The Bilsthorpe Wind Farm is located in Nottinghamshire
The Bilsthorpe Wind Farm is owned by Bilsthorpe Wind Farm Limited.
The site uses Senvion MM82 turbines, each with a three-bladed rotor, active pitch control and variable-speed operation, and a rated power of 2,040 kW per turbine.
On average 19,695 MWh of renewable electricity is generated each year, enough to power 4,874 residential properties based on national average electricity consumption statistics.
Each year Bilsthorpe Wind Farm makes contributions totalling £45,000 to its local parish councils, Eakring Parish Council and Bilsthorpe Parish Council. More information can be found on the respective parish council websites.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive. You can find out more about cookies, how to manage and delete them, and how to manage your browser settings, at www.allaboutcookies.org.
Below is a list of all the cookies we use on our website:
Cookie Name: _ga | Default expiration: 2 years | Description: Used to distinguish users.
Cookie Name: _gid | Default expiration: 24 hours | Description: Used to distinguish users.
Cookie Name: _gat | Default expiration: 1 minute | Description: Used to throttle the request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_.
Cookie Name: AMP_TOKEN | Default expiration: 30 seconds to 1 year | Description: Contains a token that can be used to retrieve a Client ID from the AMP Client ID service. Other possible values indicate opt-out, an in-flight request or an error retrieving a Client ID from the AMP Client ID service.
Cookie Name: _gac_ | Default expiration: 90 days | Description: Contains campaign-related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt out.
Bilsthorpe Wind Farm Limited (the Company) recognises its responsibility and is committed to respecting the personal data and privacy of its investors, directors, officers, suppliers and other third parties as required by the General Data Protection Regulation (GDPR). As a result, directors and officers of the Company share the Company's responsibility and must ensure that their conduct in their work complies with this Policy. The Company has delegated responsibility for the Company's compliance with the GDPR to Foresight Group LLP (Foresight Group). If you, as a director or officer of the Company or an employee of Foresight Group, are unsure of your responsibilities or need guidance, you must speak to a member of the Foresight Group ISMS & GDPR Panel.
The GDPR and this Policy apply to the processing by the Company of the Personal Data of individuals located in the UK, Guernsey, Jersey or the EEA in the context of its activities (even if the Personal Data concerned is held and processed outside those territories).
The version of the GDPR which became part of UK law from 1 January 2021 by virtue of the European Union (Withdrawal) Act 2018 is identical in all material respects to the original version of the GDPR as implemented by national legislation in Guernsey, Jersey and the European Economic Area (EEA). References to the GDPR in this Policy are to the version of the GDPR which applies to the particular processing being undertaken.
The GDPR sets out key principles relating to the processing of Personal Data; they are listed in full later in this Policy.
Organisations are responsible for, and must be able to demonstrate, compliance with those principles.
The meaning of “processing” is wide ranging and includes merely holding Personal Data (see the definition below) and the GDPR applies to Personal Data whether it is used in a corporate or private context (for example it applies to personal work email addresses, as well as private email addresses).
This Policy outlines the standards that will promote compliance across the activities of the Company with applicable data protection laws.
It is recognised that, because of the nature of the Company and its activities, alongside Foresight Group being responsible for the Company complying with GDPR, the majority of the Processing of Personal Data will be carried out on its behalf by Foresight Group as a Processor of Personal Data on behalf of the Company as Controller of that Personal Data. The Company’s instructions to its Processor will be required to be consistent with this Policy.
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Board: the board of directors of the Company from time to time.
Company, we, our or us: Bilsthorpe Wind Farm Limited.
Company Personnel or you: all directors, officers, consultants and others engaged by the Company, including employees of Foresight Group.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.
Criminal Convictions Data: means personal data relating to criminal convictions and offences and includes personal data relating to criminal allegations and proceedings.
Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to Company Personnel and Personal Data used in our business for our own commercial purposes.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Protection Impact Assessment (DPIA): tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
EEA: the 27 countries in the EU, Iceland, Liechtenstein and Norway.
Explicit Consent: consent that requires a very clear and specific (ideally written) statement (that is, not just action).
Foresight: Foresight Group LLP.
Foresight Group: Foresight Group Holdings Limited and its direct and indirect subsidiary undertakings.
