This policy document is compliant with the provisions of the EU General Data Protection Regulation (EU) 2016/679.
This policy document sets out the policies and procedures Papastamos Limited trading as Physiomove London will comply with when dealing with personal data.
Personal data must be protected in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679. Dependence on personal data for the normal conduct of business necessitates the creation of this policy to set out the procedures and measures that protect personal data.
This policy defines the rules, procedures and measures used to collect, use and store personal data in a GDPR-compliant manner, as well as to control and prevent unauthorised access to personal data. A breach of data security can lead to regulatory fines, an inability to provide services, loss of customer confidence, and physical, financial and emotional damage to the affected persons.
This policy therefore discusses:
Data categories
Data classification
Data ownership
Data collection/generation
Data usage
Data storage
Data disposal
Data transfer
Data security
This policy defines Papastamos Limited trading as Physiomove London's overall data protection objectives and the procedures that we endorse.
This embodies the principles of data protection as described in Article 5 of the GDPR, namely:
Lawfulness, fairness and transparency,
Purpose limitation,
Data minimisation,
Accuracy,
Storage Limitation,
Integrity and confidentiality
Breach of the policy and its consequences
A breach of this policy could have severe consequences for Papastamos Limited trading as Physiomove London, for its ability to provide services, and for the integrity, confidentiality or availability of those services.
Intentional misuse of data resulting in a breach of any part of this policy will result in disciplinary action at the discretion of the senior management of Papastamos Limited trading as Physiomove London. Severe, deliberate or repeated breaches of the policy by any employee may be considered grounds for instant dismissal; or in the case of a Papastamos Limited trading as Physiomove London vendor, termination of their contracted services. All employees and vendors are bound by these policies and are responsible for their strict enforcement.
Scope of the Policy
This policy applies to all Papastamos Limited trading as Physiomove London and customer data assets that exist in any processing environment of Papastamos Limited trading as Physiomove London, on any media, during any part of their life cycle. The following entities or users are covered by this policy:
- Visitors
This document forms part of our contractual agreements with vendors, suppliers, and third-party processors or agents, hereafter referred to as vendors. All parties must read this policy completely, confirm that they understand its contents, and agree to abide by it.
Data Life Cycle
The security of data can be understood through the use of a data life cycle. The typical life cycle of data is: collection/generation, use, storage and disposal. The following sections provide guidance as to the application of this policy through the different life cycle phases of data.
Users of data assets are personally responsible for complying with this policy. All users will be held accountable for the accuracy, integrity, and confidentiality of the information to which they have access. Data must only be used in a manner consistent with this policy.
Data Protection Policy Statement
Goals
This policy has been written with the following goals in mind:
To ensure the security, integrity and availability of all company and customer data
To establish the company's baseline data security stance and classification schema
To enable the firm to meet its own requirements for the management of personal information
To ensure that the firm meets applicable statutory, regulatory, contractual and/or professional duties
Processing environment
Papastamos Limited trading as Physiomove London’s processing environment to which this policy applies comprises:
Data Protection Responsibilities
The Management department is responsible for:
Defining the security requirements, controls and mechanisms
Defining the methods and guidelines used to identify and classify all data assets
Defining the procedures for identifying data owners for all data assets
Defining the labelling requirements for all data assets
Defining procedures for data usage, processing, transmission, storage and disposal
Defining the procedures necessary to ensure compliance with this policy
Facilitating the evaluation of new regulatory requirements and best practices
Management Responsibilities
Other departments within Papastamos Limited trading as Physiomove London also have various responsibilities for ensuring compliance with this policy, such as:
Each individual department must ensure that its staff comply with this policy.
The Management must ensure that adequate logs and audit trails are kept of all data access.
The Management must ensure that all security mechanisms are activated.
The Management is responsible for communicating business requirements and issues for business processes, and for the data those processes include, to ensure their correct data classification.
The Management is responsible for regularly evaluating the data classification schema for consistent application and use.
Other Responsibilities
Other departments and related entities have responsibilities to comply with this policy, such as:
All Papastamos Limited trading as Physiomove London agents, vendors, content providers, and third-party providers that process customer data must have a documented data protection policy that clearly identifies that data and other resources, and the controls that are being imposed upon them.
All Papastamos Limited trading as Physiomove London agents, vendors, content providers, and third-party providers that access the Papastamos Limited trading as Physiomove London processing environment and its data, or provide content to it, must have a security policy that complies with and does not contradict the Papastamos Limited trading as Physiomove London data protection policy.
All agents, vendors, content providers, and third-party providers must agree not to bypass any of our security requirements.
