Privacy Policy for Entitled1 Media LLC

1. The Policy

1.1 Everyone has the right to know how their personal data is handled by the companies they interact with. At Entitled1, we acknowledge that during our activities as a media and Art business, we will collect, store, and process personal information about our staff. We know that we need to treat this data in a lawful and appropriate manner.

1.2 We may be required to handle several types of information, including details of current, past and prospective employees, suppliers, clients, other people and organisations that we communicate with, and data supplied to us by customers.

We may hold this information on paper, on a computer, or on other media. Regardless, all information held by Entitled1 will be subject to the legal safeguards outlined in the General Data Protection Regulation 2018 (the GDPR). The GDPR imposes strict regulations on how we may use that information.

1.3 This Data Protection Policy does not form part of any employee’s contract of employment, and it may be amended or edited at any time. Breaching this policy is a serious matter and could result in disciplinary action.

2. Status of the Policy

2.1 This policy is designed to clearly set out Entitled1’s rules on data protection and the legal conditions associated with it. Legal conditions related to obtaining, handling, processing, storing, transporting, and destroying personal information must be satisfied for us to be a GDPR compliant company.

2.2 The Data Protection Officer (DPO) is responsible for ensuring GDPR compliance, as well as compliance with this policy. At Entitled1, the DPO is Sam O’Shaughnessy.

2.3 If you believe that the policy has not been followed with regards to personal data – whether your own or someone else’s – you should raise the matter with the DPO.

3. Definition of Data Protection Terms

3.1 Data is information that is stored electronically, on a computer, or in a paper-based filing system.

3.2 A data subject is any person whose personal data is being collected, held or processed. All data subjects have legal rights in relation to the processing and use of their personal data.

3.3 Personal data is, according to the Information Commissioner’s Office, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

3.4 A data controller is any person or organisation that determines the purposes for which and the means by which personal data is processed. So, if your company or organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. We are the data controller of all personal data used in our business.

3.5 A data user is anyone whose work involves the use of personal data: our employees are data users. They are bound by a duty to protect the information they handle by always following our data protection and security policies.

3.6 A data processor is anyone who processes personal data on behalf of a data controller. This can include suppliers that handle personal data on our behalf.

3.7 The ‘processing’ of personal data refers to any activity that involves using the data. Data processing includes obtaining, recording, and holding the data in questions, as well as carrying out any operation or set of operations on the data such as organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring personal data to any third parties.

3.8 Sensitive personal data involve any data relating to a person’s ethnic or racial origin, political opinions, religious or non-religious beliefs, mental and physical health, trade union membership, and sexual life and condition. It also includes the commission of, or proceedings for, any offence committed (or alleged to have been committed) by any individual, the disposal of such proceedings, or the sentence of any court in such proceedings. Because of this, sensitive personal data can only be processed under extremely strict principles, and under normal circumstances will require the express permission of the individual in question.

4. Data Protection Principles

Anyone involved in the processing of personal data at Entitled1 is legally required to comply with the eight enforceable principles of good practice. These provide that personal data must be:

(1) Processed fairly and lawfully.

(2) Processed for limited purposes and in an appropriate way.

(3) Adequate, relevant and not excessive for the purpose.

(4) Accurate.

(5) Not kept longer than necessary for the purpose.

(6) Processed in line with data subjects’ rights.

(7) Secure.

(8) Not transferred to people or organisations situated in countries without adequate protection.

5. Fair and Lawful Processing

5.1 The purpose of the Act is not to prevent personal data being processed, but instead to ensure that any processing is done fairly and without adversely affecting the rights of the data subject. The data subject must be made aware of who the data controller is (Entitled1, in this case), who the data controller’s representative is Sam O’Shaughnessy the purpose for which the data is to be processed by Entitled1, and the identities of anyone to whom the data may be disclosed or transferred.

5.2 Lawful processing of personal data demands that certain conditions be met. These may include requirements that the data subject has provided explicit consent for the processing, or that the processing itself is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed.

6. Processing for Limited Purposes

Personal data processed by Entitled1 may only be processed for the specific subjects either consented to by the data subject, or for any other purposes specifically permitted by the Act.

Because of this, personal data must not be collected for one purpose and then used for another. Should the personal data need to be used for any other purpose, the data subject will need to be notified and then consent to the new processing.

