1. The Policy
.1 Everyone has the right to know how their personal data is handled by the companies they interact with. At Cargo, we acknowledge that during the course of our activities as a Creative Agency, we will collect, store, and process personal information about our staff. We know that we need to treat this data in a lawful and appropriate manner.
.2 We may be required to handle several types of information, including details of current, past and prospective employees, suppliers, clients, other people and organisations that we communicate with, and data supplied to us by customers.
We may hold this information on paper, on a computer, or on other media. Regardless, all information held by Cargo Creative will be subject to the legal safeguards outlined in the General Data Protection Regulation 2018 (the GDPR). The GDPR imposes strict regulations on how we may use that information.
.3 This Data Protection Policy does not form part of any employee’s contract of employment, and it may be amended or edited at any time. Breaching this policy is a serious matter and could result in disciplinary action.
2. Status of the Policy
2.1 This policy is designed to clearly set out Cargo Creative’s rules on data protection and the legal conditions associated with it. Legal conditions related to obtaining, handling, processing, storing, transporting, and destroying personal information must be satisfied in order for us to be a GDPR compliant company.
2.2 The Data Protection Officer (DPO) is responsible for ensuring GDPR compliance, as well as compliance with this policy. At Cargo Creative, the DPO is Kirsty Hart.
2.3 If you believe that the policy has not been followed with regards to personal data – whether your own or someone else’s – you should raise the matter with your line manager or with the DPO.
3. Definition of Data Protection Terms
3.1 Data is information that is stored electronically, on a computer, or in a paper-based filing system.
3.2 A data subject is any person whose personal data is being collected, held or processed. All data subjects have legal rights in relation to the processing and use of their personal data.
3.3 Personal data is, according to the Information Commissioner’s Office, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
3.4 A data controller is any person or organisation that determines the purposes for which and the means by which personal data is processed. So, if your company or organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. We are the data controller of all personal data used in our business.
3.5 A data user is anyone whose work involves the use of personal data: our employees are data users. They are bound by a duty to protect the information they handle by following our data protection and security policies at all times.
3.6 A data processor is anyone who processes personal data on behalf of a data controller. This can include suppliers that handle personal data on our behalf.
3.7 The ‘processing’ of personal data refers to any activity that involves using the data. Data processing includes obtaining, recording, and holding the data in questions, as well as carrying out any operation or set of operations on the data such as organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring personal data to any third parties.
3.8 Sensitive personal data involves any data relating to a person’s ethnic or racial origin, political opinions, religious or non-religious beliefs, mental and physical health, trade union membership, and sexual life and condition. It also includes the commission of, or proceedings for, any offence committed (or alleged to have been committed) by any individual, the disposal of such proceedings, or the sentence of any court in such proceedings. Because of this, sensitive personal data can only be processed under extremely strict principles, and under normal circumstances will require the express permission of the individual in question.
4. Data Protection Principles
Anyone involved in the processing of personal data at Cargo is legally required to comply with the eight enforceable principles of good practice. These provide that personal data must be:
(a) Processed fairly and lawfully.
(b) Processed for limited purposes and in an appropriate way.
(c) Adequate, relevant and not excessive for the purpose.
(e) Not kept longer than necessary for the purpose.
(f) Processed in line with data subjects’ rights.
(h) Not transferred to people or organisations situated in countries without adequate protection.
5. Fair and Lawful Processing
5.1 The purpose of the Act is not to prevent personal data being processed, but instead to ensure that any processing is done fairly and without adversely affecting the rights of the data subject. The data subject must be made aware of who the data controller is (Cargo Creative Ltd, in this case), who the data controller’s representative is (Kirsty Hart, the Data Protection Compliance Manager), the purpose for which the data is to be processed by Cargo, and the identities of anyone to whom the data may be disclosed or transferred.
5.2 Lawful processing of personal data demands that certain conditions be met. These may include requirements that the data subject has provided explicit consent for the processing, or that the processing itself is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed.
