Privacy Policy

Angelic Reiki Association Data Protection Policy

 

Introduction

The Angelic Reiki Association (“ARA”) is committed to conducting its business in accordance with all applicable Date Protection laws and regulations including the General Date Protection Regulation (“GDPR”).  ARA expects all ARA Employees and Third Parties to share this commitment.

We process personal information to enable us to provide our services as a professional association which includes administering membership records, promoting our services, maintaining our records and supporting and managing our voluntary employees.

This Data Protection Policy (“Policy”) sets out ARA’s responsibiity and accountability regarding Data Protection;  how ARA meets the principles relating to processing of personal data;  and any processes associated with the rights of data subjects (individuals).   Any breach of this Policy will be taken seriously and may result in disciplinary action or business sanction.

1. Scope

This policy applies to all Data Subjects’ personal date stored or processed by ARA.   Specifically:

  • As a Data Controller, this Policy applies to all personal data ARA stores and processes about our members, prospective members, and other third parties.
  • Where ARA is deemed a Data Processor due to specific consultancy or advisory services.

2. Objectives

ARA will:

  • Adhere to the GDPR Principles for processing personal data as detailed in this Policy.
  • Respect and support individuals’ rights concerning their personal data as detailed in GDPR.
  • Ensure date protection is built in by design and default for all processes that include personal data.
  • Undertake, in addition to the above, a data protection impact assessment for such processes that might have a high risk of data breach which includes personal data.
  • Consider and put in place organisational and technology measures to mitigate risks to personal data.
  • Should ARA transfer personal data to a third party in a country located outside of the EEA, consider their compliance with an approved transfer mechanism such as the EU-US Privacy Shield.
  • Report data breaches according to the ARA Data Breach Notification Process.
  • Handle complaints according to the ARA Complaints Process.
  • Monitor and maintain records to support the accountability requirement of GDPR.
  • Review and audit this Policy and supporting processes and procedures annually as a minimum.
  • Correct any identified deficiencies in this Policy and the supporting processes and procedures within a defined and reasonable time frame.

3.  Responsibility

Everyone who works for or with ARA has a responsibility for ensuring that personal data is collected, stored and handled appropriately.   The Chair of ARA is ultimately responsible for meeting ARA legal Data Protection Obligations.   To ensure the understanding of responsibilities when handling personal data, ARA will:

  • Provide training to all employees on their responsibilities including security measures.
  • Ensure that all existing officers are aware of, and will adhere to, this Policy and associated documentation.
  • Include GDPR readiness status as part of the selection process of new associates, sub-contractors and other third parties used as Data Processors.

4.  Data Protection Principles

There are six data protection principles required by GDPR Article 5 and adhered to by ARA.   This section outlines the responsibilites arising from these principles and the ARA Policy for each.

i.     Lawful, Fair and Transparent Data Processing

The requirement of this principle is that personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals.   ARA will maintain a register of all personal data that is stores and processes, the purpose, the lawful bases for doing so, and any personal data that is shared with third parties.

ARA Privacy Notices:

This information will be communicated with Data Subjects via ARA Privacy Notices (an example is the one provided on the ARA website) or within terms and conditions or other contracts.   In all instances these will be written in concise, understandable language which is appropriate for the audience.   The relevant Privacy Notice or link to Privacy Notice, will be provided at the point of collection of personal data or as soon as it practically possible.

ii     Processed for Specified, Explicit and Legitimate Purposes

The requirement of this principle is that personal data is collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes..   Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.   ARA will obtain personal data only by lawful and fair means and, where appropriate with the knowledge and consent of the individual concerned.

ARA Consent Policy

Where a need exists to request and receive the consent of an individual prior to the collection, use or disclosure of their personal data, ARA is committed to seeking such consent.   Where special categories of data are stored and processed, consent will always be required.   There are some exceptions to this detailed in Article 9 of GDPR.   If and when ARA wishes to use personal data for any reason apart from what was originally agreed under the first principle (see above), ARA will see explicit consent for the new reason(s).