7. Adequate, relevant and non-excessive processing

When collecting personal data from a data subject, Entitled1 will notify them of the specific purpose for which the data will be used. Then, data will be collected only enough to satisfy the requirements of this purpose.

Any data that is not necessary for this purpose will not be collected by Entitled1 in the first place.

8. Accurate Data

Personal data must be accurate and kept up to date. Information that is misleading or incorrect is not accurate, and therefore steps should be taken to check the accuracy of any personal data at the point of collection, and at regular intervals afterwards.

Legally, out-of-date or inaccurate data should be destroyed.

9. Timely Processing

Personal data will not be kept at Entitled1 for longer than is necessary for the purpose. Data that is no longer required will be destroyed or erased from our systems.

10. Processing in line with data subject’s rights

Data that is handled by Entitled1 will be processed in line with the rights of the data subject. Data subjects have a right to:

(a) Request access to any data held about them by a data controller.

(b) Prevent the processing of their data for direct-marketing purposes.

(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.

11. Data Security

11.1 At Entitled1, we must be sure to take appropriate security measures against unlawful or unauthorised processing of personal data, as well as against the accidental loss of – or damage to – personal data.

11.2 To be in accordance with The Act, Entitled1 must put in place technologies and procedures to maintain the security of all personal data from the point of collection to the point of erasure or destruction. Personal data collected by Entitled1 can only be transferred to a third-party data processor if they agree to comply with these procedures and policies, or if they put in place adequate measures themselves.

11.3 To maintain data security, Entitled1 must guarantee the confidentiality, availability, and integrity of the personal data, which is defined as follows:

(a) Confidentiality means that only people who are authorised to use the data will be able to access it

(b) Availability means that any authorised users should be able to access the data if, and only if, they need it for authorised purposes. Personal data at Entitled1 is stored on our central computer system instead of individual PCs.

(c) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed. When Entitled1 processes data for clients we only keep the relevant details needed for the pre-agreed data usage purposes.

11.4 Security procedures at Entitled1 are important for satisfying the criteria mentioned in 11.3. Our internal security procedures include:

(a) Securely locked filing cabinets, desks, and cupboards for storing physical copies of confidential information and personal data

(b) Entry controls – at Entitled1, we will immediately report any unauthorised individual found to have accessed/be accessing an entry-controlled area.

(c) Methods of disposal – At Entitled1, we must shred paper documents containing confidential information; as well as physically destroy or wipe hard-drives, CDs, and USBs containing confidential or personal data when they are no longer required.

(d) Data users at Entitled1 understand the importance of logging off their computer when it is left unattended, as well as ensuring confidential information cannot be seen by passers-by.

(e) Entitled1 data servers (which may store confidential information or data) is protected by encryption protocols, secure passwords, and firewalls.

12. Dealing with Subject Access Requests

Data subjects have the right to formally request any information that we hold about them by enquiring in writing to Entitled1. Any member of staff who receives a written request should forward it to the Data Protection Compliance Manager (Sam O’Shaughnessy) immediately.

13. Providing Information over the Telephone

At Entitled1, all our staff will; at some point; have to deal with a telephone enquiry. It is therefore important that they know to be careful about disclosing any personal information held by us. Staff at Entitled1 should:

(a) Check the caller’s identity to make sure that information is only given to a person who is entitled to it.

(b) If the member of staff is not sure about the caller’s identity, they may suggest that the caller put their request in writing to allow for further identity checks.

(c) Refer to the DPCM (Sam O’Shaughnessy) for assistance in a difficult situation. Staff at Entitled1 retain the right not to be bullied into disclosing personal information.

14. Monitoring and Review of the Policy

14.1 This policy is reviewed annually by Entitled1 staff. Recommendations for any amendments are reported and considered by all senior members of staff.

14.2 As time goes on, we will continue to regularly review the effectiveness of this policy to ensure it is achieving its stated objectives.

15. Controlling your Personal Information

Entitled1 will not sell, distribute, or lease your personal information to third parties unless we have your explicit consent, or are required by law to do so.

As the data subject, you have the right to restrict the collection or use of your personal information in the following ways:

(a) You may submit a request for details of any personal information which we hold about you under GDPR. If you would like a copy of the information that Entitled1 holds on you, please send a written request to Entitled1 LLC : 1445 16th Street #1003, Miami Beach, FL 33139.

(b) If you believe that any of the information we are holding on you is incomplete or incorrect, please write to us at the above address to correct this promptly.