Data Protection Policy
October 2018

  1. Introduction
    1. The Bernat Klein Foundation ("the Foundation") is fully committed to complying with the requirements of the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (the Data Protection Legislation).
    2. The Foundation recognises that the Data Protection Legislation is important in relation to protecting the rights of individuals on whom the Foundation keeps and uses personal data.
    3. The Foundation will therefore follow procedures that aim to ensure that all employees, agents, consultants, partners or other persons involved in the work of the Foundation and who have access to any personal data held by or on behalf of the Foundation, are fully aware of and abide by their duties and responsibilities under the Data Protection Legislation and assist the Fund in doing so.
  2. Statement of policy
    1. In order to operate efficiently and fulfil its functions, the Foundation must collect and use data about people with whom we work in order to provide our services. These may include: Trustees of the Foundation; current officers of the Foundation; any administrators of the Foundation.
    2. In addition, the Foundation may be required to collect and use certain types of data for legal compliance purposes. This personal data must be handled properly, irrespective of how it is collected, recorded and used.
  3. Glossary of key terms
    1. The following is a glossary of key terms in the Data Protection Legislation:
      1. Information Commissioner's Office (the ICO) – the ICO is the body responsible for enforcing and monitoring compliance with the Data Protection Legislation;
      2. controller – the organisation that determines the purposes for which and manner in which personal data is used;
      3. data subject – a living individual who is the subject of personal data, for example, Trustees of the Foundation; current officers of the Foundation; any administrators of the Foundation; individuals purchasing or availing themselves of products or services offered by the Foundation;
      4. personal data – any information relating to an identifiable person who can be directly or indirectly identified from that information, in particular by reference to an identifier;
      5. special category personal data is defined as personal data revealing a data subject's: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic or biometric data where processed for the purpose of uniquely identifying a data subject; and
      6. processing – any operation performed on personal data, including obtaining, recording, storing, using, disclosing and deleting.

4. Principles of data protection

    1. The Data Protection Legislation stipulates that anyone processing personal data must comply with the principles of good practice (the Principles).
    2. The Principles require that personal data shall be:
      1. processed lawfully, fairly and in a transparent manner;
      2. obtained only for specific, explicit and legitimate purposes and not processed for any other purpose that is incompatible with those purposes;
      3. adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
      4. accurate and where necessary, kept up to date;
      5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed; and
      6. kept secure by means of appropriate technical and organisational safeguards.

5. Handling of personal data

    1. The Foundation will, through appropriate management and the use of strict criteria and controls:
      1. observe fully the conditions regarding the fair collection and use of personal data;
      2. meet its legal obligations to specify the purpose(s) for which personal data is used;
      3. collect and process appropriate personal data and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
      4. ensure the quality of personal data used;
      5. take appropriate technical and organisational security measures to safeguard personal data;
      6. ensure that personal data is not transferred outwith the EU without suitable safeguards; and
      7. ensure that the rights of people about whom the data is held are respected and can be fully exercised by them under the Data Protection Legislation and against the Foundation.
    2. The Foundation will also ensure that:
      1. there is someone with specific responsibility for data protection within the Foundation;
      2. everyone within the Foundation who is managing and handling personal data understands that the Foundation is legally responsible for following good data protection practice and complying with the Data Protection Legislation;
      3. everyone managing and handling personal data within the Foundation is appropriately trained to do so;
      4. queries and complaints about handling personal data are promptly and courteously dealt with; and
      5. data processing by third parties on behalf of the Foundation is carried out under a written agreement.
    3. The Foundation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and, in particular, will ensure that:
      1. appropriate technical measures, including internet security, anti-virus software and firewalls, are installed and kept up-to-date;
      2. personal data held on computer systems is protected by the use of secure passwords, with periodic forced changes and mandated strong password security; and
      3. passwords should be such that they are not easily compromised.
    4. All contractors, consultants, partners or other associates or agents processing personal data for and on behalf of the Foundation as processors must enter into a contract that provides (as a minimum) that they:
      1. only act on the written instructions of the Foundation (unless required by law to act without such instructions);
      2. ensure that people processing personal data on behalf of the Foundation are subject to a duty of confidence;
      3. only engage a sub-contractor to process personal data on behalf of the Fund with the prior consent of the Foundation and a written contract;
      4. assist the Foundation in responding to requests from data subjects seeking to exercise their rights under the Data Protection Legislation;
      5. assist the Foundation in meeting its obligations under the Data Protection Legislation in relation to security of processing, the notification of personal data breaches and data protection impact assessments where applicable;
      6. delete or return all personal data to the Foundation as requested at the end of the contract;
      7. allow data protection audits and inspections by the Fund of personal data held on its behalf (if requested) to ensure that both parties are meeting their requirements under the Data Protection Legislation and tell the Foundation immediately if asked to do something that infringes the Data Protection Legislation; and
      8. indemnify the Foundation against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

