Data Protection Policy for Careless Technologies Limited (careless™) company number 14504628, an InsurTech startup providing mobile-only insurance solutions for UK consumers.
1. Introduction
Careless Technologies Limited ("Company") is committed to protecting the privacy and security of personal data. This GDPR/Data Protection Policy ("Policy") provides the principles and guidelines the Company follows in processing personal data.
2. Purpose
The purpose of this Policy is to ensure that the Company complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
3. Scope
This Policy applies to all employees, contractors, and vendors of the Company involved in the collection, processing, and management of personal data. It covers all personal data processed by the Company, regardless of the medium on which that personal data is stored.
4. Definitions
• Personal Data: Any information relating to an identified or identifiable natural person (data subject).
• Processing: Any operation or set of operations performed on personal data, whether or not by automated means.
• Data Subject: The identified or identifiable natural person whose personal data is being processed.
• Data Controller: The entity that determines the purposes and means of processing personal data.
• Data Processor: The entity that processes personal data on behalf of the data controller.
5. Data Protection Principles
The Company adheres to the following data protection principles:
• Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and transparently.
• Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Data Minimisation: Personal data shall be adequate, relevant, and limited to what is necessary.
• Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
• Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than necessary.
• Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security.
6. Lawful Bases for Processing
The Company will only process personal data when there is a lawful basis, including:
• Consent: The data subject has given explicit consent.
• Contract: Processing is necessary for the performance of a contract.
• Legal Obligation: Processing is necessary for compliance with a legal obligation.
• Vital Interests: Processing is necessary to protect the vital interests of the data subject.
• Public Task: Processing is necessary for the performance of an official function or task.
• Legitimate Interests: Processing is necessary for the legitimate interests of the data controller or third party.
7. Data Subject Rights
Data subjects have the following rights:
• Access: Data subjects can request access to their personal data.
• Rectification: Data subjects can request correction of inaccurate personal data.
• Erasure: Data subjects can request erasure of their personal data.
• Restriction: Data subjects can request restriction of processing.
• Portability: Data subjects can request a copy of their personal data in a structured format.
• Objection: Data subjects can object to processing.
8. Security Measures
The Company shall implement appropriate technical and organizational measures to ensure the security of personal data.
9. Data Breaches
9.1 Breach Identification
• If any employee or representative of Careless Technologies Limited becomes aware of, or suspects, a data security breach, they must immediately report the incident to the Data Protection Officer (DPO) or a designated representative.
9.2 Assessment and Containment
• The DPO will promptly assess the nature and scope of the potential breach. Initial steps will be taken to contain the breach and prevent any further unauthorized access to or disclosure of personal data.
9.3 Notification to Regulatory Authorities
• If the breach is likely to result in a high risk to the rights and freedoms of individuals, the Information Commissioner's Office (ICO) or relevant supervisory authority will be informed without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, as required by the GDPR.
• If for any reason the notification is not made within 72 hours, it will be accompanied by reasons for the delay.
9.4 Communication to Data Subjects
• Affected individuals will be notified directly without undue delay if the breach is likely to result in a high risk to their rights and freedoms, so they can take necessary precautions.
• The communication will describe, in clear and plain language, the nature of the breach, the name and contact details of the DPO or other contact point, the likely consequences, and measures taken or proposed to address the breach.
9.5 Documentation of Breaches
• Each breach, irrespective of its nature and the outcome, will be documented and recorded. This record will include the facts relating to the breach, its effects, and the remedial actions taken.
• This will serve both as an audit tool and as a resource to assess and improve data security strategy.
10. Training and Awareness
Employees shall receive training on data protection and the requirements of the GDPR.
11. Policy Review
This Policy will be reviewed at least annually or as needed.