legal » GDPR & data protection policy
GDPR & Data Protection Policy
All About Newport Ltd is fully committed to complying with the provisions of all applicable Data Protection legislation and regulations such as the Data Protection Act and EU GDPR.
One of the key provisions of the Data Protection Act is that personal information must be used fairly and lawfully. We will make sure that our use of your personal data does not break any laws.
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data. All users of allaboutnewport.co.uk have a right to access information held by All About Newport Ltd and have it corrected if it is factually inaccurate. See information regarding SAR's below.
Your personal data is data which by itself or with other data available to us can be used to identify you. We are All About Newport Ltd, the data controller. This data protection statement sets out how we’ll use your personal data. You can contact your Data Protection Officer Karen Woodcock at [see Contact us section on this site] if You have any questions.
The types of personal data we collect and use;
Whether or not you become a customer, we’ll use your personal data for the reasons set out below and if you become a customer we will use it to manage your account with us. We’ll collect most of this directly during the booking process. The personal data we use may include:
- Full name and personal details registered for including contact information;
- (e.g. home and/or business address and address history, email address, home/business and mobile telephone numbers);
We are committed to:
Ensuring that we comply with the eight data protection principles, as listed below;
- Meeting our legal obligations as laid down by the Data Protection Act and EU GDPR
- Ensuring that data is collected and used fairly and lawfully
- Processing personal data only in order to meet our operational needs or fulfill legal requirements
- Taking steps to ensure that personal data is up to date and accurate
- Establishing appropriate retention periods for personal data
- Ensuring that data subjects' rights can be appropriately exercised
- Providing adequate security measures to protect personal data
- Ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- Ensuring that all staff are made aware of good practice in data protection
- Providing adequate training for all staff responsible for personal data
- Ensuring that everyone handling personal data knows where to find further guidance
- Ensuring that queries about data protection, internal and external to the organisation, is dealt with effectively and promptly
- Regularly reviewing data protection procedures and guidelines within the organisation
Data Protection Principles
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act and EU GDPR.
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Authorised information disclosures
We will not pass information about an individual to another business or organisation unless we have asked for - and you have given - your consent. However, there are exceptions to this. If the police ask us for information about someone, we can give this information without telling the individual - if doing so could obstruct the investigation or stop a crime being prevented. Disclosures can also be made if they are necessary for a court case or to obtain legal advice, for example, in connection with an employment tribunal.
Individuals' Rights
The Data Protection Act and EU GDPR gives individuals certain rights in relation to the use of their personal data. These rights are as follows:
- The right of subject access - gives people the right to obtain information held about themselves. See information regarding SAR's below
- The right to prevent direct marketing - individuals can ask us at any time not to use their personal information for direct marketing purposes. They need to make their request in writing and we will act on it in a reasonable period of time. In most cases, this should be within 28 days
- The right to have personal information corrected - an individual has the right to have incorrect or misleading personal information held about them corrected
- The right to prevent automated decisions - this allows individuals to stop important decisions about them being made by solely automated means - for example, decisions made only by a computer. This can include recruitment decisions made solely on the basis of psychometric testing
Personal Information Access Rights
The Data Protection Act and EU GDPR gives individuals the right to access the personal information you process about them. Individuals have the right to:
- Know whether we, or someone else on our behalf, is processing personal information about them
- Know what information is being processed, why it is being processed and who it may be disclosed to
- Receive a copy of the personal information about them
- Know about the sources of the information
To obtain access to personal information held about them, an individual must send either a written or electronic request - known as a subject access request (SAR). The SAR doesn't have to refer to the Act but should make it clear that it is a formal request from the individual and not just an everyday enquiry. We can charge a fee of up to £10 to provide the information requested. If we are not sure about the identity of an individual requesting information, we can ask for proof.
This could be an official document - eg a council tax bill, driving licence or passport. We can request additional information that we might need to respond to the SAR. For example, if an individual has requested emails we could ask when the emails were sent, or for the senders or recipients of the emails.
Conditions for Responding to a SAR
We will respond to a SAR no later than 40 days after receiving it. The 40-day period does not start until we receive any additional information we need. We will supply the information after we receive any fee payable. We will provide the information requested in a permanent format - such as a computer printout, letter or form - unless:
- The individual agrees otherwise
- It is not possible to supply such a copy
- It will involve 'disproportionate effort'
how to get in touch
contact by phone
To discuss your sales or marketing needs, events or editorial, please call Karen on 07973 385929
contact by email
For local news stories, please send your editorial and photos to info@allaboutnewport.co.uk
contact by post
All About Newport Ltd, c/o MSA Ferndale, Suite 7, Nova House, Audley Avenue Enterprise Park, Newport, Shropshire, TF10 7DW