Data Protection Policy and Privacy Notice

 

PERSONAL DATA

Any personal data provided to Gold Creek Finance LTD will be held strictly in accordance with the GDPR.

DATA CONTROLLER

A data controller is an employee or sub-contractor to Gold Creek Finance LTD. This person is responsible for handling that personal data and remains responsible if the data is passed to a third party (e.g., Lender). If a data breach occurs, the employee or sub-contractor is responsible as the data controller and may have to report the breach to the ICO within 72 hours.

DATA PROCESSOR

A data processor is an employee or sub-contractor who is given data not directly by Gold Creek Finance LTD but by a company a client has referred (e.g., Lender). In this case, the client would be the data controller and the employee or sub-contractor the data processor. If the employee or sub-contractor sends the personal information to the wrong person and a breach occurs, they will need to inform the Data Controller of the breach and possibly report it to the ICO within 72 hours.

OTHER ORGANISATIONS

We must ensure that any organisation to which we pass personal data, or from which we receive personal data, is GDPR compliant. It is recommended that we sign an agreement with them regarding the processing and breach reporting procedures.

DATA STORAGE

We must have a legal reason to store personal data; otherwise, we require consent. By consent, we will collect any personal data when you register to use our services as an individual. If data is provided by a third party, we will be the data processor. If the information relates to addresses, then we will store information by address. We must delete the personal data if we do not have a legal basis or consent to store it. If there is a legal claim, then we have a legal basis to store the information. If we store personal data, we must have a retention period clearly stated and obtain consent.

Data must only be stored digitally on telephones or electronic items such as tablets or laptops which are password protected or encrypted.

SUBJECT ACTION REQUESTS

Requests must be processed within 30 days for no fee.

NEW SYSTEMS

We must carry out a risk assessment of any new/existing data systems that may risk the rights and freedoms of individuals and design new systems to be private and secure.

HR AND PERSONNEL

The same processing factors must be considered when processing employee personal data. Standard data is processed under contract in Article 6, and special category data must only be processed with consent under Article 9.

LEGAL BASIS FOR PROCESSING DATA

Article 6

To process personal data one condition from Article 6 must apply.

  • Consent (Individual has given clear consent for you to process their personal data for a specific purpose)
  • Contract (Necessary for a contract you have with the individual)
  • Legal obligation (To comply with the law, not including contractual obligations)
  • Vital interests (Protecting someone’s life)
  • Public task (Task in the public interest or a clear basis in law. Public authorities)
  • Legitimate interests (Processing data in ways you would reasonably expect with minimal privacy impact on individual’s rights and freedoms)

Special Category Data – Sensitive Data

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic Data
  • Biometric data
  • Health
  • Sex life
  • Sexual orientation

We will only share your data with our employees or sub-contractors instructed by us to carry out any work in relation to your request. We will not use your data for any other purposes.

TO PROCESS SPECIAL CATEGORY DATA, WE MUST HAVE A CONDITION UNDER ARTICLE 6 ABOVE AND ARTICLE 9 BELOW (DO YOU REALLY NEED THIS INFORMATION?)

Article 9

  • Consent
  • Vital interests (Protecting someone’s life)
  • Obligation under employment, collective agreement, social security, or social protection law
  • Not-for-profit bodies (Carrying out legitimate activities with safeguards in place. Consent required for disclosure outside the organisation)
  • Already made public
  • Legal claims
  • Substantial public interest
  • Health
  • Public health
  • Archiving (In the public interest)

In most cases, to process Special Category Data we will need to use Consent, as the other conditions do not generally apply.

CONSENT

  • Consent must be freely given, specific, informed, and unambiguous. There must be a positive opt-in.
  • Consent cannot be inferred from silence, pre-ticked boxes, or inactivity.
  • Consent can be withdrawn at any time in writing either by email or letter.

INDIVIDUALS’ RIGHTS

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing (inaccurate, unlawful, legal claim)
  • The right to data portability (You return data after use on paper, memory stick, etc.)
  • The right to object (legitimate interests, research purposes – except public task)
  • The right not to be subject to automated decision-making including profiling

REGISTRATION

Our company is registered with the Information Commissioner's Office and our registration number is ZB664956.

DATA BREACHES

If a data breach occurs, we must ensure that every effort is made to rectify or mitigate the loss immediately. All people concerned must be notified about the breach of their data within 24 hours. Data breaches must be reported to the ICO within 72 hours only where it is likely to result in a risk to the rights and freedoms of individuals – if it could result in:

  • Discrimination
  • Damage to reputation
  • Financial loss
  • Loss of confidentiality
  • Any other significant economic or social disadvantage