This GDPR (General Data Protection Regulation) Policy outlines the principles and practices that Tornado Brewing follows to ensure compliance with data protection law in the UK, specifically the GDPR. We are committed to safeguarding the privacy and protecting the personal data of our customers, employees, suppliers, and other stakeholders.
This policy applies to all personal data processed by Tornado Brewing, whether held electronically or in manual formats, and to all employees, contractors, and third parties who process personal data on our behalf.
- Lawfulness, Fairness, and Transparency: We will process personal data lawfully, fairly, and transparently. We will provide individuals with clear and concise information about how their data will be used.
- Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes, and will not be further processed in a way that is incompatible with those purposes.
- Data Minimisation: We will only collect and process the personal data that is necessary for the purpose for which it is being processed.
- Accuracy: We will ensure that personal data is accurate and kept up to date. We will take reasonable steps to rectify or erase inaccurate or incomplete data.
- Storage Limitation: Personal data will be kept in a form that permits identification for no longer than is necessary for the purposes for which it is being processed.
- Integrity and Confidentiality: We will process personal data in a manner that ensures its security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.
4. Data Subjects' Rights
We will respect and uphold the rights of data subjects as specified under GDPR, including the right to access, rectification, erasure, restriction of processing, data portability, and objection. Requests from data subjects to exercise their rights will be promptly addressed and responded to.
5. Lawful Basis for Processing
We will only process personal data when we have a lawful basis to do so, such as the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, or the performance of a task carried out in the public interest or in the exercise of official authority.
6. Data Breach Response
In the event of a data breach, we will take immediate steps to assess and mitigate the impact. If necessary, we will notify the relevant authorities and affected individuals within the required timeframes.
7. Data Protection Officer (DPO)
[Name of DPO], our designated Data Protection Officer, will oversee data protection activities and ensure compliance with GDPR and related regulations.
8. Third-Party Processors
We will only engage third-party processors who provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of GDPR.
9. Review and Update
This policy will be reviewed regularly to ensure its continued accuracy and effectiveness in line with changing regulations and business practices.
GDPR Policy 23’