Data Protection Policy

Introduction

The Company is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.

This policy outlines the rules, behaviours and standards required of the organisation, employees, workers and third parties working on behalf of the Company in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data. All workers will be responsible for data protection and must abide by the rules and policies of the Company.

Personal Data and Sensitive Personal Data

There are two types of personal data that fall under the GDPR and for which the Company, its employees, workers and third parties are responsible for. These are:

Personal Data
This is defined as any information relating to an identified or identifiable natural person. Identification can be by means of “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” This will include IP addresses and cookie strings.

Sensitive Personal Data
Sensitive personal data includes data relating to genetic and biometric data as well as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or a person’s sex life, sexual orientation or criminal offences.

Data Protection Principles

The Organisation is committed to adhering to the Data Protection Principles which state:

Data must be processed lawfully, fairly and in a transparent manner.
Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data processed must be adequate, relevant and limited to what is necessary.
Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure data that are inaccurate, are erased or rectified without delay.
Data must not be kept for longer than is necessary for the purposes for which the data are processed.
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.

Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. The Company is aware that in order to process personal data, or sensitive personal data, the Company must rely on the data being:

necessary for the performance of a contract, or;
in preparation for a contract, or;
to comply with our legal obligations, or;
for our legitimate business interests or;
to perform a task carried out in the public interest or in the exercise of an official authority.

If the organisation wishes to hold and process data which does not fall within conditions listed above, then it will seek to obtain the consent of the individual.

If it is necessary to obtain consent then the Company will write to the individual to ask for consent, ensuring that the consent is:

Freely given, specific, informed and unambiguous.
Separate from other terms.
Clear and in plain language.
As easy to give as to withdraw.
‘Explicit’ for sensitive data.
Given in a way that can be evidenced.
Unless consent to processing data is critical to the performance of a contract, the performance of a contract will not be made conditional on the basis that consent is given.

Personal Data

The Organisation collects and processes the following personal data:

Employee data: name, address, bank details, salary, NI number, pension and employee benefit details, contact details, next of kin for the purposes of payroll; health monitoring and emergency contact details driving licence for Health & Safety compliance; CV and performance documentation.
Customer data: business contact details; customer usage of OAS website statistics

Rights of Data Subjects

The Company will recognise that individuals have the following rights under data protection legislation:

the right to be informed, which encompasses the obligation on employers to provide transparency as to how personal data will be used;
the right of access;
the right to rectification of data that is inaccurate or incomplete;
the right to be forgotten under certain circumstances;
the right to block or suppress processing of personal data; and
the new right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services under certain circumstances.

Right of Access

Individuals have the right to access the information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records should give notice electronically, in writing, using the Subject Access Request Form which can be found on P:\Administration\Administration Templates\GDPR. Non-employees can contact privacy@oxfordsurfaces.com.

The Company has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.

In complex cases, or where there are numerous related requests, the Company will liaise with the individual to inform them of progress of their request(s), and if it is not possible to complete this within 1 month, the Company will inform the individual of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.

In the event that data is retained with third parties, the Company will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless impossible or if it would require disproportionate effort.

The Company reserves the right to charge a fee or to refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, the Company reserves the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.

Rectification of Data

The Company is committed to keeping data that is accurate and up to date. Data will be checked for accuracy where possible, and any data that is in accurate, out of date or unnecessary will be corrected or erased as appropriate.

Where an individual identifies that their personal data is incorrect or incomplete, or where they are aware that their personal data has changed, they must inform the organisation as soon as possible. The organisation will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.

In complex cases, or where there are numerous cases, the Company will liaise with the individual to inform them of progress of their request, and if it is not possible to complete this within 1 month, the Company will inform the individual of the delay and the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months.

In the event that data has been disclosed to third parties, the Company will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or if it would involve disproportionate effort.

The Right to be Forgotten

Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances i.e.

Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
When the individual withdraws consent.
When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
The personal data was unlawfully processed.
The personal data has to be erased in order to comply with a legal obligation.
The personal data is processed in relation to the offer of information society services to a child.

