East Bergholt Parish Council
Data Protection Policy
Policy Owner: Parish Clerk
Approved By: East Bergholt Parish Council
Approval Date: [Insert date]
Next Review Date: [Insert date]
Version: 1.0
Statutory Framework: UK GDPR and Data Protection Act 2018
1. Policy Statement
East Bergholt Parish Council is committed to protecting the rights and freedoms
of individuals whose personal data it processes. The Council will comply with the
UK General Data Protection Regulation (UK GDPR) and the Data Protection Act
2018 when handling personal data.
2. Scope
This policy applies to all councillors, employees, contractors, volunteers and any
third parties processing personal data on behalf of the Council.
Information routinely made available by the Council is published through the
Council’s Publication Scheme in accordance with the Freedom of Information Act
2000.
3. Legal Framework
This policy operates within the requirements of:
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Freedom of Information Act 2000
• Environmental Information Regulations 2004
For the purposes of this policy, processing refers to any operation performed on
personal data including collecting, recording, organising, storing, using, sharing
or deleting information.
4. Data Protection Principles
Personal data will be:
• Processed lawfully, fairly and transparently
• Collected for specified purposes
• Adequate, relevant and limited
• Accurate and kept up to date
• Retained only as long as necessary
• Processed securely
5. Lawful Basis for Processing
The Council processes personal data under the following lawful bases:
• Legal obligation
• Public task
• Contract
• Consent (where required)
Special category data will only be processed where permitted under Article 9 UK
GDPR.
6. Roles and Responsibilities
Council – Overall accountability for compliance.
Parish Clerk – Operational responsibility for ensuring compliance.
Data Protection Officer – Provides independent advice and monitoring.
East Bergholt Parish Council will appoint a Data Protection Officer (DPO)
in accordance with the requirements of the UK GDPR. The role may be
fulfilled through an external or shared service arrangement.
Councillors and Staff – Must handle personal data in accordance with this policy.
7. Data Governance
The Council will:
• Maintain Records of Processing Activities in accordance with Article 30 UK
GDPR.
• Conduct Data Protection Impact Assessments where appropriate.
• Ensure contracts with data processors contain appropriate data protection
provisions.
• Use data sharing agreements where necessary.
• Maintain a retention and disposal schedule.
• Ensure agendas, minutes and other public Council documents avoid the
inclusion of personal data wherever possible unless there is a clear lawful basis.
8. Data Security
Appropriate technical and organisational measures will be implemented, including
secure IT systems, password protection, restricted access and secure storage of
physical records.
9. Personal Data Breaches
Where a breach is likely to pose a risk to individuals, the Council will notify the
Information Commissioner’s Office within 72 hours of becoming aware of the
breach.
10. Compliance Monitoring
Compliance will be monitored periodically and the policy reviewed as required.