PRIVACY POLICY

SECTION ‘A’ THE POLICY

 

Layout of this document

  1. This document comprises two sections and a number of supporting Protocols:
    1. Section ‘A’: The Policy, which is supported by
    2. Section ‘B’: A number of associated Annexes containing associated Processes and Protocols.

 

Introduction

  1. Mile High Labs International Limited (MHLI) is a commercial enterprise that is registered in the United Kingdom. It is therefore obliged to protect all personal data it processes in compliance with the General Data Protection Regulations 2018. In addition to these requirements, as a professional company, MHLI is passionate about protecting the personal data[i] and Special Categories of Personal Data[ii] (previously Sensitive Personal Data) of those who interact with it, whether in relation to MHLI’s services and products, as employees of the company, or as people who, for whatever reason, share their personal data with the company.

 

  1. MHLI is the Data Controller[iii] and is responsible for ensuring that all necessary processes and protocols are in place to ensure that the organisation fully complies with the requirements of the General Data Protection Regulations 2018 (GDPR), the Regulations that govern all aspects of the processing of personal data within the European Union.

 

Policy responsibility

  1. The Managing Director of MHLI Ltd has overall responsibility for ensuring that this policy is managed, reviewed and implemented effectively. Day-to-day implementation is the responsibility of the Group Data Protection Officer[iv] (DPO). This Policy applies to ALL offices, businesses and remote working locations within the MHLI European sphere of operation.

 

MHLI Ltd. Registered with the ICO

  1. In compliance with requirements of the GDPR and Information Commissioner’s Office, MHLI Ltd is registered with the ICO for the purposes of processing the personal data of employees, clients, customers and others who in the process of business pass personal data to MHLI Ltd.

 

Intention and application of the document

  1. This Policy has been published to give shape, form and substance to MHLI’s desire to fulfil its requirements under GDPR. Its application is fully supported by the Directors and Senior Management of the company. The Policy and its associated processes and protocols fully apply to ALL who are directly employed by Mile High Labs International Limited or who undertake activities related to personal data on behalf of MHLI. Failure to comply with any or all of the requirements of this Policy and its Annexes will result in an investigation of the compliance failure and may lead to disciplinary action being taken. In certain circumstances this may lead to dismissal or the cancellation of contracts.

 

Who does the policy apply to?

  1. The policy applies to:
    1. ALL MHLI Ltd employees.
    2. Directors and Board Members.
    3. The management, staff and agents of all MHL Inc. parent and subsidiary companies when working within the European Union sphere of influence or on personal data that may from time to time be shared with them.
    4. Contractors/Consultants or those who provide services that interface with any or all personal data processed by, or that comes into the possession of, MHLI.

 

  1. Any suspected, actual or potential breach of the policy, whether unintended or otherwise, must be reported immediately (no time delay is permissible) to the relevant manager AND the Data Protection Officer who will take all necessary steps to manage and mitigate the impact of a breach. The DPO will put in place remedial actions to prevent a recurrence of the incident.

 

GDPR, what is it?

  1. The GDPR came into force on 25th May 2018 and it replaced the previous Data Protection Act 1998. The introduction of the GDPR 2018 places a higher and more stringent requirement on Data Controllers and Data Processors to protect personal data that comes into their possession. This applies equally to hard copy and electronic formats and any combination of the same. Data Controllers must:
    1. Use personal data only in a way that is consistent with what the Data Subject was informed of and agreed to at the time of gathering the data;
    2. Keep the data safe;
    3. Ensure that the Data Subject remains in control of the data at all times; and
    4. Only keep the data for as long as it is necessary to do so.

 

  1. The GDPR reflects the tension between the rights of the Data Subject and that of the Data Controller to, in this case, undertake business activities that require the processing of the personal data belonging to the Data Subject. However, unless there is a legitimate and demonstrable overriding legal or regulatory reason for doing so, the rights of the Data Subject as listed below will always take precedence over the rights of the Data Controller. An example of this would be the passing of personal information relating to a member of MHLI staff to HMRC or if MHLI were directed to pass personal data by a Court of Law.

