GDPR Compliance Policy for Our Zero

  1. Introduction

    Our Zero is committed to ensuring the protection of personal data collected, processed, and stored on our platform. This GDPR Compliance Policy outlines the measures and procedures we have implemented to ensure compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws and regulations.

  2. Scope

    This policy applies to all personal data collected, processed, and stored by Our Zero, including data from customers, users, employees, and any other stakeholders.

  3. Definitions

    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’).
    Processing: Any operation or set of operations performed on personal data, whether or not by automated means.
    Data Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data.
    Data Processor: The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

  4. Principles

    Our Zero adheres to the following principles when processing personal data:

    • Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
    • Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
    • Data minimization: Personal data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
    • Accuracy: Personal data is accurate and kept up to date, and reasonable steps are taken to ensure that inaccurate data is rectified or deleted.
    • Storage limitation: Personal data is kept in a form that allows identification of data subjects for no longer than necessary for the purposes for which it is processed.
    • Integrity and confidentiality: Personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

  5. Data Collection, Processing, and Storage

    Our Zero ensures that personal data is collected, processed, and stored in compliance with the GDPR and other relevant data protection laws and regulations. This includes:

    • Obtaining explicit consent from data subjects before collecting their personal data.
    • Informing data subjects about the purpose of collecting their personal data, the legal basis for processing, the retention period, and their rights under GDPR.
    • Implementing appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.

  6. Data Subject Rights

    Our Zero respects the rights of data subjects under GDPR, including:

    • The right to be informed about the collection and use of their personal data.
    • The right to access their personal data and supplementary information.
    • The right to rectification if their personal data is inaccurate or incomplete.
    • The right to erasure, also known as the ‘right to be forgotten,’ enabling data subjects to request the deletion or removal of personal data.
    • The right to restrict processing, allowing data subjects to block or suppress the processing of their personal data.
    • The right to data portability, allowing data subjects to obtain and reuse their personal data for their own purposes across different services.
    • The right to object to the processing of their personal data.

  7. Data Protection Officer

    Our Zero has appointed a Data Protection Officer (DPO) responsible for overseeing data protection strategy and implementation, as well as ensuring compliance with GDPR and other data protection laws and regulations.

  8. Breach Notification

    In case of a personal data breach, Our Zero will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, Our Zero will also notify the affected data subjects without undue delay.

  9. Training and Awareness

    Our Zero is committed to raising awareness about data protection and GDPR compliance among its employees, contractors, and partners. To achieve this, we will:

    • Provide regular training sessions on GDPR and data protection best practices for all employees who handle personal data.
    • Include data protection and GDPR compliance in employee onboarding and orientation programs.
    • Distribute informational materials and resources to ensure employees understand their responsibilities under GDPR and other data protection laws and regulations.
    • Conduct regular audits and assessments to ensure ongoing compliance with GDPR and other data protection laws and regulations.

  10. Third-Party Data Processors

    Our Zero only works with third-party data processors that can provide sufficient guarantees regarding their GDPR compliance and the protection of personal data. We have appropriate data processing agreements in place with all third-party data processors to ensure they comply with GDPR requirements.

  11. Data Protection Impact Assessments

    Our Zero conducts Data Protection Impact Assessments (DPIAs) for any new project, system, or process that may pose a high risk to the privacy and protection of personal data. DPIAs help to identify and minimise data protection risks and ensure that appropriate security measures are implemented.

  12. Policy Review and Updates

    This GDPR Compliance Policy will be reviewed and updated regularly to ensure continued compliance with the GDPR and other applicable data protection laws and regulations. Any changes to the policy will be communicated to all relevant stakeholders.

  13. Contact Information

    If you have any questions or concerns regarding this GDPR Compliance Policy, please contact our Data Protection Officer (DPO) at platform@ourzero.co.uk

By using the Our Zero platform or any other test micro sites, you acknowledge and agree to the terms outlined in this GDPR Compliance Policy.

DPIA Action Plan

| Task / Activity | Responsible Person | Timeline | Status | Comments |
|---|---|---|---|---|
| Data Protection Impact Assessments (DPIAs) | Data Protection Officer | Every 6 months | Pending / In Progress / Completed | |
| Identify the need for a DPIA | Data Controller or Data Processor | Before processing personal data | Pending / In Progress / Completed | |
| Describe the processing activities and data flows | Data Controller or Data Processor | Before conducting the DPIA | Pending / In Progress / Completed | |
| Identify the privacy risks and evaluate their impact | Data Protection Officer | Within 1 month | Pending / In Progress / Completed | |
| Identify measures to mitigate the privacy risks | Data Protection Officer | Within 1 month | Pending / In Progress / Completed | |
| Consult with stakeholders and obtain approval | Data Protection Officer | Within 1 month | Pending / In Progress / Completed | |
| Implement the DPIA and monitor its effectiveness | Data Controller or Data Processor | Ongoing | Pending / In Progress / Completed | |