Data Protection Policy

Introduction

1) The Company is committed to being transparent about how it collects and uses personal data, and to meeting its data protection obligations. This policy sets out the Company’s commitment to data protection, and individual rights and obligations in relation to personal data, and should be read in conjunction with the privacy notice issued.

DEFINITIONS

Company Personnel: all employees, workers (including contractors, agency workers and consultants), directors, members and others (including volunteers, interns and apprentices).

Controller: a person or Company that determines when, why and how to process Personal Data. As a data controller the Company is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data. This could be you, your colleagues, customers and suppliers or indeed any other person.

General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access, including but not limited to, data held in a filing system. Personal Data includes Special Categories of Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. This could include information in an electronic, paper or other format (e.g. images, multimedia, etc.)

Personal Data Breach: any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of Personal Data.

Privacy Notices: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one time privacy statements covering Processing related to a specific purpose.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Special Category: any data set which includes details of or reveals: race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex, sexual orientation or sex life.

WHAT AND WHO DOES THIS POLICY APPLY TO?

2) This Policy applies to all Personal Data that we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.

3) This policy applies to all Company Personnel (“you”, “your”). You must read, understand and comply with this Policy when Processing Personal Data on our behalf and attend training on its requirements. This Policy sets out what we expect from you in order for the Company to comply with applicable law. Any breach of this Policy may result in disciplinary action.

HOW WILL THE COMPANY PROCESS PERSONAL DATA?

4) The Company will process Personal Data in accordance with the following data protection principles:

a) the Company will process personal data lawfully, fairly and in a transparent manner.
b) the Company will collect personal data only for specified, explicit and legitimate purposes.
c) the Company will process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
d) the Company will keep accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
e) the Company will keep personal data only for the period necessary for processing.
f) the Company will adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

5) The Company will tell individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.

6) The Company will update Personal Data promptly if an Employee advises that his/her information has changed or is inaccurate. The Employee is under an obligation to keep the Company updated of any changes to their personal data.

7) Personal data gathered during employment, engagement as a worker, contractor or volunteer, or an apprenticeship or internship, is held in the individual’s personnel file (in hard copy or electronic format, or both), and on HR systems. The periods for which the Company holds personal data are contained in its privacy notices as issued to individuals at the point data is collected, or at other points as the Company deems its obligations require.


WHAT ARE MY OWN RIGHTS, AS A DATA SUBJECT?

8) As data subjects, employees have a number of rights in relation to their personal data. These are detailed in the relevant privacy notice provided to you. If you require a copy of this privacy notice it is available from the Payroll and HR Manager.


HOW DO I MAKE A DATA SUBJECT ACCESS REQUEST?

9) Individuals have the right to make a subject access request. If an individual makes a subject access request, the Company will tell him/her:

a) whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
b) to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
c) for how long his/her personal data is stored (or how that period is decided);
d) his/her rights to rectification or erasure of data, or to restrict or object to processing;
e) his/her right to complain to the Information Commissioner if he/she thinks the Company has failed to comply with his/her data protection rights; and
f) whether or not the Company carries out automated decision-making and the logic involved in any such decision-making.

10) The Company will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.

11) To make a subject access request, the individual should send the request to the HR and Payroll Manager. In some cases, the Company may need to ask for proof of identification before the request can be processed. The Company will inform the individual if it needs to verify his/her identity and the documents it requires.

12) The Company will normally respond to a request within a period of one month from the date it is received. In some exceptional cases, such as where the Company processes large amounts of the individual’s data, it may respond within two months of the date the request is received. The Company will write to the individual within one month of receiving the original request to tell him/her if this is the case.

13) If a subject access request is manifestly unfounded or excessive, the Company is not obliged to comply with it. Alternatively, the Company may agree to respond but will charge an administrative fee. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If an individual submits a request that is unfounded or excessive, the Company will notify the individual that this is the case and confirm whether or not it will respond to it.

WHAT SHOULD I DO IF I RECEIVE A DATA SUBJECT ACCESS REQUEST, OR IF SOMEONE ASKS ME TO PROVIDE THEIR DATA TO THEM?

14) You must immediately forward any Data Subject request you receive to The Payroll and HR Manager and take steps to comply with the above Data Subject response process.


HOW SHOULD YOU PROCESS PERSONAL DATA FOR THE COMPANY?

15) Everyone who works for, or on behalf of, the Company has some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Company’s Data Security and Data Retention policies.

16) The Payroll and HR Manager is responsible for reviewing this policy and updating the Board of Directors on the Company’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.

17) You should only access personal data if you need it for the work you do for, or on behalf of the Company and only if you are authorised to do so. You should only use the data for the specified lawful purpose for which it was obtained.

18) You should not share personal data informally.

19) You should keep personal data secure and not share it with unauthorised people.

