1. Restrictions on Sub-Contracting

The GDPR gives Data Controllers a wide degree of control in terms of the ability of the Processor to sub-contract. Data Processors require prior written consent. The Processor is required to inform the Controller of any new sub-Processors, giving the Controller time to object. If there is an objection, the sub-processing may not continue.

The lead Processor in a sub-contracting arrangement is required to reflect the same contractual obligations it has with the Controller in a contract with any sub-Processors and remains liable to the Controller for the actions or inactions of any sub-Processor.

As per sections 5.10 and 5.11 of the GDPR Addendum we will inform the Controller of any new sub-Processors, comply with any objections, and remain liable for the actions or inactions of sub-Processors.

2. Controller/ Processor contract

Data Processor activities must be governed by a binding contract. The binding obligations on the Processor must cover the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the Controller. There are a number of specific requirements including that the personal data is processed only on documented instructions from the Controller, and requirements to assist the Controller in complying with many of its obligations. The Data Processor has an obligation to tell the Controller if it believes an instruction to hand information to the Data Controller breaches the GDPR or any other law.

As per section 5.1.1 of the GDPR Addendum we will inform the Controller if we believe an instruction is in breach of law.

3. Demonstrating compliance

GDPR requires organisations to demonstrate compliance. Processors are under an obligation to maintain a record of all categories of processing activities. These records must be provided to the Information Commissioner’s Office on request. This must include details of:

• the Controllers they act for
• any other Processors
• a Data Protection Officer (DPO)
• the categories of processing carried out
• details of any transfers to third countries
• a general description of technical and organisational security measures.

Processors must assess the level of this requirement by establishing whether they have fewer than 250 employees. If so, and provided that the processing does not pose a risk to the rights and freedoms of individuals, is only occasional and does not include special categories of data (sensitive personal data), the record-keeping requirements are reduced.

Our organisation has reviewed and understood the level of the requirement on it to comply with the General Data Protection Regulations.

4. Security

Processors, like Controllers, are required to implement ‘appropriate’ security measures. What is ‘appropriate’ is assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any processing or breaches of security, the state of the currently available technologies, the costs of implementation and the nature of the processing. These measures might include pseudonymisation and encryption. Regular testing of the effectiveness of any security measures is also required where appropriate. We use a variety of measures including pseudo-anonymisation and encryption.

Where services include disposal of IT hardware, what standard of secure destruction is employed?

Within our office environment storage media is provided to a suitable 3rd party disposal company to ensure robust disposal. The site itself is in an office with key card access, 24 hour CCTV and serviced security alarm.

Data Controllers have a requirement to receive certification of the completed work.

Certification can be provided on request.

Where devices are removed from site, they are always protected by the following system security measures:
• Password protected (complex 12 character passwords)
• Firewall
• FileVault encryption
• Encrypted backups
• Multi-factor authentication
• Regular security updates

5. Breach notification

There are enhanced breach notification requirements on both Data Controllers and Data Processors. Processors are required to notify their relevant Controller of any breach without undue delay after becoming aware of it. Controllers have 72 hours to notify the Information Commissioner’s Office from the point the breach is detected, therefore reporting from the Processor to the Controller is required well within this time period. Your organisation will need to show evidence of an effective process to identify and report breaches of your security measures to the Data Controller promptly, allowing the Controller time to deliberate and comply with the 72 hour rule.

As per section 5.6 of the GDPR Addendum: We will notify the customer of any breach without undue delay.

6. Data Protection Officers

Both Controllers and Processors are required to appoint DPOs in certain situations, including where they are a public authority or body, where the data processing activities require regular monitoring of data subjects on a large scale, or where the core activities of the processing involve large amounts of special (sensitive) data or data relating to criminal convictions and offences. The primary role of the DPO is to assist the Processor with, and advise on, compliance with the GDPR. Processors may also choose to appoint a DPO even if they do not fall into one of the specified categories. Please state if you have appointed a DPO, or state that you have reviewed the requirement and determined that it is not applicable to your organisation.

