• complies with data protection law and follows good practice
• protects the rights of staff, customers, suppliers and other contacts
• is open about how it stores and processes individuals’ data
• protects itself from the risks of a data breach
General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and, together with the Data Protection Act 2018, replaced the Data Protection Act 1998, bringing with it a wider scope of protections for individuals and greater accountability for the data controller and processor. The Regulation describes how organisations must collect, handle and store personal information. The GDPR applies to ‘personal data’, meaning any information relating to a person who can be directly or indirectly identified, in particular by reference to an identifier. This definition allows a wide range of personal identifiers to constitute personal data, including a name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Regulation is underpinned by six principles, set out in Article 5(1). These say that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawfulness of Processing
Under the GDPR, The Business processes personal data under the following lawful bases (Article 6(1) and, for special category data, Article 9(2)):
- 6(1)(a) With the consent of the data subject.
- Applicable to all data held on employees, suppliers and customers, and to any person who contacts the business in a personal capacity (e.g. a sales or job enquiry).
- 6(1)(b) Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
- Applicable to people in a contractual relationship with organisations that have a contractual relationship with The Business to provide a product or service (e.g. drivers).
- 6(1)(c) Processing is necessary for compliance with a legal obligation.
- Applicable to information held that is required for statutory reporting (e.g. employees’ P60 returns).
- 6(1)(f) Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
- Applicable to information held on employees to enable The Business (and third parties contracted by The Business) to discharge its contractual obligations as an employer (e.g. payroll, pension administration).
- 9(2)(b) Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
- Applicable to information held on employees, and to people in a contractual relationship with organisations that have a contractual relationship with The Business to provide a product or service (e.g. P46 or P11D reporting for drivers of a company car).
Under the GDPR, there are a variety of methods for obtaining consent to store personal data, and these are closely linked to the lawful basis on which the data is processed.
For the majority of individuals within the scope of the GDPR, The Business (including third parties contracted by The Business) relies on legitimate interests under 6(1)(f) above rather than on consent. Where consent is the basis, it is obtained at the time the individual provides the personal information to The Business.
Where processing is based on consent, individuals have the right to withdraw that consent from The Business at any time. Withdrawal does not affect the lawfulness of processing carried out before it was withdrawn. It should be noted that withdrawing consent may affect an individual’s ability to fulfil their contractual or non-contractual obligations to either The Business or a third party, and so The Business recommends that the individual consult with the relevant party in the first instance.
The Rights of the Individual
There are a number of enhanced rights for individuals under the scope of the GDPR:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. We will provide individuals with information including: our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
We will provide privacy information to individuals at the time we collect their personal data from them. If we obtain personal data from other sources, we will provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month. There are a few circumstances when we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them. The information we provide to people will be concise, transparent, intelligible, easily accessible, and it will use clear and plain language. We will regularly review, and where necessary, update our privacy information. We will bring any new uses of an individual’s personal data to their attention before we start the processing.
Right of Access
You have a right to access the personal information we hold about you. To do this, please contact email@example.com.
We aim to respond to any request in writing within one month. If your request is particularly complex, we may extend this by a further two months, but we will contact you within the first month to explain why.
Within the scope of the GDPR, we always aim to provide this information free of charge. However, in line with the regulations, we reserve the right to charge a reasonable fee for any manifestly unfounded, excessive or repeated requests; or where multiple copies of the response are required. This fee will be aligned to the actual cost of providing the information.
Under certain exceptional circumstances, we may refuse your request for information. This would generally be because we cannot legally disclose it. If we do this, we will explain why we have taken this action, and provide you with an escalation point within the relevant supervisory authority.
Right to Rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing to firstname.lastname@example.org. We will respond to a request within one month. In certain circumstances, we can refuse a request for rectification.
Right to Erasure
You have the right to request that we erase any personal data held about you, subject to you providing a valid reason for this request within the scope of the GDPR. The Business will not ordinarily refuse such a request, unless it would render The Business liable for a breach of its legal obligations.
If you wish to make a representation under the Right of Erasure, please write to email@example.com stating what data you wish to have erased, and the reason for the request.
The Business will respond in writing within one month stating the action taken. It should be noted that erasure of data may affect an individual’s ability to fulfil their contractual or non-contractual obligations to either The Business or a third party, and so The Business recommends that the individual consult with the relevant party in the first instance.
Right to Restrict Processing
You have the right to restrict the processing of your personal data in certain circumstances. Where processing is restricted, The Business may continue to store the data but may not otherwise process it, except with your consent, for the establishment, exercise or defence of legal claims, or where the GDPR otherwise permits.
If you wish to make a representation under the right to restrict processing, please write to firstname.lastname@example.org, stating what data you wish to restrict from processing. The Business will respond in writing within one month stating the action taken.
It should be noted that restricting processing may affect an individual’s ability to fulfil their contractual or non-contractual obligations to either The Business or a third party, and so The Business recommends that the individual consult with the relevant party in the first instance.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
This enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. The right only applies to information an individual has provided to a controller (e.g. an employer), and only where the processing is based on consent or on a contract and is carried out by automated means.
Right to Object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies, we may be able to continue processing if we can demonstrate compelling legitimate grounds for doing so which override your interests, rights and freedoms. We will inform you of your right to object. An individual can make an objection verbally or in writing to email@example.com. We will respond to an objection within one month.
Rights in relation to automated decision making and profiling
The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
Complaints or Corrections
In the first instance, please address any complaint or correction to firstname.lastname@example.org. We will aim to resolve the complaint in a satisfactory and timely manner.
Where a correction relates to data provided by a third party for processing on their behalf, we may ask you to contact them to correct the data ‘at source’, or to give us permission to do this on your behalf.
If you are unable to reach a satisfactory resolution, you may report a concern to the Information Commissioner’s Office (ICO) on 0303 123 1113.
If you have any questions about this policy, please email email@example.com or write to: EHS Data Ltd, Halifax Court, Fernwood Business Park, Newark-on-Trent, NG34 3JP, United Kingdom.