Data Protection Policy

Interpretation

Definitions:

  • Company Name: Racing Mac (“the Company”).

  • Company Personnel: All employees, workers, contractors, agency workers, consultants, directors, members, and others engaged by the Company.

  • Consent: Freely given, specific, informed, and unambiguous agreement by a Data Subject through a clear statement or action to the processing of their Personal Data.

  • Controller: The person or organisation determining when, why, and how to process Personal Data. The Controller is responsible for compliance with the UK GDPR. Racing Mac is the Controller of all Personal Data relating to its Company Personnel and Personal Data processed for commercial purposes.

  • Criminal Convictions Data: Personal data relating to criminal convictions and offences, including related allegations and proceedings.

  • Data Subject: A living, identified, or identifiable individual whose Personal Data is processed by the Company.

  • Data Protection Manager: The designated individual responsible for overseeing data compliance at Racing Mac.

  • Explicit Consent: Clear and specific consent provided through a direct statement.

  • UK GDPR: The retained EU law version of the General Data Protection Regulation (EU 2016/679) as defined in the Data Protection Act 2018.

  • Personal Data: Any information that relates to an identifiable individual, such as names, contact details, identifiers, or information specific to their physical, mental, cultural, or social identity. Examples include:

    • Contact details such as name, title, email address, and telephone number.

    • Gender.

    • Date of birth.

  • Personal Data Breach: An act or omission compromising the security, confidentiality, integrity, or availability of Personal Data.

  • Privacy by Design: Technical and organisational measures to ensure UK GDPR compliance is embedded in the processing of Personal Data.

  • Privacy Notices: Documents detailing how Personal Data is collected, used, disclosed, and retained by the Company.

  • Processing: Any activity involving Personal Data, including collecting, storing, retrieving, disclosing, or deleting it.

  • Pseudonymisation: Replacing information that identifies an individual with artificial identifiers to safeguard their identity.

  • Special Categories of Personal Data: Information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, sexual orientation, or genetic/biometric data.

Introduction

This Data Protection Policy outlines how Racing Mac (“we,” “our,” or “us”) processes and protects Personal Data relating to customers, prospective customers, suppliers, employees, and other stakeholders.

This Policy applies to all Personal Data processed by the Company, regardless of storage medium or the relationship between the Data Subject and the Company. All Company Personnel (“you,” “your”) must adhere to this Policy and complete any required training to ensure compliance with applicable laws and regulations.

Non-compliance with this Policy may result in disciplinary action.

Scope of Policy and Responsibilities

We are committed to ensuring the lawful, fair, and transparent processing of Personal Data to maintain trust and confidence. Protecting the confidentiality and integrity of Personal Data is a priority.

Data Protection Manager:
The Data Protection Manager is responsible for overseeing compliance with this Policy. They can be contacted at: admin@racingmac.com.

Please contact the Data Protection Manager if you:

  • Are unsure about the lawful basis for processing Personal Data.

  • Need to draft or update a Privacy Notice.

  • Encounter or suspect a Personal Data Breach.

  • Need guidance on retaining or deleting Personal Data.

  • Require assistance with data transfer, direct marketing compliance, or responding to Data Subject rights.

Data Protection Principles

We adhere to the following principles in line with the UK GDPR:

  1. Lawfulness, Fairness, and Transparency: Personal Data must be processed fairly and transparently.

  2. Purpose Limitation: Personal Data must only be collected for legitimate purposes and not used for unrelated purposes without further consent.

  3. Data Minimisation: Personal Data collected must be adequate, relevant, and limited to what is necessary.

  4. Accuracy: Personal Data must be kept accurate and up to date.

  5. Storage Limitation: Personal Data must not be retained for longer than necessary.

  6. Security: Personal Data must be secured against unauthorised access, loss, or destruction.

Lawfulness, Fairness, and Transparency

Personal Data may only be processed under one of the following lawful bases:

  • The Data Subject has provided clear and informed Consent.

  • Processing is necessary for the performance of a contract.

  • Processing is required to comply with legal obligations.

  • Processing is necessary to protect vital interests.

  • Processing is justified by legitimate interests that do not override the Data Subject’s rights.

Consent

Consent must be freely given and can be withdrawn at any time. Records of consent must be retained.

Transparency

Privacy Notices must be provided when Personal Data is collected, detailing how the data will be processed, stored, and shared.

Data Minimisation and Accuracy

Only collect Personal Data necessary for legitimate purposes. Ensure all data is accurate and up to date.

Storage Limitation

Personal Data must be deleted or anonymised once no longer needed for its original purpose unless otherwise required by law.

Security

Appropriate technical and organisational measures must be implemented to safeguard Personal Data, including encryption and Pseudonymisation. Only authorised personnel may access sensitive data.

Reporting Personal Data Breaches

Any suspected Personal Data Breach must be reported immediately to the Data Protection Manager.

Data Transfers

Transfers of Personal Data outside the UK must comply with UK GDPR and ensure adequate protection measures.

Data Subject Rights

Data Subjects have the following rights:

  • Access their Personal Data.

  • Request correction or deletion of inaccurate or incomplete data.

  • Object to certain types of processing.

  • Withdraw Consent.

  • Complain to the Information Commissioner’s Office (ICO).

Direct Marketing

All direct marketing activities must comply with applicable privacy laws. “Soft opt-in” rules apply for existing customers, and all marketing communications must provide an option to opt out.

Changes to This Policy

This Policy is reviewed regularly and was last updated on 8th November 2024.

For any questions or concerns, contact the Data Protection Manager at admin@racingmac.com.