Data Protection Policy

SEVENTEEN AND GREEN – DATA PROTECTION

Seventeen and Green are committed to guarding and respecting your data whilst it is in our hands. We collect your personal information because it helps us to understand your needs and guides the way in which we interact and communicate with you.

We have policies in place to protect your data when you send it to us, when we process it or, where you have given us your permission to do so, use it to send you information that we think you’ll find interesting, and thereafter when we store your data internally.

Data protection law gives individuals the right to understand – and in some cases control – how their data is used. It also places obligations on us to handle people’s data fairly and respect their rights.

If you have any questions about this Policy, then feel free to drop us an email and we’ll do our best to answer your queries.

1. Who and What is covered by this Policy?

This Data Protection Policy, together with any other policies referred to, is understood and followed by our team.

What is “personal data”?

This Policy only applies to “personal data”. This means information which relates to an identified or identifiable individual. It includes names, addresses, email addresses and correspondence to and from an individual. Where it can be linked to an individual, it also includes online identifiers and web browsing information (e.g. cookie data).

What is “processing”?

This Policy also refers to “processing” personal data. Processing essentially means doing anything with personal data; this includes collecting it, storing it, combining it with other data, sharing it with a third party, and even deleting it.

We process personal data captured by this Policy when we collect and store data about our customers. All of this personal data will be treated in accordance with this Policy.


2. Our Data Protection Principles

Fairness and Transparency: Give people information about how we process their personal data.

What does this mean in practice?

We are transparent and give people information about how we use their personal data. This also means not doing anything with their personal data which they would not expect or that we would be embarrassed for them to know about.


Lawful Processing: Make sure we always have a good, lawful reason to process personal data.

What does this mean in practice?

We comply with any applicable laws when we process personal data.

Additionally, we should only process personal data if it can satisfy certain conditions set out in data protection law. The most important of these for us will be one of the following: (i) the relevant individual has given her/his consent; (ii) the processing is necessary as part of a contract with the individual; (iii) the processing is necessary to comply with a legal obligation; or (iv) the processing is necessary for our (or a third party’s) ‘legitimate interests’, provided such interests are not overridden by any risk or harm to the individual.


Purpose Limitation: Only collect personal data for a specific purpose. If we want to reuse the personal data for a new purpose, we must make sure the new purpose is compatible with the original purpose.

What does this mean in practice?

We will always have a clear purpose for any personal data before we collect it, and this should reflect a specific business need. If we later want to use the personal data for a new purpose or share it with a new third party, we should consider whether it is compatible with the original purpose.

Data Minimisation: Only process as much personal data as we need, and no more.

What does this mean in practice?

In any particular case, we only collect or otherwise process as much personal data as we need for that specific purpose. This means we should not collect personal data that we do not need, or ask for personal data ‘just in case’ it may be useful.


Accuracy: Keep personal data accurate, complete and up-to-date.

What does this mean in practice?

Wherever possible, we keep personal data up to date. If we become aware of personal data which is inaccurate or out-of-date, we take reasonable steps to correct it or delete it.


Retention: Only keep personal data for as long as we need it. If we don’t need the personal data anymore, we delete it or anonymise it.

What does this mean in practice?

We should only keep personal data for as long as we need it for its specified purpose and as outlined in our data retention policy.

Security: Protect personal data from getting lost or stolen.

What does this mean in practice?

We take all possible steps to protect personal data with appropriate security measures, to prevent any accidental or unauthorised access, damage, loss or disclosure.


Individual Rights: Allow individuals the right to access, correct or erase their personal data, or object to it being used for certain purposes.

What does this mean in practice?

Anyone whose personal data we process has the right to obtain a copy of that personal data, and correct any inaccuracies. In certain circumstances, they also have a right to have their personal data erased or not used for a particular purpose.


Accountability: We will take steps to make sure our processing of personal data complies with this Policy.

What does this mean in practice?

We are responsible for ensuring our processing of personal data is compliant with the law. That is why we have implemented this Policy, as well as our privacy policy which accompanies it.

Any new website developments, apps, or other tools will be designed to enable us to comply with our Data Protection Principles.

This Policy and the accompanying policies will be periodically reviewed and updated as necessary to ensure they are effective and meet our requirements.


New Data Processing Assessment: We will take necessary risk mitigation steps to ensure that robust systems and processes are used for new initiatives which involve data.

What does this mean in practice?

We will conduct an assessment, designed to enable us to decide whether our new initiative is justified against GDPR rules and, if so, how we can manage it in the most privacy-friendly manner.