Privacy Policy
Data Protection Policy
This data protection policy is intended to ensure compliance with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018. It sets out the regulatory data protection requirements in one summary document, which can serve as the basis for data protection inspections, for example by customers within the scope of a data processing agreement. The policy is intended not only to ensure compliance but also to provide evidence of compliance.
1. Introduction
ProFire Compliance Limited (“the Company”) is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. Our policies and procedures are designed to meet the requirements of the UK GDPR and DPA 2018.
2. Purpose
The purpose of this Data Protection Policy is to ensure that the Company:
- Complies with data protection law and follows good practice.
- Protects the rights of staff, customers, and partners.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risks of a data breach.
3. Scope
This policy applies to all employees, contractors, and third-party service providers who process personal data on behalf of ProFire Compliance Limited.
4. Data Protection Principles
The Company is committed to processing data in accordance with its responsibilities under the UK GDPR. The principles of the UK GDPR are:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
5. Data Subject Rights
Data subjects have the following rights regarding data processing and the data that is recorded about them:
- Right to be Informed: Data subjects must be informed about how their personal data is being processed.
- Right of Access: Data subjects can request access to their personal data.
- Right to Rectification: Data subjects can request that inaccurate or incomplete data be corrected.
- Right to Erasure: Data subjects can request deletion or removal of their personal data.
- Right to Restrict Processing: Data subjects can request the restriction or suppression of their personal data.
- Right to Data Portability: Data subjects can obtain and reuse their personal data for their own purposes across different services.
- Right to Object: Data subjects can object to the processing of their personal data.
- Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing.
6. Lawful Basis for Processing
The Company will ensure that one or more of the following lawful bases apply whenever personal data is processed:
- Consent: The individual has given clear consent for their personal data to be processed for a specific purpose.
- Contract: The processing is necessary for a contract the Company has with the individual, or because they have asked the Company to take specific steps before entering into a contract.
- Legal Obligation: The processing is necessary for the Company to comply with the law.
- Vital Interests: The processing is necessary to protect someone’s life.
- Public Task: The processing is necessary for the Company to perform a task in the public interest or for the Company’s official functions.
- Legitimate Interests: The processing is necessary for the Company’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
7. Data Security
The Company will ensure the security of personal data by:
- Using strong encryption for data at rest and in transit.
- Restricting access to personal data to authorised personnel only.
- Implementing appropriate physical and technical security measures.
- Regularly reviewing and testing security measures.
- Ensuring that any data processors the Company uses also implement appropriate security measures.
8. Data Breach Management
In the event of a data breach, the Company will follow the procedures outlined in our Data Breach Response Plan, including:
- Containing and recovering from the breach.
- Assessing the risks associated with the breach.
- Notifying the relevant supervisory authority and affected individuals where required.
- Reviewing the incident and implementing measures to prevent future breaches.
9. Data Retention
Personal data will not be kept for longer than is necessary for the purpose for which it is processed. The Company will:
- Establish and adhere to retention schedules for different categories of personal data.
- Regularly review data retention practices and update them as necessary.
- Ensure that data is securely deleted or anonymised when no longer needed.
10. Training and Awareness
All employees and contractors who handle personal data will receive training on data protection law and the Company’s data protection policies and procedures. Regular updates and refresher training will be provided as necessary.
11. Responsibilities
- Data Protection Officer (DPO): The DPO is responsible for overseeing this policy and ensuring the Company’s compliance with data protection law.
- Employees and Contractors: All employees and contractors must comply with this policy and report any breaches or potential issues to the DPO.
12. Review
This policy will be reviewed annually or as necessary to ensure continued compliance with data protection laws and best practices.