CSL Data Protection & Privacy Policy V1.0

2. Overview

2.1. Purpose and objective of this document

The purpose of this Data Retention Policy is to provide guidance on the retention of the various types of data held; this document strives to balance the need to store information so that it can be accessed for as long as it is needed with legal obligations to destroy the data safely when it is no longer required. It is anticipated that this policy will assist in securing compliance with legal and regulatory requirements, including the Data Protection and Privacy Act, 2019. Appropriate and effective protection is required for all types of data held to promote business continuity and avoid breaches of statutory, regulatory and/or contractual obligations. The policy will apply to two key types of data that are held: the company’s data and the customer’s data (Records).

 

This Data Retention Policy applies to information in all its various forms. It may be on paper, stored electronically or held on film, or other media. It includes text, pictures, audio and video. It covers information transmitted by post, by electronic means, and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal.

2.2. Scope

This policy applies to all Core Synergies, subsidiaries and their employees.

2.3. Review and changes

This policy is reviewed and approved by the Managing Director annually or after any significant event.

3. Policy

3.1 Definitions

Personal data: Information relating to identifiable individuals, such as customers, current and former employees, agency, contract and other staff, suppliers, marketing contacts and job applicants. Personal data may include: individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

 

Sensitive personal data: Personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings—any use of sensitive personal data should be strictly controlled in accordance with this policy.

 

Business purposes: The purposes for which personal data may be used by us: Personnel, administrative, financial, regulatory, payroll and business development purposes.

 

3.2 Applicable Legislation

Data Protection and Privacy Act, 2019 (Act): An Act to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers; to regulate the use or disclosure of personal information; and for related matters.

3.3 Data Retention Principles

As ‘data controller’ we determine the purpose for which, and the manner in which, any personal data are, or are to be, processed. We therefore ensure that we operate within the framework of the following principles:

-       information is held only for as long as necessary, giving due regard to the legal, regulatory, business and individual needs;

-       records are stored in a manner which is appropriate to their purpose;

-       time-periods for retention are discussed, agreed and documented; and

-       at the point of destruction, appropriate procedures are followed.

-       Purpose limitation: Data will be collected for specific and legitimate purposes and can’t be processed for other reasons which haven’t been declared.

-       Data Minimisation: Information will be adequate and relevant. It will be limited to what is necessary in relation to the purpose of the processing.

-       Accuracy: Effort must be taken to ensure the accuracy of the information held, and where it is incorrect it will be corrected as quickly as possible.

-       Storage Limitation: Information cannot be held for longer than is necessary for the purposes for which it was originally collected.

-       Integrity and Confidentiality: Information must be processed in a way that ensures the confidentiality and integrity of the information.

3.4 Legal basis for processing

We have reviewed the purposes of our processing activities and selected the most appropriate lawful basis on which we are relying. We will collect personal information in the following circumstances:

-       Where we have obtained consent to do so. (Especially in cases of targeted marketing communications)

-       Where we need the personal information to perform a contract with the involved party (e.g., to deliver gambling services to our customers, to enter into a contract of employment with permanent or temporary staff, to establish working relationships with 3rd party providers).

-       Where we have a legal obligation to collect personal information. (e.g. to meet obligations under gambling regulation frameworks, AML and CFT regulations, integrity in sports as well as employment laws.)

-       Where the processing is in our or a third party’s legitimate interests and not overridden by their data protection interests or fundamental rights and freedoms. (e.g. statistical purposes, product personalization (bespoke offering))

 

We have included information about both the purposes of the processing and the lawful basis for the processing in our Privacy Policy which is available to customers via the app and our website, to employees as part of their employment contract and to 3rd party providers as part of any non-disclosure and commercial agreements.

3.5 Sensitive personal data

For the purposes of our processing activities, we do not intend to capture sensitive personal data for any of the customers nor for the purposes of entering into a service contract with a 3rd party provider.

 

Sensitive personal data related to health may be recorded in cases where an employee (permanent or temporary) presents a disability, in which case the legal basis for processing will rely on a legal obligation placed on us under the laws of Uganda.

3.6 Consent

3.6.1 Obtention of Consent

Consent is obtained from customers at the time of their account creation with a request to review and accept our Privacy Policy. Approval of the policy requires a positive action from the customer and is separate from any positive action required with respect to reviewing and approving our Terms and Conditions.

 

For employees and 3rd party providers, consent is obtained at the time when the relevant contracts are signed by both parties.

 

Records of the obtention of consent are maintained. Whenever the Privacy Policy is updated and requires new consent, a record of the new consent is also kept and does not override previous historical records. Records of the different versions of the Privacy Policy are also maintained.

