STUDIO KIBITZ GROUP

Data Protection Policy

STUDIO KIBITZ GROUP Data Protection Policy – to conform with the General Data Protection Regulation (‘GDPR’)

 

Introduction

The purpose of the General Data Protection Regulation is to protect the “rights and freedoms” of individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent. It applies to the processing of personal data both in electronic and in hard copy form.

Definitions


Personal data is any information relating to an identifiable natural person who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

 

A Data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

A Data subject is any living individual who is the subject of personal data held by an organisation.

Processing is any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

A Personal data breach is a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

Data subject consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

 

A Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 

Policy statement

 


The Board of Directors and management of STUDIO KIBITZ GROUP are committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information STUDIO KIBITZ GROUP collects and processes in accordance with the General Data Protection Regulation 2016 (GDPR).

This policy, alongside STUDIO KIBITZ GROUP’s Information Security Policy and other related policies, applies to STUDIO KIBITZ GROUP personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data the organisation processes from any source.

 

The Data Protection Officer is responsible for reviewing the Data Retention Schedules annually in the light of any changes to STUDIO KIBITZ GROUP activities and to any additional requirements identified by means of any data protection impact assessments.

This policy applies to all staff of STUDIO KIBITZ GROUP including any interested parties such as outsourced suppliers. Any breach of the GDPR will be dealt with under STUDIO KIBITZ GROUP disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities. Partners and any third parties working with or for STUDIO KIBITZ GROUP, and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy. No third party may access personal data held by STUDIO KIBITZ GROUP without having first agreed to this policy and to STUDIO KIBITZ GROUP GDPR contract addendum which imposes on the third party obligations no less onerous than those to which STUDIO KIBITZ GROUP is committed, and which gives STUDIO KIBITZ GROUP the right to audit compliance with such obligations.

 

Responsibilities and roles under the General Data Protection Regulation

 

STUDIO KIBITZ GROUP is a data controller and a data processor under the GDPR.

Top Management and all those in managerial or supervisory roles throughout STUDIO KIBITZ GROUP are responsible for developing and encouraging good information handling practices within STUDIO KIBITZ GROUP; responsibilities are set out in individual job descriptions.

 

The Data Protection Officer is accountable to the Board of Directors of STUDIO KIBITZ GROUP for the management of personal data within STUDIO KIBITZ GROUP and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:

development and implementation of the GDPR as required by this policy; and

security and risk management in relation to compliance with the policy.

 

The Data Protection Officer (DPO), who the Board of Directors considers to be suitably qualified and experienced, has been appointed to take responsibility for STUDIO KIBITZ GROUP compliance with this policy on a day-to-day basis and, in particular, has direct responsibility for ensuring that STUDIO KIBITZ GROUP complies with the GDPR, as do Managers in respect of data processing that takes place within their area of responsibility.

 

The DPO is the first point of call for those seeking clarification on any aspect of data protection compliance.

Compliance with data protection legislation is the responsibility of all staff of STUDIO KIBITZ GROUP who process personal data.

Staff of STUDIO KIBITZ GROUP are responsible for ensuring that any personal data about them and supplied by them to STUDIO KIBITZ GROUP is accurate and up-to-date.

 

Data protection principles

All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the GDPR. STUDIO KIBITZ GROUP policies and procedures are designed to ensure compliance with the principles.

Personal data must be processed lawfully, fairly and transparently

Lawful – identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing”, for example consent.

Fairly – in order for processing to be fair, the data controller has to make certain information available to the data subjects as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources. The GDPR has increased requirements about what information should be available to data subjects, which is covered in the ‘Transparency’ requirement.

Transparently – the GDPR includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the data subject in an intelligible form using clear and plain language.

 

Personal data can only be collected for specific, explicit and legitimate purposes

Data obtained for specified purposes must not be used for a purpose that differs from those agreed with the data subject.

Personal data must be adequate, relevant and limited to what is necessary for processing

 

The DPO is responsible for ensuring that STUDIO KIBITZ GROUP does not collect information that is not strictly necessary for the purpose for which it is obtained.

