1. Introduction, Aims and Scope
1.1. This policy governs the data protection obligations of The Standard Club Europe Limited (SCEL), a company incorporated in England & Wales (company number 00017864) and having its main office at the registered address of The Minster Building 21 Mincing Lane London EC3R 7AG.
1.2. SCEL is part of The Standard Club group of companies (the Group), including:
1.2.1. The Standard Club Ltd (company number 1837) incorporated in Bermuda (of which SCEL is a wholly-owned subsidiary);
1.2.2. Standard Club (Asia) Ltd, incorporated in Singapore, which is also wholly-owned by The Standard Club Ltd;
1.2.3. Standard Club Ireland Ltd, to be incorporated in the Republic of Ireland, which shall also be a wholly-owned subsidiary of The Standard Club Ltd.
1.3. The Group is committed to conducting their businesses in a manner that protects and values each individual’s personal data, and processes said personal data fairly, lawfully, and ethically. The lawful and proper processing of personal data by the Group is integral to the success of its businesses, whether or not required by law under the new General Data Protection Regulation (GDPR), and is expected by its customers and partners.
1.4. The Group has developed policies around data protection to account for the specific challenges of its business, including their global scope (including operating in territories outside of the European Economic Area), the scale of their operations and the sensitive nature of the personal data they sometimes must process.
1.6.1. The Group Governance & Registrations Policy
1.6.2. The Group Subject Rights Policy
1.6.3. The Group Data Retention Policy
1.6.4. The Group Data Incident Policy
1.6.5. The Group Data Transfer Policy
1.6.6. The Managers’ All-Staff Information Security Policy.
1.7. The aim of these policies is to support the management of data protection across the Group by providing this agreed set of standards. All employees and contractors working on behalf of the Group in all relevant territories and businesses must familiarise themselves with the processes and procedures set out herein and comply with them at all times.
1.8. This Policy applies to all Group companies which process (whether electronically or otherwise) Personal Data (including Special Category Personal Data). Subject to the Group Data Transfer Policy (which shall take precedence in all matters of territoriality), the Group shall treat data concerning any living natural person as being personal data, irrespective of their nationality, citizenship, or residence.
1.9. For operational purposes, there may be occasions where deviations to this Policy or any linked Policies are required. Where this in necessary and justified, the deviations shall be recorded by the Group Data Protection Officer, and where appropriate, notified to the Information Commissioner’s Office (ICO).
2.1. The Policy, unless indicated otherwise below, adopts the definitions contained in Article 4 GDPR. Specifically, this Policy relies on the below definitions:
2.1.1. Personal Data means:
'any information relating to an identified or identifiable natural person (data subjec’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'
2.1.2. Special Category Personal Data means:
'personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.'
2.1.3. Processing means:
'any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.'
2.1.4. Data Controller means:
'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'
2.1.5. Data Processor means:
'a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.'
2.1.6. Data Subject means:
'an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.'
2.1.7. Third Party means:
'a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.'
2.1.8. Consent means:
'any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'
2.1.9. Data Breach means:
'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.'
2.2. This policy also relies on the following defined terms:
2.2.1. Archiving means the removal of Data from active systems (including, but not limited to, IT systems) and placing the Data into secure storage (whether hard copy or electronic) where the Data is still capable of being accessed by arrangement.
2.2.2. Data Privacy Officer or DPO means the individual designated by the Group under Article 37(2) GDPR to inform and advise the Group on the Applicable Data Protection Law and Applicable Guidance, and monitor the Group’s compliance with the Applicable Data Protection Law and Applicable Guidance.
2.2.3. Privacy Office means the Office consisting of the Group Data Privacy Officer, the Group Privacy Managers and staff reporting to them directly or indirectly on matters concerning data protection.
2.2.4. Privacy Manager means individuals within the Group who are responsible for managing compliance with the Applicable Data Protection Law and Applicable Guidance and assisting the Group Data Privacy Officer.
2.2.5. General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2.2.6. Applicable Data Protection Law (on or after 25 May 2018) means:
184.108.40.206. the Data Protection Act 1998 and subsidiary legislation or orders (but only for as long as they remain in force)
220.127.116.11. the Data Protection Act 2018 (if and insofar as enacted) (DPA2018), and subsidiary legislation and orders made pursuant to the DPA2018
18.104.22.168. the GDPR (but only for as long as the UK remains a Member State of the European Union, and/or the GDPR continues to apply as a matter of domestic law of the UK)
22.214.171.124. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the PEC Directive), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and any subsequent EU instrument (the ePrivacy Regulation) which either amends or replaces these legal instruments (but only for so long as the UK remains a Member State of the European Union)
126.96.36.199. any other domestic data protection laws as shall be in force in the UK from time to time, to give effect to the rights of citizens concerning data protection (including replacements for PECR, whether or not implementing or retaining the EU ePrivacy Regulation).
2.2.7. Applicable Guidance means guidance and/or codes of practice and/or outcomes of any enforcement action issued and/or published by the ICO, the Article 29 Working Party and the European Data Protection Board, or any successor bodies to these organisations, in relation to any Applicable Data Protection Law.
3. The Principles underpinning this policy
3.1. The Group will at all times comply with Applicable Data Protection Law and Applicable Guidance. Insofar as they are able within the law and within the terms of contracts with external parties, Group companies will seek to make all decisions through the prism of acting in the best interests of the Data Subject.
