Introduction
This Policy sets out the obligations of Eudemonics regarding data protection and the rights of individuals (“data subjects”) in respect of their personal data under Data Protection Law.
“Data Protection Law” means all legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (as amended).
This Policy explains how Eudemonics collects, processes, transfers, stores, and disposes of personal data. All employees, agents, contractors, and other parties working on behalf of Eudemonics must comply with these procedures and principles.
Definitions
- Consent: Freely given, specific, informed, and unambiguous agreement by a data subject to the processing of their personal data.
- Data Controller: The entity that determines the purposes and means of the processing of personal data. Eudemonics Ltd is the data controller.
- Data Processor: A person or organisation that processes personal data on behalf of the controller.
- Data Subject: A living individual whom the personal data concerns.
- Personal Data: Any information relating to an identified or identifiable individual.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Processing: Any operation performed on personal data, whether automated or not, including collection, storage, alteration, use, disclosure, or erasure.
- Pseudonymisation: Processing personal data so that it can no longer be attributed to a specific individual without additional information kept separately.
- Special Category Personal Data: Data revealing racial or ethnic origin, political opinions, religious beliefs, health information, genetic or biometric data, or sexual orientation.
Scope
Eudemonics is committed to handling all personal data lawfully, fairly, transparently, and securely, respecting the legal rights, privacy, and trust of all individuals.
The Data Protection Officer for Eudemonics is Sean McCallum, contactable at info@eudemonics.net.
All staff are responsible for ensuring compliance with this Policy and for following associated practices, controls, and training.
Consult the Data Protection Officer when:
- The lawful basis for processing is unclear.
- Consent is required or needs to be verified.
- There is uncertainty regarding retention periods.
- New or updated privacy notices are required.
- A data subject exercises their rights.
- A personal data breach is suspected or confirmed.
- Security measures require review.
- Personal data will be shared with third parties.
- Personal data will be transferred outside the UK.
- Significant new processing activities or changes are proposed.
- Automated decision-making or profiling will be used.
- Direct marketing activities involve personal data.
Data Protection Principles
Eudemonics ensures that all personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specific, explicit, and legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Stored for no longer than necessary for the intended purposes.
- Processed securely to prevent unauthorised or unlawful processing, accidental loss, destruction, or damage.
The Rights of Data Subjects
Data subjects have the following rights:
- The right to be informed about how personal data is collected and used.
- The right of access to their personal data.
- The right to rectification of inaccurate or incomplete data.
- The right to erasure (“the right to be forgotten”) under specific circumstances.
- The right to restrict processing under certain conditions.
- The right to data portability to move, copy, or transfer personal data.
- The right to object to the processing of personal data.
- Rights related to automated decision-making and profiling.
Lawful Basis for Processing
Processing of personal data by Eudemonics is lawful if at least one of the following applies:
- The data subject has provided clear consent.
- Processing is necessary for the performance of a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing protects vital interests.
- Processing is necessary for a task carried out in the public interest.
- Processing is necessary for legitimate interests pursued by Eudemonics, provided these are not overridden by the interests or fundamental rights of the data subject.
Special Category Data
Processing special category data requires an additional lawful basis, such as explicit consent or necessity for healthcare purposes. Eudemonics ensures appropriate safeguards are always in place when processing such data.
Data Minimisation and Accuracy
Eudemonics ensures that personal data is:
- Adequate and relevant for its purpose.
- Limited to what is necessary.
- Accurate and kept updated where necessary.
Data Retention
Personal data is retained by Eudemonics only for as long as necessary to fulfil the purposes for which it was collected or as required by law. When data is no longer needed, it is securely deleted or anonymised.
Data Security
Eudemonics uses appropriate technical and organisational measures to secure personal data, including:
- Access controls.
- Encryption.
- Regular data protection training.
- Physical security measures.
- Incident response protocols.
Data Sharing and Transfers
Personal data is shared by Eudemonics with third parties only when necessary and where appropriate safeguards are in place. Transfers of personal data outside the UK are carefully managed to ensure compliance with Data Protection Law and protection of data subjects’ rights.
Personal Data Breaches
All personal data breaches must be reported immediately to the Data Protection Officer. Breaches are investigated and appropriate steps are taken to mitigate harm and prevent recurrence.
Automated Decision-Making and Profiling
Where Eudemonics uses automated decision-making or profiling, individuals are informed, and appropriate human oversight is maintained to protect their rights.