20 Sept 2018
Scope of the Policy
The General Data Protection Regulation (GDPR) applies to ‘personal information’, which is defined by the Information Commissioner’s Office (ICO) as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
DePe Gear Company Ltd recognises that the correct and lawful treatment of personal information is a key part of good business practice and is committed to protecting the confidentiality and integrity of personal data and to respecting privacy.
This policy (and any other documents referred to in it) sets out the basis on which any personal data we collect, or that is provided to us, will be processed by us.
For the purpose of GDPR and the Data Protection Act 2018 (the Act), the person responsible for reviewing and implementing this policy at DePe Gear Company Ltd is the Support Services Manager.
Information protection principles
DePe will comply with data protection law, so all personal information we hold must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes and not used in any way which is incompatible with those purposes.
- Relevant to the purpose of use and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purpose intended.
- Kept securely.
Lawful bases for processing
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is processed:
(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests).
Depending on the particular circumstances, DePe relies on one or more of (a), (b), (c) and (f) as the lawful basis for processing personal data.
Personal information collected and retained
The following information may be provided, collected and retained:
- Clients, suppliers and sub-contractors: data needed and provided for the normal process of administering orders and contracts, but also data acquired via e-mail, post or by phone. This may include variations of names, positions, copies of qualification certificates and direct contact details such as e-mail addresses and phone numbers (company or private), etc.
- Employees: data acquired from direct contact. Details may include: name, address, telephone number, e-mail address, date of birth, gender, marital status, salary, payslips?, tax code, bank, pension, National Insurance, employment details and any human resources administration, e.g. copies of grievance or disciplinary hearings and minutes, records of working time, expense claims, photographs, copies of driving licences, passports and other documentation providing the right to work in the UK, health assessments, etc.
Purpose for collecting personal information
Personal information is collected and retained for the following purposes:
- Customer Organisations: for the administration of contracts of work, or inquiries relating to prospective contracts, undertaken as normal business practice between the relevant parties.
- Suppliers and Sub-contractors: for requesting quotations and the completion of orders or contracts consistent with the on-going business relationship and, where appropriate, its continuation.
- Employees: for the contract of employment and associated records and communication.
Uses made of the information
We use information held about individuals in the following ways:
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products or services that you request from us;
- to administer your employment with us.
Security, Integrity and Confidentiality
Personal Information is secured and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. We ensure:
- Confidentiality & Availability: only people who have a need to know and are authorised can access it.
- Integrity: that personal information is accurate and suitable for the purpose for which it is processed.
Access and sharing
Any data subject has a right to request a copy of their personal data, and to ask for this to be corrected, erased, or its use to be restricted. Data subjects may also object to any processing or request that their data is transferred.
We may need to request confirmation of identity to confirm the requester’s right to access the personal information.
Disclosure of your information
We may disclose your personal information to third parties including suppliers and sub-contractors:
- for the performance of any contract we enter into with you,
- in the event that we sell or buy any related business or assets, in which case, if it is necessary we may disclose your relevant personal data to the prospective seller or buyer of such business or assets,
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation.
Storage and Security
- Storage: all personal information is retained on the main DePe server for use for that particular company or in personnel files for that particular person.
Back-ups of the server are made to the cloud daily (managed by our outsourced IT provider) and weekly to an external hard drive retained off site by a DePe Gear Co Ltd employee.
- Security: all third-party service providers are required to take appropriate security measures to protect your personal information in line with our policy and we do not allow our third-party service providers to use your personal information for their own purposes.
Redant & Microsoft files are protected through Microsoft Office 365’s Avast and Cloudcare and the external back-up also through Avast Cloudcare.
Measures are in place to protect the security of your information to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
- Security Breaches: procedures to deal with any suspected information security breach are in place including immediate communication to any relevant parties regarding the breach and any actions taken.
Personal information is retained only for as long as necessary to fulfil the purposes for which it was collected, including for the duration of the contractual relationship and to satisfy any legal, accounting or reporting requirements. The appropriate retention period takes account of the purpose, amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure, whether those purposes can be achieved by other means, and the applicable legal requirements.
- Hard Copies: these are shredded or disposed of in a manner such that the details cannot be used.
- Computer Records are deleted from the appropriate storage facility.