Foresight GDPR Panel: the panel established by Foresight Group’s Executive Committee to ensure that its business (including that of the funds managed by it, including their subsidiaries, or a Foresight Group entity) is compliant with GDPR. Details of panel members (including contact details) will be provided to Company Personnel.
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679) or, as applicable, that Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act of 2018. Personal Data is subject to the legal safeguards specified in the GDPR.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Category Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Processor: a person or entity that carries out Processing.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and securely.
Special Category Data (also previously referred to as Sensitive Personal Data): information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
As stated above, it is recognised that, because of the nature of the Company and its activities, the majority of the Processing of Personal Data will be carried out on its behalf by Foresight or a third-party service provider overseen by Foresight as a Processor of Personal Data on behalf of the Company as Controller of that Personal Data. As the Company is unstaffed, most of the Company’s operations are delegated to third parties and the Company consists of only the Board, which has no employees or internal operations. The Company’s instructions to its Processor will be required to be consistent with this Policy.
We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the Company and will provide for our successful business operations.
GDPR Panel Members: Jo Nicolle, Director, Head of Governance; Chris Tanner, Partner
GDPR Email Address: DProtection@foresightgroup.eu
In particular, a member of the Foresight Group GDPR Panel must always be contacted in the following circumstances:
(a) if there has been a Personal Data Breach (see section 10.2 below);
(b) if you become aware of or believe there to be any rights invoked by a Data Subject (see section 12 below);
(c) if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (see section 13.7 below);
(d) if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Company) (see section 5.1 below);
(e) if you need to rely on Consent and/or need to capture Explicit Consent (see section 5.2 below);
(f) if you need to draft Privacy Notices or Fair Processing Notices (see section 5.3 below);
(g) if you are unsure about the retention period for the Personal Data being Processed (see section 9 below);
(h) if you are unsure about what security or other measures you need to implement to protect Personal Data (see section 10.1 below);
(i) if you are unsure on what basis to transfer Personal Data outside the UK, Guernsey, Jersey and the EEA (see section 11 below);
(j) whenever you are engaging in a significant new, or a change in, Processing activity which is likely to require a DPIA (see section 13.4 below), or plan to use Personal Data for purposes other than those for which it was collected;
(k) if you plan to undertake any activities involving Automated Processing, including profiling or Automated Decision-Making (see section 13.5 below); or
(l) if you need help complying with applicable law when carrying out direct marketing activities (see section 13.6 below).
We are committed to apply the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
(a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
(b) Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
(d) Accurate and where necessary kept up to date (Accuracy).
(e) Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
(f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
(g) Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
(h) Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).
It is important that you understand that the Company is responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability) and that you play an important part in helping the Company to achieve that.
It is important to ensure that Personal Data is Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing but ensure that we Process Personal Data fairly and without adversely affecting the Data Subject.
The GDPR allows Processing for specific purposes, some of which are set out below:
(a) the Data Subject has given his or her Consent;
(b) the Processing is necessary for the performance of a contract with the Data Subject;
(c) to meet our legal compliance obligations;
(d) to protect the Data Subject’s vital interests; or
(e) to pursue our legitimate interests, except where those interests are overridden by the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we Process Personal Data on the basis of legitimate interests must be set out in the applicable Privacy Notices or Fair Processing Notices.
In order to evidence our consideration in respect of each Processing activity, you are required to identify and document the legal ground being relied on.
In our role as a Data Controller, we must only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which include Consent.
Consent by a Data Subject to permit us to Process their Personal Data is only valid if they indicate agreement clearly either by a statement or positive/affirmative action and so silence, pre-ticked boxes or inactivity are not sufficient. Consent must also be clear and not hidden, so if it is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
Once a Data Subject has given Consent, they must be able to easily withdraw that Consent at any time and we must endeavour to facilitate that withdrawal without delay. Additionally, Consent may need to be refreshed if the Personal Data is to be Processed for a different and incompatible purpose than that described at the time the original Consent was given. In that case, we must ensure that we set out the nature and purpose of the proposed Processing when asking the Data Subject to “re-Consent”.
