THE ORDER OF THE KNIGHTS OF ST COLUMBA
Serve God by Serving Others

DATA PROTECTION & PRIVACY POLICY
d) All employees, agents, contractors, or other parties working on behalf of the Organisation handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise; 
e) Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
f) All personal data held by the Company shall be reviewed periodically, as set out in the Organisation's Data Retention Policy; 
g) The performance of those employees, agents, contractors, or other parties working on behalf of the Organisation handling personal data shall be regularly evaluated and reviewed; 
h) All employees, agents, contractors, or other parties working on behalf of the Organisation handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract; 
i) All agents, contractors, or other parties working on behalf of the Organisation handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Organisation arising out of this Policy and the GDPR; and 
 
j) Where any agent, contractor or other party working on behalf of the Organisation handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless the Organisation against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
 
 
Transferring Personal Data to a Country Outside the EEA 

I. The Organisation will not transfer ('transfer' includes making available remotely) personal data to countries outside of the EEA. 
 
Where the Organisation provides services to third-party data controllers, it is a requirement in the contract for the provision of such services that the data controller does not transfer or allow access to driver record data sourced from the DVLA from outside the EEA without first obtaining written approval from the DVLA. The DVLA will not provide such approval unless it is satisfied that there are appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner's Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.