3.2. Article 5 GDPR provides for the core principles of Applicable Data Protection Law:
3.2.1. We shall process personal data fairly, lawfully and transparently
3.2.2. We shall only be processed for specified, explicit purposes, or collateral purposes that are not incompatible with the processing for which the data was obtained
3.2.3. We will limit processing of personal data to what is adequate, relevant and necessary
3.2.4. We will keep personal data accurate and up-to-date
3.2.5. When we no longer need to keep personal data in a way that identifies the data subject, we will either delete it, or render data subjects non-identifiable
3.2.6. We will take appropriate technological and organisational measures to keep personal data secure, and protect it against accidental or malicious unlawful or unauthorised processing.
3.3. The Group has, as part of its compliance with the Applicable Data Protection Law, from 25 May 2018, prepared a full Data Inventory, conducted a Data Mapping Exercise, and Gap Analysis. These allow the Group to monitor and demonstrate the extent to which the Group’s current data protection policies and processes under the Data Protection Act 1998 meet GDPR compliance requirements, and in what areas the Group needs to update its policies and processes in order to achieve compliance.
3.4. The Group shall, pursuant to Article 24(2) GDPR, endeavour to adhere to all ICO-approved codes of conduct (pursuant to Article 40 GDPR), and shall seek to achieve certification of compliance (pursuant to Article 42 GDPR) from a certification body approved by the ICO or other supervisory authority.
3.5. Under Article 29 GDPR, any processor engaged on behalf of the Group shall process personal data only on the Group’s instructions, under contract compliant with Article 28.
4. Processing personal data Fairly, Lawfully and Transparently
4.1. The Group will keep and maintain a Data Inventory, listing the categories of all the Personal Data that it processes, including specifying the Special Category Personal Data.
4.3. The Group will conduct a general Privacy Impact Assessment (PIA) upon the implementation of GDPR on 25 May 2018, and shall thereafter conduct Data Protection Impact Assessments (DPIAs) pursuant to Article 35 GDPR upon developing new procedures or processes, or entering into new forms of business which involve the processing of personal data. The Group DPO shall be responsible for any prior consultation with the ICO within the meaning of Article 36 GDPR. In particular, any new reliance on automated decision-making (including profiling) under Article 22 GDPR shall be referred to the ICO for prior consultation.
4.4. The Group will act in accordance with all its legal and ethical obligations in respect of personal data, including (but not limited to) Applicable Data Protection Law.
4.5. The Group will give effect to Articles 12-14 GDPR and the Right to Information.
4.6. Any agreements by which both the Group and another entity are both Data Controllers shall specify the division of responsibilities in a manner that maximises the transparency of approach to data subjects, especially with respect to their Data Subject Rights. This shall be recorded in summary form in the Group Governance & Registrations Policy. The Group Data Subject Rights Policy details the process by which allocation of responsibility for decision-making in relation to data subject Requests shall be made.
5. Processing personal data for Specified Purposes only
5.1. The Group DPO will maintain the Data Inventory, which shall include:
5.1.1. as against every type and category of Personal Data the lawful basis (or bases) for its processing, according to Article 6 GDPR
5.1.2. as against every type and category of Special Category Personal Data, the exemption (or exemptions) relied upon under Article 9(2) GDPR from the prohibition in Article 9(1) GDPR
5.1.3. as against every type and category of personal data relating to criminal convictions and the like (Article 10 GDPR), the provision of Applicable Data Protection Law which permits such processing
5.1.4. a full record of any circumstances in which the Group company as a data controller relies on its own legitimate interests, and consideration of the extent (if at all) to which this infringes upon the principles of the Applicable Data Protection Law.
5.1.5. Where the processing of personal data is for purposes (Other Purposes) which are distinct from those purposes (the Original Purposes) for which the personal data was obtained, the Group DPO shall ensure that such Other Purposes are recorded and rendered distinctive in the Data Inventory, and that a PIA is conducted to ensure compliance with Article 6(4) GDPR as to the compatibility of the Other Purposes with the Original Purposes.
6. Data Minimisation
6.1. The Group will only process Personal Data insofar as is reasonably necessary to do so.
6.2. The Group will review its Data Inventory on a periodical basis, no less than once per annum, and the Group DPO shall certify (no less than annually) that no types or categories of personal data are excessive, or inadequate, or not relevant to the purposes for which that personal data is processed.
6.3. The Group shall take such steps as are required to comply with Article 25 GDPR, including constant review of processing to ensure data protection is embedded into its policies and processes both by design and by default.
7. Data Integrity
7.1. The Group shall ensure, where reasonably practicable, that all personal data it processes shall be accurate and up-to-date.
7.2. The Group Data Subject Rights Policy provides for the Right to Rectification, which shall be effected without undue delay on receipt of a Request from, or on behalf of, a data subject seeking to rectify (including seeking to amplify) their Personal Data.
8. Data Retention
8.1. The Group Data Retention Policy provides details as to the period for which types and categories of personal data shall be retained, and the lawful basis for that retention.
8.2. In the absence of any justification under the Group Data Retention Policy, personal data shall be deleted without undue delay, unless paragraph 8.3 applies.
8.3. In limited circumstances, to be recorded in the Data Inventory and approved in each case in advance by the Group DPO (who shall report all such approvals to the Boards of the Group companies) personal data may be retained beyond the date provided for in the Group Data Retention Policy, but only if the data subjects are rendered non-identifiable from such data, and in such circumstances Article 11 GDPR shall apply.
9. Appropriate Technical & Organisational Measures
9.1. The Group shall take all appropriate technical and organisational measures to keep Personal Data secure and processed only for the authorised purposes.
9.3. Further provisions as to this principle of Applicable Data Protection Law can be found in the Group Data Incident Policy and the Group All-Staff Information Security Policy
10. Audit and Review
10.1. This Policy shall be reviewed on an annual basis by the Group DPO and the Boards of each of the Group companies and the Boards of such data co-controllers for whom the Group DPO acts as their DPO.