This Policy sets out the obligations of Waddell Ltd T/A Dazed Media, a company registered in England under number 03039139, whose registered office is at 2nd Floor, 2 Arundel Street, London, WC2R 3DA (the ‘Company’, ‘we’, ‘us’, ‘our’) regarding data protection and the rights of our customers, suppliers, business contacts and employees in respect of their Personal Data under EU Regulation 2016/679 General Data Protection Regulation (‘GDPR’).
The GDPR defines ‘Personal Data’ as any information relating to an identified or identifiable natural person (a ‘Data Subject’, ‘you’, ‘your’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
From the 25th May 2018, the GDPR (defined below), as amended or updated from time to time, comes into force. We wish to ensure that we are compliant with our role as set out under the GDPR and as such this policy and the protocols it outlines are the principles which demonstrate our commitment regarding the collection, processing, transfer, storage, and disposal of your Personal Data. The protocols outlined here are followed at all times by the Company, its employees, agents, contractors, or other parties working on our behalf.
We are committed not only to the letter of the law, but also to the spirit of the law and we place a high importance on the correct, lawful, and fair handling of all Personal Data, respecting the legal rights, privacy, and trust of all individuals with whom we deal.
The Company’s nominated Data Protection Officer (‘DPO’) is Thomas Smith who can be contacted by email at thomas.smith@dazedmedia.com, in writing at the Company’s office address above, or by telephone at +44 (0)20 7336 0766. The responsibilities of our DPO are outlined in section B9 below.
B1. Introduction
The GDPR sets out the following principles with which any party handling Personal Data must comply. All Personal Data must be:
processed lawfully, fairly, and in a transparent manner in relation to the Data Subject;
collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay;
kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed. Personal data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the Data Subject; and
processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
B2. Rights of the Data Subject
The GDPR also clarifies and enhances the rights of Data Subjects. As such, you have the right to:
be informed that we hold your Personal Data (section B11 below);
access the Personal Data we hold about you (section B12);
rectify any data which is incorrect, inaccurate, incomplete or obsolete (B13);
erasure of the data we hold about you (also known as the ‘right to be forgotten’) (B14);
restrict how the data is processed and, in particular, how it is used (B15);
obtain your Personal Data in a specific format (B16);
object to your data being used in a specific way (B17); and
determine use of your data in relation to automated decision-making and profiling (B18 and B19).
B3. Lawful, Fair, and Transparent Data Processing
The processing of your Personal Data is lawful if at least one of the following applies:
You have given consent to the processing of your Personal Data for one or more specific purposes;
The processing is necessary for the performance of a contract to which you are a party, or in order to take steps prior to entering into a contract with us;
The processing is necessary for compliance with a legal obligation to which we are subject;
The processing is necessary to protect your vital interests or of another natural person;
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or
The processing is necessary for the purposes of our legitimate business interests, except where such interests are overridden by your fundamental rights and freedoms which require protection of Personal Data, in particular where the Data Subject is a child.
B4. Specified, Explicit, and Legitimate Purposes
We collect and process the Personal Data set out in section B20. This includes Personal data we have collected directly from you and Personal Data obtained from third parties. We only collect, process, and hold Personal Data for the specific purposes set out in section B20 or for other purposes expressly permitted by the GDPR. You have the right to be informed at all times of the purpose or purposes for which we use your Personal Data, as outlined in section B11.
B5. Adequate, Relevant, and Limited Data Processing
We only collect and process Personal Data for and to the extent necessary for the specific purpose or purposes about which you are informed (or will be informed) as per section B4, above, and as set out in section B20, below.
B6. Accuracy of Data and Keeping Data Up-to-Date
We ensure that all Personal Data collected, processed, and held by us is kept accurate and up-to-date. This includes, but is not limited to, the rectification of your Personal Data at your request, as set out in section B13, below. The accuracy of your Personal Data is checked when it is collected and at regular intervals thereafter. If any of your Personal Data is found to be inaccurate or out-of-date, we will take all reasonable steps without delay to amend or erase that data, as appropriate.
B7. Retaining Data
We will not keep Personal Data for any longer than is necessary in light of the purpose or purposes for which that Personal Data was originally collected, held, and processed. When Personal Data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
Full details of our approach to data retention, including retention periods for specific Personal Data types held by us, are outlined in our Data Retention Policy below.
B8. Secure Processing
We ensure that all Personal Data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which are taken are provided in sections B21 to B22.
B9. Accountability and Record-Keeping
Our Data Protection Officer (‘DPO’, named above) is responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy and with the GDPR and other applicable data protection legislation.
We keep written internal records of all Personal Data collection, holding, and processing, incorporating the following information:
The name and details of the Company, its DPO, and any applicable third-party data processors;
The purposes for which we collect, hold, and processes Personal Data;
Details of the categories of Personal Data collected, held, and processed, and the categories of Data Subject to which that Personal Data relates;
Details of any transfers of Personal Data to non-EEA countries including all mechanisms and security safeguards;
Details of how long Personal Data will be retained (see below); and
Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of Personal Data.
B10. Data Protection Impact Assessments
For any and all new projects and/or uses of Personal Data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of Data Subjects under the GDPR, we will undertake Data Protection Impact Assessments. These assessments will be overseen by our DPO and will address the following:
The type(s) of Personal Data that will be collected, held, and processed;
The purpose(s) for which Personal Data is to be used;
The Company’s objectives;
How Personal Data is to be used;
The parties (internal and/or external) who are to be consulted;
The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
Risks posed to Data Subjects;
Risks posed both within and to the Company; and
Proposed measures to minimise and handle identified risks.
B11. Keeping Data Subjects Informed
Where Personal Data is collected from you directly, you will be informed of its purpose at the time of collection. Where Personal Data is obtained from a third party, you will be informed of its purpose:
if the Personal Data is used to communicate with you, when the first communication is made; or
if the Personal Data is to be transferred to another party,