We have reviewed the requirements and have not appointed a DPO.
We have appointed a compliance officer (James Alvarez) and a SAR team (James Alvarez and Iain Bell) as per Subject 

7. Transfers to third countries

The Processor has to exercise a degree of independence from the Controller when deciding whether or not it can transfer personal data to a third country. While Processors are required to follow the relevant Data Controller’s instructions with regard to the data processing, no matter what those instructions are, they may only transfer personal data to a third country (in the absence of an adequacy decision) if the Controller or Processor has provided appropriate safeguards and on condition that data subjects have enforceable rights in that country with respect to the data.

We will not transfer data to a third country without the written consent or request of the Controller.

Introduction

This is the staff data protection training policy for Minted Box Ltd. (“Minted Box”) (“MB”) (“We”).

The General Data Protection Regulation (GDPR) is based around six principles of handling of personal data. Data privacy and security are a key part of the principles. As a business we want to ensure that all our employees are aware of the importance of the rules around data protection.

Scope

To that end all employees that handle personal information of individuals must have a basic understanding of the GDPR and other relevant data protection laws. Staff with duties such as computer and internet security, marketing and database management may need specialist training to make them aware of particular data protection requirements in their work area.

Training topics

Training will include but is not limited to topics such as:
• Identifying the different categories of data;
• An understanding of the 6 principles of GDPR;
• An understanding of the lawful bases for processing data under GDPR;
• An awareness of the 8 rights that individuals have;
• Knowing who to contact in relation to data protection queries in the business;
• How to identify and process a Subject Access Request;
• How to handle a data breach situation;
• The internal policies and procedures that the business has put in place to comply with the GDPR.

Responsibility

In our business the compliance officer (James Alvarez) has responsibility for the training and development needs of staff. The compliance officer is also responsible for keeping a record of staff training.

Introduction

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).

Upon receipt of a request for information our internal policy is as follows:

Responsibility

The directors (Iain Bell and James Alvarez) (“The SAR team”) are responsible for the handling of Subject Access Requests (SAR) in our business.

The duties of the SAR team include but are not limited to:

  • Log the receipt and fulfilment of all requests received from a data subject / the person making the request / requestor to see his or her personal information.

  • Acknowledge the subject access request (SAR).

  • Verify the identity of any person making a SAR.

  • Maintain a database on the volume of requests and compliance against the statutory timescale.

  • Verify whether we are the Controller of the data subject’s personal data.

  • Check if we are not a Controller, but rather a Processor. If so, inform the data subject and refer them to the actual Controller. This needs to be recorded in writing.

  • Where applicable, decide if a request is excessive, unfounded or repetitive and communicate this to the requestor.

  • Decide if an exemption applies.

  • If a SAR is submitted in electronic form, any information should preferably be provided by electronic means as well.

Oral and written requests

Subject access requests can be made in writing, electronically or verbally.

If a member of staff is in any doubt if a certain situation has given rise to a SAR, speak to Kevin Davies in person providing full details of the incident. Staff should do this without delay and certainly within one business day.

Where a member of staff receives a subject access request, they must email the relevant information to [email protected] without delay and certainly within two business days.

How do we verify the requestor’s identity?

The requestor must supply valid evidence to prove their identity.

We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification.

We accept the following forms of identification:
• Current UK/EEA Passport
• UK Driving Licence
• Financial Statement issued by bank, building society or credit card company
• Utility bill for supply of gas, electric, water or telephone landline

How to process the request

Our aim is to determine what information the requestor is asking for. If the request is not clear, or where we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.

We must verify whether we process the data requested. If we do not process any such data, we must inform the data subject accordingly. We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.

Any employee who receives a request from the SAR team to locate and supply information relating to a SAR must make a full, exhaustive search of the records which they are responsible for or own. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings and paper records in relevant filing systems.

The SAR team should check whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the requestor; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR.

All the information that has been requested must be provided unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we will explain acronyms, codes or complex terms.

No charge to comply with the request (with exceptions)

We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. We understand that this does not mean that we can charge for all subsequent access requests.