When Processing Special Category Data or Criminal Convictions Data, we will, where possible, rely on a legal basis other than Consent or Explicit Consent. In the rare situations where Explicit Consent is relied on, we must give the Data Subject more information on the nature and purpose of our requirement, and you must refer to the Foresight Group GDPR Panel for guidance on the arrangements required: the Panel will ensure that appropriate controls are in place to manage that Special Category Data, that the Explicit Consent, which must be in writing, is appropriately worded, and will also consider whether we can rely on another legal basis for the Processing. Explicit Consent may likewise be needed for Automated Decision-Making and for cross-border data transfers where no other condition in the GDPR applies (see sections 11 and 13.5 below). Where Explicit Consent is required, a Fair Processing Notice must be sent to the Data Subject to capture it, and, as stated above, that notice must be reviewed by the Foresight Group GDPR Panel before being finalised and sent. Guidance on the content of the Fair Processing Notice is provided in section 5.3 below.
You will need to evidence Consent captured and keep records of all Consents so that the Company can demonstrate compliance with Consent requirements.
The GDPR requires us as a Data Controller to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. That information must be provided through appropriate Privacy Notices or Fair Processing Notices, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them, but in all cases, the wording must be approved by the Foresight Group GDPR Panel before finalising/issuing.
Whenever we collect Personal Data directly from Data Subjects, including for human resources or employment purposes, we must provide the Data Subject with all the information required by the GDPR, including the identity of the Data Controller, Foresight Group's data protection email address (DProtection@foresightgroup.eu), and how and why we will use, Process, disclose, protect and retain that Personal Data. This is done through a Fair Processing Notice, which must be presented when the Data Subject first provides the Personal Data.
Where we obtain Personal Data via a third party or from a publicly available source, it will be necessary to implement controls and procedures to ensure that the Data Subject is still given the information required by the GDPR.
Where we record your image via CCTV at one of our sites, we will provide you with all the information required by the GDPR including the reason for having CCTV installed, who is responsible for the CCTV and who to contact.
Ideally, the controls and procedures should be in writing, and where necessary, include a checklist in order to ensure and evidence that all steps identified as required are taken.
It is necessary to ensure that Personal Data is only collected for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes, and so you should not request Personal Data on the basis that it may be required in the future or is a “nice to have”.
You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary. If you are in any doubt over whether you are using Personal Data for anything other than the purposes it was originally provided, please refer to a member of the Foresight Group GDPR Panel.
As mentioned above, it is important to ensure that we do not ask for more Personal Data than is needed. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
You may only Process Personal Data when performing your duties requires it, and if the Processing is either as disclosed when the Personal Data was first obtained or was consented to subsequently. You cannot Process Personal Data for any reason unrelated to the purpose for which it was obtained.
You may only collect Personal Data that we require to enable us to carry out the Processing for which it was obtained: do not collect excessive Personal Data and ensure any Personal Data collected is adequate and relevant for the intended purposes only.
You must ensure that when Personal Data is no longer needed for specified purposes, it is held securely, and that you notify a member of the Foresight Group ISMS & GDPR Panel to determine whether that data may be deleted or anonymised in accordance with any applicable data retention guidelines.
Note: different retention periods will apply to different data types and these are set out in Foresight Group’s guidelines. If you are in any doubt over what applies to the Personal Data you are dealing with, please speak to a member of the Foresight Group GDPR Panel before taking any action. It is important that no personal data is deleted before the relevant retention period has expired, and that no personal data is deleted or anonymised without the prior authorisation of the Foresight Group GDPR Panel.
Personal Data must be accurate and, where necessary, kept up to date. If we discover or are made aware that Personal Data held is not accurate, it must be corrected or deleted without delay in accordance with procedures or guidance from the Foresight Group GDPR Panel.
As mentioned, it is important that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You are required to implement controls and procedures that check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards, where appropriate. Where we hold inaccurate or out-of-date Personal Data, we must take appropriate steps to ensure it is amended or deleted, however please adhere to the protocols noted in this document as regards deletion and seek the necessary advice before taking any action.
We are required to ensure that Personal Data is not kept in an identifiable form for longer than is necessary for the purposes for which it is Processed. As a general rule, we will hold Personal Data only for as long as it remains necessary for those purposes.
General guidance on retention periods will be issued by the Foresight Group GDPR Panel from time to time.
We are required to ensure that we do not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements. Where that situation does arise, it is necessary to understand what retention arrangements apply to that Personal Data, and to escalate to the Foresight Group GDPR Panel where it is believed that the retention period has expired or is due to expire imminently.
