- General Policy
1.1 EnvironMentalHealth CIC recognises the legal requirements of the General Data
Protection Regulation (GDPR) and is committed to safeguarding personal data.
1.2 Personal data will be processed fairly and lawfully and, in particular, will
not be processed unless –
a) at least one of the conditions set out in Section 2 below is met, and
b) in the case of special category data, at least one of the conditions in Section 3 below is also met.
1.3 Personal data will be obtained only for one or more specified and lawful purposes, and shall not
be further processed in any manner incompatible with that purpose or those purposes.
1.4 Personal data will be adequate, relevant and not excessive in relation to the purpose(s) for
which they are processed.
1.5 Personal data shall be accurate and, where necessary, kept up to date.
1.6 Personal data processed for any purpose(s) will not be kept for longer than is necessary.
1.7 Personal data will be processed in accordance with the rights of data subjects under the
1.8 Appropriate technical and organisational measures will be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or damage to,
personal data.
1.9 Personal data will not be transferred to a country or territory outside the European Economic
Area unless that country or territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal data.
- Conditions For Processing Personal Data
2.1 Unless a relevant exemption applies, at least one of the following conditions must be met
whenever we process personal data:
a) The individual has consented to the processing of their personal data.
b) The processing is necessary in relation to a contract which the individual has entered into; or
because the individual has asked for something to be done so they can enter into a contract.
c) The processing is necessary because of a legal obligation that applies to you (except an
obligation imposed by a contract).
DATA PROTECTION POLICY
d) The processing is necessary to protect the individual’s “vital interests”. This condition only
applies in cases of life or death, such as where an individual’s medical history is disclosed to a
hospital’s A&E department treating them after a serious road accident.
e) The processing is necessary for administering justice, or for exercising statutory, governmental,
or other public functions.
f) The processing is in accordance with the “legitimate interests” condition.
- Conditions For Processing Special Category Data
3.1 At least one of the additional conditions listed below must also be met whenever we
process special category data:
a) The individual has consented explicitly to the processing of their
special category data.
b) The processing is necessary to comply with employment law.
c) The processing is necessary to protect the vital interests of:
• the individual (in a case where the individual’s consent cannot be given or
reasonably obtained), or
• another person (in a case where the individual’s consent has been unreasonably
d) The processing is carried out by a not-for-profit organisation and does not involve
disclosing personal data to a third party, unless the individual consents. Extra limitations
apply to this condition.
e) The individual has deliberately made the information public.
f) The processing is necessary in relation to legal proceedings; for obtaining legal advice; or
otherwise for establishing, exercising or defending legal rights.
g) The processing is necessary for administering justice, or for exercising statutory or
h) The processing is necessary for medical purposes, and is undertaken by a health
professional or by someone who is subject to an equivalent duty of confidentiality.
i) The processing is necessary for monitoring equality of opportunity, and is carried out with
appropriate safeguards for the rights of individuals.
3.2 In addition to the above conditions – which are all set out in the GDPR itself – regulations set
out several other conditions for processing special category data. Their effect is to permit the
processing of special category data for a range of other purposes – typically those that are in the
substantial public interest, and which must necessarily be carried out without the explicit consent
of the individual.
3.3 Examples of such purposes include preventing or detecting crime and protecting the public
against malpractice or maladministration.