3.6.2 Withdrawal of Consent

For data that is not necessary for the performance of a contract or for legal obligations, individuals are informed that they can withdraw their consent at any time.

 

Mechanisms are in place within the applications to allow customers to proactively withdraw consent for the processing of their data for marketing purposes. Processing of customer data for marketing purposes is not considered a pre-condition for the offering of services.

3.7 Individual rights

All individual rights are clearly included in our privacy policy for customers and in contracts for employees and 3rd party providers.

3.7.1 Right of access and Subject access requests

The company welcomes the rights of access to information that are set out in the GDPR and is committed to operating openly and to meeting all reasonable requests for information that are not subject to specific exemption. A separate Subject Access Request Policy is in place to govern this process and set out relevant procedures for the group.

3.7.2 Right of rectification and erasure

We acknowledge that individuals have the right to rectify data that is incorrect or incomplete. Mechanisms are in place for customers to do so via the app or by contacting the Customer Experience team. Employees and contractors can amend their details by contacting the HR team. In all cases we are committed to respond to all requests within one month. Where the personal data was disclosed to third parties, we will endeavour to inform them of the rectification where applicable and possible.

 

We also acknowledge that individuals have the right to erasure or more specifically to request the deletion or removal of personal data where there is no compelling reason for its continued processing (also known as right to be forgotten).

 

However, in the case of our operations and relying on our legal basis for processing in order to perform a legal obligation, we are entitled to refuse to comply with an erasure request. This will be particularly the case where the data processed is used in order to comply with our obligations under our licences and more particularly in the fields of preventing money laundering and terrorist financing and combating the problem of any illegal activities.

3.7.3 Right to restrict processing

We acknowledge that individuals have a right to ‘block’ or suppress processing of personal data. Where an individual has made such a request, processing becomes restricted, but storage is still permitted. The right to restrict processing is applicable to data used only for legitimate interest purposes. When a request for processing restriction is made, we will notify any 3rd party with whom the data has been shared so processing can stop on their side as well. Customers can exercise this right by contacting the Customer Experience team.

3.7.4 Right to Data Portability

For personal data processed on the basis of the individual’s consent and/or the performance of a contract; and when processing is carried out by automated means, then individuals have a right to be provided with their data in a structured, commonly used and machine-readable form. For this purpose, we will comply with requests free of charge, within one month of the request being made and provide the data in a CSV format.

3.7.5 Right to Object

Individuals have the right to object to processing based on legitimate interests and especially around direct marketing (including profiling). The right to object is available to customers by contacting the Customer Experience team or via self-service within the apps. Upon receiving such a request, we will immediately apply a “no communication” flag to the relevant account and cease any marketing contact with the individual in question. This no communication flag is also transmitted to every third party used and contracted to send marketing communications on its behalf.

3.7.6 Rights related to automated decision making and profiling

3.8 Documentation of processing activities

As a data controller we document all the applicable information under, all our processing activities are documented in writing, in a granular way with meaningful links between the different pieces of information. We also conduct regular reviews of the personal data we process and update our documentation accordingly.

 

As a small and medium-sized organization we are aware of the requirement to document processing activities that are not occasional; could result in a risk to the rights and freedoms of individuals; or involve the processing of special categories of data or criminal conviction and offence data.

3.9 Data protection by design and by default

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

3.10 Compliance: Suspension of Document Destruction

In the event Tetra Tech is served with the following: claim or request for documents, an employee becoming aware of an investigation or audit concerning Tetra Tech, or the commencement of any litigation against or concerning Tetra Tech, the employee shall inform the Data Protection Officer (DPO). Any further disposal of documents shall be suspended until such time as the DPO determines otherwise. The DPO shall take

3.11 Data Breaches

We are aware of our duty to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. Our separate Data Breach Reporting Policy contains all the relevant information associated with this process.

 

3.14 Training and compliance with this policy

All staff will receive mandatory training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least once a year or whenever there is a substantial change in the law or our policy and procedure.

 

We take compliance with this policy very seriously. Failure to comply with any requirement may lead to disciplinary action.

3.14 Data Retention

We retain personal data for a 10-year retention period which starts to run from the date a customer’s account is closed. We will only continue to hold personal data as permitted under data protection legislation (i) where we are under a legal requirement under gambling or tax legislation to retain personal data; and (ii) to exercise or defend our legal rights.

 

We may be required in certain circumstances to retain customer data indefinitely (for example under our procedures on responsible gambling and self-exclusion). We will take all necessary steps to ensure that the privacy of information is maintained for the period of retention.

 

 

 