 

GDPR EU Legislation – UK Compliance

  1. GDPR is EU legislation; however, whatever action results from the BREXIT negotiations, the UK Government has stated that the UK will continue to be fully GDPR compliant or will conform to the pending UK Data Protection Bill, which has been designed to totally mirror EU GDPR regulations and will be brought into law on the UK leaving the EU.

 

Personal data – what is it?

  1. The GDPR regulations indicate that personal data is primarily data ‘that relates to a living individual who can be identified from that data or from that data plus other personal data the Data Controller holds on that Data Subject[v]’ (the person to whom the data relates).

 

  1. The word ‘processing’[vi] is the collective term for any and all activities carried out on the data. The GDPR governs the processing of personal data in any format including hard and electronic formats.

 

Data Subject Rights

  1. Data Subjects have eight clear rights. They are as follows:
  2. The right to be informed: This right gives the Data Subject the right to be informed about what their personal data is being used for. MHLI provides this in the form of a Privacy Notice which is made available prior to gathering the personal data. GDPR states that such information must be:
    1. Concise, transparent, intelligible and easily accessible;
    2. Written in clear and plain language, particularly if addressed to a child; and
    3. Provided free of charge.

 

  1. The right of access: Data Subjects residing anywhere in the world have the right to ask any EU-based organisation if it holds or is processing any personal data about them (there is NO geographical limitation placed on the location of the requestor). If the organisation is processing data, the subject can request a copy of that data. This is known as a Subject Access Request (SAR). After having verified the identity of the requestor, the data must be provided in a clear way and must not include code of any type that would render the data meaningless to the Data Subject. A SAR must be complied with without delay and within 20 working days of receiving the request; that is, the data requested will be in the possession of the Data Subject, in a format that they request, on or before the 20th working day after the request is received. The request must be completed free of charge. In exceptional circumstances – if the request is considered complex – the time to respond can be extended to 40 working days. However, the Data Subject must be notified of the delay within the initial 20 days. They must also be provided with the reasons for that delay. If a complaint is made by the Data Subject in relation to the extension, the Information Commissioner will scrutinise the delay justification and make a decision as to its validity.

 

  1. The right of rectification: The Data Subject can have personal data rectified if it is found to be inaccurate or incomplete. As above, the rectification must be carried out within 20 working days or, where it is complex, within 40 working days. NB: where personal data has been disclosed to third parties you must inform them of the rectification where possible. Where appropriate, the Data Controller must also inform the Data Subject about the third parties to whom the data has been disclosed. Similarly, the DS has the right to be informed as to the source of any personal data that has been transferred to or come into the possession of MHLI. This has implications for the tracking of personal data from such sources as trade shows, exhibitions and third-party sources etc.

 

  1. The right to erasure: Also known as the ‘Right to be forgotten’. The broad principle here is to enable a Data Subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Erasure must be done thoroughly and completely; it is not acceptable for the data to be removed from the organisation’s computer system but still be recoverable from a backup of the system. Where data has been disclosed to third parties, MHLI must inform those third parties about the requirement to erase personal data that has been shared by them unless it is impossible or involves disproportionate effort to do so. There are also some specific Regulatory and Legislative requirements where the Data Controller can refuse to comply either fully or partially with a request for erasure.

 

  1. The right to restrict processing: The DS can at any time and without giving reason require that all processing of their data be restricted or stopped completely. When processing has been restricted by the Data Subject, MHLI may continue to store the data, but cannot further process it. It is vitally important that systems are in place to ensure the restriction is fully respected by all functions that make up the MHLI organisation. If the data has been supplied to third parties, it is the responsibility of the Data Controller to ensure that third parties are aware of the restrictions and fully comply with the rights of the Data Subject.

 

  1. The right to data portability: This is a new feature of the GDPR and it permits a Data Subject to obtain their personal data from a Data Controller for their own purposes and use it across a range of different organisations and services. The data must be transferred by MHLI in a safe and secure way and should be provided in a useable format. This right must be complied with within 20 working days or, in the case of a complex request, within 40 working days.