Data Classification
Data classification is necessary to enable the allocation of resources to the protection of data assets, as well as determining the potential loss or damage from the corruption, loss or disclosure of data.
To ensure the security and integrity of all data, the default classification for any data not classified by its owner must be Confidential.
The Management is responsible for the classification of data.
The Management is responsible for evaluating the data classification schema and reconciling it with new data types as they enter usage. It may be necessary, as we enter new business endeavors, to develop additional data classifications.
All data found in the processing environment must fall into one of the following categories:
Confidential Customer Data – Confidential customer data is defined as data that only authorised internal Papastamos Limited trading as Physiomove London entities or specific authorised external entities can access. The disclosure, use, or destruction of confidential customer data can have adverse effects on Papastamos Limited trading as Physiomove London and its relationship with its customers, and may carry significant liability for both. Confidential customer data is entrusted to, and may transit or be stored by, Papastamos Limited trading as Physiomove London (and others), who have custodial responsibility for it but do not own it.
Data Ownership
In order to classify data, it is necessary that an owner be identified for all data assets. The owner of the data is Heba Massri.
The owner of data is responsible for classifying their data according to the classification schema noted in this policy.
The Management is responsible for developing, implementing, and maintaining procedures for identifying all data assets and associated owners.
Data collection/generation
Data will be collected in accordance with Articles 13 and 14 of the GDPR, conforming to the transparency principle and ensuring that the data protection principles are duly observed.
Data may be collected in the following ways: user-generated content on the website of Papastamos Limited trading as Physiomove London.
Each mode of data collection must have a specific purpose, accompanied by one or more of the lawful bases defined in Article 6 of the GDPR.
Data Usage
All users that access Papastamos Limited trading as Physiomove London or customer data for use must do so only in conformance with this policy. Only uniquely identified, authenticated and authorised users may access and use data.
Data should be used only for the stated purpose of its collection or generation. Any purpose outside the defined scope will be considered “misuse of data” and will entail consequences for the involved parties.
Each user must ensure that Papastamos Limited trading as Physiomove London data assets under their direction or control are properly labelled and safeguarded according to their sensitivity, proprietary nature, and criticality.
Access control mechanisms must also be utilised to ensure that only authorised users can access data to which they have been granted explicit access rights.
Data Storage
The general premise for the data storage period is:
- personal data is stored only for the period necessary to fulfil the purpose for which it was collected.
All users that are responsible for the secure storage of Papastamos Limited trading as Physiomove London or customer data must do so only in accordance with this policy.
Access control mechanisms must also be utilised to ensure that only authorised users can access data to which they have been granted explicit access rights.
Data Transmission
All users that access Papastamos Limited trading as Physiomove London or customer data to enable its transmission must do so only in accordance with this policy.
The media used to distribute data should be classified so that it can be identified as confidential, and if the media is sent by courier or another delivery method, it should be accurately tracked.
No data can be distributed in any media from a secured area without proper management approval.
Data Disposal
The Management must develop and implement procedures to ensure the proper disposal of various types of data. These procedures must be made available to all users with access to data that requires special disposal techniques.
Data should be disposed of in a secure manner so that it is completely destroyed and no information can be recovered from the waste.
For electronic data, deletion will be carried out by electronic shredding (secure erasure).
For paper records, physical paper shredders will be used.
All digital storage devices, e.g. hard drives or flash drives, will be completely destroyed so that no data is recoverable from them.
Policy Review
It is the responsibility of the Management to facilitate the review of this policy on a regular basis. This policy will be reviewed annually. Senior management should, at a minimum, be included in the annual review of this policy.
Last updated: 15-10-2019
Consent Policy
This document sets out Papastamos Limited trading as Physiomove London's Data Consent Policy. It covers the processing and sharing of personal data. If you require advice and assistance on any data protection matter, please contact Papastamos Limited trading as Physiomove London's Nominated Data Protection Person.
The GDPR and Consent
The GDPR sets a high standard for consent. Consent means offering individuals the power to choose and take control of their data.
Genuine consent will put individuals in charge, build customer trust and engagement, and enhance Papastamos Limited trading as Physiomove London’s reputation.
The GDPR states that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in).
It specifically bans pre-ticked opt-in boxes. It also requires individual (“granular”) consent options for distinct processing operations. Consent must be kept separate from other terms and conditions and should not be a precondition of signing up to a service.
The GDPR gives a specific right to withdraw consent. Papastamos Limited trading as Physiomove London will inform individuals about their right to withdraw and offer easy ways for customers to withdraw consent at any time.
Papastamos Limited trading as Physiomove London will keep clear records to demonstrate consent and regularly review existing consents and consent mechanisms that we rely upon to ensure they meet the GDPR standards.
