GDPR Policy

Introduction

The General Data Protection Regulation (GDPR) is a new legal framework set up by the European Union in April 2016 to build upon existing data protection legislation. GDPR came into effect on 25th May 2018, and has introduced a range of fresh guidelines spelling out the rights of consumers and dictating how companies can store and share information.

As a hugely significant change to the global business landscape, it is critical that Crystal Moon Tree Ltd embraces all aspects of GDPR to maintain full compliance.

Our obligations for GDPR compliance

Here at Crystal Moon Tree Ltd, we fully appreciate and support the European Union’s focus on expanding upon digital rights. As a company, we strongly believe in the need for greater business transparency and accountability concerning the collection and handling of personal data.

That is why Crystal Moon Tree Ltd is a firm advocate of GDPR and its many implications. These include, among many other aspects:

  • The Right to Object to Processing
  • The Right to Be Forgotten
  • The Right to Data Portability
  • The Right to Withdraw Consent

As part of our commitment to GDPR and the rights of our customers and clients, Crystal Moon Tree Ltd vows to ensure our organisation considers and actions all necessary changes surrounding data processing, data storage and the disposal of personal data.

This includes a commitment to fully fulfil Breach Disclosure Requirements by notifying authorities and concerned individuals of any compromise within 72 hours. Moreover, as part of our GDPR strategy, Crystal Moon Tree Ltd will complete impact assessments wherever possible, to identify and deliver the best service possible, as well as to extend our customers a guarantee that data is being kept secure.

Furthermore, we pledge to uphold the following key values and responsibilities:

Crystal Moon Tree Ltd’s strategic values and responsibilities

  • We vow to demonstrate full responsibility and dutiful respect as a keeper of customer, client and employee data.
  • We totally support GDPR and its requirements, and will do everything within our power to appropriately resource and fund any changes we must enforce to ensure Crystal Moon Tree Ltd can meet its obligations.
  • We promise to maintain ownership and transparency concerning data protection and privacy across all elements of our company.
  • We pledge to create and maintain a purposeful data processing inventory documenting all data operations, including collection, processing and storage.
  • We guarantee to extend every possible show of support to individuals intent on exercising their rights as outlined under GDPR legislation.
  • We will conduct a regular review to assess the legality and purpose for the collection, processing and storage of personal data.
  • We vow to act upon identified gaps and develop robust processes to maintain full GDPR compliance.
  • We promise to clearly communicate the business purpose and legal grounds for any transfer of data – including transfer outside of the European Union.
  • We will contact all partner organisations, contractors or other third parties to identify their own GDPR commitments, establish relevant contract terms and solidify GDPR compliance controls.

Your Data Protection Policy

Our data security policies

Crystal Moon Tree Ltd takes data security extremely seriously, and we place the rights of the individual and regulatory adherence at the heart of everything we do as a company.

In light of our commitments, it is mandatory that all staff members observe and adhere to the following data security policies:

