VROMO means the
it shall ensure that all information that it makes available through VROMO is accurate and up to date, including (but not limited to) information supplied for:
VROMO is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.
This policy outlines the behaviours and standards required of the; organisation, all employees, workers and third parties in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data.
Data Protection Principles
The Organisation is committed to adhering to the Data Protection Principles which state:
1. Data must be processed lawfully, fairly and in a transparent manner
2. Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Data processed must be adequate, relevant and limited to what is necessary
4. Data must be accurate and, where necessary, kept up to date, every reasonable step must be taken to ensure data that are inaccurate, are erased or rectified without delay.
5. Data must not be kept for longer than is necessary for the purposes for which the data are processed.
6. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. VROMO is aware that in order to process personal data, or sensitive personal data VROMO must rely on the data being:
– necessary for the performance of a contract, or;
– in preparation for a contract, or;
– to comply with our legal obligations, or;
– for our legitimate business interests or;
– to perform a task carried out in the public interest or in the exercise of an official authority.
If the organisation wishes to hold and process data which does not fall within conditions listed above then it will seek to obtain the consent of the individual.
Right of Access
Individuals have the right to access to information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records should give notice electronically and in writing to the Finance Director. VROMO has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.
In complex cases, or where there are numerous related requests, VROMO will liaise with the individual to inform them of progress, and if it is not possible to complete the request within 1 month, VROMO will inform the individual of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data is retained with third parties, VROMO will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible or would require disproportionate effort.
VROMO reserves the right to charge a fee or refuse to a respond to a request if it is manifestly unfounded or excessive. Similarly, VROMO reserves the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.
Rectification of Data
VROMO is committed to keeping data that is accurate and up to date. Data will be checked for accuracy where possible, and any data that is in accurate, out of date or unnecessary will be corrected or erased as appropriate.
Where an individual identifies that their personal data is incorrect, or incomplete or where they are aware that their personal data has changed, they must inform the organisation as soon as possible. The organisation will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.
In complex cases, or where there are numerous cases, VROMO will liaise with the individual to inform them of progress, and if it is not possible to complete the request within 1 month, VROMO will inform the individual of the delay and the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.
In the event that data has been disclosed to third parties, VROMO will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or would involve disproportionate effort.
The Right to be Forgotten
Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances i.e.
● Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
● When the individual withdraws consent;
● When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
● The personal data was unlawfully processed;
● The personal data has to be erased in order to comply with a legal obligation;
● The personal data is processed in relation to the offer of information society services to a child.
If you wish to ask for your own personal data to be partially/fully erased and no longer processed, please write to the Finance Director with full details of your request. VROMO has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where VROMO may be unable to comply include there it is required to retain the information by law, or if the data is needed in connection with legal proceedings.
In complex cases, or where there are numerous related requests, VROMO will liaise with you to inform you of progress, and if it is not possible to respond to your request within 1 month, VROMO will inform you of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.
In the event that data is retained with third parties, VROMO will ensure that the request is communicated and if appropriate actioned by the third party in line with the timescales outlined above.
Security of Data
VROMO is committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.
Any data breaches, will be managed according to the procedures documented in our Data Protection Breach Reporting Policy and Procedure.
VROMO is committed to ensuring that subject data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes. As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data.
VROMO does not intentionally keep data longer than necessary and when data is no longer required, VROMO is committed to securely deleting it as soon as possible. For more information and our retention guidelines, please refer to our Data Retention Policy.
All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, the member of staff should complete a Data Protection Breach Reporting Form (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to the Finance Director as soon as possible and within 24 hours of the discovery of the breach.
If you need help completing the form, or are unable to complete the form, then any delay should be avoided and instead the matter should be reported immediately, either verbally or using electronic means, such as email.
We are committed to monitoring this policy and will update it as appropriate.
27a, George’s Court,
19 W 34th Street
New York NY, 10001, United States