loss or injury to another person
If personal data is collected from someone other than the data subject, the data subject must be informed of the collection unless one of the following apply:
- The data subject has received the required information by other means
- The information must remain confidential due to a professional secrecy obligation
- A national law expressly provides for the collection, processing or transfer of the personal data
Where it has been determined that notification to a data subject is required, notification should occur promptly, but in no case later than:
- One month from the first collection or recording of the personal data
- At the time of first communication, if used for communication, with the data subject
- At the time of disclosure, if disclosed, to another recipient
Data subjects have the right to be informed about the collection and use of their personal data, when required by applicable law, contract or where it considers that it is reasonably appropriate to do so, Auriga will provide this information to data subjects
When the data subject is asked to give consent to the processing of personal data and when any personal data is collected from the data subject, all appropriate disclosures will be made in a manner that draws attention to them, unless one of the following apply:
- The data subject already has the information
- A legal exemption applies to the requirements for disclosure and/or consent
These disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the DPO. The associated receipt or form should be retained, along with a record of the facts, date, content and method of disclosure.
4. Data Use
Auriga collects and processes personal data such as a contact name, phone number, and email address for the following purposes:
- Sales and Marketing account management and communications for existing contacts
- The ongoing administration and management of customer services
- Accounts Payable and Accounts Receivable processing
Auriga will process personal data in accordance with all applicable laws and applicable contractual obligations. Specifically, Auriga will not process personal data unless at least one of the following requirements are met:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party to, or to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child)
There are some circumstances in which personal data may be further processed for purposes that go beyond the original purpose for which the personal data was collected. When deciding as to the compatibility of the new reason for processing, guidance and approval must be obtained from the DPO before any such processing may commence.
If consent has not been gained for the specific processing in question, Auriga will address the following additional conditions to determine fairness and transparency of any processing beyond the original purpose for which the personal data was collected:
- Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing
- The context in which the personal data has been collected, in particular regarding the relationship between data subject and the data controller
- The nature of the personal data, in particular whether special categories of data are being processed, or whether personal data related to criminal convictions and offences are being processed
- The possible consequences of the intended further processing for data subjects
- The existence of appropriate safeguards, which may include encryption or pseudonymisation
Due to the nature of Auriga as a business, Children’s data is not processed.
To ensure that the personal data it collects, and processes is complete and accurate in the first instance and is updated to reflect the current situation of the data subject, Auriga shall adopt all necessary measures.
The measures adopted by Auriga to ensure data quality include:
- Ensuring personal data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated is corrected, even if the data subject does not request rectification
- Ensuring personal data is held only for the period necessary to satisfy the permitted uses
- Ensuring the removal of personal data if in violation of any of the data protection principles or if the personal data is no longer required
Auriga will not retain personal data for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed. All personal data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.
5. Data Security
Auriga shall adopt physical, technical and organisational security measures to protect data subjects’ Confidentiality, Integrity and Availability.
This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks affecting the confidentiality, integrity and availability of the personal data.
The minimum set of security measures to be adopted are set out in Auriga’s Information Security Policy and includes the following:
- Prevent unauthorised persons from gaining access to data processing systems in which personal data is processed
- Prevent persons entitled to use a data processing system from accessing personal data beyond their needs and authorisations
- Ensure the integrity and confidentiality of Personal Data in the course of electronic transmission is maintained meaning that it cannot be read, copied, modified or removed without authorisation
- Ensure that a system for maintaining accountability is in place. This means access logs are used to establish whether the personal data was entered into, modified or removed from a data processing system and by whom
- Ensure the availability of personal data is maintained, meaning that it is protected against undesired destruction or loss
- Ensure that personal data collected for different purposes can and is processed separately
- Ensure that personal data is not kept longer than necessary
Data Subject Rights
The DPO will establish a system which will enable the exercise of rights granted to the data subjects, which under the EU GDPR are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right of data portability
- The right to object
- The right in relation to automated decision making and profiling
Legal requirements may override the rights of EU GDPR which shall be taken into consideration if a data subject’s rights are to be exercised.
Based upon a written subject access request to the DPO by contacting email@example.com and successful confirmation of identity, data subjects are entitled to obtain the following information about their own personal data:
- The purposes of the collection, processing, use and storage of their personal data
- The sources of the personal data, if it did not come directly from the data subject
- The categories of personal data stored for the data subject
- The recipients or categories of recipients to whom the personal data has been or may be transmitted, along with the location of those recipients
- The predicted period of storage for the personal data or the rationale for determining the storage period
- The right of the data subject to:
- Object to processing of their personal data
- Lodge a complaint with the data protection authority
- Request rectification or erasure of their personal data
- Request restriction of processing of their personal data
It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as necessary or appropriate to protect that person’s rights.