6. Basis and purposes for processing personal data

  1. Before any personal data is processed by the Foundation for the first time, the Foundation will:
    1. review the purposes of the particular processing activity and select the most appropriate lawful basis under the Data Protection Legislation. The lawful bases most commonly used by the Foundation are that:
      1. the individual has consented – this is only appropriate where it is not a precondition of a service or another lawful basis applies, for example, for marketing communications;
      2. the processing is necessary for performance of or to take steps to enter into a contract with the individual – this will apply to individuals purchasing or availing themselves of products or services offered by the Foundation;
      3. the processing is necessary to comply with a legal obligation – the Foundation needs to process certain personal data under law; or
      4. the processing is necessary for the Foundation's or a third party's legitimate interests – provided that the legitimate interests are not overridden by the interests of the data subject;
    2. document the Foundation's decision as to which lawful basis applies, to help demonstrate compliance with the Principles; and
    3. include information about the purposes, lawful basis and special condition (if applicable) of the processing within the Foundation's privacy notice provided to individuals.
  2. The Fund will review the procedures above every 3 years.
7. Documentation and records
  1. The Foundation keeps written records of processing activities, including:
    1. the name and details of the Foundation;
    2. the purposes of the processing of personal data by the Foundation;
    3. a description of the categories of individuals and categories of personal data processed by the Foundation;
    4. categories of recipients of personal data with whom the Foundation shares personal data;
    5. where relevant, details of transfers to countries outwith the EU, including documentation of the transfer mechanism safeguards in place;
    6. details of how long the Foundation keeps personal data in line with Section 10 of this Policy;
    7. a description of technical and organisational security measures put in place to keep personal data secure; and
    8. the legitimate interest for the processing of personal data.
  8. Privacy notices
    1. The Foundation will issue privacy notices from time to time to ensure that data subjects understand how their personal data is collected, used, stored, shared and deleted by the Foundation.
    2. We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  9. Rights of data subjects
    1. Data subjects have the following rights in relation to their personal data:
      1. to be informed about how, why and on what basis that information is processed – as contained within the Foundation's privacy notices;
      2. to obtain confirmation that their personal data is being processed by the Foundation and to obtain access to it and certain other information, by making a subject access request;
      3. to have personal data corrected if it is inaccurate or incomplete;
      4. to have personal data erased if it is no longer necessary for the purpose for which it was originally collected / processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as the 'right to be forgotten');
      5. to restrict the processing of personal data where the accuracy of the data is contested, or the processing is unlawful (but the individual does not want the personal data to be erased), or where the Foundation no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim;
      6. to object to the processing of personal data carried out in pursuit of the Foundation's or a third party's legitimate interests;
      7. to obtain personal data provided to the Foundation by the individual for that individual's own reuse, where the Foundation processes such personal data to perform a contract with that individual or where the individual has given consent and where the processing by the Foundation is undertaken by automated means; and
      8. to object to decisions being taken by automated means which produce legal effects concerning an individual or similarly significantly affect an individual.
  10. Retention and disposal of personal data
    1. The Foundation will review the personal data we store every 3 years to consider whether it requires to be disposed of or whether the Fund requires to retain it for any particular purpose. If the Foundation retains any personal data, there must be a lawful basis for doing so and the data should be reviewed annually thereafter.
    2. All personal data held by the Foundation is disposed of securely, ensuring any backup or additional copies are also securely disposed of.
  11. Data breaches
    1. A data breach may take many different forms, for example:
      1. loss or theft of data or equipment on which personal data is stored;
      2. unauthorised access to or use of personal data either by a member of staff or third party;
      3. loss of data resulting from an equipment or systems (including hardware and software) failure;
      4. human error, such as accidental deletion or alteration of data;
      5. unforeseen circumstances, such as a fire or flood;
      6. deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
      7. 'blagging' offences, where information is obtained by deceiving the Fund.
    2. The Foundation will:
      1. make the required report of a data breach to the ICO without undue delay and, where possible, within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and
      2. notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
    3. It is important that staff report any suspected or actual data breach to the Foundation’s Chair immediately. We will be responsible for recording and reporting data breaches.
  12. Complaints
    1. Where any data subject feels that the Foundation has:
      1. misused their personal data;
      2. refused to allow access to data;
      3. refused to amend alleged inaccuracies; or
      4. otherwise breached the Data Protection Legislation in relation to their personal data or data protection rights, they can complain to the Foundation.
    2. Data subjects may also raise complaints with the ICO.
  13. Risk Management and Audit
    1. There are potential financial penalties and compensation payments due following on from a failure to comply with the Data Protection Legislation.
    2. The Foundation will review this Policy and the associated procedures on a regular basis to ensure that they meet all legislative and regulatory requirements and best practice guidance. In addition, an annual audit and review of personal data held by the Foundation will be carried out to ensure ongoing compliance with the provisions of the Data Protection Legislation.
    3. Internal audit procedures will form an important part of establishing and sustaining good data protection practices. The Foundation will review the data it processes and collects and assess this against the Principles.
    4. We will undertake self-assessment to periodically check our compliance with the Data Protection Legislation; this Policy, regulatory and good practice guidance; and our working practices in the collection, processing and storage of personal data.
  14. Policy Review
    1. As a strategic document, this Policy will be reviewed every three years. The next review will therefore take place in 2021 or earlier to take account of:
      1. legislative, regulatory and good practice requirements;
      2. the Foundation's performance; or
      3. the views of any stakeholder in the use of personal data.
    2. If you have any questions or concerns about anything in this policy, do not hesitate to contact us.