6. Processing for Limited Purposes
Personal data processed by Cargo may only be processed for the specific subjects either consented to by the data subject, or for any other purposes specifically permitted by the Act.
Because of this, personal data must not be collected for one purpose, and then used for another. Should the personal data need to be used for any other purpose, the data subject will need to be notified and then consent to the new processing.
7. Adequate, relevant and non-excessive processing
When collecting personal data from a data subject, Cargo will notify them of the specific purpose for which the data will be used. Then, data will be collected only enough to satisfy the requirements of this purpose.
Any data that is not necessary for this purpose will not be collected by Cargo in the first place.
8. Accurate Data
Personal data must be accurate and also kept up to date. Information that is misleading or incorrect is not accurate, and therefore steps should be taken to check the accuracy of any personal data at the point of collection, and at regular intervals afterwards.
Legally, out-of-date or inaccurate data should be destroyed.
9. Timely Processing
Personal data will not be kept at Cargo for longer than is necessary for the purpose. Data that is no longer required will be destroyed or erased from our systems.
0. Processing in line with data subject’s rights
Data that is handled by Cargo will be processed in line with the rights of the data subject. Data subjects have a right to:
(a) Request access to any data held about them by a data controller.
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Ask to have inaccurate data amended.
(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.
1. Data Security
1.1 At Cargo, we must be sure to take appropriate security measures against unlawful or unauthorised processing of personal data, as well as against the accidental loss of – or damage to – personal data.
1.2 To be in accordance with The Act, Cargo must put in place technologies and procedures to maintain the security of all personal data from the point of collection to the point of erasure or destruction. Personal data collected by Cargo can only be transferred to a third-party data processor if they agree to comply with these procedures and policies, or if they put in place adequate measures themselves.
1.3 To maintain data security, Cargo must guarantee the confidentiality, availability, and integrity of the personal data, which is defined as follows:
(a) Confidentiality means that only people who are authorised to use the data will be able to access it
(b) Availability means that any authorised users should be able to access the data if, and only if, they need it for authorised purposes. Personal data at Cargo is stored on our central computer system instead of individual PCs.
(c) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed. When Cargo processes data for clients we only keep the relevant details needed for the pre-agreed data usage purposes.
1.4 Security procedures at Cargo are important for satisfying the criteria mentioned in 11.3. Our internal security procedures include:
(a) Securely locked filing cabinets, desks, and cupboards for storing physical copies of confidential information and personal data
(b) Entry controls – at Cargo, we will immediately report any unauthorised individual found to have accessed/be accessing an entry-controlled area.
(c) Methods of disposal – At Cargo, we must shred paper documents containing confidential information; as well as physically destroy or wipe hard-drives, CDs, and USBs containing confidential or personal data when they are no longer required.
(d) Data users at Cargo understand the importance of logging off their computer when it is left unattended, as well as ensuring confidential information cannot be seen by passers-by.
(e) Cargo’s data servers (which may store confidential information or data) is protected by encryption protocols, secure passwords, and firewalls.
2. Dealing with Subject Access Requests
Data subjects have the right to formally request any information that we hold about them by enquiring in writing to Cargo. Any member of staff who receives a written request should forward it to the Data Protection Compliance Manager (Kirsty Hart) immediately.
3. Providing Information over the Telephone
At Cargo, all our staff will; at some point; have to deal with a telephone enquiry. It is therefore important that they know to be careful about disclosing any personal information held by us. Staff at Cargo should:
(a) Check the caller’s identity to make sure that information is only given to a person who is entitled to it.
(b) If the member of staff is not sure about the caller’s identity, they may suggest that the caller put their request in writing in order to allow for further identity checks.
(c) Refer to the DPCM (Kirsty Hart) for assistance in a difficult situation. Staff at Cargo retain the right not to be bullied into disclosing personal information.
4. Monitoring and Review of the Policy
4.1 This policy is reviewed annually by Cargo staff. Recommendations for any amendments are reported and considered by all senior members of staff.
