Introduction
If you are submitting your details to receive information, your details are used to send you the information that you have requested. If you are submitting your details for the purposes of receiving a quote for services, the information will be used for the purposes of sending a quote and then as appropriate to provide you with the services contracted for.
We may also use your information to send you other information about us and the services we offer. Unless required by law or for administrative purposes, we do not pass on the information you provide to third parties.

Data protection officer
Mr Dan Bakewell is the Fine Print data protection officer and is responsible for the implementation of this policy.

Data protection principles
The Data Protection Act 1998 requires that eight data protection principles be followed in the handling of personal data. These principles require that personal data must:

• be fairly and lawfully processed;
• be processed for limited purposes and not in any manner incompatible with those purposes;
• be adequate, relevant and not excessive;
• be accurate;
• not be kept longer than is necessary;
• be processed in accordance with individuals’ rights;
• be secure; and
• not be transferred to countries without adequate protection.

“Personal data”
The Data Protection Act 1998 applies only to information that constitutes “personal data”. Information is “personal data” if it:

• identifies a person, whether by itself, or together with other information in the organisation’s possession, or is likely to come into its possession; and
• is about a living person and affects that person’s privacy (whether in his/her personal or family life, business or professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature.

Consequently, automated and computerised personal information about employees of Fine Print, our Customers, Suppliers or Prospects is covered by the Act. Personal information stored physically (for example, on paper) and held in any “relevant filing system” is also covered. In addition, information recorded with the intention that it will be stored in a relevant filing system or held on computer is covered.

“The use of personal information”
The Data Protection Act 1998 applies to personal information that is “processed”. This includes obtaining personal information, retaining and using it, allowing it to be accessed, disclosing it and, finally, disposing of it.

“Sensitive personal data”
“Sensitive personal data” is information about an individual’s:

• racial or ethnic origin;
• political opinions;
• religious beliefs or other beliefs of a similar nature;
• trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
• physical or mental health or condition;
• sex life;
• commission or alleged commission of any criminal offence; and
• proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

The organisation will not retain sensitive personal data without the express consent of the subject in question.

Data subject access requests
Any individual has the right to access information kept about him/her by Fine Print.
The organisation will not charge for allowing subjects access to information about them. The organisation will respond to any data subject access request within 30 calendar days, unless an extension is requested.
The organisation may reserve its right to withhold the subjects right to access data where any statutory exemptions apply.

Requirement to notify breaches
If Fine Print discover that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The company will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

Review of procedures and training
The organisation will provide training to all employees on data protection matters on induction and on a regular basis thereafter.
The organisation will review and ensure compliance with this policy at regular intervals.