DATA PROTECTION POLICY & PROCEDURES

Data Protection Policy & Procedures 

Contents 

​

Policy Statement 

Rhino Recovery (hereinafter referred to as the “Company”) needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. Such Data is collected from employees, customers, suppliers, and clients and includes (but is not limited to), name, address, email address, Data of birth, IP address, identification numbers, private and confidential information, sensitive information and bank/credit card details.  In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK Data Protection Laws and any other relevant the Data Protection Laws and codes of conduct (herein collectively referred to as “the Data Protection Laws”). 

The Company has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the Data Protection Laws and principles, including Worker’s training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category Data is one of our top priorities and we are proud to operate a 'Privacy by Design' approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business. 

Purpose 

The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory requirements under the Data Protection Laws and to ensure that all personal and special category information is processed compliantly and, in the individuals, best interest.  The Data Protection Laws include provisions that promote accountability and governance and as such the Company has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is to ultimately minimise the risk of breaches and uphold the Protection of personal Data. This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal Data and Data subject requests. 

Scope 

This policy applies to all Workers within the Company (meaning permanent, fixed term, and temporary Workers, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.  

Definitions 

“Biometric Data” means personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as Facial Images or Dactyloscopy Data. 

“Binding Corporate Rules” means personal Data Protection policies which are adhered to by the Company for transfers of personal Data to a controller or processor in one or more third countries or to an international organisation. 

“Consent” of the Data subject means any freely given, specific, informed and unambiguous indication of the Data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal Data relating to him or her. 

“Cross Border Processing” means processing of personal Data which: - 

takes place in more than one Member State: or  

which substantially affects or is likely to affect Data subjects in more than one Member State 

“Data controller” means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 

“Data processor” means a natural or legal person, public authority, agency or other body which processes personal Data on behalf of the controller. 

“Data Protection Laws” means for the purposes of this document, the collective description of the GDPR, Data Protection Bill and any other relevant Data Protection Laws that the Company complies with. 

“Data subject” means an individual who is the subject of personal Data 

“GDPR” means the General Data Protection Regulation (EU) (2016/679)  

“Genetic Data” means personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result from an analysis of a biological sample from the natural person in question. 

“Personal Data” means any information relating to an identified or identifiable natural person (‘Data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Processing” means any operation or set of operations which is performed on personal Data or on sets of personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Profiling” means any form of automated processing of personal Data consisting of the use of personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. 

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal Data are disclosed, whether a third party or not. However, public authorities which may receive personal Data in the framework of a inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those Data by those public authorities shall be in compliance with the applicable Data Protection rules according to the purposes of the processing. 

“Supervisory Authority” means an independent public authority which is established by a Member State 

“Third Party” means a natural or legal person, public authority, agency or body other than the Data subject, under our direct authority. 

​toring to ensure that they are competent and knowledge for the role they undertake.