The Crafty Wytch

Art & Crafts from the Secret Garden

Data Protection Act 1998
Incorporating Updates: GDPR 2018
The Crafty Wytch

General Data Protection Policy

Introduction
The Data Protection Act 1998 concerns personal privacy and regulates how information about living individuals may be collected, used, retained and disclosed. All processing of personal data must be notified to the Information Commissioner – Data Protection Officer- Alison Spaven
The new Act applies to all personal data whether it is in manual or electronic format. Individuals are entitled to see all information kept about themselves. The Business should be open with individuals about any information held about them. The Business will not pass any personal information on to third parties.
These guidelines give a brief and simple outline of the responsibilities of our Business and the  named handlers of Data – Alison Spaven under the Data Protection Act 1998 and updates from European Legislation in 2018 (GDPR)

Summary
At The Crafty Wytch we hold a mailing list comprised of sign ups via our website and customers expressing further interest in our business. We only use the list for the purpose of a monthly mail out “Newsletter” . There are no hard marketing campaigns or profiling activity in our business and we take data protection and privacy/consent very seriously.
We always advise how to unsubscribe via our mail outs.

We have recently strengthened access to our policies by having them available at the point of sign up and customers not coming via direct sign up will now be asked for opt in consent.

Full policy and principle is outlined below- Thank you for reading

Data protection principles
Named Handlers must comply with the eight principles governing the legal processing of personal data.
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be held only for one or more specified and lawful purpose(s) and shall not be further processed in any manner incompatible with that purpose(s).
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. Personal data shall be accurate and where necessary kept up to date.
5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area (without the individual’s express consent) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Achieving compliance with the data protection principles
Principle 1
No personal data should be created or held unless the individual has given his/her consent. Where sensitive data is concerned specific consent must be obtained – the individual must be informed that this type of personal data is being held, told the reason for it and must then agree.
Principle 2
Do not use data obtained for one purpose for a different purpose.
Principle 3
Do not collect information about individuals which is not absolutely necessary. Do not ask questions seeking data without ensuring that the questions is strictly relevant. If excessive or superfluous personal data is acquired it should be deleted or destroyed immediately.
Principle 4
If data is retained it must be reviewed and if necessary amended or updated. No data should be kept unless it is reasonable to assume that it is accurate.
Principle 5
Regular and systematic reviews of files (both manual and electronic) containing personal data should take place to ensure that information is not retained for longer than is necssary.
Principle 6
The rights of individuals in respect of their data should always be considered. Consent should be obtained if personal data is to be generated or retained for any purpose. Data subjects are legally entitled to know what information is being held about them. It is also important that no personal data is disclosed to anyone, either inside or outside the business, unless strictly necessary or unless the consent of the data subject has been obtained.

Principle 7
Handlers must ensure that any personal data is kept in a secure place – in lockable filing cabinets or in rooms which can be locked when unoccupied. They must also seek to prevent unauthorised access to any computers in which personal data is stored.
Principle 8
No personal data should be transferred, even for a legitimate purpose, outside of the European Economic Area (EEA) except with the specific consent of the data subject. This is particularly important when considering the global publication of personal information via the World Wide Web.
Rights of the individual
Under the Data Protection Act 1998 individuals have the right to inspect all personal information held about themselves.