 

  1. The right to object: Data Subjects have the right to object to the processing of their personal data including processing carried out for the purposes of profiling or direct marketing. In the case of a request to cease using data for direct marketing, the processing must stop as soon as the objection is received. NB: there are NO exemptions or grounds to refuse or delay this request.

 

NB: MHLI must inform individuals of their right to object at the point of first communication and in their Privacy Notice. The right to object must be ‘explicitly brought to the attention of a Data Subject and must be presented clearly and separately from other information’.

 

  1. Rights in relation to automated decision making and profiling: Data Subjects have the right not to be subject to decisions based solely on automated processing where the decision has legal or similarly significant effects on the individual.

 

Recruitment and discipline processes

  1. All of the above have implications in relation to recruitment and wider HR processes.

 


How does MHLI process personal data?

  1. MHLI will seek to fully comply with our obligations under the GDPR and we do that in a range of ways. These include:
    1. Keeping personal data up to date.
    2. Only collecting personal data that is applicable to our needs.
    3. Not retaining data that becomes excess to our needs.
    4. Protecting personal data from loss, misuse, unauthorised access or disclosure.

 

  1. We will do this by ensuring that appropriate physical, technical, electronic and operational data security measures are in place and that our staff are suitably trained and managed with regard to the processes and protocols required to comply with the Regulations.

 

What is the legal basis that allows MHLI to process personal data?

  1. The GDPR requires that a legal justification be established before personal data is processed; this is dependent upon the use to which the data will be put by MHLI. This protects both the Data Subject and the Data Controller by ensuring that personal data will only be used for the purposes that the Data Subject has explicitly agreed to. These are:
    1. Processing is necessary for the purposes of the legitimate interests pursued by MHLI or a third party except where such interests are overridden by the interests, rights or freedoms of the data subject.
    2. Explicit, informed and verifiable consent is given by the data subject.
    3. Processing is necessary for MHLI to comply with Legal or Regulatory requirements.

 

How does MHLI use personal data?

  1. MHLI will use personal data:
    1. To enable us to provide professional business-related services.
    2. To enable employee management and administration and for those who from time to time provide services to MHLI as consultants or contractors.
    3. To comply with organisational Legal and Regulatory requirements placed upon MHLI.
    4. For direct marketing purposes including informing the DS of MHLI product news, events, activities and services – direct marketing will only be undertaken with prior, informed, express and verifiable consent; this consent can be removed by the Data Subject at any time. NB: a DS may opt out of receiving marketing materials yet still remain a customer of MHLI.

 

Data sharing agreements

  1. MHLI is a standalone enterprise registered in the United Kingdom and is the sole Data Controller for all personal data that it processes or that is processed on its behalf. MHLI is therefore responsible for the safety and security of that data. Data sharing is defined as the disclosure of personal data by MHLI to any third-party organisation; this includes but is not limited to MHLI’s parent and subsidiary organisations. An example of this would be the sharing with MHL Inc. of the personal data (name etc.) of a private individual, such as a client who had made a complaint about a product or service supplied by MHLI. For this reason, MHLI’s complaints procedure will be based upon a ‘Complaint Number’ which will be allocated to each individual complaint. This number can be shared with MHL Inc., allowing the complaint to be dealt with effectively while access to the remainder of the complainant’s personal details remains restricted.

 

  1. Data Sharing may be considered appropriate when the Data Subject has given informed, express and verifiable consent to the data sharing taking place with that specified organisation or a third party, or where there is a justified UK or EU compliant legal or regulatory requirement on MHLI to do so.

 

  1. Data Sharing Agreements (DSA) must be in writing, retained as a record of permission and adequately address the following issues:
    1. The informed and express consent of the Data Subject.
    2. The purpose for sharing.
    3. The organisations with whom the data will be shared.
    4. The geographical location of the organisation with whom the data will be shared.
    5. The data items to be shared.
    6. The quality of the data – accuracy, relevance and usability.
    7. Data security.
    8. Retention and disposal of the data.
    9. The Data Subject’s ability to exercise their rights.

