General Data Protection Regulation (GDPR) Policy


This policy outlines Rosa’s obligations regarding data protection and the rights of our customers and business contacts (“data subjects”) under EU Regulation 2016/679 General Data Protection Regulation (GDPR). Under the GDPR, “personal data” refers to any information related to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, by an identifier such as a name, ID number, location data, online identifier, or other specific factors.

This policy governs the collection, processing, transfer, storage, and disposal of personal data by Rosa. All employees, agents, contractors, and other parties working on behalf of the company must adhere to the procedures and principles outlined here.

Rosa is dedicated to not only complying with the letter of the law but also embracing its spirit. We prioritize the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of everyone we interact with.

Data Protection Principles

To ensure compliance with the GDPR, Rosa adheres to the following principles:

  1. Lawful, Fair, and Transparent Processing: Personal data must be processed lawfully, fairly, and transparently.
  2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes and not processed further in ways incompatible with those purposes.
  3. Data Minimization: Only data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed should be collected.
  4. Accuracy: Personal data must be accurate and kept up to date. Inaccurate data should be corrected or erased without delay.
  5. Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than necessary.
  6. Integrity and Confidentiality: Data must be processed securely to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage.

Rights of Data Subjects

Under the GDPR, data subjects have the following rights:

  • Right to be Informed: About how their data is used.
  • Right of Access: To their personal data.
  • Right to Rectification: Of inaccurate personal data.
  • Right to Erasure: Also known as the ‘right to be forgotten.’
  • Right to Restrict Processing: Under certain conditions.
  • Right to Data Portability: To move their data between services.
  • Right to Object: To data processing.
  • Rights Related to Automated Decision-Making and Profiling.

Lawful, Fair, and Transparent Data Processing

Data processing must adhere to the principles of lawfulness, fairness, and transparency. Personal data processing is considered lawful if at least one of the following conditions is met:

  • The data subject has given consent.
  • Processing is necessary for contract performance.
  • Processing is required for legal compliance.
  • Processing is necessary to protect vital interests.
  • Processing is in the public interest or under official authority.
  • Processing is for legitimate interests, provided these are not overridden by data subjects’ rights and freedoms.

Special category data (sensitive data) requires additional conditions for lawful processing.

Purpose Limitation

Rosa collects and processes personal data only for specific, explicit, and legitimate purposes. Data subjects are informed about these purposes at the time of data collection.

Data Minimization

We collect and process only the personal data that is necessary for the specified purposes.

Accuracy and Data Integrity

Rosa ensures that all personal data is accurate and kept up to date. Inaccuracies are corrected or erased promptly.

Data Retention

Personal data is retained only as long as necessary for the purposes for which it was collected. Unneeded data is securely erased or disposed of.

Secure Processing

Rosa implements appropriate technical and organizational measures to protect personal data against unauthorized processing, accidental loss, destruction, or damage.

Accountability and Record-Keeping

Our Data Protection Officer, Sue Halawa, oversees the implementation of this policy and ensures compliance with the GDPR. We maintain internal records of data collection, processing, and storage activities.

Data Protection Impact Assessments

Rosa conducts Data Protection Impact Assessments for new projects and uses of personal data, overseen by the Data Protection Officer, to identify and mitigate risks.

Keeping Data Subjects Informed

Data subjects are informed about the processing of their data at the time of collection or as soon as possible if data is obtained from third parties. Information provided includes the purpose of data processing, data retention details, and data subjects’ rights.

Data Subject Access

Data subjects can request access to their personal data. Requests are handled by the Data Protection Officer and are responded to within one month, extendable by two months if necessary.

Rectification and Erasure of Personal Data

Data subjects can request rectification of inaccurate data and erasure of data under certain conditions. Rosa will act on such requests within one month, extendable by two months if needed.

Restriction of Data Processing

Data subjects can request the restriction of data processing. Rosa will retain only the data necessary to ensure compliance with the restriction.

Objections to Data Processing

Data subjects can object to data processing based on legitimate interests or for direct marketing purposes. Rosa will cease such processing unless overriding legitimate grounds exist.

Data Security – Transferring and Storage

  • Personal data in emails must be encrypted and marked “confidential.”
  • Data is transmitted over secure networks only and stored securely using passwords and encryption.
  • Hardcopies are stored in locked, secure locations.

Data Breach Notification

All data breaches must be reported to the Data Protection Officer. If a breach poses a risk to data subjects, the Information Commissioner’s Office must be notified within 72 hours, and affected individuals informed if there is a high risk.

By adhering to these principles and procedures, Rosa ensures the protection of personal data and compliance with GDPR requirements. For any questions or further information, contact our Data Protection Officer, Sue Halawa.

