We are committed to the principles inherent in the GDPR and particularly to the concepts of privacy by design, the right to be forgotten, consent and a risk-based approach. In addition, we aim to ensure:
- transparency with regard to the use of data
- that any processing is lawful, fair, transparent and necessary for a specific purpose
- that data is accurate, kept up to date and removed when no longer necessary
- that data is kept safely and securely.
Our Data Protection Officer (DPO), who works to promote awareness of GDPR within the Pivotal Group. Our DPO oversees the Group’s commitment to best practice and inform and advise the Group and monitors compliance.
“Right to be forgotten”
We recognise the right to erasure, also known as the right to be forgotten, laid down in the GDPR. Individuals can make a request for erasure verbally or in writing, responses will be made within one month from date of request.
Subject access requests
We recognise that individuals have the right to access their personal data and supplementary information and will comply with the one month timeframe for responses set down in the GDPR. As a general rule, a copy of the requested information will be provided free of charge although we reserve the right to charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive. If this proves necessary, the data subject will be informed of their right to contest our decision with the appropriate supervisory authority ( For the UK this is the Information Commissioner’s Office (ICO) and for ROI this is the Data Protection Commission (DPC)).
As set out in the GDPR, any fee will be notified in advance and will be based on the administrative cost of providing the information.
We will implement data protection “by design and by default”, as required by the GDPR. Safeguards will be built into products and services from the earliest stage of development and privacy-friendly default settings will be the norm. The privacy notice, which is on our website and which is provided to anyone from whom we collect data, explains our lawful basis for processing the data and gives the data retention periods. It makes clear that individuals have a right to complain to the ICO or to the DPC. We have conducted a privacy impact assessment (PIA) to ensure that privacy risks have been properly considered and addressed.
Data transfers outside the EEA
The Company respects the rights of individual’s personal data and will ensure that all personal data to which there is a requirement to transfer outside of the UK or EEA will be appropriately protected.
If a data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the people affected will be informed as soon as possible and the ICO or DPC will be notified within 72 hours.