Where applicable, the SAR team will determine the ‘reasonable fee’, which must be based on our administrative cost of providing the information.

Excessive, manifestly unfounded or repetitive requests

Where requests are manifestly unfounded, excessive or repetitive, we may refuse to act on the request or charge a reasonable administration fee. The SAR team will make a decision on this.

The SAR team must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.

Complex requests

As stated we have to respond to a SAR within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days.

Where we decide not to take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.

Our response to the requestor

After processing the SAR, our response to the requestor should include:

  • The purpose(s) of the processing;

  • The categories of personal data concerned;

  • The recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;

  • The envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;

  • The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

  • The right to lodge a complaint with the ICO;

  • If the data has not been collected from the data subject: the source of such data;

  • The existence of any automated decision-making, including profiling, and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the requestor.

How to handle exemptions?

If a member of staff believes that we have a valid business reason for an exemption, they should inform someone in the SAR team without delay in person.

Exempt information must be redacted from the released documents with an explanation of why that information is being withheld.

Complaints

Where a requestor is not satisfied with a response to a SAR, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioner’s Office or take legal action against us.

Breach statement

Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.

This is the Data Breach Policy of Minted Box Ltd. (“Minted Box”) (“MB”) (“We”).

Background

The General Data Protection Regulation (GDPR) is based around six principles of handling of personal data. We must comply with all six principles as a business; otherwise we’ll be in breach of the GDPR. We understand that the principles give people specific rights in relation to their personal information and place certain obligations on organisations that are responsible for processing it.

Aim

The GDPR requires that we must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. This policy sets out how we deal with a data security breach.

What is a personal data breach?

The Information Commissioner’s Office states that a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

Action to be taken in the event of a data breach

1. Containment and recovery

The immediate priorities are to:

  • Contain the breach;

  • Assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen; and

  • To limit the scope.

In the event of a security incident or breach, staff must immediately inform the compliance officer (James Alvarez).

The compliance officer will take the lead on investigating the breach. In the event where James Alvarez is absent for whatever reason, Iain Bell will take the lead on investigating a breach.

Steps to take where personal data has been sent to someone not authorised to see it:

  • Inform the recipient not to pass it on or discuss it with anyone else;

  • Inform the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;

  • Explain to the recipient the implications if they further disclose the data; and

  • Where relevant, inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.

2. Assessing the risk

Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen.

Examples of the type of questions to consider:

1. What type of data is involved?

2. How sensitive is it?

3. If data has been lost or stolen, are there any protections in place such as encryption?

4. What has happened to the data? For example, if stolen, could it be used for purposes which are harmful to the individuals to whom the data relate? If it has been damaged, this poses a different type and level of risk.

5. Estimate how many individuals’ personal data are affected by the breach.

6. Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, the actions that should be taken in attempting to mitigate those risks.

7. What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

8. Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service?

9. Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause.

3. Notifying the ICO and individuals, where relevant

a. Who is responsible?

In our business, the compliance officer is the point of contact for staff and the ICO on this policy and on all matters relating to data protection.

The compliance officer is also responsible for notifying the ICO and individuals (where applicable) of relevant personal data breaches.

b. What breaches do we need to notify the ICO about?

When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we must notify the ICO; if it’s unlikely then we don’t have to report it.

If we decide we don’t need to report the breach, we need to be able to justify this decision, and we should document it.

c. When to notify the ICO and dealing with delays

Notifiable breaches must be reported to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If we don’t comply with this requirement, we must be able to give reasons for the delay.

In some instances it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. Where that applies we should provide the required information in phases, as long as this is done without undue further delay.

d. Breach information to the ICO

When reporting a breach, we will provide the following information:

  • a description of the nature of the personal data breach including, where possible:

    o the categories and approximate number of individuals concerned;

    o and the categories and approximate number of personal data records concerned;

  • details of our compliance officer and how to contact them;

  • a description of the likely consequences of the personal data breach; and

  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

e. Individuals

Where notification to individuals may also be required, the compliance officer will assess the severity of the potential impact on individuals as a result of a breach and the likelihood of this occurring. Where there is a high risk, we will inform those affected as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.

g. Information to individuals

The compliance officer will consider who to notify, what we are going to tell them and how we are going to communicate the message. This will depend to a large extent on the nature of the breach but will include the name and contact details of our data protection officer (where relevant) or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; and a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

The breach need not be reported to individuals if:

  • We have implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach;

  • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

  • It would involve disproportionate effort (in this case a public communication may be more appropriate).

