Privacy Policy

DATA PROTECTION POLICY OF TORAH ACTION LIFE

1. POLICY STATEMENT
1.1 Everyone has rights with regard to the way in which their personal data is handled. During the course of our activities we will collect, store and process personal data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in our organisation and the services we provide.

2. ABOUT THIS POLICY
2.1 The types of personal data that Torah Action Life (We) may be required to handle include information about current, past and prospective users. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) (unless and until the GDPR is not applicable in the UK), each as amended and/or updated from time to time, and other regulations (Data Protection Legislation).
2.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.
2.4 The Data Protection Compliance Manager is responsible for ensuring compliance with the Data Protection Legislation and with this policy. That post is held by Simy Vaz Mouyal at info@torahactionlife.com; Tel 07792460986. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager. TAL identifies itself as a Data Controller and is registered with the UK Information Commissioner’s Office (ICO), registration number CSN9880506. You may lodge a complaint with the ICO in the event of TAL’s noncompliance with UK Data Protection law.

3. DEFINITION OF DATA PROTECTION TERMS
3.1 Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3.2 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
3.3 Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK or an EEA national or resident. All data subjects have legal rights in relation to their personal information.
3.4 Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Data Protection Legislation.
3.5 Data users are those of our employees and contractors whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.6 Data processors include any person or organisation that is not a data user that processes personal data on behalf of a data controller or on its instructions. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on the data controller’s behalf.
3.7 Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
3.8 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3.9 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
3.10 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
3.11 Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

4. DATA PROTECTION PRINCIPLES
Anyone processing personal data must comply with the enforceable principles of good practice. These provide that personal data must be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
(b) Processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those processes (‘purpose limitation’).
(c) Adequate, relevant and limited to what is necessary in relation to the purpose for which the data is processed (‘data minimisation’).
(d) Accurate and where necessary kept up to date (every reasonable step must be taken to ensure that personal data that is inaccurate having regard to the purpose for which it was processed is erased or rectified without delay) (‘accuracy’).
(e) Kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (‘storage limitation’).
(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (‘integrity and confidentiality’).
(g) Processed in line with data subjects’ rights.
(h) Not transferred to people or organisations situated in countries without adequate protection.

5. LAWFULNESS, FAIRNESS AND TRANSPARENCY
5.1 The Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
5.2 For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. These include, among other things, the data subject’s consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met.

6. PURPOSE LIMITATION
6.1 In the course of our business (including the provision of services involving data processing to our clients), we may collect and process the personal data set out in the Schedule. This may include data we receive directly from a data subject (for example, by completing a form on a website) and data we receive from other sources (for example, the data that we receive from our clients concerning the users of their websites and other systems).
6.2 We will only process personal data for the specific purposes set out in the Schedule or for any other purposes specifically permitted by the Data Protection Legislation.

7. DATA MINIMISATION
Personal data will only be collected to the extent that it is required for the specific purpose notified to the data subject by the data controller.

8. ACCURACY
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

9. STORAGE LIMITATION
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

10. INTEGRITY AND CONFIDENTIALITY
10.1 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Data Protection Legislation and to protect the rights of data subjects.
10.2 In order to ensure data protection by design and by default, we will:
(a) take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
(b) put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
(c) maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(i) Confidentiality means that only people who are authorised to use the data can access it.
(ii) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(iii) Availability means that authorised users should be able to access the data if they need it for authorised purposes.
(d) Unless otherwise agreed with the data subjects in writing in advance, all data processing takes place within the UK and all personal data remains within the UK.

11. PROCESSING IN LINE WITH DATA SUBJECT’S RIGHTS
11.1 We will process all personal data in line with data subjects’ rights, in particular their right to:
(a) Request access to any data held about them by a data controller or a data processor (right to make a subject access request).
(b) Request that any inaccurate data held about them by a data controller or a data processor be amended (right to request rectification).
(c) Request that any data held about them by a data controller or a data processor be deleted in certain circumstances (right to be forgotten).
(d) Request that processing of any data held about them by a data controller or a data processor be restricted in certain circumstances (right to request restriction of processing).
(e) Request that any data held about them by a data controller or a data processor be transferred to another data controller (right to data portability).
(f) Object to the processing of any data about them by a data controller or a data processor where such processing is based solely on automated processing (including profiling) (right to object to automated individual decision-making, including profiling).
(g) Object to the processing of any data about them by a data controller or a data processor where such processing is for the purpose of direct marketing (right to object to direct marketing).
11.2 Where processing is based on consent:
(a) The controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
(b) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the Data Protection Legislation will not be binding.
(c) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed accordingly. It shall be as easy to withdraw as to give consent.
(d) When assessing whether consent is freely given, the data controller shall take account of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
(e) Where processing personal data relating to a child on the basis of consent, the processing of that personal data shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child (and the data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology).

12. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA
12.1 Personal data may be transferred outside the European Economic Area (EEA), provided that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
(b) The data subject has given his consent.
(c) The transfer is necessary for one of the reasons set out in the Data Protection Legislation, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
12.2 We will only transfer personal data outside the EEA where one of the conditions set out in clause 12.1 has been complied with.

13. DISCLOSURE AND SHARING OF PERSONAL INFORMATION
13.1 We may share personal data we hold with any member of our group.
13.2 We may also disclose personal data we hold to third parties:
(a) In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
(b) If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
13.3 We may also disclose personal data if we are under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
13.4 We may also share personal data we hold with selected third parties for the purposes set out in the Schedule.

14. DEALING WITH REQUESTS BY THE DATA SUBJECT
14.1 Data subjects may make a request regarding any of the rights set out in clause 11.
14.2 All such requests should be made in writing and sent to the Data Protection Compliance Manager as specified in clause 2.5.
14.3 When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
(a) We will check the caller’s identity to make sure that information is only given to a person who is entitled to it.
(b) We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.

