Privacy Policy – Kevin Green Wealth

KGW Privacy Policy printed 24/05/2018

  1. Policy statement
  1. Responsibilities and roles under the General Data Protection Regulation
  1. Data protection principles

All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the GDPR. Kevin Green Wealth’s policies and procedures are designed to ensure compliance with the principles.

Data obtained for specified purposes must not be used for a purpose that differs from those formally notified to the supervisory authority as part of Kevin Green Wealth’s GDPR register of processing.

The Data Protection Officer / GDPR Owner will carry out a risk assessment considering all the circumstances of Kevin Green Wealth’s controlling or processing operations.

Kevin Green Wealth will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as data protection by design, DPIAs, breach notification procedures and incident response plans.

  1. Data subjects’ rights
  1. Consent
  1. Security of data
  1. Disclosure of data
  1. Retention and disposal of data

Personal data must be disposed of securely in accordance with the sixth principle of the GDPR. Any disposal of data will be done in accordance with the secure disposal procedure.

  1. Data transfers

The transfer of personal data outside of the EEA is prohibited unless one or more of the specified safeguards, or exceptions, apply:

The European Commission can and does assess third countries, territories and/or specific sectors within third countries to determine whether there is an appropriate level of protection for the rights and freedoms of natural persons. In these instances no authorisation is required.

Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as having met the conditions for an adequacy decision.

A list of countries that currently satisfy the adequacy requirements of the Commission is published in the Official Journal of the European Union. https://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

If Kevin Green Wealth wishes to transfer personal data from the EU to an organisation in the United States, it should check that the organisation is signed up with the Privacy Shield framework at the U.S. Department of Commerce. The obligations applying to companies under the Privacy Shield are contained in the “Privacy Principles”. The US DOC is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. In order to be able to certify, companies must have a privacy policy in line with the Privacy Principles, e.g. use, store and further transfer the personal data according to a strong set of data protection rules and safeguards. The protection given to the personal data applies regardless of whether the personal data is related to an EU resident or not. Organisations must renew their “membership” to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework.

Kevin Green Wealth may adopt approved binding corporate rules for the transfer of data outside the EU. This requires submission to the relevant supervisory authority for approval of the rules that Kevin Green Wealth is seeking to rely upon.

Kevin Green Wealth may adopt approved model contract clauses for the transfer of data outside of the EEA. If Kevin Green Wealth adopts the model contract clauses approved by the relevant supervisory authority there is an automatic recognition of adequacy.

In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:

  1. Information asset register/data inventory

Document Owner and Approval

The Data Protection Officer / GDPR Owner is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.

This policy was approved by Kevin Green on 12th Jan 2019 and is issued on a version-controlled basis under the signature of the Owner.