Law Enforcement Requests
In rare circumstances, it is permitted by UK Law that personal data be shared without the knowledge or consent of a data subject. These are the cases where the disclosure of the personal data is necessary:
- The prevention or detection of crime
- The apprehension or prosecution of offenders
- The assessment or collection of a tax or duty
- By the order of a court or by any rule of law
Data Subject Consent
All Auriga entities must obtain personal data using only lawful and fair means where appropriate with the knowledge and consent of the individual concerned.
Auriga is committed to requesting and receiving consent of an individual prior to the collection, use or disclosure of their personal data.
The DPO, with the cooperation of the business, shall establish a system for obtaining and documenting data subject consent for the collection, processing, and/or transfer of their personal data. The system must include provisions for:
- Ensuring clear disclosures are made around what the data is needed for and how it is going to be used
- Ensuring the request for consent is presented in a manner which is prominent and separate from any other terms and conditions, is made in an intelligible and easily accessible form and uses clear and plain language
- Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the consents given
Withdrawal of Consent
Data subjects have the right to withdraw consent of the processing of their personal data at any time.
To request withdrawal of consent, please contact the DPO by email: firstname.lastname@example.org
7. Data Transfers
Third Party Transfers
Auriga may transfer Personal Data to internal or Third-Party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects.
An approval transfer mechanism is complied with when transferring to countries lacking an adequate level of legal protection.
Auriga employees may only transfer personal data where one of the transfer scenarios listed below applies:
- The data subject has given consent to the proposed transfer
- The transfer is necessary for the performance of a contract with the data subject
- The transfer is necessary for the conclusion or performance of a contract concluded with a Third Party in the interest of the data subject
- The transfer is legally required on important public interest grounds
- The transfer is necessary in order to protect the vital interests of the data subject
- Auriga shall only transfer personal data to, or allow access by, Third Parties when assurances are given that the information will be processed legally and fairly and protected according to the GDPR requirements. Pertaining to Third Party processing, Auriga will first identify if, under applicable law, the Third Party is considered a data controller, or a data processor of the personal data being transferred
- If the Third Party is deemed to be a data controller, Auriga will enter into, in cooperation with the DPO, an appropriate agreement with the controller to clarify each party’s responsibilities in respect to the personal data being transferred
- Where the Third Party is deemed to be a data processor Auriga will, in cooperation with the DPO, enter into an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with Auriga’s instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect the personal data as well as procedures for providing notification of personal data breaches
- In the event that Auriga outsources services to a Third Party, Auriga will identify whether the Third Party will process personal data on its behalf and whether the outsourcing will entail any personal data crossing international borders. In either case, it will make sure to include, in cooperation with the DPO, adequate provisions in the outsourcing agreement for such processing
- The DPO shall conduct regular audits on the processing of personal data performed by Third Parties, especially with regard to technical and organisational measures they have in place
For Auriga to carry out its business effectively across its various Auriga entities, there may be occasions when it is necessary to transfer personal data from one Auriga entity to another, or to allow access to the personal data from an overseas location. Should this occur, the Auriga entity sending the personal data remains responsible for ensuring protection of that data.
When transferring personal data to another Auriga entity, Auriga must:
- Ensure that the recipient Auriga Entity is included on the approved list of Auriga entities. The approved list is held and maintained by the DPO
- Only transfer the minimum amount of personal data necessary for the purpose of the transfer (for example, to fulfil a transaction or carry out a particular service)
- Ensure adequate security measures are used to protect the personal data during the transfer (including password-protection and Encryption, where necessary)
Data subjects with a complaint in relation to the processing of their personal data should put the matter in writing by emailing the Data Protection Officer: email@example.com
A full investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case and in alignment with the Auriga complaints process.
The DPO will acknowledge receipt of the complaint in writing and inform the data subject of the progress and outcomes of the complaint within a reasonable period.
Reporting a Data Breach
The EU GDPR introduces a responsibility on all organisations to report certain types of personal data breaches to the supervisory authority for the UK the Information Commissioners office (ICO) https://ico.org.uk/
The timescale of reporting a data breach must be within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting an individual’s rights and freedoms, organisations must also inform the individuals affected without undue delay.
Auriga must also keep a record of any personal data breaches, regardless of whether notification is required.