The Company needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the products and services defined by our business type. Such data is collected from employees, workers, contractors, guests, customers and suppliers.
We are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and any other relevant data protection laws and codes of conduct (herein collectively referred to as “the data protection laws”).
Processing means any activity that involves using personal information. This includes collecting personal information, recording it, storing it, retrieving it, using it, amending it, disclosing it, destroying it, and transferring it to third parties.
The purpose of this policy is to ensure that the Company and its staff meet their legal, statutory and regulatory requirements under the data protection laws and to ensure that all personal and special category information is processed compliantly and in the individual’s best interest. This will ensure that we are protecting individuals whose personal information we process and maintaining confidence in our organisation and our business reputation.
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas), and pertains to the processing of personal information.
This policy does not form part of your terms and conditions of employment or engagement except to the extent that it imposes obligations on you. We may amend this policy at any time and may vary it as appropriate to a particular case.
As the Company processes personal information regarding individuals (data subjects), we are obligated under the GDPR to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the data protection laws and principles.
We have appointed a Privacy Officer. If you have any questions about this policy or your data protection obligations, please contact the Privacy Officer. They can be contacted via email: firstname.lastname@example.org
Information protected under the GDPR is known as “personal data” and is defined as: –
- Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, date of birth, opinion about a person’s actions or behaviour (for example expressed in an email or interview notes), an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data
The Company ensures that a high level of care and measures are afforded to personal data falling within the GDPR’s ‘special categories’ (previously sensitive personal data), due to the assumption that this type of information could be used in a negative or discriminatory way and is of a sensitive, personal nature to the persons it relates to.
‘Special categories of Personal Data’ includes: –
- Information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The GDPR Principles
The data protection laws require that personal data shall be: –
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’)
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’)
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The Company will ensure that: –
- We protect the rights of individuals with regards to the processing of personal information
- We develop, implement and maintain a data protection policy for compliance with the data protection laws
- Every business practice, function and process carried out by the Company, is monitored for compliance with the data protection laws and its principles
- Data is only processed where we have met the lawfulness of processing requirements
- We only process special category data in accordance with the data protection laws
- We record consent at the time it is obtained and evidence such consent to the Supervisory Authority where requested
- All staff (including new starters and agents) are competent and knowledgeable about their GDPR obligations and are provided with training in the data protection laws, principles, regulations and how they apply to their role and our business
- Individuals feel secure when providing us with personal information and know that it will be handled in accordance with their rights under the data protection laws
- We maintain a continuous program of monitoring, review and improvement with regards to compliance with the data protection laws and to identify gaps and non-compliance before they become a risk
- We monitor the Supervisory Authority, European Data Protection Board (EDPB) and GDPR news and updates, to stay abreast of updates, notifications and additional requirements
- We have robust and documented Data Breach controls for identifying, investigating, reviewing and reporting any breaches or complaints with regards to data protection. The Company Data Breach Procedure can be located in the Employee Handbook.
- We have a Privacy Officer who takes responsibility for the overall supervision, implementation and ongoing compliance with the data protection laws
- We have an audit/monitoring program in place to perform regular checks and assessments on how the personal data we process is obtained, used, stored and shared. The audit program is reviewed against our data protection policies, procedures and the relevant regulations to ensure continued compliance
- We store and destroy all personal information in accordance with the data protection laws’ timeframes and requirements
- Any information provided to an individual in relation to personal data held or used about them will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language
- Employees are aware of their own rights under the data protection laws
- We have developed and documented appropriate technical and organisational measures and controls for personal data security
Our approach is applied with the aim of mitigating the risks associated with processing personal data through prevention via our processes, systems and activities. We therefore have additional measures in place to adhere to this ethos, including: –
We only ever obtain, retain, process and share the data that is essential to carry out our services and legal obligations and we only keep it for as long as is necessary.
Our systems, employees, processes and activities are designed to limit the collection of personal information to that which is directly relevant and necessary to accomplish the specified purpose.
Measures to ensure that only the necessary data is collected include: –
- Electronic collection (i.e. forms, website, surveys etc) only has the fields that are relevant to the purpose of collection and subsequent processing.
