Our policy for processing data
To ensure GDPR compliance, Astaura will:
- Only act upon the written instructions of our clients (normally the data controllers).
- Be subject to a duty of confidence and ensure the same of all relevant staff members.
- Take appropriate measures to ensure the security of the processing.
- Only engage a sub-processor with the written consent of the data controller.
- Assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
- Assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
- Delete or return all personal data to the controller, as requested, at the end of any relevant contract.
- Submit to audits and inspections and provide the controller with whatever information it needs to ensure that it is meeting its Article 28 obligations. Tell the controller immediately if Astaura is asked to do something that infringes the GDPR or other data protection law of the EU or a member state.
- Train our staff to comply with these regulations.
Our direct responsibilities under GDPR are to:
- Only act on the written instructions of the controller (Article 29);
- Not use a sub-processor without the prior written authorisation of the controller (Article 28.2);
- Co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
- Ensure the security of its processing in accordance with Article 32;
- Keep records of its processing activities in accordance with Article 30.2;
- Notify any personal data breaches to the controller in accordance with Article 33;
- Employ a data protection officer if required in accordance with Article 37; and
- Appoint (in writing) a representative within the European Union, if required in accordance with Article 27.
Our policy for controlling data
To ensure GDPR compliance, Astaura will:
- Only collect and retain information necessary to transact with our customers and prospects.
- Ensure that revoked consent requests are actioned within 30 days of revocation.
- Enable the right of access within 30 days of the request, unless otherwise specified in writing.
- Train our staff to comply with these regulations.
Subject access requests
Upon receiving a written subject access request Astaura will:
- Verify the identity of the person requesting the information.
- Respond in writing within 30 calendar days with the requested information.
- If requested, initiate the right to erasure process.
What we will do should there be a data protection breach
Should there be a data breach, staff are trained to inform their line manager immediately, who will, in turn, inform an authorised member of the client's personnel team and the ICO within 24 hours.
The information provided to the client and the ICO will include:
- What has happened;
- When and how we found out about the breach;
- The people that have been or may be affected by the breach;
- What we are doing as a result of the breach.
The management team at Astaura is responsible for compliance with and maintenance of this policy. If you have any questions, please do not hesitate to contact us on 01768 892292.