20) You should regularly review and, where required or requested, update personal data you deal with. This includes telling us if your own contact details change.

21) You should not make unnecessary copies of personal data and should keep and dispose of any copies securely.

22) You should use strong passwords and not share your passwords with any other person.

23) You should lock your computer screens when not at your desk.

24) Do not save personal data to your own personal computers or other devices.

25) Personal data should never be transferred outside the European Economic Area except in compliance with the law and authorisation of the Board of Directors.

26) You should lock drawers and filing cabinets. Do not leave paper with personal data lying about.

27) You should not take personal data away from Company’s premises without authorisation from your line manager.

28) Personal data should be shredded and disposed of securely when you have finished with it.

29) You should ask for help from the Payroll and HR Manager or QSE Manager if you are unsure about data protection or if you notice any areas of data protection or security we can improve upon.

30) Any deliberate or negligent breach of this policy by you may result in disciplinary action being taken against you in accordance with our disciplinary procedure.

31) It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see below). This conduct would also amount to gross misconduct under our disciplinary procedure, which could result in your dismissal.

32) It should be noted that whilst this list provides examples, this is by no means an exhaustive list and you may be notified of other specific rules from time to time.


WHAT PURPOSES CAN PERSONAL DATA BE PROCESSED FOR?

33) Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.

34) Personal Data cannot be used for new, different or incompatible purposes from that disclosed when it was first obtained, unless you have informed the Data Subject of the new purposes and they have consented where necessary.


IS THERE A LIMIT TO HOW MUCH PERSONAL DATA CAN BE COLLECTED AND PROCESSED?

35) Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

36) You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.

37) You may only collect and Process Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.

38) You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company’s data retention guidelines.


WHAT SHOULD I DO IF PERSONAL DATA IS OUTDATED OR INCORRECT?

39) Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay, where found or reported to be inaccurate.

40) You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must follow the Company’s instructions to ensure the accuracy of Personal Data, including instructions related to destroying or amending inaccurate or out-of-date Personal Data.


HOW LONG CAN PERSONAL DATA BE STORED?

41) Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

42) You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.

43) The Company will maintain retention policies and procedures to ensure Personal Data is deleted at the point of no longer being required or the Company having no further lawful purpose for processing. This is unless a law requires such data to be kept for a minimum time. If you have any queries related to the retention period for personal data, please address these to the Payroll and HR Manager.


PRIVACY BY DESIGN

44) We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and Company measures in an effective manner, to ensure compliance with data privacy principles.

45) Some of the processing that the Company carries out may result in risks to privacy. Where processing would result in a high risk to individuals’ rights and freedoms, the Company will carry out a data protection impact assessment to determine the necessity and proportionality of the processing.

46) This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.


HOW WILL PERSONAL DATA BE PROTECTED?

47) Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

48) We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.

49) You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

50) You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

a) Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.
b) Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
c) Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.

51) You must comply with, and not attempt to circumvent, the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR and relevant standards to protect Personal Data.


WILL I RECEIVE TRAINING ON DATA PROTECTION?

52) The Company will provide training to all individuals about their data protection responsibilities as part of the induction process.

53) Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, may receive additional training to help them understand their duties and how to comply with them as appropriate.

54) At any time, if you have any questions about the operation of this Policy or the GDPR, not covered in training, please contact the Payroll and HR Manager.


WHAT SHOULD HAPPEN IN THE EVENT OF A DATA BREACH OCCURRING?

55) If the Company suspects or discovers that there has been a breach of personal data, and that this could pose a risk to the rights and freedoms of individuals, we will report the breach to the Information Commissioner within 72 hours of discovery. The Company will record all data breaches regardless of their effect and employees must therefore report any breach, regardless of any perceived level of severity.

56) If the breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

57) If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact your Line Manager, the Payroll and HR Manager or the QSE Manager. You should preserve all evidence relating to the potential Personal Data Breach. Failure to notify the designated person or team in itself may result in disciplinary action being taken against you.


WILL THE COMPANY TAKE DISCIPLINARY ACTION IF THERE IS A DATA BREACH?

58) No disciplinary action would automatically be taken simply as a result of a breach having occurred. An investigation would first need to be carried out, to establish the causes of the breach.

59) Where investigation reveals that a data breach has been caused (wilfully or negligently or without due care and attention) through an employee’s actions or inactions, this may lead to disciplinary action being taken. In the event of a serious breach and/or a failure to follow the appropriate procedures the Company has put in place for data processing, this could amount to an offence of gross misconduct.

60) Failure to report a breach, or suspected breach, could result in disciplinary action. In serious cases this could amount to an offence of gross misconduct.

61) Any disciplinary action taken would be following completion of a full investigation, and in line with the Company’s disciplinary procedure at chapter 14 of the employee handbook.


CHANGES TO THIS POLICY

62) We reserve the right to change this policy at any time.