In the case of a breach affecting individuals in different EU countries, we are aware that the ICO may not be the lead supervisory authority. Where this applies, the compliance officer should establish which European data protection agency would be the lead supervisory authority for the processing activities that have been subject to the breach.

h. Third parties

In certain instances the compliance officer may need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

i. Document all decisions

The compliance officer must document all decisions that we take in relation to security incidents and data breaches, regardless of whether or not they need to be reported to the ICO.

4. Evaluate our response and mitigation steps

We investigate the cause of any breach, decide on remedial action and consider how we can mitigate it. As part of that process we also evaluate the effectiveness of our response to incidents or breaches. To assist in this evaluation we consider:

  • What personal data is held, where and how it is stored

  • Risks that arise when sharing with or disclosing to others

  • This includes checking the method of transmission to make sure it’s secure and that we only share or disclose the minimum amount of data necessary

  • Weak points in our existing security measures such as the use of portable storage devices or access to public networks

  • Whether or not the breach was a result of human error or a systemic issue, and determine how a recurrence can be prevented, whether this is through better processes, further training or other corrective steps

  • Staff awareness of security issues and look to fill any gaps through training or advice

  • The need for a Business Continuity Plan for dealing with serious incidents

  • The group of people responsible for reacting to reported breaches of security

Minted Box Ltd. (“Minted Box”) (“MB”) (“We”) (“Us”), and the Customer.

Definitions

Data Controller, Data Processor and Data Subject have the respective meanings (or their corresponding equivalent meanings) set out in the applicable DP Legislation

DP Legislation means the Data Protection Act 1998, The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and all other laws and regulations from time to time relating to the processing of personal data, including any which implement the GDPR or create broadly equivalent law in the United Kingdom

Personal Data has the meaning set out in the applicable DP Legislation and relates only to personal data, or any part of such personal data, in respect of which the Supplier is not the Data Controller and in relation to which the Supplier is providing services under this Agreement

Processing has the meaning set out in the applicable DP Legislation, and “Process” shall be construed accordingly

Data Protection Legislation (i) the GDPR, the LED and any applicable national implementing Laws as amended from time to time; (ii) the DPA 2018 (subject to Royal Assent) to the extent that it relates to processing of personal data and privacy; and (iii) all applicable Law about the processing of personal data and privacy;

Data Protection Impact Assessment an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data;

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer take the meaning given in the GDPR;

Data Loss Event any event that results, or may result, in unauthorised access to Personal Data held by the Contractor under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach.

Data Subject Access Request a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.

DPA 2018: Data Protection Act 2018;
GDPR the General Data Protection Regulation (Regulation (EU) 2016/679);
LED Law Enforcement Directive (Directive (EU) 2016/680);

Protective Measures appropriate technical and organisational measures which may include: pseudo-anonymisation and encryption of Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it;

Schedule means the schedule attached to this Annex 1 forming part of this Letter and titled: ‘Schedule of Processing, Personal Data and Data Subjects’; and

Sub-Processor any third Party appointed to process Personal Data on behalf of the Contractor related to this Agreement.

Background

The Customer (“You”) is the owner and/or data Controller of certain data (“Customer data”) and agrees that MB may process that data on the terms of this Agreement.

  1. The Customer shall own the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy, backing up and quality of the Customer Data.

  2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

  3. The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and MB is the Data Processor of the Customer Data. The Schedule sets out the scope, nature and purpose of processing by us, the duration of the processing and the types of personal data and categories of Data Subject.