 

When will personal data be shared with third parties?

  1. Personal data will be treated as strictly confidential and will only be shared with third parties when:
    1. MHLI has the Data Subject’s express, informed and verifiable consent in writing to do so; or
    2. There is a UK or EU Legal or Regulatory requirement for that sharing to take place.

 

  1. MHLI may use other organisations to provide a service such as cloud-based IT management software and applications for administrative support, the bulk storage of data, website hosting, or for necessary IT support. The organisations selected and appointed to provide these services will only be engaged if they can demonstrate that they are fully GDPR compliant and that they have signed a contract with MHLI to the effect that they fully comply with the data security policies and processes prescribed by MHLI.

 

Retention and disposal of personal data

  1. MHLI is committed to processing personal data in a responsible and compliant manner. It has developed and will maintain a compliant Retention and Disposal Schedule which will delineate the timescales for the retention or disposal of personal data; this will apply equally to data held in hard-copy, electronic versions and any combination of the same. In the case of hard copy data, it will only be disposed of onsite either by self-shredding or by contracting the services to a reputable service provider. The Retention and Disposal Schedule will also govern:
    1. Who is responsible to authorise the disposal of personal data;
    2. How the disposal will be undertaken; and
    3. How the disposal will be recorded and signed off.

 

  1. The retention requirements of personal data vary greatly dependent upon the type of data that is being processed. MHLI will use the guidance provided by the ICO to inform this process. There are three broad areas:
    1. Regulatory and Legislative requirements;
    2. Operational requirements placed upon MHLI;
    3. The Data Subject’s agreement to the information that is being processed. However, Data Subjects have the right to require MHLI to cease processing their data at any time, and MHLI will do that providing there is no Legal, Regulatory or operational requirement to prevent it.

 

Accessing personal data

  1. There are two broad avenues for people to access personal data. They are as follows:
    1. Subject Access Request (SAR) – A request made directly by the Data Subject for access to their personal data.
    2. Third Party Access Request – A request made by anyone other than the Data Subject for personal data relating to another data subject.

 

  1. The difference is that a Data Subject can exercise their rights under the Regulations to obtain access to their personal data by making an SAR, whereas a person or organisation making a Third Party Access Request must have an explicit and justifiable Legal or Regulatory authority to have access to the personal data before the Data Controller can make personal data available to them.

 

  1. The procedures and protocols for responding to an SAR and a Third-Party Access Request are outlined in the attached Annexes.

 

Further processing

  1. If MHLI wishes to use a Data Subject’s personal data for a new purpose (not covered by the use expressly agreed by the DS with MHLI before providing the data), then MHLI is required to provide the DS with a notice fully explaining this new use, purposes and processing conditions and seek the agreement of the DS before any processing takes place. NB: If permission is not granted then the new use is not permitted. The notification and request process and support documentation must be recorded and logged for future use in the event of a complaint or review.

 

Will Data Subjects be informed about any data breaches that impact them?

  1. Yes, MHLI will do this in compliance with GDPR requirements.

 

How do you make a complaint relating to the processing of your data?

  1. There are two options by which a data subject can exercise their rights, make requests for further information, or make a complaint in relation to MHLI’s processing of their personal data.

 

  1. Option 1. To Mile High Labs International Ltd

Address:

The Data Protection Officer
Mile High Labs International Ltd
Unit 2 Falcon Way
Adelaide Industrial Estate
Belfast BT12 6SQ

Telephone: +44 (0)28 9099 5253

Email: GDPRinquiries@milehighlabs.com

 

  1. Option 2. To the Information Commissioner’s Office

Address:

The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place
Belfast BT7 2JB

Telephone: +44 (0)28 9027 8757

Email: ni@ico.org.uk

Website: www.ico.uk

 