Employees of Papastamos Limited trading as Physiomove London must have respect for privacy and people’s right to determine what happens to their personal and sensitive information.
If there is any doubt, contact the Nominated Data Protection Person
Papastamos Limited trading as Physiomove London, its employees and its third-party providers have been trained and appraised, and understand that:
Individuals have the right to withdraw/withhold consent in most circumstances, and this right must be respected and recorded appropriately
Consent must be freely given, specific and informed
All employees must ensure they consider the safety and welfare of the individual when making decisions on whether to share information about them.
All employees must establish the capacity of the individual’s ability to provide consent
When requesting consent, staff must ensure that information is provided in a suitable, accessible format or language. If necessary, provide large print or Braille versions, accredited interpreters, signers, or other appropriate special communication skills.
Employees must record the decision to share personal information on an appropriate register or specific system which can be readily accessed in line with Papastamos Limited trading as Physiomove London policies and procedures on data protection.
What if there is no consent?
Papastamos Limited trading as Physiomove London acknowledges that obtaining consent is not always possible, or that consent may be refused. However, the absence or refusal of consent does not by itself prevent the processing or sharing of information where another lawful basis applies.
There are certain situations where an individual’s information can be disclosed without obtaining consent, provided a lawful basis for processing without consent is in place.
The lawful bases for processing are set out in Article 6 of the GDPR, and at least one of them must apply. Whenever you process personal data without consent, one of the following must apply:
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Different criteria apply to sensitive personal information (now called “special categories of personal data”). This is now defined as data relating to:
race;
ethnic origin;
politics;
religion;
trade union membership;
genetics;
biometrics (where used for ID purposes);
health;
sex life; or
sexual orientation.
In order to process special category data legally, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.
In summary, these are:
- explicit consent of the person concerned
- for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection
- to protect the vital interests of the data subject or of another natural person
- processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim
- the processing relates to personal data which are manifestly made public by the data subject
- processing is necessary for the establishment, exercise or defence of legal claims
- processing is necessary for reasons of substantial public interest
- for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
- for reasons of public health
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Special Case Children
The duty of confidentiality owed to a child/young person who lacks capacity is the same as that owed to any other person. Occasionally, children/young people will lack the capacity to consent. An explicit request by a child that information should not be disclosed to parents or guardians, or indeed any third party, must be respected except where it puts the child at risk of significant harm, in which case disclosure may take place in the ‘public interest’ without consent.
Criminal Offences
The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, criminal proceedings or convictions. Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10 of the GDPR.
To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 of the GDPR and either legal authority or official authority for the processing under Article 10.
Article 10 also specifies that a comprehensive register of criminal convictions may only be kept under the control of official authority.
If you are in any doubt as to how to handle special categories of data, such as data concerning children, sensitive data such as race and sexuality, or criminal offence data, see the checklist at the end of this policy statement and consult Papastamos Limited trading as Physiomove London’s Nominated Data Protection Person for further advice and guidance.
Policy Breach Statement
Any breach of this Policy will be investigated and may result in disciplinary action. Serious breaches may be considered gross misconduct and result in dismissal without notice, or in legal action being taken against you. Papastamos Limited trading as Physiomove London, as well as the individuals affected, is also at risk of financial and reputational harm. Fines of up to €20 million, or 4% of annual worldwide turnover if higher, may be imposed on organisations for serious data breaches.
Please report any actual or potential data breaches, or other concerns relating to data protection or consent, to Papastamos Limited trading as Physiomove London's Nominated Data Protection Person as soon as possible, in accordance with Papastamos Limited trading as Physiomove London's Data Breach Policy.
Checklist
Asking for consent
We have checked that consent is the most appropriate lawful basis for processing.
We have made the request for consent prominent and separate from our terms and conditions.
We don’t use pre-ticked boxes or any other type of default consent.
We use clear plain language that is easy to understand.
We specify why we want the data and what we are going to do with it.
We name organisations and any third-party controllers who will be relying on the consent.
We tell individuals they can withdraw their consent.
We ensure that individuals can refuse to consent without detriment.
Recording consent
We maintain a record of when and how we obtained consent from the individual.
We maintain a record of exactly what they were told at the time.
Managing consent
We regularly review existing consent to check that the relationship, the processing and the purposes have not changed.
We have processes in place to refresh consent at appropriate intervals, including any parental consents.
We use privacy dashboards or other preference-management tools as a matter of good practice.
We make it easy for individuals to withdraw their consent at any time and publicise how to do so.
We act on withdrawals of consent as soon as we can.
We do not penalise individuals who wish to withdraw consent.