  4. Without prejudice to the generality of clause 2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Us for the duration and purposes of this Contract and has entered into appropriate data sharing agreements and the Customer shall, whenever requested by Us, provide copies of all agreements and consents to Us such that We can satisfy ourselves as to these consents (provided always that it shall be the Customer’s sole responsibility to ensure that it has all necessary consents).

  5. Without prejudice to the generality of clause 2, We shall, in relation to any Personal Data processed in connection with the performance by MB of its obligations under this Agreement:

5.1 process that Personal Data only on the written instructions of the Customer and any Data Controller in relation to the Personal Data unless We are required by the laws of the United Kingdom, any member of the European Union or by the laws of the European Union applicable to us to process Personal Data. Where We are relying on laws of the United Kingdom, a member of the European Union or European Union law as the basis for processing Personal Data, We shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Us from so notifying the customer;

5.1.1 MB will inform the Controller if it believes any instruction to hand information to the Data Controller breaches the GDPR or any other law

5.2 ensure that it has in place appropriate technical and organisational measures, reviewed by the Customer if the Customer elects, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

5.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

5.4 assist the Customer and any Data Controller of the Personal Data, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; such assistance may include:

  5.4.1 a systematic description of the envisaged processing operations and the purpose of the processing;

  5.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;

  5.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and

  5.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

5.5 at the written direction of the Customer or the relevant Data Controller, delete or return Personal Data and copies thereof to the Customer or the Data Controller on termination of the Agreement unless required by Applicable Laws to store the Personal Data;

5.6 notify the Customer without undue delay on becoming aware of a Personal Data breach, who must then notify the relevant Data Controller;

5.7 maintain complete and accurate records and information to demonstrate its compliance with this Agreement;

5.8 not transfer any Personal Data outside of the European Economic Area unless:

  5.8.1 this is at the request of the Customer (for example but not limited to a request for the delivery of Personal Data to a person or a server situated outside the European Economic Area); or

  5.8.2 the prior written consent of the Customer has been obtained; or

  5.8.3 the transfer is permitted by Chapter 5 of the GDPR or other provisions of Applicable Laws.

  5.8.4 assist the Customer in carrying out data protection impact assessments and consulting with relevant supervisory authorities where such assessments and/or consultations are required pursuant to the Data Protection Legislation, provided that the scope of such assistance shall be agreed by the parties in advance.

5.9 The Customer does not consent to MB appointing any third-party Processor of Personal Data under this Agreement.

5.10 Before allowing any sub-Processor to process any Personal Data related to this agreement We shall:

  5.10.1 notify the Customer of the intended sub-Processor and details of processing activities;

  5.10.2 enter into a written agreement with the sub-Processor to ensure adherence to our terms as detailed in this agreement;

  5.10.3 provide the Customer with such information regarding the sub-Processor as the Customer may reasonably require.

5.11 Subject to clause 5.11 MB will notify the Customer immediately if it:

  5.11.1 receives a Data Subject Access Request;

  5.11.2 receives a request to rectify, block or erase any personal data;

  5.11.3 receives any other request, complaint or communication relating to either party’s obligations under the Data Protection legislation;

  5.11.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this agreement where required by law;

  5.11.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required by Law.

5.12 MB’s obligation to notify under 5.10 shall include the provision of further information to the Customer as detail becomes available.

5.13 The Customer shall indemnify and hold MB harmless from and against any and all losses and damages to the extent arising from or related to Customer Data (except to the extent that any such claim, demand or action arose out of or is in connection with MB’s intentional misuse of, infringement of, or gross negligence or wilful misconduct in relation to Customer Data).

5.14 The parties shall co-operate with each other to demonstrate compliance with this clause of the Agreement and allow for and contribute to audits, including inspections conducted by or on behalf of the Customer.

5.15 This Agreement will remain in full force and effect so long as MB retains any Customer Data. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination in order to protect Personal Data will remain in full force and effect.

In this Agreement, Data Protection Legislation means:
(i) the Data Protection Act 1998 while it is in force;
(ii) unless and until the GDPR is no longer directly applicable in the UK, the GDPR;
(iii) any successor legislation to the GDPR or the Data Protection Act 1998.