The Company will maintain retention policies and procedures to ensure Personal Data is deleted (as advised by the Foresight Group GDPR Panel) after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. In that regard, it is extremely important to comply with Foresight’s guidelines on Data Retention and to ensure that only the Foresight Group GDPR Panel can arrange and/or authorise the destruction of Personal Data.
The Foresight Group GDPR Panel will take all reasonable steps when arranging to destroy or erase from our systems all and any Personal Data that we no longer require in accordance with all the Company’s applicable records retention schedules and policies. This includes requiring third parties to delete such data where applicable.
It is necessary to ensure that Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice or Fair Processing Notice. Appropriate wording should be agreed with the Foresight Group GDPR Panel before finalising/ issuing any notice.
The Foresight Group GDPR Panel will work with Company Personnel to ensure that Personal Data is secured by appropriate technical and organisational measures against unauthorised or unlawful Processing and against accidental loss, destruction or damage. If Company Personnel discover any such situation, it must be escalated immediately to the Foresight Group GDPR Panel.
We will put those measures in place in consultation with Company Personnel and experts as appropriate.
We require that you follow all procedures and utilise technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. The transfer of Personal Data may only take place where it is being sent to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place. However, any transfer must only be facilitated upon the prior authorisation of the Foresight Group GDPR Panel. Data security must be maintained by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
(a) Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.
(b) Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.
In order for you to comply with all applicable aspects of any Information Security Policy/ies adopted by the Company, appropriate controls and procedures must be implemented. Those procedures and controls, whether administrative, physical and/or technical, are all safeguards and must be in accordance with the GDPR and any relevant standards to protect Personal Data.
The GDPR requires Data Controllers to notify the applicable regulator of a Personal Data Breach (unless the breach is unlikely to result in a risk to individuals' rights and freedoms) and, where the breach is likely to result in a high risk to them, to notify the affected Data Subjects as well. Note that the definition of Personal Data Breach is wide and includes, for example, the unauthorised receipt of Personal Data.
Notification to the regulator must be made within 72 hours of our becoming aware of the breach, so it is extremely important that you escalate any situation in which you believe a breach may have taken place to the Foresight Group GDPR Panel without delay.
Foresight have put in place procedures to deal with any suspected Personal Data Breach which will involve the notification to Data Subjects or any applicable regulator where we are legally required to do so. This includes the Foresight Group GDPR Panel acting on behalf of the Company to investigate any incident or data breach and notifying the relevant regulator where necessary.
If you know or suspect that a Personal Data Breach has occurred, you must not attempt to investigate the matter yourself. You must immediately contact the Foresight Group GDPR Panel, which handles Personal Data Breaches and incidents. You must, however, preserve all evidence relating to the potential Personal Data Breach in the manner specified in the Information Security Incident Management Policy located in Foresight's Governance & Compliance Library.
The GDPR restricts data transfers to countries outside the UK, Guernsey, Jersey and the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Transfers of this kind occur when Personal Data originating in one country is transmitted, sent, viewed and/ or accessed in or to a different country.
The transfer of Personal Data outside the United Kingdom, Guernsey, Jersey and the EEA can only be facilitated upon the prior authorisation of the Foresight Group GDPR Panel if one of the following conditions applies:
(a) as applicable, the European Commission or the UK Government has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects' rights and freedoms (for these purposes, Guernsey and Jersey have been formally recognised by the EU, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en, and by the UK);
(b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission or the UK Government, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the Foresight Group ISMS & GDPR Panel;
(c) the Data Subject has provided Explicit Consent to the particular proposed transfer after being informed of any potential risks; or
(d) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject (including an employment contract), reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
(a) withdraw Consent to Processing at any time (where Consent is the lawful basis on which the personal data is Processed);
(b) receive certain information about the Data Controller’s Processing activities;
(c) request access to their Personal Data that we hold;
(d) prevent our use of their Personal Data for direct marketing purposes;
(e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data (for example if the Data Subject believes we hold inaccurate Personal Data about them, or Personal Data which we do not need to have in order to carry out Processing for them);
(f) restrict Processing in specific circumstances;
(g) challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
(h) request a copy of an agreement under which Personal Data is transferred outside of the United Kingdom, Guernsey, Jersey or the EEA;
(i) object to decisions based solely on Automated Processing, including profiling (ADM);
(j) prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
(k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
(l) make a complaint to the supervisory authority; and
(m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
In view of the above, it is essential that you verify the identity of an individual requesting data under any of the rights listed above, and do not allow third parties to persuade you into disclosing Personal Data without proper authorisation. Requests may take any number of forms, including a telephone call, email or letter. Where a request is made by telephone, you must take all reasonable measures to ensure you are talking to the Data Subject or a person appropriately authorised by the Data Subject to have access to the data requested. If you are in any doubt, please refer to your line manager or a member of the Foresight Group GDPR Panel for guidance.
