Privacy Policy

Personal Data Protection Policy

The Bespoke Pool Company takes the protection of personal data extremely seriously and has taken a ‘data protection by design and default’ approach. The following policy details how The Bespoke Pool Company adheres to the General Data Protection Regulation (‘GDPR’).

1.0 Principles
The Bespoke Pool Company adheres to the following principles as set out by the GDPR, data will be:

a) processed lawfully, fairly and in a transparent manner
b) collected for specified, explicit and legitimate purposes – i.e. it is necessary
c) adequate, relevant and limited to what is necessary
d) accurate and, where necessary, kept up to date
e) kept in a form which permits identification of subjects for no longer than is necessary
f) processed in a manner that ensures appropriate security of the personal data.

2.0 Lawful Basis
The Bespoke Pool Company will only process personal data if it has one of the following lawful bases to do so:

a) Consent
b) Contract
c) Legal obligation
d) Vital interest
e) Public task
f) Legitimate interest

The Bespoke Pool Company will determine & document our lawful basis before we begin processing personal data.

3.0 Rights of the Individual
The Bespoke Pool Company will uphold the rights of the individual as follows:

a) The right to be informed
b) The right of access
c) The right to rectification
d) The right to erasure
e) The right to restrict processing
f) The right to data portability
g) The right to object

Privacy Information & Notices
The Bespoke Pool Company will notify individuals for whom we hold personal data of the following:

– our purposes for processing their personal data
– our lawful basis for processing their personal data
– our personal data retention periods
– who their personal data will be shared with, if at all

Access
The Bespoke Pool Company will allow access to a subject’s personal data upon request by the individual.

Rectification
The Bespoke Pool Company will consider any request to rectify personal data if a request is made either verbally or in writing. The Bespoke Pool Company will respond to any request within one calendar month.

Erasure
The Bespoke Pool Company will consider any request to erase personal data if a request is made either verbally or in writing. This is ‘the right to be forgotten’. The Bespoke Pool Company will respond to any request within one calendar month.

Processing Restriction
The Bespoke Pool Company will consider any request to restrict the processing of personal data if a request is made either verbally or in writing. The Bespoke Pool Company will respond to any request within one calendar month.

Data Portability
The Bespoke Pool Company will consider any request to port personal data if a request is made either verbally or in writing. The Bespoke Pool Company will respond to any request within one calendar month.

Objection
If The Bespoke Pool Company hold personal data on the basis of Legitimate Interest, The Bespoke Pool Company will consider not processing that personal data if an objection is made either verbally or in writing. The Bespoke Pool Company will respond to any request within one calendar month.

4.0
As a data controller, The Bespoke Pool Company will only appoint data processors who can provide sufficient guarantees that the requirements of the GDPR will be met. Processors must only act on the documented instructions of The Bespoke Pool Company and there will be contractual agreements in place to ensure that both parties understand their respective responsibilities and liabilities.

The Bespoke Pool Company will maintain documentation of our processing activities, to include:

– The purposes of our data processing.
– Descriptions of the categories of personal data held.
– The categories of recipients of personal data.
– Transfers to other countries including the transfer mechanism safeguards in place.
– Retention schedules.
– Information required for privacy notices – Records of consent;
– Location of personal data

The Bespoke Pool Company will implement appropriate security measures to ensure confidentiality, integrity and availability of personal data.

The Bespoke Pool Company will record and, where necessary, report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.

The Bespoke Pool Company will conduct data protection impact assessments(DPIA)for uses of personal data that are likely to result in high risk to individuals’ interests.

The Bespoke Pool Company will not be appointing a Data Protection Officer (DPO) as we are neither a public authority nor have core activities that require large scale, regular and systematic monitoring of individuals. However, The Bespoke Pool Company does have sufficient staff and resources to discharge our obligations under the GDPR.