15. CHANGES TO THIS POLICY
This policy may change from time to time. Where appropriate, we will notify data subjects of those changes by mail or email.
Torah Action Life, [December 2017]

Schedule Data processing activities of Torah Action Life (TAL)
TAL system: A TAL system will be one of the following:

• Website
• Mobile App
• Web Application

Standard types of data processing

System to email

How we do this:

• We provide web forms to collect the data fields as listed in the specification (e.g. registration forms, contact forms, enquiry forms, call me back forms). Upon submission, the System processes the data to create one or more emails which are sent to Client or User specified recipients.
• Email data transmission is inherently insecure; once data has left the System, TAL have no access to, or responsibility for, the servers or transport mechanisms over which the email is transmitted.
• The transmitted data reside on third party systems outside of our control.

System to Database

How we do this:

• We provide web forms to collect the data fields as listed in the specification (e.g. registration forms, contact forms). Upon form submissions, the system processes the data to store it directly within a database located within the same environment as the hosting server.
• Our databases are strictly locked down to limit access.
• No client or third party has access to the server databases, except for our datacentre support engineers, who log any access and are contracted to access only during a TAL-initiated service request or a TAL-created monitoring trigger that requires investigation.

Database providers include but are not limited to:

• MySQL / MariaDB
• SQL Server

System to third party email distributor / email marketing automator

How we do this:
• Data that has been collected on the website and stored within the System database is segmented according to attributes as requested by the Client.
• Using the API provided by the email distributor / email marketing automator, or via a Client-initiated manual (.csv) export of data from the System, data required for the email distributor is processed and transferred to the email distributor.
• The email distributor will then process the data on behalf of the Client for the purposes of sending the email, using either content supplied from the System or built in the email distributor terminal.
• The third party APIs are most usually encrypted using SSL and/or an encrypted data payload using an account specific encryption key.
• TAL advise Clients against using APIs where the third party API does not support data encryption.
• The transmitted data then resides on third party systems outside of our control.

Third party email distributors / email marketing automators include but are not limited to:

• Mailchimp
• Mailgun
• Sendgrid

System to Payment Service Provider

How we do this:

• Non PCI DSS Data that has been collected on the website for the purposes of completing an online transaction is transmitted to a payment service provider for the purpose of off-site card data capture and payment processing. This will include customer name and address, order details and order value for processing.
• No PCI DSS data is collected or stored on the System.
• The third party APIs are most usually encrypted using SSL and/or an encrypted data payload using an account specific encryption key.
• TAL advise Clients against using APIs where the third party API does not support data encryption.
• Upon authorisation success or failure, only an authorisation field is returned to the System. No PCI DSS is received or stored following payment processing.
• The transmitted data reside on third party systems outside of our control.

Payment Service Providers include but are not limited to:

• Worldpay
• Sagepay
• Stripe
• PayPal
• GoCardless
• EPDQ
• GlobalIris

System to Hosting provider / backup service

How we do this:

• Customer data is stored within Data Centres operated and owned by one of our hosting providers and backup services. As part of our ISO 27001 accreditations data centres go through a compliance check to ensure they meet industry standards (e.g. ISO 27001 and/or SSAE 16). In-data centre environment backups are managed by the data centre team. Access to backup data and restoration is strictly on instruction by TAL only and is logged.
• Where backup data is transmitted externally from the data centre environment, data is encrypted using AES 256 and then transmitted over AES 128 communication channel with ISO 27001 assessed partners. Access to backup data and restoration is strictly by TAL only.

Hosting providers / backup services include but are not limited to:
• Peer 1
• Rackspace
• Digital Ocean
• CrashPlan

System to client service via API or Alternate Protocol

How we do this:

• Upon instruction by the Client, TAL work with the client service vendor/support team to establish the API requirements. Only data specifically required for the client service is transmitted over the API or alternate protocol.
• The third party APIs are most usually encrypted using SSL and/or an encrypted data payload using an account specific encryption key.
• TAL advise Clients against using APIs or alternate protocols where the third party does not support data encryption.
• The transmitted data reside on third party systems outside of our control.

Client Services include but are not limited to:

• Client owned
• Client Contracted

System to Regulators

How we do this:

• Upon instruction by the Client and/or a regulator, TAL work to establish the scope of the data required.
• Only data specifically required for the regulator is transmitted over an API or exported for manual submission.
• The transmitted data reside on third party systems outside of our control.

Regulators include but are not limited to:

• Ofsted

System to Analytics Providers

How we do this:

• The Client provides their unique analytics account details which are used in conjunction with tracking code(s), most usually JavaScript, on the system transmitting data to the analytics provider via an API.
• These codes most frequently track anonymised data.
• In some circumstances and where instructed by the Client, non-anonymised data can also be transmitted. This data is limited to the scope required by the Client.
• The third party APIs are most usually encrypted using SSL and/or an encrypted data payload using an account specific encryption key.
• TAL advise Clients against using APIs where the third party API does not support data encryption.
• The transmitted data reside on third party systems outside of our control.

Analytics Providers include but are not limited to:

• Google Analytics
• Facebook
• Twitter
• TAL Server Analytics
• HotJar

TAL to Law Enforcement

How we do this:

• Upon law enforcement request, and having notified the Client where permitted, TAL will work with law enforcement to establish the scope of assets requiring to be transferred.
• Where user data sits within a database or file-store, an agreed encryption method is used.
• Data is transmitted to law enforcement encrypted and confirmation is required to confirm receipt.
• Provision of decryption keys is always via a separate data exchange to the encrypted assets; ideally over another medium.