Consent may be withdrawn by an individual at any time.   The mechanism by which this can be done will be detailed in at least the ARA Privacy Notice(s).   ARA will record and manage consent given and withdrawn.

iii     Adequate, Relevant and Limited Data Processing

The requirement of this principle is that any personal data which is stored and processes should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.   ARA will identify for each Data Subject the purpose of the processing and the minimum personal data it requires for this purpose.

iv     Accuracy of Data and Keeping Data up to Date

Accurate and, where necessary, kept up to date;  every reasonable step must be taken to ensure that personal data that is inaccurate (having regard to the purposes for which it is processed) is erased or rectified without delay.    ARA will periodically check the accuracy of any personal data it stores and processes.   Where reasonable, any rectifications identified, or notified by an individual will be undertaken as soon as is practicable.

v     Timely Processing

The requirement of this principle is that personal data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed;  personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.   ARA will identify the retention period for personal data stored and processed.   Personal data will be deleted as soon as is practical after that time.

vi     Secure Processing

This requirement is that personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidently loss, destruction or damage, using appropriate technical or organisational measures.   ARA will use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data.

5.  Rights of Individuals

The GDPR provides eight rights for individuals.   This section summarises each of these and provides the ARA process associated with each.   Where ARA is deemed to be a Data Processor, ARA will engage with Data Controller(s) on how requests from individuals will be fulfilled.   When an individual makes a request regarding any of these rights, then before any action is taken concerning the request, ARA will check that:

  • The request is reasonable.
  • Their identity is confirmed.
  • There is no impact on other individuals’ personal data and their rights.
  • There is no legal, regulatory or contractual requirement to retain their data in its current form.

i)          Right to be informed

Keeping Data Subjects informed:  The Right to be informed encompasses ARA’s obligations to provide ‘fair processing information’, typically through a Privacy Notice.   It emphasises the need for transparency about how we use personal data.

ARA Process

The ARA process regarding this Right is cofered in the sections ARA Privacy Notices and ARA Consent Policy earlier in this document.

ii)         Right of Access

Individuals have the right to access their personal data and supplementary information.   The Right of Access allows individuals to be aware of and verify the lawfulness of the processing.   Details of who to contact to exercise this right are provided in the ARA Privacy Notice.

ARA Process

The process from receipt of a subject access request through to response is detailed in the ARA Access Request Procedure.

iii)      Right to Rectification

The GDPR gives individuals the right to have their personal data rectified.   Personal data can be rectified if it is inaccurate or incomplete.   Details of who to contact to exercise this right are provided in the ARA Privacy Notice.

ARA Process

After completing the checks detailed at the top of this section, ARA will amend the relevant data as soon as is reasonably possible.   An email will be sent to the requesting individual to confirm, and act as a record of, the completion of the request.

iv)        Right to Erasure

Erasure of Personal Data:   The right to erasure is also known as “the right to be forgotten”.   The broad principle underpinning this right is that an individual can request deletion or removal of personal data where there is no compelling reason for its continued processing.

ARA Process

After completing the checks detailed at the top of this section, ARA will delete the relevant  data as soon as is reasonably possible.   An email will be sent to the requesting individual to confirm, and act as a record of, the completion of the request.

v)          Right to Restrict Processing

Restriction of personal data processing.   Individuals have a right to ‘block’ or suppress processing of their personal data.   When processing is restricted, ARA is permitted to store the personal data, but not further process it.   ARA can retain just enough information about the individual to ensure that the restriction is respected in future.

ARA Process

After completing the checks detailed at the top of this section, ARA will not process the requesting individuals, personal data until notified.   An email will be sent to the requesting individual to confirm, and act as a record of the request.

vi)         Right to Data Portability

The right to Data Portability allows individuals to obtain and reuse their personal data for their own purposes.   It allows them to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.   It enables consumers to take advantage of applications and services which can use this date to find them a better deal, or help them understand their spending habits.

ARA Process

ARA holds only basic personal data.   As such there is no data that falls under this Right.

vii)       Right to Object

Individuals have the right to object to:

  • Processing based on legitimate intersts or the performance of a task in the public interest/exercise of official authority (including profiling).
  • Direct marketing (including profiling).
  • Processing for purposes or scientific/historical research and statistics.

Details of who to contact to exercise this Right and how to complain are provided in the ARA Privacy Notice.

ARA Process

This is detailed in the ARA Complaints Procedure.

viii)   Rights to Automated Decision Making including Profiling

Companies can only carry out this type of decision making where the decision is:

  • Necessary for the entry into or performance of a contract;  or
  • Authorised by Union or Member state law applicable to the controller;  or
  • Based on the individual’s explicit consent
ARA Process

No automated decision making (nor profiling) is undertaken by ARA either directly or on behalf of third parties.   Should it ever be, then a process will be put in place and this Policy document updated.

6.  Change Control

Version 1.0  implemented 18 May 2018 approved by Colleen Tucker