Breaches in Security

  1. If, despite the security measures that have been put in place (Information Security Policy), a suspected, actual or potential breach in data security occurs, it is essential that it is dealt with effectively and expeditiously. A breach may arise from a theft, a deliberate attack on MHLI data processing, unauthorised use of personal data by a member of staff, accidental loss or equipment failure. No matter how the breach occurs, all MHLI management, staff, employees and contractors MUST respond appropriately by:
    1. Reporting the breach without delay to their Manager AND the Data Protection Officer or, in their absence, the Director of Finance or the MD.
    2. Following the processes laid out in the Personal Data Breach Protocol, including the notification of the DS and the ICO if the breach is deemed to fall within their requirements.
    3. Recording their actions in the Data Breach Audit Log.
    4. Identifying the potential scope, source, impact and risk of the breach on the Data Subject and the organisation.
    5. Reviewing associated Policies, Processes, Protocols and retraining requirements.
    6. Retraining all staff.

 

GDPR Induction, training and performance

  1. It is a requirement of employment with MHLI that ALL staff and those who supply services on a contracted or consultancy basis fully comply with the requirements of this and other associated Policies. In order to do that effectively, it is vital that training and information be supplied to ALL of the above individuals before they commence any activities that bring them into contact with personal data. Training is mandatory. Attendance will be formally recorded, as will the outcomes of any competency tests undertaken by participants. Training interventions will be as follows:
    1. Induction / On-boarding of new members of staff. It is essential that all new full and part-time joiners be made aware of the competency (skills and knowledge) requirements under GDPR.
    2. Initial training for ALL existing members of staff.
    3. Refresher training conducted on an annual basis and when a change in legislation or process makes upskilling necessary.
    4. Overview training for any contractor or service supply staff who may have contact with or access to personal data of any type.
    5. Training will include a multiple-choice knowledge test.

 

  1. A Training Register will be completed for each training intervention. This will include:
    1. The content of the training.
    2. The date and duration of the training.
    3. The name of the person who delivered the training.
    4. The name and business identifier of those who attend the training.

 

Pre-planned Data Protection Audits

  1. It is essential that the MHLI DPO undertakes regular Data Protection Audits in order to:
    1. Keep pace with changes in GDPR and related legislation;
    2. Maintain high levels of GDPR compliance; and to
    3. Ensure that processes, procedures and protocols are applied effectively across the organisation.

 

  1. DPA Compliance Audits will be undertaken, unannounced, at least every six months to allow an effective understanding of GDPR performance to be developed. An audit report outlining performance and any remedial action to be taken will be furnished to the MD, and this will form part of the ongoing ISO QA reports.

 
SECTION ‘B’ Annexes

ANNEX ‘A’

GDPR Principles

GDPR principles lay out the responsibilities placed on a Data Controller to process data. The following are extracted from Article 5 of the Regulations. The GDPR requires that personal data be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

NB: Article 5(2) requires that: “The Data Controller (MHLI) shall be responsible for, and be able to demonstrate, compliance with the principles.”

 

ANNEX ‘B’

Lawful Basis for Processing

Under the GDPR, MHLI must have a lawful reason for processing personal data and MUST be able to adequately demonstrate (justify) that reason when asked. There are six lawful bases available to MHLI; each is of equal importance, but not all are applicable to every contextual need. The application is determined by the relationship between MHLI and the Data Subjects whose data it processes. The reasons are as follows:

  1. Consent: The Regulations require a high standard of consent by the Data Subject:
    1. Consent MUST be opt-in rather than opt-out: GDPR specifically bans ‘pre-ticked’ opt-in boxes on websites.
    2. The consent statement must be clear, concise and unambiguous.
    3. Vague or blanket generic consent is not allowed – separate consent statements must be obtained for separate things – marketing separate from sales-related permission to process.
    4. The Data Subject must be made aware of the purpose that the data will be used for before the data is gathered. An effective and clear Privacy Notice will greatly assist in meeting this requirement.
    5. Consent statements must be kept separate from any other documentation such as terms and conditions etc.
    6. It is vitally important that clear records exist that demonstrate and confirm that permission was granted by the Data Subject.
    7. The consent of the Data Subject for processing of their Personal Data can be withdrawn at any time. It is vital that the Data Subject is told before they consent that they have the right to withdraw consent and that the process is simple and foolproof. It is vitally important that the Data Controller can demonstrate that prior informed consent was established.

