Data Protection Policy

Lead Social Ltd T/A PandaPCP  ·  FCA FRN: 951156

UK GDPR  ·  Data Protection Act 2018

Policy, Scope and Objectives

Lead Social Ltd T/A PandaPCP (“the firm”) is committed to compliance with all relevant UK and EU laws in respect of personal data, and to protecting the “rights and freedoms” of individuals whose information we collect in accordance with the General Data Protection Regulation (GDPR).

The firm is committed to complying with data protection legislation and good practice, including:

  • Processing personal information only where this is strictly necessary for legitimate organisational purposes
  • Collecting only the minimum personal information required for these purposes and not processing excessive personal information
  • Providing clear information to individuals about how their personal information will be used and by whom
  • Only processing relevant and adequate personal information
  • Processing personal information fairly and lawfully
  • Maintaining an inventory of the categories of personal information processed by the firm
  • Keeping personal information accurate and, where necessary, up to date
  • Retaining personal information only for as long as is necessary for legal or regulatory reasons or for legitimate organisational purposes
  • Respecting individuals' rights in relation to their personal information, including their right of subject access
  • Keeping all personal information secure
  • Only transferring personal information outside the EU in circumstances where it can be adequately protected

Company: Lead Social Ltd

Trading as: PandaPCP

FCA Reference Number: 951156

Company Number: 12056721

Phone: +44 020 3584 4004

Registered Address: 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom

Contact Email: info@leadsocial.net

This policy applies to all employees, outsourced suppliers, and any third parties working with or for the firm who may have access to personal information. No third party may access personal data held by the firm without having first entered into a data confidentiality agreement. Any breach of the GDPR will be dealt with under the firm's disciplinary policy and may be a criminal offence.

1. Notification

  • The firm has notified the Information Commissioner that it is a data controller and that it processes certain information about data subjects.
  • The firm has identified all personal data that it processes. A copy of the ICO notification details is retained by the Data Protection Officer.
  • ICO notifications are automatically renewed annually.
  • The Data Protection Officer is responsible, each year, for reviewing the details of notification in light of any changes to the firm's activities and any additional requirements identified by means of data protection impact assessments.

2. Responsibilities under the GDPR

  • The firm is both a data controller and a data processor under the GDPR.
  • Anyone in a managerial or supervisory role is responsible for developing and encouraging good information handling practices within the organisation.
  • The Data Protection Officer (DPO), a member of the senior management team, is accountable to the Board/Principals for the management of personal information and for demonstrating compliance, including security and risk management.
  • The DPO has direct responsibility for ensuring that the firm complies with the GDPR on a day-to-day basis, as do Line Managers in respect of data processing within their area of responsibility.
  • The DPO has specific responsibilities in respect of Subject Access Request procedures and is the first point of contact for employees seeking clarification on any aspect of data protection compliance.
  • Compliance with data protection legislation is the responsibility of all members of the firm who process personal information.
  • Staff are responsible for ensuring that any personal data they supply is accurate and up to date.

3. Risk Assessment

The firm has a process for assessing the level of risk to individuals associated with the processing of their personal information. Assessments will also be carried out in relation to processing undertaken by other organisations on behalf of the firm.

  • The firm shall manage any risks identified by the risk assessment in order to reduce the likelihood of a non-conformance with this policy.
  • Where a type of processing — in particular using new technologies — is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) must be carried out prior to the processing.
  • A single assessment may address a set of similar processing operations that present similar high risks.
  • Where a DPIA indicates that processing could cause damage or distress to data subjects, the decision as to whether to proceed must be escalated to the Data Protection Officer.
  • The DPO shall, if there are significant concerns as to the potential damage, distress, or quantity of data concerned, escalate the matter to the Information Commissioner's Office.
  • Appropriate controls will be selected and applied to reduce the level of risk associated with processing individual data to an acceptable level, by reference to the requirements of the GDPR.

4. Data Protection Principles

All processing of personal data must be done in accordance with the following data protection principles of the UK GDPR:

  • Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently. The firm maintains transparent and easily accessible policies relating to the processing of personal data. Information must be communicated to the data subject in clear and plain language.
  • Purpose limitation: Personal data can only be collected for specified, explicit and legitimate purposes. Data obtained for specified purposes must not be used for a purpose that differs from those formally notified to the Information Commissioner.
  • Data minimisation: Personal data must be adequate, relevant and limited to what is necessary for processing. The DPO is the GDPR Owner and is responsible for ensuring information not strictly necessary is not collected. All data collection forms must be approved by the DPO.
  • Accuracy: Personal data must be accurate and kept up to date. Data kept for a long time must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume it is accurate.
  • Storage limitation: Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing. Where personal data is retained beyond the processing date, it will be minimised, encrypted or pseudonymised to protect the identity of the data subject.
  • Integrity and confidentiality: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data.
  • Transfer limitation: Personal data shall not be transferred to a country outside the UK/EU unless that country ensures an adequate level of protection for data subjects' rights and freedoms. Transfer is prohibited unless one or more specified safeguards or exceptions apply.