- Physical collection (i.e. face-to-face, telephone etc) is supported using scripts and internal forms where the required data collection is ascertained using predefined fields. Again, only that which is relevant and necessary is collected
- We have agreements in place with third-party controllers who send us personal information. These state that only relevant and necessary data is to be provided as it relates to the processing activity we are carrying out.
In the course of your work for us, you must only process personal information in accordance with our privacy notices and any relevant policies, guidelines and procedures that we put in place.
You must ensure that you have read and understood the privacy notices and any relevant policies, guidelines and procedures. Contact the Privacy Officer if you are unsure about any aspect of these.
You must contact the data protection office immediately if you are unsure whether particular processing of personal information is within the terms of the relevant privacy notice, or you are otherwise unsure as to whether we have a lawful basis for processing particular personal information.
In the course of your work for us, you must ensure that:
- You only access and process personal information that is necessary to perform your work. You must not access or process personal information for any reason unrelated to your work.
- You only collect personal information that we actually need – it must be relevant, given the purpose for its collection. Do not collect excessive personal information.
- As far as possible, the personal information you process is accurate and up to date.
- You maintain accurate records of your work and the personal information that you process.
- You use appropriate language if you record an opinion about someone (for example, in an email) bearing in mind that they may be entitled to see this.
- You don’t mislead anyone as to how their personal information may be used.
- You keep personal information secure and perform your work in such a way as to protect the personal information that we hold. In particular, you must comply with all policies, guidelines and procedures that we put in place to secure personal information (including the use of any technology). You must take particular care in protecting special categories of personal information from loss or unauthorised access, use or disclosure.
- You do not attempt to circumvent the safeguards we use to protect personal information (including administrative, physical and technical safeguards).
- Unless our policies specifically allow you to do otherwise, you store all personal information in our systems or, for paper records, on our premises, and you do not remove personal information from our premises (in electronic or paper format) or store personal information elsewhere (for example, on a computer, laptop or mobile phone not provided by us).
- If you have permission to remove personal information from our premises, when outside of our premises, you do not leave any paperwork containing personal information, or any device or material on which personal information is stored, unattended at any time.
- You keep all passwords secure and do not reveal them to anyone else.
- You only dispose of paperwork containing personal information in the confidential waste bins provided on our premises.
- You do not create unnecessary copies of personal information.
- You check that the addresses are correct on letters, emails or other communications you are sending that contain personal information, and that any attachments or enclosures are correct. Take particular care to check email addresses when using a predictive (auto-complete) email address function, or if an email is going to multiple addressees.
- When communicating with someone by email for the first time, you send a test message to establish that you have the correct email address before sending any personal information.
- You consider whether the means you are using to communicate personal information is appropriate, taking account of the sensitivity of the content.
- You do not use your personal email address for work purposes.
- You do not discuss or reveal personal information which relates to workplace matters in a public setting where it may be seen or overheard.
- You comply with any policies, guidelines or procedures relating to the sharing of personal information.
- You only share personal information with another of our employees, workers or contractors, or with one of our agents or representatives, if that person has a work-related need to know the information.
- You only share personal information with third parties (including, for example, our service providers) if:
  - they have a need to know the personal information (for example, in order to provide services to us);
  - the relevant privacy notice gives notice that the personal information may be shared with that third party; and
  - you are satisfied that the third party will comply with the data protection principles as outlined above, in particular that the personal information will be kept secure.
- You have received data protection training and, if you are a line manager, that your team has received all such training.
- If you are responsible for the deletion or anonymization of personal information, this is done in accordance with any relevant privacy notice or policy. We must not keep personal information for longer than necessary.
- If you are responsible for collecting the personal information of any individual indirectly (i.e. not from the individual themselves but, for example, from a third party or publicly available source) you ensure that the individual receives the relevant privacy notice either:
  - within a reasonable period after you collect the information (maximum one month), unless this would involve disproportionate effort; or
  - if you use the personal information to communicate with the individual before then, when the first communication with them takes place (at the latest); or
  - if you are disclosing the personal information to someone else, before this happens.
- You contact the Privacy Officer immediately if you are concerned that personal information provided to you by a third party has not been collected in accordance with the data protection principles outlined above.
