This document outlines our data protection policy in line with the European General Data Protection Regulation (GDPR).
1.1 The General Data Protection Regulation (GDPR) protects the 'rights and freedoms' of a living natural person in regard to their personal data, its processing and storage.
1.2 Some definitions used in this document are taken directly from the GDPR:
2.1 The stakeholders of intraHouse are committed to complying with all relevant laws in accordance with the GDPR.
2.2 Compliance with the GDPR is described within the sections of this policy along with associated processes and procedures.
2.3 The GDPR and this policy apply to all of intraHouse's personal data processing functions, including those performed on customers, clients, employees, suppliers and partners and any other personal data the organisation processes from any source.
2.4 intraHouse has established objectives for data protection and privacy which are detailed in the sections below.
2.5 intraHouse's Data Protection Officer (DPO) is responsible for any changes to intraHouse's activities related to its data protection practices.
2.6 This policy applies to all Employees/Staff and outsourced suppliers. Any breach of this policy will be dealt with by intraHouse's DPO, and in cases where the matter is criminal, the appropriate authorities will be notified.
2.7 Any third parties working with or on behalf of intraHouse, and who have access to personal data, will be expected to have read, understood and to comply with this Data Protection Policy.
3.1 intraHouse is a data controller and/or data processor under the GDPR.
3.2 Top Management and all those in managerial or supervisory roles throughout intraHouse are responsible for developing best practices within intraHouse in regard to data protection.
3.3 Our DPO is a member of the senior management team, and is accountable to the CEO of intraHouse for the management of personal data within intraHouse and for ensuring intraHouse's compliance with data protection laws and best practices which includes:
3.3.1 development and implementation of GDPR compliance;
3.3.2 security and risk management as it applies to the GDPR.
3.4 Our DPO has day-to-day responsibility for intraHouse's compliance with the GDPR, with the support of other intraHouse managers in relation to the personal data processing that takes place within their areas of responsibility.
3.5 Our DPO has the duty to perform procedures such as the Right to be Forgotten and is also our staff's primary contact for help in any area related to data protection compliance.
3.6 Compliance with the GDPR is the responsibility of all intraHouse stakeholders.
3.7 intraHouse's staff are subject to periodic training in matters relating to data processing.
3.8 Staff have the obligation to provide intraHouse with accurate and up-to-date personal information about themselves.
4.1 intraHouse's policies and procedures are designed for compliance with the guidelines of Article 5 of the GDPR, in short, to process personal data lawfully, fairly and transparently and, where applicable, to provide the data subject with at least the following information:
4.1.1 the identity and the contact details of the controller (i.e. intraHouse);
4.1.2 the contact details of our DPO;
4.1.3 the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
4.1.4 the period for which the personal data will be stored;
4.1.5 the data subject's rights to request the following: access to or deletion of his/her personal data, the correction of errors within their personal data, and a review of the process or procedure for collection and storage;
4.1.6 the intention to transfer personal data to a recipient in a third country (i.e. non-European country).
4.2 Personal data can only be collected for specific and legitimate purposes and will not be used for purposes other than stated.
4.3 Personal data must be restricted to what is necessary for processing.
4.3.1 Our DPO is responsible for ensuring that intraHouse does not collect unnecessary personal data.
4.3.2 All our data collection forms have a link to our privacy statement.
4.3.3 At least once a year, our DPO performs Data Protection Impact Assessments (DPIAs) on our processes to ensure compliance.
4.4 Personal data maintenance considerations:
4.4.1 Personal data is stored only if it is presumed accurate.
4.4.2 Staff are trained in collecting accurate personal data.
4.4.3 The data subject is responsible for providing accurate and up-to-date personal data upon completion of any intraHouse submission form.
4.4.4 Anyone aware of a change in circumstances that affects the accuracy of personal data stored by intraHouse ought to notify intraHouse so that the change is recorded and acted upon.
4.4.5 Our DPO responds to requests from data subjects typically within one month. If intraHouse decides not to comply with a request, the data subject will be notified of the reason.
4.4.6 In regard to supporting third parties with the accuracy of their personal data, our DPO is responsible for making them aware of any change in circumstances that may affect the accuracy of the personal data they store or process.
4.5 Personal data submitted by the data subject through a form must be kept only as long as is necessary for secure processing.
4.5.1 Where applicable, personal data should be encrypted in order to protect the identity of the data subject in the event of a data breach.
4.5.2 Personal data that will be retained during a form submission process must be securely destroyed upon completion of the process.
4.5.3 Data storage that could exceed legitimate retention periods must be justified and approved in writing by the DPO.
4.6 When assessing appropriate technical measures for controlling or processing personal data operations, the DPO will consider the following:
5.1 intraHouse recognizes the rights of the data subject as expressed in the GDPR and intends to fully support the data subjects in exercising these rights as they pertain to their personal data that is under the control of intraHouse or being processed by intraHouse.
6.1 intraHouse understands a data subject's 'consent' to mean that, once the data subject has been fully informed of the intended personal data processing operation, consent has been freely given by a clear, affirmative and deliberate action and signifies agreement to the policies, terms and conditions that apply.
6.2 The data subject can withdraw his or her consent at any time by request to the DPO or, where applicable, use a service intended for that purpose.
6.3 Consent cannot be inferred from non-response to a communication, and where applicable, intraHouse will be able to demonstrate that consent was obtained for a personal data processing operation.
7.1 All personal data should be accessible only to those who are authorized to use it, and access may only be granted by the DPO, with just cause, to intraHouse staff or to third-party entities (under the constraint of a confidentiality agreement). As such, all personal data should be treated appropriately:
7.2 intraHouse staff must take care to keep unauthorized personnel from viewing screens displaying personal data and follow other related security rules.
7.3 Physical materials displaying personal data may not be left where they can be accessed by unauthorised personnel, and may not be removed from business premises without explicit authorisation by the DPO.
8.1 All formal requests, such as from an official law enforcement agency, to provide personal data must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the DPO.
9.1 intraHouse shall not keep personal data beyond a period necessary for its original purpose(s).
9.2 intraHouse may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that doing so also safeguards the rights and freedoms of the data subjects.
9.3 The retention period for each information asset will be set out in intraHouse's Information Asset Register (IAR).
9.4 Personal data must be disposed of securely and in accordance with the GDPR.
10.1 All exports of personal data from within the European Economic Area (EEA) to third countries (non-EEA countries) are unlawful unless there is an appropriate level of protection for the rights of the data subjects. The transfer of personal data outside of the EEA is prohibited unless one or more of these specified safeguards, or exceptions, apply:
11.1 intraHouse has established the IAR in order to manage its personal data inventory as well as the life cycle of its information assets as determined by:
11.2 By means of the IAR, all intraHouse management is aware of any risks associated with the processing of particular types of personal data, and can act accordingly in order to best safeguard the freedoms and rights of data subjects.
11.2.1 The DPO assesses, and indicates within the IAR, the risk levels of particular information assets in order to establish guidelines for their management in compliance with the GDPR. Data protection impact assessments are performed in relation to the processing of personal data by intraHouse.
11.2.3 The DPO must approve any new technology for personal data storage or processing by performing a DPIA.
11.2.4 Where the results of a DPIA raise significant doubts concerning a particular information asset, whether as to the potential for damage, breach or distress or regarding the quantity of data, the DPO will seek the counsel of a supervisory authority.