DATA AND PRIVACY POLICY
Adopted by DynamicLedger Solutions Limited on the 1st day of January 2025
Last updated: 17th January 2025
DynamicLedger Solutions Limited whose registered office is at Seven Grange Lane, Pitsford, Northampton, Northamptonshire, United Kingdom, NN6 9AP ("the Company");
This Policy shall apply to all employees, officers, consultants, contractors, agents and other individuals or organisations associated with DynamicLedger Solutions Limited worldwide;
The "Data Subject", defined as any living individual whose Personal Data is processed by the Company;
Any third parties authorized to process Personal Data on behalf of the Company as data processors.
This Data and Privacy Policy (the "Policy") sets out the basis on which DynamicLedger Solutions Limited (the "Company") will process any personal data collected from data subjects, or that is provided to the Company by data subjects or third parties in the course of the Company’s business.
For the purpose of this Policy, "personal data" means any information relating to an identified or identifiable living individual (a "data subject"). An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural living person.
The Company is a data controller incorporated and registered in England and Wales. The Company determines the purposes and means of processing personal data as part of its business activities.
This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data under the UK General Data Protection Regulation ("UK GDPR"). The purposes for which personal data may be used by the Company are defined under the UK GDPR and this Policy.
The Company shall process all personal data in compliance with the principles of the UK GDPR. Personal data shall be:
processed lawfully, fairly and in a transparent manner;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary; and
processed in a manner that ensures appropriate security of the personal data.
Definitions
Company means DynamicLedger Solutions Limited.
Data Subject means any living individual whose Personal Data is processed by the Company.
Personal Data means any information relating to a Data Subject.
Processing means any operation or set of operations performed on Personal Data, such as collection, use, storage, disclosure and others.
Special Category Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Controller means the entity that alone or jointly with others determines the purposes and means of the Processing of Personal Data. For the purposes of this Policy, the Company is the Data Controller.
Data Processor means any natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
Third Party means any natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and persons who process data under the direct authority of the Data Controller or Data Processor.
Scope of Policy
This Data and Privacy Policy (the "Policy") sets out the basis on which the Company will process any personal data collected from data subjects, or that is provided to the Company by data subjects or third parties in the course of the Company’s business.
This Policy applies to all personal data collected and processed by the Company relating to data subjects.
This Policy applies to personal data relating to all identified or identifiable living individuals whose personal data is processed by or on behalf of the Company.
The UK GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the UK. This Policy therefore applies to the processing of personal data by the Company in the UK.
This Policy shall remain in effect until such time as the Company ceases to process personal data and disposes or deletes the data in accordance with the law.
Data Collection excluding Distributed Ledger Data
The Company stores any personal data it does collect in a mutable datastore to enable compliance with UK GDPR.
The Company does not store any personal or identifying data collected on the Distributed Ledger.
The Company collects the following types of personal data from data subjects:
Name, date of birth, gender, contact details including email address and telephone number;
Demographic information such as postcode, preferences and interests;
Website usage data and details of pages visited;
Personal data is collected directly from data subjects through the following methods:
Voluntary completion of forms on the Company's website or mobile applications;
Creation of an account or profile;
Contact with the Company via telephone, email, post or social media.
The Company collects personal data from data subjects for the following purposes:
Responding to enquiries and requests from data subjects;
Improving products and services offered to data subjects;
Compliance with legal and regulatory obligations.
Where personal data is collected based on consent, the data subject shall have the right to withdraw consent at any time.
Data subjects have the right to access, rectify or erase personal data in accordance with Clause 10 of this Policy.
Data collection in the Distributed Ledger
The Company does not store personal or identifying data on the Distributed Ledger in order to comply with UK GDPR.
Data Use
The Company may process personal data for the following purposes:
To provide the data subject with the services or products they have requested including processing payments and contacting the data subject if required. The lawful basis for this processing is contract performance.
To comply with legal obligations such as tax and accounting requirements. The lawful basis for this processing is legal obligation.
To maintain business records in accordance with standard accounting practices. The lawful basis for this processing is legitimate interests.
To analyse website usage and improve a user's experience. The lawful basis for this processing is legitimate interests.
The Company does not process any special category personal data without explicit consent.
The Company will not process personal data for any purpose other than those stated in this Policy unless the data subject has given their express consent.
Data Sharing and Disclosure
The Company may disclose personal data to third party service providers who support the Company's business operations, such as IT service providers, payment processors, and customer relationship management platforms. Any sharing of personal data shall be subject to appropriate confidentiality obligations imposed on the third party by way of a data processing agreement or other legal contract.