 

  2. The processing is necessary for the performance of a contract:

For example: if you need to process information in order to prepare and submit a contract. This again should be documented as the lawful basis.

 

  3. The processing is necessary for compliance with a legal obligation.

For example: where an employer is obliged to disclose employee salary details to HMRC.

 

  4. The processing is necessary to protect the vital interests of the Data Subject or some other person.

For example: To protect someone’s life.

 

  5. The processing is necessary for the performance of a task carried out in the public interest. For example: The interests are normally set out in law.

 

  6. The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.

Legitimate interests is the most flexible lawful basis for processing, but it may not always be the most appropriate. There are three elements:

  1. MHLI can identify a legitimate interest;
  2. MHLI can demonstrate that processing is necessary to fulfil the legitimate interest; and
  3. MHLI can balance those legitimate interests against the Data Subject’s interests, rights and freedoms.

[i] Personal Data: Is any information relating to a living individual who can be identified by the data directly or indirectly. Personal data can be held in electronic and hard copy formats. GDPR widens the definition of personal data to include ‘online identifiers’ such as Internet Protocol (IP) addresses.

 

[ii] Special Categories of Personal Data: was previously referred to as ‘Sensitive Personal Data’. GDPR defines special categories as: ‘Personal data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.’

 

[iii] Data Controller: The Data Controller is the legal entity that determines the purpose and manner in which personal data will be processed.

 

[iv] Data Protection Officer: The person appointed by MHLI to ensure the day-to-day management of the GDPR compliance activities are implemented and maintained to ensure compliance throughout the organisation. They report directly to the MD in all GDPR associated matters.

 

[v] Data Subject: The Data Subject is the living person to whom the data refers. In the context of MHLI this will include all employees, contractors, suppliers, customers, clients and all who share their personal data with MHLI.

 

[vi] Processing: Includes: gathering, storage, using, sharing, altering or disposal of personal data.

PRIVACY NOTICE

Introduction

  1. Mile High Labs International Limited (MHLI) is a commercial enterprise registered in the United Kingdom. We are passionate about protecting the personal data of those who interact with us in relation to our services and products; those who work for us and those who, for whatever reason, share their personal data with us.

 

  1. MHLI is the Data Controller and is responsible for ensuring that all necessary processes and protocols are in place to ensure the organisation fully complies with the requirements of the General Data Protection Regulations 2018 (GDPR), the Regulations that govern all aspects of the processing of personal data within the European Union.

 

Personal data – what is it?

  1. The GDPR regulations indicate that personal data is primarily data ‘that relates to a living individual who can be identified from that data or from that data plus other personal data the Data Controller holds on that Data Subject’ (the person to whom the data relates).

 

  1. The word ‘processing’ is the collective term for any and all activities carried out with the data and includes: gathering, using, sharing, altering or disposal of personal data. GDPR governs the processing of personal data in any format including hard and electronic formats, or in any combination of the same.

 

How do we process your personal data?

  1. MHLI seeks to fully comply with our obligations under the GDPR and we do that in a range of ways. These include: keeping personal data up to date; only collecting personal data that is applicable to our needs, not retaining data that becomes excess to our needs; by protecting personal data from loss, misuse, unauthorised access or disclosure. We will do this by ensuring that appropriate technical and operational data security measures are in place and that our staff are suitably trained and managed with regard to the processes and compliance protocols required to comply with the Regulations.

 

What is the legal basis that allows MHLI to process your personal data?

  1. The GDPR requires a legal justification be established before personal data is processed and this is dependent upon the use to which the data will be put. This protects you, the Data Subject, by ensuring that your personal data will only be used for the purposes that you have explicitly agreed to. These are:
    1. Processing is necessary for the purposes of the legitimate interests pursued by MHLI or a third party except where such interests are overridden by the interests, rights or freedoms of the data subject.
    2. Explicit consent by you, the data subject.
    3. Processing is necessary for MHLI to comply with Legal or Regulatory requirements. Examples of this could be our legal obligations to maintain certain records so that we may carry out our obligations under employment, social security or social protection law, or a collective agreement.