If you wish to ask for your own personal data to be partially/fully erased and no longer processed, please write to privacy@oxfordsurfaces.comwith full details of your request. The Company has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where the Company may be unable to comply include where it is required to retain the information by law, or if the data is needed in connection with legal proceedings.

In complex cases, or where there are numerous related requests, the Company will liaise with you to inform you of progress of the request, and if it is not possible to respond to this within 1 month, the Company will inform you of the delay, the reasons for the delay and reserves the right to extend the timescale for completion by up to a further 2 months, if necessary.

In the event that data is retained with third parties, the Company will ensure that the request is communicated and if appropriate actioned by the third party in line with the timescales outlined above.

Security of Data

The Company is committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.

Any data breaches will be managed according to the procedures documented in our Data Protection Breach Reporting Policy and Procedure.

Data Retention

The Company is committed to ensuring that subject data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes. As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data for some other legitimate reason.

The Company does not intentionally keep data longer than necessary and when data is no longer required, the Company is committed to securely deleting it as soon as possible.

For more information and our retention guidelines, please refer to our Data Retention Policy.

Data Breaches

All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, the member of staff should complete a Data Protection Breach Reporting Form, available at P:\Administration\admin Templates\GDPR (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to the Administrator as soon as possible and within 24 hours of the discovery of the breach. If you need help completing the form, or are unable to complete the form, then any delay should be avoided and instead the matter should be reported immediately, either verbally or using electronic means, such as email.

For more information regarding managing data protection breaches, please refer to the Data Protection Breach Reporting Policy and Procedure.

Transferring Personal Data to a Country Outside the EEA

We may transfer the personal information that we collect from you to a destination outside of the UK and, in some cases, outside of the European Economic Area (EEA) if necessary for the processing purposes we have described above (including where we transfer your personal information to third parties), for example to our bulk emailing service MailChimp and our CRM database Insightly. In these cases, staff operating outside of the EEA who work for one of our suppliers may process your personal information.

We may share your private personal information with such service providers subject to obligations consistent with this privacy notice and any other appropriate confidentiality and security measures, and on the condition that the third parties use your private personal data only on our behalf and in line with our instructions.

Data Portability

On occasion you may wish to allow your data to be transferred to another Organisation either by you receiving the data and transferring it, or by the data being transferred directly.

This right to data portability only applies to data that you have provided to the Company, where the data processing is based either on your consent or the performance of the contract and where the processing is carried out by automated means, and it will only be transferred where it is technically feasible to do so.

If you wish to make a request for your data to be transferred, you must write to us at XXX, and we will respond to you within 1 month. If the requests are numerous or complex we reserve the right to extend this timescale by a further 2 months. If we are unable to complete your request, we will write to you to inform you why, along with your right to complain to the Information Commissioner’s Office (ICO).

Objections to Personal Data Processing

You have the right to object to data processing where the Company is:

processing information based on its legitimate business interests, or the performance of a task in the public interest/exercise of official authority (including profiling)
direct marketing

If you wish to object to processing, you should write to privacy@oxfordsurfaces.com outlining the grounds relating to your particular situation and we will stop the processing unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is in relation to legal claims. If we are unable to agree to your request, we will write to inform you why, along with your right to complain to the ICO.

Organisational Data Protection Measures

The Company is committed to ensuring the security of your data and to processing it in line with the Data Protection rules. As such, the organisation will:

Ensure that all staff are aware of their responsibilities and the Organisation’s obligations and responsibilities in relation to data protection.
Ensure that all Organisations who handle data on our behalf are carrying out data processing in line with the Data Protection rules.
Regularly review the Organisation’s methods of data collection, handling, processing and storage.

Monitoring

We are committed to monitoring this policy and will update it as appropriate every three years or more frequently if necessary.

Any queries or concerns can be addressed directly to privacy@oxfordsurfaces.com

May 2018