Caraline - Privacy Policy - Fair Processing Procedure

1. Scope

The scope of this procedure encompasses all information processing of data subjects by Caraline.

2. Fair Processing Notice

Responsibility for the Fair Processing Notice rests with the Data Protection Officer or GDPR Owner (hereafter “DPO”), who must ensure that it is factually correct and that appropriate mechanisms are in place to ensure that all data subjects are aware of its contents prior to the commencement of Caraline’s data collection.

3. Procedure

Personal data may only be processed upon receipt of authorisation from the DPO.

The following information must be provided to data subjects prior to data collection, in plain and clear language:

1. Organisation Name, including contact details;

2. Objective behind the processing of personal information;

3. Duration of time the personal data will be stored for and the storage criteria;

4. Statement regarding the disclosure of personal information to third parties;

5. Information regarding the rights of data subjects in respect of their personal data, including but not limited to:

* The right to access personal information;

* The right to withdraw consent;

* The right to amend personal data;

* The right to request that personal data be permanently deleted;

* The right to strict processing; and

* The right to raise an official complaint with the relevant authority;

6. Information in relation to any automated processing, for instance profiling, to be carried out, if relevant;

7. Whether personal data must be provided for the purposes of fulfilling or entering into a contract and the outcome should the data subject refuse to provide personal data;

8. Details regarding the destination of the personal data:

* Whether personal data will be transferred outside of the European Union; and

* Whether an adequacy decision has been made regarding the destination of the data; and/or

* Whether any safeguards are in place to ensure the adequacy of the destination; and

9. Any other material that would ensure that the data processing is fair at all times.

All data subjects must be notified prior to the processing of their personal data by Caraline via a FAIR PROCESSING NOTICE, containing the following statements:

For marketing use, whether currently or in the future:

“Please note that your personal information may be used for marketing purposes tbc. This is not obligatory and you may opt out by emailing: admin@caraline.com, requesting that your personal information be removed. You may also unsubscribe from our electronic marketing content at any time, by selecting the unsubscribe option.”

For marketing use, when specific consent has been provided by the data subject:

“Please note that you have provided explicit consent for the use of your personal information by Caraline for marketing use tbc. You may withdraw your consent by emailing: admin@caraline.com at any time and you will be immediately withdrawn from all of our marketing lists.”

4. Responsibilities of DPO

1. Consent procedures: To incorporate procedures in relation to personal data processing based on consent, ensuring that processing ceases when consent is withdrawn;

2. Consent withdrawal: To monitor all requests withdrawing consent by keeping a register of all relevant requests and ensuring that all requests are actioned within 24 hours;

3. Explicit consent: To ensure that the Fair Processing Notice contains relevant procedures for receiving the relevant consent, when explicit consent is required for marketing purposes due to sectoral requirements or legislation;

4. Sensitive personal data: To ensure that the Fair Processing Notice sets out explicitly the purpose or purposes for which sensitive personal data will, or may, be used, when sensitive personal information is collected for a specific purpose or purposes;

5. Parental consent: To ensure that parental consent has been provided in relation to all data subjects 16 years of age, or younger;

6. Data protection law: To ensure that all new data collection methods comply with data protection laws and good practice, by reviewing and signing off all new such methods;

7. Fair Processing Notice register: To maintain an Fair Processing Notice register of all Fair Processing Notices issued, setting out the following information:

* Fair Processing Notice version number;

* Issue date and withdrawal date;

* Location where data will be used;

* Purpose for which personal data is collected; and

* Description of expressions, foreign language or formatting, to ensure that the Fair Processing Notice can be fully understood by the target group.

8. Specified purpose: To approve all written requests for changes to the purpose of process of personal data and determine if additional consent is required from the data subject:

* In the event that additional consent is required, to determine the form of the consent and the protocol to be followed by Caraline to ensure that the data subject is informed of the new purpose and has provided the necessary consent;

* To identify a relevant exemption, when applicable, in the Authorisation to Process; and

* To update the Data Inventory Schedule 92017-B by setting out details of the new purpose, referring directly to the Authorisation to Process; and

9. Data protection: To ensure that personal data that is shared with a third party complies with Caraline’s notification to the ICO and with the terms of the Fair Processing Notice previously provided to the data subject and any relevant consents provided by the data subject:

* To ensure that an agreement drafted by Caraline’s legal advisors is entered into with the third party, setting out the purpose or purposes for which the information will, or may be, used and listing any restrictions or limitations on the use of the personal information for other purposes;

* To ensure that the agreement contains an undertaking, or other applicable evidence, by the third party that it is committed to processing its data in such a way that it adheres to the requirements of the DPA at all times;

* To ensure the agreement contains appropriate controls and safeguards to ensure the protection of personal information pursuant to the GDPR, when such information may be legally shared without the consent of the data subject; and

* To ensure that any data profiles created by matching data collected by Caraline with other data are not used outside of the context of the ICO notification and the consents of the data subject.

5. Document owner

The Clear Comm is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein.

The latest version of this policy document dated 20 March 2018 is available to all employees of Caraline on the corporate intranet.

This policy document was approved by Caraline’s Board of Trustees and is issued by the Chief Executive Officer (“CEO”) on a version controlled basis.

Name of CEO: Brian Holmes Date: 20 March 2018

Change history record

Issue Description of Change Approval Date of Issue

1 n/a n/a n/a

2 n/a n/a n/a

3 n/a n/a n/a