Data storage policy

  • All information or data that is collected and processed is subject to all of the applicable requirements as outlined and documented within this policy. This includes information collected electronically, by paper, telephone or data collected through any other means.
  • All data must be collected, stored and protected in a secure location appointed by Crystal Moon Tree Ltd, for a retention period as predefined by corresponding legislation or company policy.
  • Staff members are strictly forbidden to retain confidential information or personal data not relating to themselves on their personal devices. Exceptions to this policy include information that is needed for a purpose that is work-related, temporary and specified and approved by a relevant manager.
  • Staff members should avoid downloading sensitive files or confidential information to local devices wherever possible. Information being necessarily processed for work purposes may be exempt from this policy.
  • Employees must install and use software and systems that have been licensed and approved by the company on devices while carrying out the duties of their role. Downloading or using any software, app or system that is not preapproved by the company will require prior approval from the company’s IT Manager.
  • All mobile and portable devices used by staff members should be approved by the company’s IT Manager and secured to prevent unauthorised access or breach. Personal devices could include a laptop, smartphone, tablet or any other handheld computing devices. This policy also applies to any shared cloud storage spaces.
  • All internet access and online operations carried out by employees could be subject to monitoring and filtering in accordance with relevant legislation and company policy. This monitoring should be carried out only by the IT Manager or an authorised member of staff.
  • Employees must adhere to all applicable elements of this policy when using personal devices to access company resources. Similarly, employees must observe and adhere to all applicable elements of this data security policy when using equipment provided by Crystal Moon Tree Ltd to access information externally.
  • Employees are forbidden from using public access devices. This practice is allowed in some circumstances; however, prior and explicit approval from a line manager for regular public access must be obtained and recorded.
  • Employees must use access tools provided to them by a client or partner of Crystal Moon Tree Ltd if access is granted to any third-party storage system or data storage facility.
  • It is forbidden to send, forward or submit any of the information or data referred to within this data security policy to a third-party unless deemed essential to complete approved processes.
  • If an employee needs to carry out an approved submission of data to any relevant third-party, that data must be made secure in accordance with company policy and any relevant third-party data protection protocols.

 

Please note that Crystal Moon Tree Ltd will carry out regular system audits to monitor and ensure ongoing compliance with this data security policy and all regulatory requirements as outlined under GDPR.

Data retention policy

While Crystal Moon Tree Ltd must routinely collect and store data, we are committed to the rights of individuals. That’s why we retain all information and personal data for no longer than we need to.

The necessary length of retention will often be decided on a case-by-case basis, bearing in mind the rationale and original purpose surrounding data collection and retention. Decisions of this nature must be made in a way that is compatible with our existing data retention guidelines under GDPR.

For additional guidance, consult the following corresponding documents: Data retention and erasure policy document

International data transfer policy

Employees must observe a series of restrictions that apply towards the international transfer of data or personal information. Employees are not permitted to transfer personal information or data outside of the United Kingdom without having obtained explicit permission in the first instance from the company’s Data Protection Officer.

Data encryption and anonymisation policy

Crystal Moon Tree Ltd deploys encryption to secure and protect data that is stored on devices from unlawful processing or unauthorised access. Encryption is also used to protect information that is in transit.

We also use the anonymisation of personal data wherever deemed prudent to ensure the rights of the individual are fully protected and observed.

In line with these principles, we are committed to the use of both encryption and anonymisation as a risk management tool alongside existing systems, to protect the company from accidental loss, as well as from the damage or destruction of data or personal information.

Data Protection Notice

Crystal Moon Tree Ltd collects, processes and stores the information and personal data you submit to our website:

  • as needed to provide our services, such as when we use your information to fulfil your order, to settle disputes, or to provide customer support;
  • when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for our mailing list;
  • if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law; and
  • as necessary for the purpose of our legitimate interests, if those legitimate interests are not overridden by your rights or interests, such as providing and improving our services.

All processing activities shall be carried out in accordance with your individual rights as defined by the European Union’s General Data Protection Regulation.

Please note that by submitting information about yourself through our website, you are agreeing for Crystal Moon Tree Ltd to process and store that data. This data shall be stored only for the duration of the previously outlined purpose for collection. We never store or process your data longer than we need to, and we do not use your data for any purpose other than those you have agreed to.

The data you submit to our website will never be shared with or transferred to a third-party organisation.

You reserve the right to request Crystal Moon Tree Ltd update your personal data at any time. You can also request information about your personal data, withdraw your consent for us to process your information or request a transfer or deletion of your data.

For more information about Crystal Moon Tree Ltd and how we protect and secure your data, consult our Privacy Policy.

By ticking the pop-up box about accepting cookies, you are indicating that you have read and consent to our Privacy Policy.

Data Classification Policy

1. Policy introduction

Here at Crystal Moon Tree Ltd, we are committed to data security, the privacy of the individual and upholding all our compliance obligations under GDPR. We take our responsibilities seriously, and we recognise that the use of information assets and data forms a crucial aspect of our business activity. That is why we’ve devised the following Data Classification Policy to outline the way in which we classify and use data.