5. Accountability

The GDPR introduces the principle of accountability, which states that the controller is not only responsible for ensuring compliance but for demonstrating that each processing operation complies with the requirements of the GDPR. Specifically, the firm is required to:

  • Maintain necessary documentation of all processing operations
  • Implement appropriate security measures
  • Perform Data Protection Impact Assessments (DPIAs) where required
  • Comply with requirements for prior notifications or approval from supervisory authorities
  • Appoint a Data Protection Officer if required

6. Data Subjects' Rights

Data subjects have the following rights regarding data processing and the data recorded about them:

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed
  • To prevent processing likely to cause damage or distress
  • To prevent processing for purposes of direct marketing
  • To be informed about the mechanics of automated decision-taking processes that will significantly affect them
  • Not to have significant decisions that will affect them taken solely by automated process
  • To sue for compensation if they suffer damage by any contravention of the UK GDPR
  • To take action to rectify, block, erase or destroy inaccurate data (including the right to be forgotten)
  • To request the ICO to assess whether any provision of the UK GDPR has been contravened
  • The right for personal data to be provided in a structured, commonly used and machine-readable format (data portability)
  • The right to object to any automated profiling without consent

7. Complaints

Data subjects who wish to complain about how their personal information has been processed may lodge their complaint directly with us. Where data subjects wish to complain about how their complaint has been handled, or appeal against any decision made following a complaint, they may lodge a further complaint to the Data Protection Officer.

Data subjects may also complain directly to the Information Commissioner's Office (ICO):

Website: https://www.ico.org.uk

Telephone: 0303 123 1113

8. Consent

The firm understands ‘consent’ to mean that it has been explicitly and freely given — a specific, informed and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data relating to them. Consent can be withdrawn at any time.

  • Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing
  • There must be some active communication between the parties demonstrating active consent — consent cannot be inferred from non-response to a communication
  • For sensitive data, explicit written consent must be obtained unless an alternative legitimate basis for processing exists
  • Where the firm provides online services to children, parental or custodial authorisation must be obtained (applies to children under the age of 13)
  • In most instances, consent to process personal and sensitive data is obtained routinely using standard consent documents

9. Security of Data

All employees are responsible for ensuring that any personal data held by the firm is kept securely and is not disclosed to any third party unless specifically authorised. All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. Personal data must be kept:

  • In a lockable room with controlled access
  • In a locked drawer or filing cabinet
  • If computerised, password protected in line with the Access Control Policy
  • On removable computer media that is encrypted

Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation. Personal data may only be deleted or disposed of in line with the Secure Disposal policy. Hard drives of redundant PCs are to be removed and immediately destroyed before disposal. Processing of personal data off-site presents a greater risk of loss, theft or damage — staff must be specifically authorised to process data off-site.

10. Rights of Access to Data

Data subjects have the right to access any personal data held by the firm in electronic format and manual records which form part of a relevant filing system. This includes:

  • The right to inspect confidential personal references received by the firm
  • Information obtained from third-party organisations about that person
  • The right to receive a copy of the data held within one month of requesting it

Subject Access Requests are dealt with in accordance with the firm's Subject Access Request procedure. To submit a Subject Access Request, contact us at info@leadsocial.net.

11. Disclosure of Data

The firm must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and in certain circumstances the Police. The UK GDPR permits certain disclosures without consent for the following purposes:

  • To safeguard national security
  • Prevention or detection of crime including the apprehension or prosecution of offenders
  • Assessment or collection of tax or duty
  • Discharge of regulatory functions (includes health, safety and welfare of persons at work)
  • To prevent serious harm to a third party
  • To protect the vital interests of the individual (life and death situations)

All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.

12. Retention and Disposal of Data

Personal data may not be retained for longer than it is required. Personal data must be disposed of in a way that protects the rights and freedoms of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and in line with the firm's secure disposal procedure.

  • Records are retained in line with this Data Protection Policy and any applicable regulatory timeframe
  • The Data Protection Officer is responsible for ensuring data is reviewed at least annually and securely deleted once no longer required
  • The DPO must specifically approve any data retention that exceeds defined retention periods — this approval must be written
  • Manual records that have reached their retention date are to be shredded and disposed of as confidential waste
  • Hard drives of redundant PCs are to be removed and destroyed before disposal
