Privacy Policy, GDPR, Cookies & T&C's

Processing of personal data

We share our data with various third-parties for numerous reasons so that day-to-day activities are carried out in accordance with our relevant policies and procedures. So that we can monitor compliance by these third-parties with data protection laws, we will require the third-party organisations to enter into an agreement with us to govern the processing of data, the security measures to be implemented and responsibility for breaches.

Data sharing
Personal data is from time to time shared between us and third-parties who also require to process personal data that we process. Both we and the third-party will be processing that data in our individual capacities as data controllers.

Where we share in the processing of personal data with a third-party organisation (e.g. for processing of the employees’ pension), we shall require the third-party organisation to enter into a data sharing agreement with us in accordance with the terms of the model data sharing agreement set out in Appendix 3 to this policy.

Data processors
A data processor is a third-party entity that processes personal data on our behalf and is frequently engaged where certain parts of our work are outsourced (e.g. payroll, maintenance and repair works).

A data processor must comply with data protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a data breach is suffered.

If a data processor wishes to sub-contract their processing, our prior written consent must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.

Where we contract with a third-party to process personal data held by us, we shall require the third-party to enter into a data protection addendum with us in accordance with the terms of the model data protection addendum set out in Appendix 4 to this policy.

Data storage and security

All personal data held by us must be stored securely, whether electronically or in paper format.

Paper storage
If personal data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no personal data is left where unauthorised personnel can access it. When the personal data is no longer required it must be disposed of by the employee so as to ensure its destruction. If the personal data requires to be retained on a physical file then the employee should ensure that it is properly secured within the file (e.g. stapled, or the documents are put on a Treasury Tag within the file), which is then stored in accordance with our storage provisions.

Electronic storage
Personal data stored electronically must also be protected from unauthorised use and access. Personal data should be password protected when being sent internally or externally to our data processors or to those with whom we have entered into a data sharing agreement. If personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used. Personal data should not be saved directly to mobile devices and should be stored on designated drives and servers.

Breaches

A data breach can occur at any point when handling personal data and we have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach require to be reported externally in accordance with clause 7.3 hereof.

Internal reporting
We take the security of data very seriously and in the unlikely event of a breach will take the following steps:

As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the data protection officer (DPO) must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s); we must seek to contain the breach by whatever means available;
The DPO must consider whether the breach is one which requires to be reported to the Information Commissioner’s Office (ICO) and to the data subjects affected, and do so in accordance with this clause 7;
Notify third parties in accordance with the terms of any applicable data sharing agreements.

Reporting to the ICO and Data Subjects
The DPO is required to report any breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach to the ICO within 72 hours of the breach occurring. The DPO must also consider whether it is appropriate to notify those data subjects affected by the breach.

Data protection officer

A DPO is an individual who has an over-arching responsibility and oversight over compliance by us with data protection laws. We have elected to appoint a DPO whose details are noted on our website and contained within the fair processing notice at Appendix 3 hereto.

The DPO will be responsible for:
monitoring our compliance with data protection laws and this policy;
co-operating with and serving as our contact for discussions with the ICO;
reporting breaches or suspected breaches to the ICO and data subjects in accordance with part 7 hereof.

Data subject rights

Certain rights are provided to data subjects under the GDPR. Data subjects are entitled to view the personal data held about them by us, whether in written or electronic form. We have one month to respond to requests from data subjects exercising their rights.

Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to our processing of their data. These rights are notified to our customers in our FPN.

Subject access requests
Data subjects are permitted to access a copy of their data held by us upon making a request to do so (a subject access request). Upon receipt of a request by a data subject, we must respond to the subject access request within one month of the date of receipt of the request. We:

Must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law;
Where the personal data comprises data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the subject access request; or
Where we do not hold the personal data sought by the data subject, must confirm that we do not hold any personal data sought by the data subject as soon as practicably possible, and in any event not later than one month from the date on which the request was made.

The right to be forgotten
A data subject can exercise their right to be forgotten by submitting a request in writing to us seeking that we erase the data subject’s personal data in its entirety.

Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with this clause and will respond in writing to the request.

The right to restrict or object to processing
A data subject may request that we restrict our processing of the data subject’s personal data, or object to the processing of that data.

In the event that any direct marketing is undertaken from time to time by us, a data subject has an absolute right to object to processing of this nature by us, and if we receive a written request to cease processing for this purpose, then we must do so immediately.

Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.

Data Protection Impact Assessments

Data protection impact assessments (DPIAs) are a means of assisting us in identifying and reducing the risks that our operations pose to the personal privacy of data subjects.

We shall:
Carry out a DPIA before undertaking a project or processing activity which poses a high risk to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing personal data.

In carrying out a DPIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that we will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.

We will require to consult the ICO in the event that a DPIA identifies a high level of risk which cannot be reduced. The DPO will be responsible for such reporting, and where a high level of risk is identified by those carrying out the DPIA they require to notify the DPO within five (5) working days.

Archiving, retention and destruction of data
We cannot store and retain personal data indefinitely. We must ensure that personal data is only retained for the period necessary. We shall ensure that all personal data is archived and destroyed timeously and at the point that we no longer need to retain that personal data in accordance with the periods specified within the table at Appendix 5 hereto.
