POLICY STATEMENT
RL Media (RLM) is committed to its obligations under the law and this document describes how RLM is fully committed to meeting its data protection duties and obligations. This policy sets out the lawful basis on which RLM stores and processes personal data. 

The Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights have been revised and superseded by the Data Protection Act 1998 which came into force 1st March 2000. These are superseded by the EU General Data Protection Regulation (GDPR) that come into force May 25th 2018 and legislated for in the UK via the Data Protection Act 2018. The GDPR was implemented into statute under the Data Protection Act 2018 therefore the UK leaving the EU as of January 31st 2020 is not relevant.

RLM’s Lawful Basis for Processing Data For all Business to Business, Client to Business and Business to Client communications (generally via email) Policy is to fully comply with the EU General Data Protection Regulation in line with the Information Commissioners Office guidelines. 

PURPOSE
RLM is committed to being fully transparent about the data it collects and processes and to meeting its data protection obligations. This policy documents RLM’s purpose of processing activities for all Business to Business, client to Business and Business to client communications (generally via email). 

Should you have any questions or complaints regarding this policy please contact RL-Media.com via email at Robert@RL-Media.com. 

DEFINITIONS UNDER THE ACTS / REGULATIONS 
Data Controller
A data controller is the person who determines the purposes for which and the manner in which any personal data is, or is likely to be, processed as part of the Data Protection Act 1998. 

Under GDPR, a data controller determines how and why personal data is collected and where from. 

Data Processor
A data “processor” acts on behalf of the “controller” to process data according to their guidelines. RLM is both a controller and a processor. 

Processing
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

DATA PROTECTION PRINCIPLES  
RLM will comply with the 8 principles of the schedule 1 to the Data Protection Act, namely that personal data should be: 

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’). 
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
4. Accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data is accurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’).
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

JUSTIFICATION OF PROCESSING 
In order for data to be processed lawfully, under the first principle, RLM has considered all legal bases for the collection of personally identifiable information via Business to Business, Client to Business and Business to Client communications (generally via email) that; 

We understand our responsibility to protect the individual’s interest;
We believe that there is a limited privacy impact on the individual;
We believe that the individual should reasonably expect us to use their data for business purposes and we do not want to bother them with disruptive consent requests when they are unlikely to object to the processing;
We have identified the legitimate interests;
We have checked that the processing is necessary and there is no less intrusive way to achieve the same result;
We only use individual’s data in ways they would reasonably expect unless we have a very good reason;
We are not using people’s data in ways they would find intrusive or which could cause harm unless we have a very good reason;
We have considered safeguards to reduce impact where possible;
We have considered whether we can offer an opt out;
We keep our Legitimate Interests Assessment under review if circumstances change;
We have therefore decided that we justify processing and storing of personal data obtained via Business to Business, client to Business and Business to client communications (generally via email) on the grounds of legitimate interests and that legitimate interest is the commercial interest of RLMedia.

SECURITY
RLM has put in place adequate security measures to safeguard personal data from destruction, loss, unauthorised access or disclosure, for example, security against hacking on any website that collects visitors’ e-mail addresses.

RIGHTS OF INDIVIDUALS 
RLM affords the following rights to data subjects, in accordance with their application under the GDPR, Data Protection Act 2018 and PECR;

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

An individual may request access to all personal data of which he or she is the subject and which RLM is processing. Requests of this nature may be submitted via the email address at Robert@rl-media.com.

DATA BREACHES 
If RLM discovers that there has been a breach of any personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. RLM will record all data breaches regardless of their effect. If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

RLM RESERVES THE RIGHT TO CHANGE THIS POLICY AT ANY TIME.