- You inform the Privacy Officer immediately if you acquire any personal information in error.
Notify the Privacy Officer of certain activities
It may be necessary for the data protection to carry out a ‘data protection impact assessment’ before you undertake certain activities that involve processing personal information.
A ‘data protection impact assessment’ will consider the impact of the activities; identify privacy risks and steps to minimise those risks; and evaluate whether the activities are permitted by data protection law.
As such, you must not do any of the following without first notifying (as early as possible) the Privacy Officer so they can decide whether a data protection impact assessment is required:
- Process new types of personal information i.e. personal information which has not been collected before.
- Process personal information in a new or significantly different way, including via the use of new technologies.
- Use personal information for a purpose other than that for which it was collected.
- Enter a contract with a third party that involves disclosing or sharing personal information.
- Any new or significantly different use of automated processing of personal information to evaluate an individual, for example to analyse or predict an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Any new or significantly different use of automated decision-making i.e. where a decision is made on a solely automated basis without meaningful human involvement, and it has a significant effect on individuals.
- Any new or significantly different large scale processing of special categories of personal information; or large scale, systematic monitoring of a publicly accessible area. Whether processing is ‘large scale’ will depend on, for example, the number of individuals, volume of data, range of data, duration of processing, or geographical extent – if you are in any doubt as to whether processing is large scale, contact the Privacy Officer.
- Implement significant changes to systems or the business (including new or different technology) which involve processing personal information.
- Any new direct marketing activity (including electronic marketing by email, telephone, fax or text message) that is not clearly authorised by the Managing Director and/or Marketing Consultant.
- Transmit or send personal information to, or view or access personal information in, a country outside of the European Economic Area (EEA), where this has not been previously authorised by the Privacy Officer. The EEA is the 28 countries in the European Union, along with Iceland, Liechtenstein and Norway.
You must comply with any directions from the Privacy Officer in relation to the above, and the terms of any data protection impact assessment.
Legal Basis for Processing (Lawfulness)
At the core of all personal information processing activities undertaken by the Company, is the assurance and verification that we are complying with Article 6 of the data protection laws and our lawfulness of processing obligations. Prior to carrying out any processing activity on personal information, we always identify and establish the legal basis for doing so and verify these with the regulations.
Data is only obtained, processed or stored when we have met the lawfulness of processing requirements, where: –
- The data subject has given consent to the processing of their personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which we are subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company
- Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child).
The Company utilise external processors for certain processing activities. Such external processing includes (but is not limited to): –
- IT Systems and Services
- Legal and Insurance Services
- Payroll Services
- Human Resources
- Pension and benefit providers
- Direct Marketing Services
We have strict due diligence and measures in place and review, assess and background check all processors prior to forming a business relationship. We audit their processes and activities prior to contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that they are obligated under to confirm compliance. The continued protection of the rights of the data subjects is our priority when choosing a processor and we understand the importance of outsourcing processing activities as well as our continued obligations under the data protection laws even when a process is handled by a third-party.
Data Retention & Disposal
The Company have defined procedures for adhering to the retention periods as set out by the relevant laws, contracts and business requirements, as well as adhering to the data protection laws requirement to only hold and process personal information for as long as is necessary. All personal data is disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion) and prioritises the protection of the personal data at all times.
Please refer to our Data Retention & Erasure Policy for full details on our retention, storage, periods and destruction processes.
Consent & The Right to be Informed
The collection of personal and sometimes special category data is a fundamental part of the products/services offered by the Company and we therefore have specific measures and controls in place to ensure that we comply with the conditions for consent under the data protection laws.