The Company may disclose personal data if required to do so by law or in the good faith belief that such disclosure is reasonably necessary to comply with legal process, enforce this Policy, or protect the rights, property or safety of the Company, employees, clients, or the public.
If the Company is involved in a merger, acquisition or asset sale, the Company may transfer personal data as part of that transaction provided that the transferee entity agrees to adhere to the standards set out in this Policy and applicable privacy laws. The Company shall notify all affected data subjects of the transfer and their right to object to such transfer prior to carrying out the transfer.
The Company may share aggregated, anonymized data with third parties for research, analytical or other business purposes. No identifiable personal data will be shared without the data subject's consent as required by applicable laws.
Data Retention
The Company will only store personal data for as long as is necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.
The criteria used by the Company to determine appropriate retention periods include:
The purposes for which the personal data was collected and whether these purposes can be fulfilled by other means;
Any statutory or regulatory requirements to retain personal data for a minimum period;
Guidelines issued by the ICO or other relevant regulators or industry bodies regarding appropriate retention periods;
The potential risk of harm from destruction of the personal data; and
The rights of data subjects to request erasure or object to processing.
Different categories of personal data may be retained for different periods of time. The specific retention periods applied to the different categories of data can be provided on request by contacting the Company.
Once the retention period has expired, personal data will be permanently deleted or anonymised. All reasonable and proportionate steps will be taken to ensure personal data cannot be recovered or reconstructed once deleted.
On an exceptional basis, personal data may be retained for longer than the standard retention period where this is required by law or is for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Data Security
The Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data. This includes measures to protect against unauthorized access and against accidental loss, destruction, damage or alteration.
The Company shall ensure that only authorized personnel have access to personal data and that such access is password-protected.
The Company shall provide data privacy/security training to all personnel who have access to personal data to ensure they understand their responsibilities for processing and securing personal data.
The Company shall notify the relevant supervisory authority and data subjects of any personal data breach within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR.
The Company shall conduct regular audits of its data processing activities and security measures to ensure compliance with this Policy and the UK GDPR.
Data Breach
In the case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Information Commissioner's Office, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the Information Commissioner's Office is not made within 72 hours, it shall be accompanied by reasons for the delay.
The notification referred to in clause 8.1 shall at least:
describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the Company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.
The Company shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken, and notify the Information Commissioner's Office on request.
Data Subject Rights
Right to be informed - The Company shall provide the data subject with fair processing information, typically through a privacy notice setting out details regarding the personal data processing.
Right of access - The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning them is being processed, and where that is the case, access to their personal data.
The Company shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs.
Right to rectification - The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data or incomplete personal data concerning them.
Right to erasure - The data subject shall have the right to obtain from the Company the erasure of personal data without undue delay where certain grounds apply, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or processed.
Right to restriction of processing - The data subject shall have the right to obtain from the Company restriction of processing where certain circumstances apply, such as where the accuracy of the personal data is contested by the data subject.
Right to data portability - The data subject shall have the right to receive the personal data concerning them which they have provided to the Company in a structured, commonly used and machine-readable format and the right to transmit that data to another controller without hindrance.
Right to object - The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, including profiling, unless certain grounds apply.
Rights in relation to automated decision making and profiling - The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
International Data Transfers
The Company may transfer personal data to countries outside of the UK and EEA in order to perform its obligations under this Policy and any Agreement.
The transfer of personal data from the UK and EEA to such countries shall only occur where one of the following conditions applies:
The European Commission has decided that the country or the organisation/sector in the third country ensures an adequate level of protection.
The Company has provided appropriate safeguards in the form of EU Standard Contractual Clauses or equivalent clauses allowing for the transfer.
Binding corporate rules are in place governing the international transfer which have been authorised by the relevant supervisory authority.
The transfer is subject to appropriate safeguards as determined by the UK GDPR.
Data subjects have the same rights regarding their personal data that is transferred internationally as they do for data processed within the UK/EEA.
The Company shall inform data subjects of any international transfers made and the appropriate safeguards in place to protect their personal data.
The Company shall conduct periodic reviews of its international data transfers and update safeguards as required to maintain compliance with applicable data protection laws.
Policy Changes
The Company will communicate any changes made to this Policy to the data subject. Notification will be provided in a concise, transparent and easily accessible form using clear and plain language.
Notification of changes will be provided to the data subject in a timely manner and in any event not less than 15 days before the change comes into effect.
Data subjects have a right to object to any changes made to this Policy. If a data subject objects, the Company will work with them to address any concerns and find a suitable resolution.
The Company will maintain a record of all versions of this Policy in date order with a brief description of the changes made at each version. This record is available to data subjects upon request. This Policy shall be effective from the 1st January 2025 and reflects our commitment to your privacy.