GDPR Compliance Document for Inicio Tech Limited

1. Introduction

Inicio Tech Limited is a web development company that builds apps and websites and also provides server services to its clients. This document outlines the procedures and measures Inicio Tech Limited has implemented to ensure compliance with the General Data Protection Regulation (GDPR).

2. Data Protection Principles

Inicio Tech Limited adheres to the GDPR principles, ensuring that personal data is:
– Processed lawfully, fairly, and transparently.
– Collected for specified, explicit, and legitimate purposes.
– Adequate, relevant, and limited to what is necessary.
– Accurate and kept up to date.
– Retained only as long as necessary.
– Processed securely.

3. Data Audit and Record of Processing Activities

3.1. Data Audit
We have conducted a comprehensive data audit to identify:
– The types of personal data we collect.
– The purposes for which we process personal data.
– The legal basis for data processing.
– Data retention periods.
– Data sharing practices.

3.2. Record of Processing Activities (ROPA)
We maintain a detailed record of our processing activities, including:
– Contact details of the data controller and DPO.
– Purposes of data processing.
– Categories of data subjects and personal data.
– Recipients of personal data.
– Transfers of personal data to third countries or international organisations, and the safeguards applied to them.
– Data retention periods.
– Security measures in place.

4. Data Protection Officer (DPO)

4.1. Appointment of DPO
Inicio Tech Limited has appointed a Data Protection Officer (DPO) to oversee GDPR compliance. The DPO is responsible for:
– Monitoring compliance with GDPR.
– Providing advice on data protection impact assessments.
– Cooperating with the ICO.
– Acting as a contact point for data subjects and the ICO.

4.2. Contact Information
DPO Contact Information:
Office #101-103, 2235-2243 Coventry Road, Sheldon Chambers, Birmingham, B26 3NW
0121 8099 365
info@iniciotech.co.uk

5. Privacy Policy

5.1. Updating Privacy Policy
Our privacy policy is regularly updated to ensure transparency. It includes:
– The types of personal data collected.
– How personal data is used.
– Legal basis for processing.
– Data retention periods.
– Data subject rights.
– Contact information for the DPO.

5.2. Accessibility
The privacy policy is accessible on our website and provided at the point of data collection.

6. Data Subject Rights

6.1. Procedures for Data Subject Requests
We have established procedures to handle data subject requests, including:
– Access to personal data.
– Rectification of inaccurate data.
– Erasure of data (right to be forgotten).
– Restriction of processing.
– Data portability.
– Objection to processing.

6.2. Response Time
Requests are responded to without undue delay and in any case within one month of receipt. Where a request is complex, or several requests are received from the same data subject, this period may be extended by up to two further months; the data subject is informed of the extension and the reasons for it within the initial month.

7. Data Protection Impact Assessments (DPIAs)

7.1. Conducting DPIAs
We conduct DPIAs for high-risk processing activities to identify and mitigate risks to data subjects. DPIAs are documented and include:
– A description of the processing activities.
– An assessment of the necessity and proportionality of processing.
– An assessment of risks to data subjects.
– Measures to address and mitigate risks.

7.2. Regular Reviews
DPIAs are reviewed regularly and updated when necessary.

8. Data Breach Response

8.1. Data Breach Procedures
We have established procedures to detect, report, and investigate data breaches. These procedures include:
– Immediate containment and recovery.
– Assessing the breach’s impact.
– Notifying the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
– Informing affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

8.2. Documentation
All data breaches are documented, including details of the breach, its effects, and remedial actions taken.

9. Employee Training

9.1. Regular Training
All employees receive regular training on GDPR and data protection practices. Training covers:
– Data protection principles.
– Data subject rights.
– Identifying and reporting data breaches.
– Secure data handling.

9.2. Record Keeping
Training sessions and materials are documented and stored securely.

10. Contracts with Third Parties

10.1. Third-Party Contracts
We review and update contracts with third-party processors to ensure they include GDPR-compliant data protection clauses. Contracts specify:
– The processor’s obligations.
– Security measures.
– Data subject rights.
– Assistance with DPIAs and data breach notifications.

10.2. Regular Reviews
Third-party contracts are reviewed regularly to ensure ongoing compliance.

11. Security Measures

11.1. Technical Measures
We implement technical measures to protect personal data, including:
– Encryption of data at rest and in transit.
– Secure access controls.
– Regular security assessments and timely application of security updates.

11.2. Organizational Measures
We implement organizational measures, including:
– Data protection policies.
– Regular security training for employees.
– Incident response plans.

12. Ongoing Compliance and Monitoring

12.1. Regular Audits
We conduct regular audits to ensure ongoing GDPR compliance. Audits cover all aspects of data protection, including data processing activities, security measures, and employee training.

12.2. Continuous Improvement
We continuously review and improve our data protection practices based on audit findings, changes in legislation, and best practices.