How do we use your personal data?

  1. Personal data will be used as follows:
    • To enable us to provide professional business-related services.
    • To enable employee management and administration, and the management of those who from time to time provide services to MHLI as consultants or contractors.
    • To comply with organisational Legal and Regulatory requirements placed upon MHLI.
    • For direct marketing purposes, including informing you of MHLI product news, events, activities and services – direct marketing will only be undertaken with your prior, informed and express consent; this consent can be withdrawn by you at any time.


When will we share your personal data with third parties?

  1. Your personal data will be treated as strictly confidential and will only be shared with third parties when:
    • MHLI has your explicit, informed and express consent to do so; or
    • There is a Legal or Regulatory requirement for that sharing.


  1. Where we use other organisations to provide a service, such as cloud-based IT management software or applications for administration support, the storage of data, website hosting, or for necessary IT support, these organisations will only be selected and appointed if they can prove they are fully GDPR compliant and have signed a contract with MHLI to the effect that they will fully comply with the data security policies and processes prescribed by MHLI.


How long do we keep your personal data?

  1. The retention requirements for personal data vary greatly depending upon the type of data that is being processed. There are two broad areas:
    • The Regulatory, Legislative or operational requirements placed upon MHLI.
    • Your agreement to the processing of the information: you have the right to require MHLI to cease processing your data at any time, and we will do that in so far as no Legal, Regulatory or operational requirement prevents it.


Your rights relating to your personal data and processing undertaken by MHLI

  1. Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
  2. The right to request to be informed of the personal data which we process about you; this is known as making a Subject Access Request (SAR). An SAR must be made in writing; email or letter format will suffice.
  3. To allow us to process your SAR effectively, please include the following information:
    • Your full name;
    • Your full address including any Post Code;
    • Your telephone number in case we need to contact you;
    • Your email address in case we need to contact you;
    • Sufficient information to allow us to identify the relevant data clearly: where available, an order or invoice number and an approximate date of MHLI’s initial contact with you, as information of this type will greatly assist us in responding to your SAR or enquiry in a timely manner.
    • The email address to forward your SAR to is listed at Point 14 below.
  4. The right to require MHLI to correct without delay any errors or inaccuracies, including out-of-date information, identified in your personal data.
  5. The right to request that your personal data be erased where it is no longer necessary for us to retain such data.
  6. The right to withdraw your consent to the processing taking place at any time.
  7. The right to request that MHLI provides you, the data subject, with your personal data and, where possible, transmits that data on your written request directly to a data controller that you have identified.
  8. The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction be placed on further processing.
  9. The right to object to the processing of personal data.
  10. The right to lodge a complaint with the Information Commissioner’s Office.


Further processing

  1. If we wish to use your personal data for a new purpose not covered by the use you expressly agreed with MHLI, then we will provide you with a notice explaining the new use, its purposes and the processing conditions.

Will I be informed about any data breaches that impact me?

  1. Yes, we will do this in compliance with GDPR requirements.

How do you make a complaint relating to the processing of your data?

  1. You have two options by which you can exercise your rights, request further information, or make a complaint in relation to MHLI’s processing of your personal data: this must be done in writing, and either email or letter format will suffice. Please send your requests to:

Mile High Labs International Ltd

Address:
The Data Protection Officer
Mile High Labs International
2 Falcon Way
Adelaide Industrial Estate
Belfast BT12 6SQ

Telephone: +44 (0)28 9099 5253
Email: GDPRinquiries@milehighlabs.com

  1. If you require further information in relation to GDPR please contact the Information Commissioner’s Office. Contact details as follows:

The Information Commissioner’s Office
3rd Floor, 14 Cromac Place
Belfast BT7 2JB

Telephone: +44 (0)28 9027 8757
Email: ni@ico.org.uk
Website: www.ico.org.uk