The data protection law defines consent as; ‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Where processing is based on consent, the Company have reviewed and revised all consent mechanisms to ensure that: –
- Consent requests are transparent, use plain language and are void of any illegible terms, jargon or extensive legal terms
- It is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes
- Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the processing of personal data
- Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand
- Pre-ticked, opt-in boxes are never used
- Where consent is given as part of other matters (i.e. terms & conditions, agreements, contracts), we ensure that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service)
- Along with our company name, we also provide details of any other third party who will use or rely on the consent
- Consent is always verifiable, and we have controls in place to ensure that we can demonstrate consent in every case
- We keep detailed records of consent and can evidence at a minimum: –
  - that the individual has consented to the use and processing of their personal data
  - that the individual has been advised of our company name and any third party using the data
  - what the individual was told at the time of consent
  - how and when consent was obtained
- We have ensured that withdrawing consent is as easy, clear and straightforward as giving it and is available through multiple options, including: –
  - Opt-out links in mailings or electronic communications
  - Opt-out process explanation and steps on website and in all written communications
  - Ability to opt-out verbally, in writing or by email
- Consent withdrawal requests are processed immediately and without detriment
- Controls and processes have been developed and implemented to refresh consent, especially those relating to parental consents
- For special category data, the consent obtained is explicit (stated clearly and in detail, leaving no room for confusion or doubt) with the processing purpose(s) always being specified
The Company maintain rigid records of data subject consent for processing personal data and are always able to demonstrate that the data subject has consented to processing of his or her personal data where applicable. We also ensure that the withdrawal of consent is as clear, simple and transparent as it is to give consent.
Where the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent is presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Consent to obtain, process, store and share data (where applicable), is obtained by the Company through:
- In Writing
- Electronic (i.e. via website form)
Privacy Notices are used in all forms of consent and personal data collection, to ensure that we are compliant in disclosing the information required in the data protection laws in an easy to read and accessible format.
This document is our Data Protection Policy and includes how we comply and how our staff must comply with the data protection laws principles, the manner in which we process data, guidelines and procedures for ensuring that data subjects can exercise their rights and our approach to data protection by design and default. This policy provides detail on how we apply the principles, what procedures we follow in the compliance with the data protection laws and any specific individual and/or departmental responsibilities.
Our Privacy Notice is separate from our Data Protection Policy and is provided to individuals at the time we collect their personal data (or at the earliest possibility where that data is obtained indirectly).
Subject Access Requests (SAR)
Individuals have the right to request to have access to their data. Please refer to our Data Subject Access Request Procedure for the guidelines on how an SAR can be made and what steps we take to ensure that access is provided under the data protection laws.
The Company will provide all personal information pertaining to the data subject to them on request and in a format that is easy to disclose and read. We ensure that we comply with the data portability rights of individuals by ensuring that all personal data is readily available and is in a structured, commonly used and machine-readable format, enabling data subjects to obtain and reuse their personal data for their own purposes across different services.
All data held and processed by the Company is reviewed and verified as being accurate wherever possible and is always kept up to date. Where inconsistencies or inaccuracies are identified we will take every reasonable step to ensure that such inaccuracies are corrected with immediate effect.
Where notified of inaccurate data by the data subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them. The data subject is informed in writing of the correction and where applicable, is provided with the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or completion, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy.
The Right to Erasure
The Company ensures that personal data which identifies a data subject, is not kept longer than is necessary for the purposes for which the personal data is processed.
All personal data obtained and processed by the Company is categorised when assessed by the information audit and is either given an erasure date or is monitored so that it can be destroyed when no longer necessary.
Please refer to our Data Retention & Erasure Policy for exact procedures on erasing data.
The Right to Restrict Processing
There are certain circumstances where the Company restricts the processing of personal information, to validate, verify or comply with a legal requirement of a data subject’s request. Restricted data is removed from the normal flow of information and is recorded as being restricted on the information audit.
Any account and/or system related to the data subject of restricted data is updated to notify users of the restriction category and reason. When data is restricted it is only stored and not processed in any way.
The Company will apply restrictions to data processing in the following circumstances: –
- Where an individual contests the accuracy of the personal data and we are in the process of verifying the accuracy of the personal data and/or making corrections
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether we have legitimate grounds to override those of the individual
- When processing is deemed to have been unlawful, but the data subject requests restriction as opposed to erasure
- Where we no longer need the personal data, but the data subject requires the data to establish, exercise or defend a legal claim
Where data is restricted, and we have disclosed such data to a third-party, we will inform the third-party of the restriction in place and the reason and re-inform them if any such restriction is lifted.
