We are committed to ensuring the secure and safe management of data held in relation to customers, staff and other individuals. Our staff members have a responsibility to ensure compliance with the terms of this policy and to manage individuals’ data in accordance with the procedures outlined in this policy and documentation referred to herein.
We need to gather and use certain information about individuals. Such information can include customers, employees and other individuals that we have a relationship with. We manage a significant amount of data from a variety of sources. This data contains personal data and sensitive personal data (known as special categories of personal data under the GDPR).
This policy sets out our duties in processing that data, and the purpose of this policy is to set out the procedures for the management of such data.
It is a legal requirement that we process data correctly; we must collect, handle and store personal information in accordance with the relevant legislation.
The relevant legislation in relation to the processing of data is:
3.1 We hold a variety of data relating to individuals, including customers and employees (also referred to as data subjects) which is known as personal data. The personal data we hold and process is detailed within the Fair Processing Notice at Document ref: DP004 and the Data Protection Addendum of the Terms and Conditions of Employment which has been provided to all employees.
3.1.1 “Personal data” is that from which a living individual can be identified either by that data alone, or in conjunction with other data held by the company.
3.1.2 We also hold personal data that is sensitive in nature (i.e. relates to or reveals a data subject’s racial or ethnic origin, religious beliefs, political opinions, relates to health or sexual orientation). This is “special category personal data” or “sensitive personal data”.
4.1 We are permitted to process personal data on behalf of data subjects provided we are doing so on one of the following grounds:
4.2 Fair Processing Notice
4.2.1 We have produced a Fair Processing Notice (FPN) which is provided to all data subjects whose personal information we hold. Our FPN is provided to data subjects from the outset of processing their personal data.
4.2.2 The Fair Processing Notice at Document reference DP004 sets out the personal data processed by us and the basis for that processing.
4.3.1 Employee personal data and, where applicable, special category personal data or sensitive personal data, is held and processed by the company. Details of the data held and the processing of that data are contained within the employee Fair Processing Notice which is provided to employees at the same time as their contract of employment.
4.3.2 A copy of any employee’s personal data held by the company is available upon written request by that employee from the company’s HR Manager.
Consent, as a ground of processing, will require to be used from time to time by the company when processing personal data. Consent should be used by us only where no other alternative ground for processing is available. In the event that we require to obtain consent to process a data subject’s personal data, the consent should be obtained as a positive confirmation and shall not be the subject of default.
The consent provided by you must be freely given. Any consent to be obtained by us will be for a specific and defined purpose (i.e. general consent cannot be sought).
4.5 Processing of Special Category Personal Data or Sensitive Personal Data
In the event that the company processes special category personal data or sensitive personal data, the company must do so in accordance with one of the following grounds of processing:
Personal data is from time to time shared between us and third parties who are also required to process the personal data that we process. We and the third party will be processing that data in our individual capacities as data controllers.
5.1.2 Where we share in the processing of personal data with a third party organisation (e.g. for processing of the employees’ pension), we shall require the third party organisation to enter into a Data Sharing Agreement with us in accordance with the terms of the model Data Sharing Agreement set out in the Data Sharing form (see document ref DP003).
5.2 Data Processors
A data processor is a third party entity that processes personal data on behalf of the company, and is frequently engaged where certain aspects of the company’s work are outsourced (e.g. payroll, maintenance and repair works).
5.2.1 A data processor must comply with data protection laws. The company’s data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify the company if a data breach is suffered.
5.2.2 If a data processor wishes to sub-contract their processing, prior written consent of the company must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
5.2.3 Where the company contracts with a third party to process personal data held by the company, it shall require the third party to enter into a Data Protection Addendum with the company in accordance with the terms of the personal data map (document ref DP005).
All personal data that we hold will be stored securely.
6.1 Paper Storage
If personal data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no personal data is left where unauthorised personnel can access it. When the personal data is no longer required it must be disposed of by the employee so as to ensure its destruction. If the personal data requires to be retained on a physical file then the employee should ensure that it is affixed to the file which is then stored in accordance with the company’s storage provisions.
6.2 Electronic Storage
Personal data stored electronically must also be protected from unauthorised use and access. Personal data should be password protected when being sent internally or externally to the company’s data processors or to those with whom the company has entered into a Data Sharing Agreement. If personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used. Personal data should not be saved directly to mobile devices and should be stored on designated drives and servers.
We take the security of data very seriously and in the event of a breach will take the following steps:
7.2 Internal reporting
The company takes the security of data very seriously and in the unlikely event of a breach will take the following steps:
7.3 Reporting to the ICO
The DPO is required to report to the ICO, within 72 hours of the breach occurring, any breach which poses a risk to the rights and freedoms of the data subjects who are the subject of the breach. The DPO must also consider whether it is appropriate to notify those data subjects affected by the breach.
8.1 A Data Protection Officer is an individual who has an over-arching responsibility and oversight over compliance by the company with data protection laws. The company has elected to appoint a Data Protection Officer whose details are noted on the company’s website and contained within the Fair Processing Notice at document reference DP004.
8.2 The DPO will be responsible for:
9.1 Certain rights are provided to data subjects under the GDPR. Data subjects are entitled to view the personal data held about them by the company, whether in written or electronic form.
9.2 Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to the company’s processing of their data. These rights are notified to the company’s employees and other data subjects in the company’s Fair Processing Notice.
9.3 Subject Access Requests
You are permitted to view your data held by us upon making a request to do so (a Subject Access Request). Upon receipt of your request, we will respond to the Subject Access Request within one month.
We will comply with your request in accordance with these rules. Please email email@example.com.
9.4 The Right to be Forgotten
9.4.1 You can exercise your right to be forgotten by submitting a request in writing to email@example.com seeking that we erase your personal data in its entirety.
9.4.2 Each request that we receive will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time.
9.4.3 The DPO will have responsibility for accepting or refusing your request in accordance with clause 9.4 and will respond in writing to the request.
9.5 The Right to Restrict or Object to Processing
9.5.1 You may request that we restrict our processing of your personal data, or object to the processing of that data.
9.5.1.1 In the event that any direct marketing is undertaken from time to time by us, you have an absolute right to object to processing of this nature, in which case please send a written request to firstname.lastname@example.org to cease processing for this purpose, and we will do so within 72 hours.
9.5.2 Each request that we receive will be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.
10.1 Privacy Impact Statements (PIA) are a means of assisting the company in identifying and reducing the risks that our operations have on the personal privacy of data subjects.
10.2 The company shall:
10.3 The company is required to consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The DPO will be responsible for such reporting, and where a high level of risk is identified by those carrying out the PIA, they are required to notify the DPO within five (5) working days.
The company cannot store and retain personal data indefinitely. It must ensure that personal data is only retained for the period necessary. The company shall ensure that all personal data is archived and destroyed in accordance with the regulation.