Our Data Classification Policy is designed to ensure that:

  • Crystal Moon Tree Ltd adheres to all necessary legal obligations
  • We implement controls to maximise return on investment
  • Crystal Moon Tree Ltd maintains availability, confidentiality and integrity where necessary for all data
  • Our company has the ability to chart data protection levels that protect both Crystal Moon Tree Ltd and the individuals whose personal data we must collect, process or store
  • We are able to avoid threats of disclosure and/or unauthorised access to data

2. Policy values

Data classification is a vital process our company must carry out to ensure the individuals who claim a legitimate right to access information we hold are able to do so. Our data classification process must also ensure our data and any other piece of information we hold is protected from any and all individuals or organisations that should not have access to that information.

Crystal Moon Tree Ltd’s Data Classification Policy identifies and elaborates upon the correct handling and classification processes our company must use, as per the regulatory requirements that we:

  • Make data available to all those individuals who have a legitimate reason to access it
  • Manage all data in line with its corresponding classification
  • Maintain the integrity of all data
  • Ensure all data our company holds is accurate, complete and consistent

3. Policy objectives

Crystal Moon Tree Ltd’s Data Classification Policy has been developed to meet the following objectives:

  • To outline the duties and responsibilities of Crystal Moon Tree Ltd employees that ensure data is kept safe and secure
  • To establish a robust data classification process that is consistent and compliant with UK regulatory requirements
  • To ensure data is sufficiently protected and encrypted so that unwarranted actions will not be taken against Crystal Moon Tree Ltd in the event data is lost, damaged or accessed illegally
  • To avoid and minimise reputational or operational damage to Crystal Moon Tree Ltd, our stakeholders, clients, customers or partners associated with compromised data

4. Policy implementation

To make sure our Data Classification Policy is effective, Crystal Moon Tree Ltd will implement the following procedures:

  • All users of data will be identified and given access to the data they have a legitimate need to access
  • All data will be classified, managed and controlled in relation to its correct categorisation, as per the processes and requirements outlined within this policy
  • Crystal Moon Tree Ltd must ensure control mechanisms are created and implemented to protect data we collect, process or store
  • All control mechanisms and classification protocols must be reviewed and amended as required by law on a regular basis
  • Data users and data controllers must implement and maintain adequate levels of physical security as required, in relation to computer facilities or access terminals from which data can be viewed or accessed
  • Crystal Moon Tree Ltd must ensure that all data and relevant equipment is safely disposed of, as and when required

5. Obligations under GDPR (2018) and Data Protection Act 2018 (DPA)

Crystal Moon Tree Ltd is committed to meeting its regulatory obligations under GDPR and DPA. That is why we are committed to ensuring that adequate and appropriate measures are taken to prevent the unauthorised access or illegal processing or storage of data. We are required to do everything we can, within reason, to protect the data we use and hold against destruction, accidental loss or damage.

6. Data classifications

Data that is sensitive in nature must be adequately protected at all times. To properly assign safeguards, all data that our company collects, processes or stores must be assigned one of the following classification categories:

  • Public
  • Open
  • Confidential
  • Strictly Confidential
  • Secret

A vast amount of the data Crystal Moon Tree Ltd uses will most likely be classed as being either ‘Public’ or ‘Open’ data. Any information relating to an individual or organisation that could identify them or is personal or private in nature must be assigned a category of either ‘Confidential’ or ‘Strictly Confidential’.

This is to ensure Crystal Moon Tree Ltd meets its regulatory commitment to uphold the rights of individuals, as outlined under GDPR.

On rare occasions, Crystal Moon Tree Ltd may wish to class data as ‘Secret’. If an employee is unsure as to whether they should categorise a piece of data as being secret, or if they need assistance in classifying any other piece of data, they should consult a line manager. If no manager is available for consultation, data should default to a ‘Confidential’ classification.