 

Personal data must be accurate and kept up to date with every effort to erase or rectify without delay

Data that is stored by the data controller must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.

 

The DPO is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.

It is also the responsibility of the data subject to ensure that data held by STUDIO KIBITZ GROUP is accurate and up to date.

Staff should be required to notify STUDIO KIBITZ GROUP of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of STUDIO KIBITZ GROUP to ensure that any notification regarding change of circumstances is recorded and acted upon.

 

The DPO is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.

On at least an annual basis, the DPO will review the retention dates of all the personal data processed by STUDIO KIBITZ GROUP, by reference to the data retention schedules, and will identify any data that is no longer required in the context of the registered purpose. This data should be securely deleted/destroyed.

 

The DPO is responsible for responding to requests for rectification from data subjects within a reasonable timescale.

Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.

Personal data will be retained in line with the Data Retention Schedules and, once its retention date is passed, it must be securely destroyed as set out in the schedule.

 

The DPO must specifically approve any data retention that exceeds the retention periods defined in the Data Retention Schedules, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.

 

Personal data must be processed in a manner that ensures the appropriate security

The Data Protection Officer will carry out a risk assessment taking into account all the circumstances of STUDIO KIBITZ GROUP controlling or processing operations. STUDIO KIBITZ GROUP compliance with this principle is contained within STUDIO KIBITZ GROUP Information Security Policy.

The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. STUDIO KIBITZ GROUP will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, and implementing technical and organisational measures.

 

Data subjects’ rights

Data subjects have the following rights regarding data processing, and the data that is recorded about them:

To make subject access requests regarding the nature of information held and to whom it has been disclosed.

To prevent processing likely to cause damage or distress.

To prevent processing for purposes of direct marketing.

To be informed about the mechanics of an automated decision-taking process that will significantly affect them.

To not have significant decisions that will affect them taken solely by an automated process.

To sue for compensation if they suffer damage by any contravention of the GDPR.

To take action to rectify, block, erase (including the right to be forgotten) or destroy inaccurate data.

To request the supervisory authority to assess whether any provision of the GDPR has been contravened.

To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.

To object to any automated profiling that is occurring without consent.

STUDIO KIBITZ GROUP ensures that data subjects may exercise these rights:

Data subjects may make data access requests.

Data subjects have the right to complain to STUDIO KIBITZ GROUP relating to the processing of their personal data, the handling of a request from a data subject and appeals from a data subject on how complaints have been handled in line with the STUDIO KIBITZ GROUP Complaints Procedure.

 

Consent

STUDIO KIBITZ GROUP understands ‘consent’ to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the data subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.

STUDIO KIBITZ GROUP understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them.

There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication.

For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.

 

Security of data

STUDIO KIBITZ GROUP IT Security Policy governs how STUDIO KIBITZ GROUP protects personal data.

 

Disclosure of data

STUDIO KIBITZ GROUP must ensure that personal data is not disclosed to unauthorised third parties, which include family members, friends, government bodies and, in certain circumstances, the Police. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of STUDIO KIBITZ GROUP business.

All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the DPO.

 

Retention and disposal of data

STUDIO KIBITZ GROUP shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purpose(s) for which the data was originally collected.

The retention period for each category of personal data will be set out in the STUDIO KIBITZ GROUP Retention Schedules along with the criteria used to determine this period including any statutory obligations STUDIO KIBITZ GROUP has to retain the data. Personal data must be disposed of securely in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects.

 

Data transfers

STUDIO KIBITZ GROUP shall not export data to non-European Economic Area countries without the data subject’s express consent.

 

Information asset register/data inventory/data mapping

STUDIO KIBITZ GROUP is aware of the risks associated with the processing of particular types of personal data.

STUDIO KIBITZ GROUP assesses the level of risk to individuals associated with the processing of their personal data and manages these risks accordingly.


© 2020 STUDIO KIBITZ GROUP