GDPR Data Protection Policy for GPSBob Vehicle Telematics
Code Monkey Studios is the Data controller and the parent company of GPSBob Limited
Code Monkey Studios needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. Such data is collected from employees, customers, suppliers and clients and includes: (but is not limited to)
Name
Address
Email address
Phone Numbers
IP address
Identification numbers
Location Data from Vehicles
Location Data from Phones
In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations, however we are committed to processing all personal information in accordance with the United Kingdom General Data Protection Regulation (UK GDPR).
Code Monkey Studios has developed policies, procedures, controls and measures to ensure maximum and continued compliance with the UK GDPR and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a 'Privacy by Design' approach, assessing changes and their impact from the start of designing and implementing systems and processes to protect personal information.
“UK GDPR” means the United Kingdom General Data Protection Regulation, tailored by the Data Protection Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/2020
The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory obligations under the UK GDPR and to ensure that all personal and special category information is processed compliantly and in the individuals' best interests.
The UK GDPR includes provisions that promote accountability and governance and as such Code Monkey Studios has put comprehensive and effective governance measures in place to meet these provisions. The aim of such measures is to ultimately minimise the risk of breaches and to uphold the protection of personal data. This policy also serves as a reference document for employees and third parties on the responsibilities of processing, handling and accessing personal data and data subject requests.
Personal Data
Code Monkey Studios ensures that a high level of care is afforded to personal data falling within the UK GDPR’s special categories, due to the assumption that this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to. The UK GDPR advises that, “Processing
of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.”
The UK GDPR Principles
Article 5 of the UK GDPR requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the UK GDPR principles’ (‘accountability’)
and requires that firms show how they comply with the principles, detailing and summarising the measures and controls that they have in place to protect personal information and mitigate the risks of processing and that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be incompatible with the initial purposes (‘purpose limitation’)
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay (‘accuracy’)
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Information Commissioner's Office (ICO)
The Information Commissioner's Office (ICO) (hereinafter referred to as the Commissioner) is an independent regulatory office which reports directly to Parliament and whose role it is to uphold information rights in the public interest. The legislation it has oversight for includes: -
o The UK GDPR (tailored by the Data Protection Act 2018)
o The Privacy and Electronic Communications Regulations (PECR)
o Freedom of Information Act 2000
o The Environmental Information Regulations 2004
The Commissioner's mission statement is “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” and the Commissioner can issue enforcement notices and fines for breaches of any of the Regulations, Acts and/or Laws regulated by them.
Under the UK GDPR, the Commissioner is responsible for the oversight and enforcement of the UK GDPR and Data Protection Act 2018 and for responding to complaints with regard to the UK GDPR from firms located solely in the UK.
Code Monkey Studios is registered with the ICO.
Our Data Protection Registration Number is ZB335767
Data Protection Officer
Code Monkey Studios' appointed Data Protection Officer is: Tom Smith.
Articles 37-39, and Recital 97 of the UK GDPR detail the obligations, requirements and responsibilities on firms to appoint a Data Protection Officer and specify the duties that the officer themselves must perform. A Data Protection Officer (DPO) must be appointed by a firm where: -
- The processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- The core activities of the controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
- The core activities of the controller/processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10
Code Monkey Studios has appointed the Data Protection Officer in accordance with the UK GDPR requirements and has ensured that the assigned person has an adequate and expert knowledge of data protection law. They are fully capable of monitoring Code Monkey Studios' internal compliance with the Regulation and of supporting and advising employees and associated third parties on data protection.
Objectives
We are committed to ensuring that all personal data processed by Code Monkey Studios is done so in accordance with UK GDPR and its principles, along with any associated regulations and/or codes of conduct laid down by the Commissioner and local law. We ensure the safe, secure, ethical and transparent processing of all personal data and have stringent measures to enable data subjects to exercise their rights.
Code Monkey Studios has developed the below objectives to meet our data protection obligations and to ensure continued compliance with the legal and regulatory requirements.
• We protect the rights of individuals regarding the processing of their personal information.
• We develop, implement and maintain a data protection policy, procedure, audit plan and training program for compliance with the UK GDPR.
• Every business practice, function and activity carried out by Code Monkey Studios is monitored for compliance with the UK GDPR and its principles.
• Personal data is only processed where we have verified and met the lawfulness of processing requirements
• We only process special category data in accordance with the UK GDPR requirements and in compliance with the Data Protection Act 2018 Schedule 1 conditions
• We record consent at the time it is obtained and evidence such consent to the Commissioner where requested
• All employees are competent and knowledgeable about their UK GDPR obligations and are provided with in-depth training in the UK GDPR, principles, regulations and how these apply to specific roles and Code Monkey Studios
• Individuals feel secure when providing us with personal information and know that it will be processed in accordance with our obligations and their rights under the UK GDPR
• We maintain a continuous program of monitoring, review and improvement regarding compliance with the UK GDPR and identify gaps and non-compliance before they become a risk, implementing mitigating actions where necessary
• We keep up to date with any information or guidance published by the ICO, as well as any relevant adequacy regulation lists published by the Secretary of State
• We have robust and documented Complaint Handling and Data Breach controls for identifying, investigating, reviewing and reporting any breaches or complaints regarding data protection
• We have appointed a Data Protection Officer who takes responsibility for the overall supervision and ongoing compliance with the UK GDPR and performs specific duties as set out under Article 37 of the UK GDPR
• We have a dedicated Audit & Monitoring Program in place to perform regular checks and assessments on how the personal data we process is obtained, used, stored and shared. The audit program is reviewed against our data protection policies, procedures and the relevant regulations to ensure continued compliance
• We provide clear reporting lines and supervision regarding data protection
• We store and destroy all personal information, in accordance with legal, regulatory and statutory requirements and suggested timeframes
• Any information provided to an individual in relation to their personal data held is provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language
• Employees are aware of their own rights under the UK GDPR and are provided with the Article 13/14 information disclosures in the form of an Employee Privacy Notice found in the Employee Handbook.
• Where applicable, we maintain records of processing activities in accordance with the Article 30 requirements
• We have developed and documented appropriate technical and organisational measures and controls for personal data security and have a robust Information Security program in place
Accountability and Compliance
Due to the nature, scope, context and purposes of processing undertaken by Code Monkey Studios, we carry out frequent risk assessments and information audits to identify, assess, measure and monitor the impact of such processing. We have implemented adequate and appropriate technical and organisational measures to ensure the safeguarding of personal data and compliance with the UK GDPR and can evidence such measures through our documentation and practices. Our main governance objectives are to:
Educate senior employees about the requirements under the UK GDPR and the possible impact of non-compliance.
Provide a dedicated and effective data protection training program for all employees.
Allocate responsibility for data protection compliance and ensure that the designated person has sufficient access, support and resources to perform the role.
Identify, create and disseminate the reporting lines within the data protection governance structure.
The technical and organisational measures that Code Monkey Studios has in place to ensure and demonstrate compliance with the UK GDPR, regulations and codes of conduct, are detailed in this document.
Privacy by Design
We operate a 'Privacy by Design' approach and ethos, with the aim of mitigating the risks associated with processing personal data through prevention via our processes, systems and activities. We have developed controls and measures that help us enforce this ethos; these include, but are not limited to, a two-factor authentication login process and mandatory password changes when prompted.
Data Minimisation
Under Article 5 of the UK GDPR, principle (c) advises that data should be 'limited to what is necessary', which forms the basis of our minimalist approach. We only ever obtain, retain, process and share the data that is essential for carrying out our services and/or meeting our legal obligations and only retain data for as long as is necessary.
Our systems, employees, processes and activities are designed to limit the collection of personal information to that which is directly relevant and necessary to accomplish the specified purpose. Data minimisation enables us to reduce data protection risks and breaches and supports our compliance with the UK GDPR.
Measures to ensure that only the necessary data is collected include: -
Electronic collection (i.e. forms, website, surveys etc) only have the fields that are relevant to the purpose of collection and subsequent processing. We do not include 'optional' fields, as optional denotes that it is not necessary to obtain
Physical collection (i.e. face-to-face, telephone etc) is supported using scripts and internal forms where the required data collection is ascertained using predefined fields. Again, only that which is relevant and necessary is collected
We have service level agreements (SLAs) and bespoke agreements in place with third-party controllers who send us personal information (either in our capacity as a controller or processor). These state that only relevant and necessary data is to be provided as it relates to the processing activity we are carrying out
We have documented destruction procedures in place where a data subject or third-party provides us with personal information that is surplus to requirement
Forms, contact pages and any documents used to collect personal information are reviewed every month to ensure that they are fit for purpose and are only obtaining necessary personal information in relation to the legal basis being relied upon for the processing
Pseudonymisation
We utilise pseudonymisation* where possible to record and store personal data in a way that ensures it can no longer be attributed to a specific data subject without the use of separate, additional information (personal identifiers). Encryption and partitioning are also used to protect the personal identifiers, being kept separate from the pseudonymised data sets. When using pseudonymisation, we ensure that the attribute(s) being removed and replaced, are unique and prevent the data subject from being identified through the remaining markers and attributes. Pseudonymisation can mean that the data subject is still likely to be identified indirectly and as such, we use this technique in conjunction with other technical and operational measures of risk reduction and data protection.
* Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
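The partitioning described above, worked through on constructed vehicle telematics records, as an added example that is not GPSBob or Code Monkey Studios code. The field names, sample records and the choice of an HMAC-SHA256 keyed pseudonym are assumptions made for illustration; the key plays the role of the "separate, additional information" held apart from the pseudonymised data set.

```python
"""Pseudonymise vehicle location records and partition the identifiers.

Added example (not the policy's own system). Assumed layout: each record
carries direct identifiers (registration, driver details) plus the location
fields that the telematics processing actually needs.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields that directly identify the driver or vehicle. These must not remain
# in the location data set that is processed or shared (assumed layout).
DIRECT_IDENTIFIERS = {"vehicle_reg", "driver_name", "driver_phone", "driver_email"}

# Constructed sample records, not real data.
SAMPLE_RECORDS: List[Dict] = [
    {"vehicle_reg": "AB12 CDE", "driver_name": "J. Doe", "driver_phone": "07700 900001",
     "timestamp": "2024-03-01T08:15:00Z", "lat": 51.5074, "lon": -0.1278, "speed_kph": 32},
    {"vehicle_reg": "XY99 ZZZ", "driver_name": "A. Smith", "driver_email": "a.smith@example.invalid",
     "timestamp": "2024-03-01T08:16:00Z", "lat": 53.4808, "lon": -2.2426, "speed_kph": 48},
    {"vehicle_reg": "AB12 CDE", "driver_name": "J. Doe", "driver_phone": "07700 900001",
     "timestamp": "2024-03-01T08:17:00Z", "lat": 51.5080, "lon": -0.1290, "speed_kph": 28},
]

# The secret that makes re-identification possible. It is generated here for
# the demo; in practice it is held separately from the pseudonymised data set.
DEMO_KEY = secrets.token_bytes(32)


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for one direct identifier.

    The same registration always maps to the same pseudonym under the same
    key, so trips can still be linked per vehicle, but without the key the
    registration cannot be recovered or enumerated from the pseudonym.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split records into (location_rows, lookup_table).

    location_rows: telematics fields only, tagged with the pseudonym.
    lookup_table:  pseudonym -> direct identifiers, to be stored and
                   protected separately from location_rows.
    """
    location_rows: List[Dict] = []
    lookup: Dict[str, Dict] = {}
    for rec in records:
        pid = pseudonym_for(rec["vehicle_reg"], key)
        # Drop every direct identifier; keep only what the processing needs.
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pid
        location_rows.append(row)
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
    return location_rows, lookup


def contains_direct_identifier(rows: List[Dict]) -> bool:
    """Release check: True if any row still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)


def reidentify(row: Dict, lookup: Dict[str, Dict]) -> Optional[Dict]:
    """Re-identification needs the separately held lookup table.

    Returns None when the pseudonym is not in the table, i.e. when only the
    location data set is available.
    """
    return lookup.get(row["pseudonym"])


if __name__ == "__main__":
    rows, table = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    print("identifiers left in location set:", contains_direct_identifier(rows))
    print("re-identified first row:", reidentify(rows[0], table))
    print("without the lookup table:", reidentify(rows[0], {}))
```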
Encryption
We utilise encryption as a further risk prevention measure for securing the personal data that we hold. Encryption with a secret key is used to make data indecipherable unless decryption of the dataset is carried out using the assigned key.
We utilise encryption via secret key for transferring personal data to any external party and provide the secret key in a separate format. Where special category information is being transferred and/or disclosed, the Data Protection Officer is required to authorise the transfer and review the encryption method for compliance and accuracy.
Restriction
Our Privacy by Design approach means that we use company-wide restriction methods for all personal data activities. Restricting access is built into the foundation of Code Monkey Studios processes, systems and structure and ensures that only those with authorisation and/or a relevant purpose, have access to personal information.
Special category data is restricted at all levels and can only be accessed by Tom Smith
Hard Copy Data
Due to the nature of our business, it is sometimes essential for us to obtain, process and share personal and special category information which is only available in a paper format without pseudonymisation options. Where this is necessary, we utilise a tiered approach to minimise the information we hold and/or the length of time we hold it for. Steps include: -
In the first instance, we always ask the initial data controller to send copies of any personal information records directly to the data subject
Where step 1 is not possible or feasible, we will obtain a copy of the data and if applicable redact to ensure that only the relevant information remains (i.e. when the data is being passed to a third-party for processing and not directly to the data subject)
When only mandatory information is visible on the hard copy data, we utilise electronic formats to send the information to the recipient to ensure that encryption methods can be applied (i.e. we do not use the postal system as this can be intercepted).
Recipients (i.e. the data subject, third-party processor) are reverified and their identity and contact details checked
The Data Protection Officer authorises the transfer and checks the file(s) attached and encryption method and key
Once confirmation has been obtained that the recipient has received the personal information, where possible (within the legal guidelines and rules of the UK GDPR), we destroy the hard copy data and delete the sent message
If for any reason a copy of the paper data must be retained by the Company, we use a physical safe to store such documents as opposed to our standard archiving system.
Information Audit
To enable Code Monkey Studios to comply with the UK GDPR, we have carried out a company-wide data protection information audit to better enable us to record, categorise and protect the personal data that we hold and process.
The audit has identified, categorised and recorded all personal information obtained, processed and shared by our company in our capacity as a controller/processor and has been compiled on a central register which includes: -
What personal data we hold
Where it came from
Who we share it with
Legal basis for processing it
What format(s) is it in
Who is responsible for it
Disclosures and Transfers
Legal Basis for Processing
At the core of all personal information processing activities undertaken by Code Monkey Studios, is the assurance and verification that we are complying with Article 6 of the UK GDPR and our lawfulness of processing obligations. Prior to carrying out any personal data processing activity, we identify and establish the legal basis for doing so and verify these against the regulation requirements to ensure we are using the most appropriate legal basis.
The legal basis is documented in our Privacy Notice and, where applicable, is provided to the data subject and the Commissioner as part of our information disclosure obligations. Data is only obtained, processed or stored when we have met the lawfulness of processing requirements, where: -
The data subject has given consent to the processing of their personal data for one or more specific purposes
Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
Processing is necessary for compliance with a legal obligation to which we are subject
Processing is necessary to protect the vital interests of the data subject or of another natural person
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Code Monkey Studios
Processing is necessary for the purposes of the legitimate interests pursued by Code Monkey Studios or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, where the data subject is a child).
Processing Special Category Data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited – unless one of the Article 9 clauses applies.
Where Code Monkey Studios processes any personal information classed as special category or information relating to criminal convictions, we do so in accordance with Article 9 of the UK GDPR regulations and in compliance with the Data Protection Act 2018 Schedule 1 Parts 1, 2, 3 & 4 conditions and requirements.
We will only ever process special category data where: -
The data subject has given explicit consent to the processing of the personal data.
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious or trade union aim
Processing relates to personal data which are manifestly made public by the data subject
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
Processing is necessary for reasons of substantial public interest
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
Processing is necessary for reasons of public interest around public health
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)
Schedule 1, Parts 1, 2 & 3 of The Data Protection Act 2018 provide specific conditions and circumstances when special category personal data can be processed and details the requirements that organisations are obligated to meet when processing such data.
Where Code Monkey Studios processes personal information that falls into one of the above categories, we have adequate and appropriate provisions and measures in place prior to any processing. Measures include: -
Verifying our reliance on one of the UK GDPR Article 9(1) clauses, and where applicable The Data Protection Act 2018 Sch.1, Pt.1, Pt.2 and/or Pt.3 conditions prior to processing
Documenting the Schedule 1 condition and Article 6(1) legal basis relied upon for processing on our Processing Activities Register (where applicable)
Having an appropriate policy document in place when the processing is carried out, specifying our: -
procedures for securing compliance with the UK GDPR principles
policy with regard to the retention and erasure of personal data processed in reliance on the condition
retention periods and reason(s) (i.e. legal, statutory etc.)
procedures for reviewing and updating our policies in this area.
Records of Processing Data
As an organisation with fewer than 250 employees, Code Monkey Studios does not maintain records of our processing activities. However, we continually review all such activities and company size to ensure that we will begin to record such information as detailed in the UK GDPR Article 30 where: -
1. We employ 250 or more people
2. Processing personal data could result in a risk to the rights and freedoms of individuals
3. The processing is not occasional
4. We process special categories of data or criminal convictions and offences
5. Such records are maintained in writing, are provided in a clear and easy to read format and are readily available to the Commissioner upon request.
As part of our obligations under the UK’s Data Protection Act 2018, Sch.1, Pt.4, where we are required to maintain a record of our processing activities in our capacity as a controller and are processing special category or criminal conviction data, as specified in Sch.1, Pt.1-3 of the Act, we also record the below information on the register: -
Which condition is relied on
How the processing satisfies Article 6 of the UK GDPR (lawfulness of processing)
Whether the personal data is retained and erased in accordance with the policies described in paragraph 30(b) of the Act (and if not, the reasons for not following those policies).
Codes of Conduct & Certification Mechanisms
These codes and certification mechanisms are approved by the Commissioner and have been disseminated throughout Code Monkey Studios to ensure competency and compliance from all staff.
The codes of conduct that we adhere to help us to: -
Improve transparency and accountability
Demonstrate to the public and the Commissioner that we meet the requirements of the data protection law and that we can be trusted with personal data
Mitigate against enforcement action(s)
Improve standards by establishing best practice
Carry out fair and transparent processing
Ensure appropriate safeguards within the framework of personal data transfers to third countries or international organisations
We submit to frequent and unscheduled monitoring and audits by the codes of conduct association/trade body and by the data protection certification scheme and understand that where we are deemed to be non-compliant in any area relating to the UK GDPR, we may lose our certification/seal of approval and/or the Commissioner will be informed.
Third Party Processors
Code Monkey Studios utilises external processors for certain processing activities. We use information audits to identify, categorise and record all personal data that is processed outside of Code Monkey Studios, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing includes (but is not limited to): -
Legal Services
Debt Collection Services
Payroll
Hosting or Email Servers
Direct Marketing/Mailing Services
We have strict due diligence and Know Your Customer procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. We obtain company documents, certifications, references and ensure that the processor is adequate, appropriate and effective for the task we are employing them for.
We audit their processes and activities prior to contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that they are obligated under to confirm compliance.
The continued protection of data subjects’ rights and the security of their personal information is always our top priority when choosing a processor and we understand the importance of adequate and reliable outsourcing for processing activities as well as our continued obligations under UK GDPR for data processed and handled by a third-party.
We draft bespoke Service Level Agreements (SLAs) and contracts with each processor as per the services provided and have a dedicated Processor Agreement template that details: -
The processor's data protection obligations
Our expectations, rights and obligations
The processing duration, aims and objectives
The data subjects’ rights and safeguarding measures
The nature and purpose of the processing
The type of personal data and categories of data subjects
Each of the areas specified in the contract is monitored, audited and reported on. Processors are notified that they shall not engage another processor without our prior specific authorisation and any intended changes concerning the addition or replacement of existing processors must be notified in writing, in advance of any such changes being implemented.
The Processor Agreement and any associated contract reflects the fact that the processor: -
Processes the personal data only on our documented instructions
Seeks our authorisation to transfer personal data to a third country or an international organisation (unless required to do so by a law to which the processor is subject)
Shall inform us of any such legal requirement to transfer data before processing
Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
Takes all measures to always secure the personal data
Respects, supports and complies with our obligation to respond to requests for exercising the data subject's rights
Assists Code Monkey Studios in ensuring compliance with our obligations for data security, mitigating risks, breach notification and privacy impact assessments
When requested, deletes or returns all personal data to Code Monkey Studios after the end of the provision of services relating to processing, and deletes existing copies where possible
Makes available to Code Monkey Studios all information necessary to demonstrate compliance with the obligations set out in the agreement and contract
Allows and supports audits, monitoring, inspections and reporting as set out in the contract
Informs Code Monkey Studios immediately of any breaches, non-compliance or inability to carry out their duties as detailed in the contract
Data retention and disposal
Code Monkey Studios have defined procedures for adhering to the retention periods as set out by the relevant laws, contracts and our business requirements, as well as adhering to the UK GDPR requirement to only hold and process personal information for as long as is necessary. All personal data is disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and prioritises the protection of the personal data in all instances.
Data protection impact assessments (DPIA)
Code Monkey Studios does not currently carry out any processing activities that are defined as requiring a DPIA, however we continually monitor all activities against the UK GDPR Article 35 requirements and have robust DPIA procedures already developed should they be necessary.
Consent and the right to be informed
The collection of personal and sometimes special category data is a fundamental part of the products/services offered by Code Monkey Studios and we therefore have specific measures and controls in place to ensure that we comply with the conditions for consent under the UK GDPR.
The data protection law defines consent as: ‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Where processing is based on consent, Code Monkey Studios have reviewed and revised all consent mechanisms to ensure that: -
Pre-ticked, opt-in boxes are never used
Where consent is given as part of other matters (i.e., terms & conditions, agreements, contracts), we ensure that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service)
Along with our company name, we also provide details of any other third party who will use or rely on the consent
Consent is always verifiable, and we have controls in place to ensure that we can demonstrate consent in every case
We keep detailed records of consent and can evidence at a minimum: –
- that the individual has consented to the use and processing of their personal data
- that the individual has been advised of our company name and any third party using the data
- what the individual was told at the time of consent
- how and when consent was obtained
We have ensured that withdrawing consent is as easy, clear, and straightforward as giving it and is available through multiple options, including: -
- Opt-out links in mailings or electronic communications
- Opt-out process explanation and steps on website and in all written communications
- Ability to opt-out verbally, in writing or by email
Consent withdrawal requests are processed immediately and without detriment
Controls and processes have been developed and implemented to refresh consent, especially those relating to parental consents
For special category data, the consent obtained is explicit (stated clearly and in detail, leaving no room for confusion or doubt) with the processing purpose(s) always being specified
Consent Controls
Code Monkey Studios maintain rigid records of data subject consent for processing personal data and are always able to demonstrate that the data subject has consented to the processing of his or her personal data where applicable. We also ensure that the withdrawal of consent is as clear, simple and transparent as giving it and is documented in all instances.
Where the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent is presented in a manner which is clearly distinguishable from those matters, in an intelligible and easily accessible form, using clear and plain language. All such written declarations are reviewed and authorised by the Data Protection Officer prior to being circulated.
Consent to obtain and process personal data is obtained by Code Monkey Studios through: -
• Face-to-Face
• Telephone
• In Writing
• Email/SMS
• Electronic (i.e. via website form)
Any electronic methods of gaining consent are regularly reviewed and tested to ensure that a compliant Privacy Notice is accessible and displayed and that consent is clear, granular and utilises a demonstrable opt-in mechanism. Where consent is obtained verbally, we utilise scripts and checklists to ensure that all requirements have been met and that consent is obtained compliantly and can be evidenced.
Electronic consent is always by a non-ticked, opt-in action (or double opt-in where applicable), enabling the individual to provide consent after the below information has been provided. This is then followed up with an email, SMS or written confirmation of the consent to process, store and share the personal information.
Privacy Notices are used in all forms of consent and personal data collection, to ensure that we are compliant in disclosing the information required in the UK GDPR in an easy to read and accessible format.
Alternatives to Consent
Code Monkey Studios recognise that there are six lawful bases for processing and that consent is not always the most appropriate option. We have reviewed all processing activities and only use consent as an option where the individual has a choice.
When reviewing the processing activity for compliance with the consent requirements, we ensure that none of the below are a factor: –
- Where we ask for consent but would still process the data even if consent was not given (or was withdrawn). If we would still process the data under an alternative lawful basis regardless of consent, we recognise that consent is not the correct lawful basis to use
- Where consent to process personal data is a precondition of a service we are offering, the individual has no genuine choice and consent is not the appropriate lawful basis
- Where there is an imbalance in the relationship (i.e., with employees)
Information Provisions
Where personal data is obtained directly from the individual (e.g. through consent, by employees, in written materials and/or in electronic formats such as website forms, subscriptions and email), we provide the below information in all instances in the form of a privacy notice:
The identity and the contact details of the controller and, where applicable, of the controller's representative
The contact details of our data protection officer
The purpose(s) of the processing for which the personal information is intended
The legal basis for the processing
Where the processing is based on point (f) of Article 6(1) "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party", details of the legitimate interests
The recipients or categories of recipients of the personal data (if applicable)
If applicable, the fact that Code Monkey Studios intends to transfer the personal data to a third country or international organisation and the existence/absence of an adequacy decision by the Commission
- where Code Monkey Studios intends to transfer the personal data to a third country or international organization without an adequate regulation by the Secretary of State, reference to the appropriate or suitable safeguards Code Monkey Studios has put into place and the means by which to obtain a copy of them or where they have been made available
The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
The existence of the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
Where the processing is based on consent under point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
The right to lodge a complaint with the Commissioner
Whether providing personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
The existence of any automated decision-making, including profiling, as referred to in Article 22(1) and (4) and explanatory information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
The above information is provided to the data subject at the time the information is collected and records pertaining to the consent obtained are maintained and stored for 6 years from the date of consent unless there is a legal requirement to keep the information longer.
Privacy Notice
Code Monkey Studios defines a Privacy Notice as a document, form, webpage or pop-up that is provided to individuals at the time we collect their personal data (or at the earliest possibility where that data is obtained indirectly).
Our Privacy Notice includes the Article 13 (where collected directly from individual) or 14 (where not collected directly) requirements and provides individuals with all the necessary and legal information about how, why and when we process their data, along with their rights and obligations.
We have a link to our Privacy Notice on our website and provide a copy in physical and digital formats upon request. The notice is the customer facing policy that provides the legal information on how we handle, process and disclose personal information.
The notice is easily accessible, legible, jargon-free and is available in several formats, dependent on the method of data collection: -
• Via our website
• Linked to or written in full in the footer of emails
• Worded in full in agreements, contracts, forms, and other materials where data is collected in writing or face-to-face
• In employee contracts and recruitment materials
• Verbally via telephone or face-to-face
• Via SMS
• Printed media, adverts, and financial promotions
• Digital Products/Services
• On Mobile Apps
• Automated phone service
With lengthy content being provided in the privacy notice and with informed consent being based on its contents, we have tested, assessed and reviewed our privacy notice to ensure usability, effectiveness and understanding.
We follow the below ICO preferred steps for testing, reviewing and auditing our privacy notice(s) and opt-in consent formats prior to use and to record such assessments.
1. Privacy Notices are drafted by the Data Protection Officer using the UK GDPR requirements and with the Commissioner’s guidance
2. We utilise a select customer base to test the Privacy Notice in its varying formats and provide a feedback form for completion, verifying the below points: -
a. How did you use the Privacy Notice (e.g., website, agreement, orally)?
b. Did you find the information in the Privacy Notice easy to read, understand and access?
c. Did you gain a full understanding of how we intend to use your data, who it will be shared with and what your rights are?
d. Did you feel confident in giving consent to use your personal data after reading the notice information?
e. Was there anything you did not understand?
f. Did you find any errors?
g. What, if anything, would you like to see changed about the Privacy Notice?
3. All feedback responses are saved with a copy of the used Privacy Notice and improvements are made and recorded where applicable
4. Re-testing is carried out on a new set of customers to ensure variety and independent assessment and verification
5. After a successful test, the acceptable Privacy Notice is rechecked against the UK GDPR and the Commissioner’s regulations and guidelines to ensure it still complies and is adequate and effective
6. The final Privacy Notice(s) are then authorised by Senior Management/Director(s) before being rolled out
Where we rely on consent to obtain and process personal information, we ensure that the consent request: -
• Is displayed clearly and prominently
• Asks individuals to positively opt-in
• Gives them enough information to make an informed choice
• Explains the different ways we will use their information
• Provides a clear and simple way for them to indicate they agree to different types of processing
• Includes a separate unticked opt-in box for direct marketing
Personal Data not obtained from the Data Subject
Where Code Monkey Studios obtains and/or processes personal data that has not been obtained directly from the data subject, Code Monkey Studios ensures that the information disclosures contained in Article 14 are provided to the data subject within 30 days of our obtaining the personal data (except for advising whether the personal data is a statutory or contractual requirement).
In addition to the information disclosures in section 8.1.4, where personal data has not been obtained directly from a data subject, we also provide them with information about: -
• The categories of personal data
• The source the personal data originated from and whether it came from publicly accessible sources
Where the personal data is to be used for communication with the data subject, or a disclosure to another recipient is envisaged, the information will be provided at the latest, at the time of the first communication or disclosure.
Where Code Monkey Studios intends to further process any personal data for a purpose other than that for which it was originally obtained, we communicate this intention to the data subject prior to doing so and, where applicable, process only with their consent.
Whilst we follow best practice in the provision of the information noted in the relevant section of this policy, we reserve the right not to provide the data subject with the information if: -
• They already have it, and we can evidence their prior receipt of the information
• The provision of such information proves impossible and/or would involve a disproportionate effort
• Obtaining or disclosure is expressly laid down by a provision of domestic law to which Code Monkey Studios is subject and which provides appropriate measures to protect the data subject's legitimate
• Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by domestic law, including a statutory obligation of secrecy.
Employee Personal Data
As per the Data Protection law guidelines, we do not use consent as a legal basis for obtaining or processing employee personal information. Our HR policies have been updated to ensure that employees are provided with the appropriate information disclosure and are aware of how we process their data and why.
All employees have access to our Staff Handbook which informs them of their rights under the UK GDPR and how to exercise these rights and included within the handbook is an Employee Privacy Notice specific to the personal information we collect and process about them.
The right of access
We have ensured that appropriate measures have been taken to provide information referred to in Articles 13/14 and any communication under Articles 15 to 22 and 34 (collectively, The Rights of Data Subjects), in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Such information is provided free of charge and in writing, or by other means where authorised by the data subject (e.g. verbally or electronically) and with prior verification of the subject’s identity.
Information is provided to the data subject at the earliest opportunity, but at a maximum of 30 days from the date the request is received. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and the data subject is kept informed in writing throughout the retrieval process of any delays or reasons for delay.
Where we do not comply with a request for data provision, the data subject is informed within 30 days of the reason(s) for the refusal and of their right to lodge a complaint with the Commissioner.
Subject access request
Where a data subject asks us to confirm whether we hold and process personal data concerning him or her and requests access to such data, we provide them with: -
• The purposes of the processing
• The categories of personal data concerned
• The recipients or categories of recipient to whom the personal data have been or will be disclosed
• Whether the data has been or will be disclosed to third countries or international organisations, and the appropriate safeguards pursuant to the transfer
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
• The right to lodge a complaint with the Commissioner
• Where personal data has not been collected by Code Monkey Studios from the data subject, any available information as to the source and provider
• The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Subject Access Requests (SAR) are passed to the [Data Protection Officer/Compliance Officer] as soon as received and a record of the request is noted. The type of personal data held about the individual is checked against our Information Audit to see what format it is held in, who else it has been shared with and any specific timeframes for access.
SARs are always completed within 30 days and are provided free of charge. Where the individual makes the request by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.
Please refer to our external Subject Access Request Procedures for the guidelines on how an SAR can be made and what steps we take to ensure that access is provided under the UK GDPR.
Correcting Inaccurate or Incomplete Data
In accordance with Article 5(d), all data held and processed by Code Monkey Studios is reviewed and verified as being accurate wherever possible and is always kept up to date. Where inconsistencies are identified and/or where the data subject or controller informs us that the data we hold is inaccurate, we take every reasonable step to ensure that such inaccuracies are corrected with immediate effect.
The [Data Protection Officer/Responsible Person] is notified of the data subject's request to update personal data and is responsible for validating the information and rectifying errors where they have been notified. The information is altered as directed by the data subject, with the information audit being checked to ensure that all data relating to the subject is updated where incomplete or inaccurate. Once updated, we add an addendum or supplementary statement where applicable.
Where notified of inaccurate data by the data subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them. The data subject is informed in writing of the correction and where applicable, is provided with the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or completion, we always provide a written explanation to the individual and inform them of their right to complain to the Commissioner.
Retention of Data
Following the ICO’s guidance on storage limitation, we erase or anonymise personal data when it is no longer needed, which reduces the risk that it becomes irrelevant, excessive, inaccurate or out of date. Personal data held for too long will, by definition, be unnecessary. Our retention periods are: -
Employee records, contracts of employment, annual leave, training records - While employment continues and up to 6 years after employment ends
Payroll and wage records, including PAYE, Income tax, national insurance, sick pay - 6 years from the financial year end in which payments were made.
Maternity records - 3 years after the end of the tax year in which the maternity pay period ends.
Job applications (unsuccessful) - 4 months after notifying unsuccessful candidates
Financial transactions, invoices and supplier details - 6 years
Insurance records - Permanently
The Right to Erasure
Also known as ‘The Right to be Forgotten’, Code Monkey Studios complies fully with Article 5(e) and ensures that personal data which identifies a data subject is not kept for longer than is necessary for the purposes for which the personal data is processed.
All personal data obtained and processed by Code Monkey Studios is categorised when assessed by the information audit and is either given an erasure date or is monitored so that it can be destroyed when no longer necessary.
The Right to Restrict Processing
There are certain circumstances where Code Monkey Studios restricts the processing of personal information, to validate, verify or comply with a legal requirement of a data subject's request. Restricted data is removed from the normal flow of information and is recorded as being restricted on the information audit.
Any account and/or system related to the data subject of restricted data is updated to notify users of the restriction category and reason. When data is restricted it is only stored and not processed in any way.
Code Monkey Studios will apply restrictions to data processing in the following circumstances: -
• Where an individual contests the accuracy of the personal data and we are in the process of verifying the accuracy of the personal data and/or making corrections
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or the purpose of legitimate interests), and we are considering whether we have legitimate grounds to override those of the individual
• When processing is deemed to have been unlawful, but the data subject requests restriction as opposed to erasure
• Where we no longer need the personal data, but the data subject requires the data to establish, exercise or defend a legal claim
The Data Protection Officer reviews and authorises all restriction requests and actions and retains copies of notifications from and to data subjects and relevant third parties. Where data is restricted, and we have disclosed such data to a third-party, we will inform the third-party of the restriction in place and the reason and re-inform them if any such restriction is lifted.
Data subjects who have requested restriction of data are informed within 30 days of the restriction application and are also advised of any third-party to whom the data has been disclosed. We also provide in writing to the data subject, any decision to lift a restriction on processing. If for any reason, we are unable to act in response to a request for restriction, we always provide a written explanation to the individual and inform them of their right to complain to the Commissioner.
Objections and Automated Decision Making
Data subjects are informed of their right to object to processing in our Privacy Notices and at the point of first communication, in a clear and legible form and separate from other information. We provide opt-out options on all direct marketing material and provide an online objection form where processing is carried out online. Individuals have the right to object to: -
• Processing of their personal information based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
• Direct marketing (including profiling)
• Processing for purposes of scientific/historical research and statistics
Where Code Monkey Studios processes personal data for the performance of a legal task, in relation to our legitimate interests or for research purposes, a data subject's objection will only be considered where it is on 'grounds relating to their particular situation'. We reserve the right to continue processing such personal data where: -
• We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the individual
• The processing is for the establishment, exercise or defence of legal claims
Where we are processing personal information for direct marketing purposes under a previously obtained consent, we will stop processing such personal data immediately where an objection is received from the data subject. This measure is absolute, free of charge and is always adhered to.
Where a data subject objects to data processing on valid grounds, Code Monkey Studios will cease the processing for that purpose and advise the data subject of cessation in writing within 30 days of the objection being received.
We have carried out a system audit to identify automated decision-making processes that do not involve human intervention. We also assess new systems and technologies for this same component prior to implementation. The Company understands that decisions made without human involvement can be biased against individuals and, pursuant to Articles 9 and 22 of the UK GDPR, we aim to put measures in place to safeguard individuals where appropriate.
Via our Privacy Notices, in our first communications with an individual and on our website, we advise individuals of their rights not to be subject to a decision when: -
• It is based on automated processing
• It produces a legal effect or a similarly significant effect on the individual
In limited circumstances, Code Monkey Studios will use automated decision-making processes within the guidelines of the regulations. Such instances include: -
• Where it is necessary for entering into or performance of a contract between us and the individual
• Where it is authorised by law (e.g., fraud or tax evasion prevention)
• When based on explicit consent to do so
• Where the decision does not have a legal or similarly significant effect on someone
Where Code Monkey Studios uses automated decision-making processes, we always inform the individual and advise them of their rights. We also ensure that individuals can obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.
Security and Breach Management
Alongside our 'Privacy by Design' approach to protecting data, we ensure the maximum security of data that is processed, including as a priority, when it is shared, disclosed and transferred.
We carry out information audits to ensure that all personal data held and processed by us is accounted for and recorded, alongside risk assessments to ascertain the scope and impact a data breach could have on a data subject(s). We have implemented adequate and appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Whilst every effort is made and all reasonable measures are taken to reduce the risk of data breaches, the Company has dedicated controls and procedures in place for such situations, along with the notifications to be made to the Commissioner and data subjects (where applicable).
A data breach incident form will be filed and kept on record. (Appendix A)
Identification of an Incident
As soon as a data breach has been identified, it is reported to the direct line manager and the Data Protection Officer immediately so that breach procedures can be initiated and followed without delay.
Reporting incidents in full and with immediate effect is essential to the compliant functioning of the Company and is not about apportioning blame. These procedures are for the protection of Code Monkey Studios, its staff, customers, clients and third parties and are of the utmost importance for legal regulatory compliance.
As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document due to the vast nature of breaches and the variety of measures to be taken; however, the aim of any such measures should be to stop any further risk/breach to the organisation, customer, client, third-party, system or data prior to investigation and reporting. The measures taken are noted on the incident form in all cases.
Breach Recording
Code Monkey Studios utilises a Breach Incident Form for all incidents, which is completed for any data breach, regardless of severity or outcome. Completed forms are logged in the Breach Incident Folder (electronic or hard copy) and reviewed against existing records to ascertain patterns or reoccurrences.
In cases of data breaches, the [Data Protection Officer/Compliance Officer] is responsible for carrying out a full investigation, appointing the relevant staff to contain the breach, recording the incident on the breach form and making any relevant and legal notifications. The completion of the Breach Incident Form is only to be actioned after containment has been achieved.
A full investigation is conducted and recorded on the incident form, with the outcome being communicated to all staff involved in the breach, in addition to senior employees. A copy of the completed incident form is filed for audit and documentation purposes.
If applicable, the Commissioner and the data subject(s) are notified in accordance with the UK GDPR requirements (refer to section 6 of this policy). The Commissioner protocols are to be followed and their 'Security Breach Notification Form' should be completed and submitted. In addition, any individual whose data or personal information has been compromised is notified if required, and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.
Transfers and data sharing
Code Monkey Studios takes proportionate and effective measures to protect personal data processed by us; however, we recognise the high-risk nature of disclosing and transferring personal data and as such, place an even higher priority on the protection and security of data being transferred.
Where data is being transferred for a legal and necessary purpose, compliant with all Articles in the UK GDPR, we utilise a process that ensures such data is encrypted with a secret key and where possible is also subject to our data minimisation methods.
We use approved, secure methods of transfer and have dedicated points of contact with each third country or international organisation with whom we deal. All data being transferred outside the UK is recorded on our information audit so that tracking is easily available, and authorisation is accessible. The Data Protection Officer authorises all transfers outside the UK and verifies the encryption and security methods and measures.
Audits and Monitoring
The policy and procedure details in this document show the extensive controls, measures and methods used by Code Monkey Studios to protect personal data, uphold the rights of data subjects, mitigate risks, minimise breaches and comply with the UK GDPR and associated laws and codes of conduct. In addition to these, we also carry out regular audits and compliance monitoring processes, with a view to ensuring that the measures and controls in place to protect data subjects and their information are adequate, effective and compliant at all times.
The Data Protection Officer has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Senior employees where applicable. Data minimisation methods are frequently reviewed, and new technologies assessed to ensure that we are protecting data and individuals to the best of our ability.
All reviews, audits and ongoing monitoring processes are recorded by the Data Protection Officer and copies provided to Senior employees and are made readily available to the Commissioner where requested.
The aims of internal data protection audits are to: -
Ensure that the appropriate policies and procedures are in place
Verify that those policies and procedures are being followed
Test the adequacy and effectiveness of the measures and controls in place
Detect breaches or potential breaches of compliance
Identify risks and assess the mitigating actions in place to minimise such risks
Recommend solutions and action plans to Senior employees for improvements in protecting data subjects and safeguarding their personal data
Monitor compliance with the UK GDPR and demonstrate best practice.
Training
Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the UK GDPR requirements and its principles, and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role. Employees are continually supported and trained in the UK GDPR requirements and in Code Monkey Studios' own objectives and obligations around data protection.