4.2 As time goes on, we will continue to regularly review the effectiveness of this policy to ensure it is achieving its stated objectives.
5. Controlling your Personal Information
Cargo will not sell, distribute, or lease your personal information to third parties unless we have your explicit consent, or are required by law to do so.
As the data subject, you have the right to restrict the collection or use of your personal information in the following ways:
(a) You may submit a request for details of any personal information which we hold about you under GDPR. If you would like a copy of the information that Cargo holds on you, please send a written request to 17a Northumberland Pl, North Shields NE30 1PX.
(b) If you believe that any of the information we are holding on you is incomplete or incorrect, please write to us at the above address to correct this promptly.
6.4 Below is a list of the main cookies that are set by us when you access our website and a description of what we use them for:
These cookies enable Google Analytics software. It helps us take and analyse visitor information such as browser usage and new visitor numbers. That information helps us to improve the website and your visitor experience, and to make our content relevant. The data stored by these cookies never shows personal details from which your individual identity can be established.
6.5 Flash cookies: We may display video content on our website using the Adobe Flash Player, through services such as YouTube and Vimeo. Adobe uses Flash cookies to improve your experience as a user. If you wish to disable or delete a Flash cookie, please visit Adobe Flash Player Security Settings. Please bear in mind that if you disable Flash cookies you will be unable to access certain content on our website which uses Adobe Flash Player, such as our video content.
6.6 Third party cookies: Some cookies may be set by third parties when you visit our website. These third parties may be suppliers who partner with us to deliver our website, companies that participate with us in affiliate marketing programmes and other third parties. These cookies are controlled by the third parties, so please check these third-party websites for more information about these cookies and how to manage them. These third party cookies do not collect personal data from which the third party would be able to identify individual customers.
6.7 Who Is Visiting: Contained within our website is tracking code from Who Is Visiting. Who Is Visiting will track activity on the website and provide Cargo Creative with information on the IP address of the requesting computer, the date and duration of the user’s visit, and the web pages which the user visits. It does not, and cannot, provide information on who has visited the website. It provides information on what company. More information can be found at https://www.whoisvisiting.com/.
6.8 Social buttons: If you share Cargo Creative content with friends through social networks such as Facebook, Google and Twitter you may be sent cookies from these third party websites. We cannot control the setting of these cookies, so we suggest you check the third-party websites for more information about their cookies and how to manage them.
6.9 Managing cookies: You can enable or disable cookies by changing your website browser settings to accept or reject cookies as required. How you do this will depend on the browser you use. We have provided further information below on how to check which browser you use and how to manage cookies. Please bear in mind that if cookies are not enabled on your computer, your activities may be restricted whilst browsing our website, and certain content may not be available to you.
(1) Checking which browser you use
(i) If you are using a PC, go to Help and select the About option.
(ii) If you are using a Mac, click on the Apple menu within the browser and select the About option.
(2) Once you know which browser you are using, follow the instructions below to check if you have cookies enabled on your computer:
(i) Checking cookies for PCs (Microsoft Internet Explorer 6, 7, 8)
- Go to Tools at the top of your browser window. Select ‘Internet options.’ Click on the Privacy tab
- Ensure that your Privacy level is set to Medium or below to enable cookies
- In Mozilla Firefox: Go to Tools and select Options, click the Privacy icon, then click on Cookies and choose allow sites to set cookies.
- In Google Chrome: Go to Tools and select Options, click Under the Hood and select the Content settings button within the Privacy section, then choose Allow local data to be set.
(ii) Checking cookies for Macs
- In Safari on OSX: Click Safari and select Preferences, then click Security then accept cookies.
- In Mozilla and Netscape on OSX: Click on Mozilla or Netscape and select preferences, find Cookies under Privacy & Security, then select Enable cookies for the originating web site only.
- In Opera on OSX: Click Menu and select Settings, select Preferences and then Advanced, and then select Accept cookies.