You must immediately forward any Data Subject request you receive to the Foresight Group GDPR Panel.
13.1 The Company (as a Data Controller) is required to implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. This must be done via our Company Personnel and/or Foresight in such a manner as to enable us to demonstrate compliance with the data protection principles. This means that you and your team must ensure you have:
The Company must have adequate resources and controls in place to ensure and to document GDPR compliance including:
(a) establishing suitable governance responsibilities for data privacy;
(b) implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
(e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
The GDPR requires us to keep full and accurate records of all our data Processing activities.
As noted in 13.1 above, we require that you keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects’ Consents and procedures for obtaining Consents.
These records should include, as a minimum, the name and contact details of the Data Controller and the Foresight Group GDPR Panel, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. In order to create such records, data maps should be created which should include the detail set out above together with appropriate data flows.
We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also test our systems and processes to assess compliance.
It is important that you undergo all mandatory data privacy related training. If you feel that you require additional training, please speak to the Foresight Group GDPR Panel.
We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data privacy principles.
Privacy by design is an approach that promotes privacy and data protection compliance from the start and is an essential tool in minimising privacy risks and building trust with our Data Subjects.
In establishing and following controls and procedures, it will be necessary for you to assess what Privacy by Design measures can be implemented on all programs/systems/processes that Process Personal Data by taking into account the following:
(a) the state of the art;
(b) the cost of implementation;
(c) the nature, scope, context and purposes of Processing; and
(d) the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
As a Data Controller, the Company must also conduct DPIAs in respect to high risk Processing.
DPIAs are required (and you must discuss your findings with the Foresight Group ISMS & GDPR Panel) when implementing major system or business change programs involving the Processing of Personal Data, including:
(e) use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
(f) Automated Processing including profiling and ADM;
(g) large scale Processing of Sensitive Data or Criminal Convictions Data; and
(h) large scale, systematic monitoring of a publicly accessible area.
We also undertake DPIAs on other kinds of Personal Data processing in order to determine the level of risk involved.
A DPIA template is available from the Foresight Group ISMS & GDPR Panel and will include:
(i) a description of the Processing, its purposes and the Data Controller’s legitimate interests if appropriate;
(j) an assessment of the necessity and proportionality of the Processing in relation to its purpose;
(k) an assessment of the risk to individuals; and
(l) the risk mitigation measures in place and demonstration of compliance.
The Company, at the date of this policy, does not use profiling or ADM.
However, generally, ADM is prohibited when a decision has a legal or similar significant effect on an individual unless:
(a) a Data Subject has Explicitly Consented;
(b) the Processing is authorised by law; or
(c) the Processing is necessary for the performance of or entering into a contract.
If certain types of Sensitive Data or Criminal Convictions Data are being Processed, then grounds (b) or (c) will not be allowed, but such Sensitive Data and Criminal Convictions Data can be Processed where it is necessary (unless less intrusive means can be used) for a substantial public interest, such as fraud prevention.
If a decision is to be based solely on Automated Processing (including profiling), then Data Subjects must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the Data Subject’s rights and freedoms and legitimate interests.
We must also inform the Data Subject of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.
Where you utilise a form of ADM or Automated Processing, a DPIA must be carried out before any such activities are undertaken.
Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the Personal Data we hold with other Company Personnel, any agent or representative of the Company or Foresight (which includes Foresight’s subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information, is authorised to see the data and the transfer complies with any applicable cross-border transfer restrictions.
You may only share the Personal Data we hold with third parties, such as our service providers, if:
(a) they have a need to know the information for the purposes of providing the contracted services;
(b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
(c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
(d) the transfer complies with any applicable cross border transfer restrictions; and
(e) a fully executed written contract that contains GDPR-approved third party clauses has been obtained.