This document sets out The Bigger Boat’s policy in regards to the GDPR.
Where The Bigger Boat is acting as a Data Processor as defined by the GDPR:
1. All processing performed by The Bigger Boat shall be governed by a contract that sets out the subject matter and duration of the processing. The Bigger Boat’s lawful basis for processing is a binding contract.
2. The Bigger Boat will not engage another sub-processor or process data in another country outside the EU without prior written authorisation of the controller.
3. Data will be encrypted where required in accordance with the contract, within the technical constraints of the available technology.
4. The Bigger Boat will take steps to ensure that any person acting under its authority that has access to personal data does not process them except under the written instructions of the contracted controller or processor.
5. At the choice of the controller, The Bigger Boat will delete or return data at the end of the contracted services.
6. The Bigger Boat will keep records of processing activities within the technical constraints of available technology.