1) Lawful, fair and transparent processing
Northside Counselling Service will process all personal data in a lawful, fair and transparent manner.
• Lawful means all processing will be based on the legitimate purposes pertaining to the provision of counselling or training activities.
• Fair means NCS takes responsibility and will not process data for any purpose other than the legitimate purposes.
• Transparent means that NCS will inform data subjects about the processing activities on their personal data.
2) Limitation of purpose, data and storage
NCS commits to limiting the processing, to collecting only data which is necessary, and to not keeping personal data once the processing purpose is completed.
• NCS forbids the processing of personal data outside the legitimate purpose for which the personal data was collected.
• NCS mandates that no personal data, other than what is necessary, be requested.
• NCS states that personal data will be deleted once the legitimate purpose for which it was collected is fulfilled.
3) Data subject rights
Our data subjects have the right to ask NCS what information it has about them, and what the company does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data. Our data subjects have the right to request access to their personal data. This request gives data subjects the right to see or view their own personal data, as well as to request copies of their personal data.
4) Consent
If an occasion should arise whereby NCS intends to process personal data beyond the initial stated legitimate purpose for which that data was collected, clear and explicit consent will be requested from the data subject. Once collected, this consent will be documented, and the data subject is allowed to withdraw her or his consent at any moment. NCS recognises that for the processing of children’s data, GDPR requires explicit consent of the parents (or guardian) if the child’s age is under 16.
5) Personal data breaches
NCS will maintain a Personal Data Breach Register and, based on severity, the regulator and data subject will be informed within 72 hours of identifying the breach.
6) Privacy by Design
NCS will incorporate organisational and technical mechanisms, to the best of its ability, to protect personal data in the design of new systems and processes; that is, privacy and protection aspects will be foremost in consideration of the design of our systems and processes.
7) Data Protection Impact Assessment
To estimate the impact of changes or new actions, a Data Protection Impact Assessment will be conducted when initiating a new project, process or change. The Data Protection Impact Assessment is a procedure that will be carried out when a significant change is introduced in the processing of personal data. This change could be a new process, or a change to an existing process that alters the way personal data is being processed.
8) Data transfers
The NCS CEO is the controller of personal data and is accountable for ensuring that personal data is protected and GDPR requirements are respected, even if processing is being done by a third party. This means the NCS data controller has an obligation to ensure the protection and privacy of personal data when that data is being transferred outside of NCS, to a third party and/or other entity within the same company.
9) Data Protection Officer
The role and functions of the Data Protection Officer will reside within the purview of the CEO, who therefore has the responsibility of advising the company about compliance with EU GDPR requirements.
10) Awareness and training
NCS will create awareness among all staff and contracted staff about key GDPR requirements and, where applicable, conduct training or disseminate information to ensure that employees remain aware of their responsibilities for the protection of personal data and for identifying personal data breaches as soon as possible.