Data Protection Policy
Introduction:
Wise Auto Ltd (the Company) is involved in the processing of personal data belonging to living individuals, including its staff, customers, contractors, and research subjects. This processing falls under the regulation of the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). The Information Commissioner's Office (ICO) serves as the regulatory body for the DPA and GDPR in the UK.
The Company is registered as a Data Controller with the ICO and bears responsibility for ensuring compliance with the GDPR and DPA.
1. Key Definitions:
This policy makes reference to several key definitions, such as 'Personal Data,' 'Processing,' and 'Data Controller.' These definitions are outlined in Annex A.
2. Purpose and Objectives of Policy:
The primary aim of this policy is to express Wise Auto Ltd's commitment to upholding the requirements of the Data Protection Act 2018 ('DPA') and the General Data Protection Regulation ('the GDPR').
3. Scope and Status of the Policy:
This policy applies to all users of Personal Data, including Company staff, customers, and other parties engaged in the processing of Personal Data. Its applicability extends to all instances where Personal Data is processed for the Company's purposes, regardless of location or equipment used. Furthermore, this policy covers all forms of Personal Data, whether in electronic records or manual paper records.
Roles and Responsibilities:
Board of Directors:
The approval of this policy rests with the Board of Directors.
Company Executive Group:
The strategic-level implementation of the policy, oversight of compliance, and identification of risks fall within the responsibilities of the Company Executive Group, which also reports such risks to the Board.
Information Asset Owners:
The Company appoints Information Asset Owners (IAOs) to ensure local compliance with data protection for the processed Personal Data.
Information Asset Managers:
Information Asset Managers are designated to ensure compliance with data protection within their respective teams.
Data Protection Officer:
Wise Auto Ltd's Data Protection Officer (DPO) primarily advises and assesses compliance with the DPA and GDPR, offering recommendations for improved practice. The DPO also serves as the primary point of contact for DPA and GDPR matters.
Legal Services:
Legal Services is tasked with providing advice, support, and guidance regarding day-to-day data protection matters.
All Staff:
All staff members, including permanent employees, contractors, and temporary workers, are bound to comply with this Policy, the DPA, and the GDPR whenever they process Personal Data on behalf of or for the Company.
All Customers:
Customers are responsible for adhering to Company rules and policies, including compliance with this policy while collecting and processing Personal Data for their activities.
Contractors and Consultants:
Third parties, such as consultants and contractors, who undertake work on behalf of Wise Auto Ltd that involves Personal Data, must adhere to the Company's Data Protection Policy and comply with the DPA and GDPR. Contracts with external providers will include provisions to ensure compliance with this Policy, the DPA, and GDPR.
4. Compliance with the DPA and GDPR:
Awareness & Capability:
The Company will implement mandatory Data Protection training and oversee its annual completion for all staff members.
Privacy By Design:
Wise Auto Ltd will adopt a Privacy By Design approach by integrating Privacy Impact Assessments into business processes and projects involving Personal Data.
Lawful, Fair & Transparent Processing:
Appropriate information will be provided to individuals through privacy notices when collecting their Personal Data, and the Company will ensure at least one lawful basis exists for Processing Personal Data.
Purpose Limitation:
The Company will explicitly state the purposes for Processing Personal Data and will only process such data for the notified purposes or compatible purposes.
Data Minimisation:
The Company will collect only the necessary information required to fulfil identified purposes and ensure that the collected Personal Data is relevant and not excessive.
Accuracy:
The Company will ensure the accuracy of processed Personal Data and update it when necessary.
Security:
Wise Auto Ltd will safeguard the security of Personal Data and maintain compliance with GDPR requirements.
Record Keeping & Retention:
The Company will establish a records retention and disposal schedule that sets the timeframes for retaining records containing Personal Data.
External Contractors and International Transfers:
Wise Auto Ltd will establish legally binding contracts with external entities engaged in processing Personal Data on its behalf. Adequacy arrangements will be implemented for the transfer of Personal Data outside the European Union.
Other Third-Party Access:
The disclosure of Personal Data to third parties, such as the police, central government, and other educational institutions, will only occur when a lawful basis exists, and appropriate arrangements are in place.
Internal Sharing:
Wise Auto Ltd will ensure that sharing of Personal Data across different teams, divisions, or faculties is limited to areas with a legitimate business need.
5. Data Subjects' Rights:
The Company will comply with requests from an individual to exercise their rights under the DPA and the GDPR. All individuals have the right to be informed about the information the Company holds about them and to request copies of that information. This right is known as a Subject Access Request. Any individual who wishes to submit a Subject Access Request should contact the company in writing.
Under the DPA and GDPR, individuals also possess the following rights in relation to their Personal Data:
- They can request the rectification of their Personal Data if it is inaccurate.
- They can request the erasure of their Personal Data.
- They can request the restriction of the Processing of their Personal Data.
- They have the right of portability in relation to their Personal Data.
- They can object to the Processing of their Personal Data.
- They can object to Processing that involves automated decision-making or profiling.
Individuals who wish to exercise the rights mentioned above should contact the Company's Data Protection Officer. Individuals are recommended to submit the request in writing, specifying the exact Personal Data and/or Processing they are referring to and the right they wish to exercise. Individuals seeking access to their Personal Data (i.e., making a 'Subject Access Request') may find it helpful to review the guidance available on our website.
Any staff member who receives a request from an individual to exercise their rights under the DPA and GDPR must immediately forward it to the responsible person. All staff are responsible for cooperating with Legal Services to ensure that an individual's request under the DPA and GDPR is complied with within the statutory timescales.
6. Own Personal Data:
All staff and customers are responsible for maintaining accurate and up-to-date information provided to the Company. Changes in Personal Data, such as addresses, must be promptly communicated in writing to the Company.
7. Personal Data Breaches:
Wise Auto Ltd will respond promptly to identified Personal Data Breaches, conducting thorough investigations to determine the necessary actions, including whether to report the breach to the ICO, inform data subjects, and implement new measures to mitigate further breaches.
8. Compliance:
The responsibility for compliance with this Policy, the DPA, and the GDPR falls on all staff members and customers. Breaches of the policy may result in disciplinary action, and severe or deliberate breaches of the DPA can lead to criminal prosecution. Non-compliance with the GDPR by the Company could result in substantial fines or actions imposed by the ICO.
9. Further Information:
For questions concerning the interpretation or implementation of this policy, individuals should initially contact the Data Protection Officer. Any individual who believes the policy has not been followed in relation to their Personal Data should also address the matter with the Company's Data Protection Officer.
For additional information about the DPA and GDPR, individuals can refer to the Information Commissioner's Office (ICO) website. Further guidance for staff is available on the company's data protection website. Related policies can be accessed in the policy section of the Wise Auto Ltd website.
Document: Data Protection Policy; Owner: Wise Auto; Approved by: Board of Directors
Annex A: Key Definitions
- 'Personal Data' refers to data related to living individuals that can identify them, including opinions and intentions. Under GDPR, this definition explicitly extends to IP addresses.
- 'Sensitive Personal Data' includes an individual's Special Category Data and information about alleged criminal offences.
- 'Special Category Data' encompasses information about racial origin, political opinions, beliefs, trade union membership, health, sex life, sexual orientation, and genetic or biometric data.
- 'Processing' includes operations performed on Personal Data, such as collection, use, disclosure, and storage.
- 'Data Controller' designates the organisation determining how and why Personal Data is processed, bearing responsibility for DPA and GDPR compliance.
- 'Personal Data Breach' signifies a breach resulting in unauthorised access to or disclosure of Personal Data.