Data subjects who have requested restriction of data are informed within 30 days of the restriction application and are also advised of any third-party to whom the data has been disclosed. We also provide in writing to the data subject, any decision to lift a restriction on processing. If for any reason, we are unable to act in response to a request for restriction, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy.
Objections and Automated Decision Making
Data subjects are informed of their right to object to processing in our Privacy Notices and at the point of first communication, in a clear and legible form and separate from other information. We provide opt-out options on all direct marketing material and provide an online objection form where processing is carried out online.
Individuals have the right to object to: –
- Processing of their personal information based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- Direct marketing (including profiling)
- Processing for purposes of scientific/historical research and statistics
Where the Company processes personal data for the performance of a legal task, in relation to our legitimate interests or for research purposes, a data subject’s objection will only be considered where it is on ‘grounds relating to their particular situation’. We reserve the right to continue processing such personal data where: –
- We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
- The processing is for the establishment, exercise or defence of legal claims
Where we are processing personal information for direct marketing purposes under a previously obtained consent, we will stop processing such personal data immediately where an objection is received from the data subject. This measure is absolute, free of charge and is always adhered to.
Where a data subject objects to data processing on valid grounds, the Company will cease the processing for that purpose and advise the data subject of cessation in writing within 30 days of the objection being received.
The Company understands that decisions absent of human interactions can be biased towards individuals and pursuant to the data protection laws, we aim to put measures into place to safeguard individuals where appropriate. Via our Privacy Notices, in our first communications with an individual and on our website, we advise individuals of their rights not to be subject to a decision when: –
- It is based on automated processing
- It produces a legal effect or a similarly significant effect on the individual
In limited circumstances, the Company will use automated decision-making processes within the guidelines of the regulations. Such instances include: –
- Where it is necessary for entering into or performance of a contract between us and the individual
- Where it is authorised by law (e.g. fraud or tax evasion prevention)
- When based on explicit consent to do so
- Where the decision does not have a legal or similarly significant effect on someone
Where the Company uses automated decision-making processes, we always inform the individual and advise them of their rights. We also ensure that individuals can obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it.
Security & Breach Management
The Company aims to ensure the maximum security of data that is processed and applies controls to protect personal information and to ensure its security from consent to disposal.
Whilst every effort and measure are taken to reduce the risk of data breaches, the Company has dedicated controls and procedures in place for such situations, along with the notifications to be made to the Supervisory Authority and data subjects (where applicable).
If you know or suspect that there has been a personal information breach, you must preserve all evidence and immediately contact the Privacy Officer via the following contact details: email@example.com. You must make this contact immediately (even outside of business hours and at nights or weekends) in order to:
- reduce the risk of damage to any affected individuals and our business; and
- allow us to comply with any obligation to notify the Information Commissioner (the UK supervisory authority for data protection) or the individuals affected.
Please refer to our Data Breach Procedure for specific protocols.
Passwords are a key part of the Company protection strategy and are used throughout the company to secure information and restrict access to systems. Passwords afford a high level of protection to resources and data and are mandatory requirements for all employees and/or third-parties who are responsible for one or more account, system or have access to any resource that requires a password.
Transfers & Data Sharing
The Company takes proportionate and effective measures to protect personal data held and processed by us at all times. However, we recognise the high-risk nature of disclosing and transferring personal data and, as such, place an even higher priority on the protection and security of data being transferred. We will use only approved and secure methods of transfer.
Extensive controls, measures and methods are used by the Company to protect personal data, uphold the rights of data subjects, mitigate risks, minimise breaches and comply with the data protection laws and associated laws and codes of conduct.
The Directors have overall responsibility for due diligence, privacy impact assessments, risk analysis and data transfers where personal data is involved and will also maintain adequate and effective records and management reports in accordance with the data protection laws and our own internal objectives and obligations.
Staff who manage and process personal or special category information will be provided with extensive data protection training and will be subject to continuous development support and mentoring to ensure that they are competent and knowledgeable for the role they undertake.
Any noncompliance with this policy or any sub policies referenced herein may result in disciplinary action, up to and including dismissal without notice.
Acknowledgement of receipt
You confirm that you have read and understood this Data Protection Policy.