The General Data Protection Regulations (GDPR) gives rights to individuals (data subjects) whose personal data we collect, process, store, share and dispose of and this Policy sets out the Company’s obligations, principles and policies with which it will comply in relation to personal data.
The regulations require that any personal data held should be:
The regulations also give employees certain rights. For employment purposes, the most important rights are the right to be informed, the right to access the personal data held about the employee and the right to be forgotten.
Purposes for which Personal Data may be Held
Employee personal data will be collected to comply with our statutory requirements as an employer, to fulfil the performance of the employment contract and the legitimate business use of maintaining a successful employment relationship. Examples include:
The Company considers that the following, falls within the categories set out above:
Employees or potential employees will be advised by the Company of the personal data which has been obtained or retained, its source, and the purposes for which the personal data may be used or to whom it will be disclosed, as well as how long we will keep it for. For more information, please refer to the Company’s Privacy Notice.
The Company will review the nature of the information being collected and held on an annual basis to ensure there is a legitimate reason for requiring the information to be retained.
Special Category (Sensitive) Personal Data
Sensitive personal data includes information relating to the following matters. This type of data will only be processed where it is necessary for the purpose of carrying out our obligations and exercising our rights and that of the data subject in the field of employment.
Responsibility for the Processing of Personal Data
The Company will appoint a Data Protection Lead as the named individual responsible for ensuring all personal data is controlled in compliance with the General Data Protection Regulations (GDPR).
Employees who have access to personal data must comply with this Policy and adhere to the procedures laid down by the Data Protection Lead. Failure to comply with the Policy and procedures may result in disciplinary action up to and including summary dismissal.
Use of Personal Data
To ensure compliance with the General Data Protection Regulations (GDPR) and in the interests of privacy, employee confidence and good employee relations, the disclosure and use of information held by the Company is governed by the following conditions:
Disclosure of Personal Data
Personal data may only be disclosed outside the Company where disclosure is required by law, in order to facilitate performance of the employment contract, where there is immediate danger to the employee’s health or when explicit consent has been received.
Where the company is relying on an employee’s consent to process their data, the employee has a right to restrict processing or withdraw their consent for their data to be processed. Please speak to the Data Protection Lead or a member of management for further queries or to exercise your rights.
Accuracy of Personal Data
The Company will review personal data regularly to ensure that it is accurate, relevant and up to date.
In order to ensure the Company’s files are accurate and up to date, and so that the Company is able to contact the employee or, in the case of an emergency, another designated person, employees must notify the Company as soon as possible of any change in their personal details (e.g., change of name, address; telephone number; loss of driving licence where relevant; next of kin details, etc.).
The Company will review personal details records from time to time for the purposes of ensuring the data is up to date and accurate. Employees will be entitled to amend any incorrect details and these corrections will be made to all files held on the Company’s information systems. In some cases, documentary evidence, e.g., qualification certificates, will be requested before any changes are made.
Once completed, these records will be stored in the employee’s personnel file.
The Company will not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.
The Company will ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. For further information about how we keep personal data secure, please refer to our Information Security Policy and our Acceptable IT Use Policy.
Accountability and Record-Keeping
The Company’s Data Protection Lead is Mark Sowerby.
The Data Protection Lead is responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, other data protection-related policies and with the General Data Protection Regulations.
The Company will keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
Data Protection Impact Assessments
The Company will carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.
Data Protection Impact Assessments shall be overseen by the Data Protection Lead and shall address the following:
THE RIGHTS OF DATA SUBJECTS
Keeping Data Subjects Informed
The Company shall provide information to every data subject in line with the requirements of the GDPR via a Privacy Notice.
Data Subject Access
Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
Employees wishing to make a SAR should do using a Subject Access Request Form, sending the form to the Company’s Data Protection Lead at Woodacres Riding Stable, Rakes Lane, Old Edlington, Doncaster, South Yorkshire, DN12 1QB, United Kingdom.
Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
All SARs received shall be handled by the Company’s Data Protection Lead.
The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
Rectification of Personal Data
Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.
The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
Erasure of Personal Data
Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
Restriction of Personal Data Processing
Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
The Company processes personal data using automated means.
Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).
To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects when requested, when it is appropriate and in a format that is reasonable and manageable. Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.
All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.
Objections to Personal Data Processing
Data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.
Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.
Personal Data Collected, Held, and Processed
Personal data is collected, held, and processed in line with the Company’s Data Retention Policy and Schedule.
For full details of the organisational and technical measures the Company has taken please refer to the Information Security Policy.
Data Breach Notification
All personal data breaches must be reported immediately to the Company’s Data Protection Lead.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:
Employee monitoring covers monitoring of employees’ use of telephones, fax, e-mails, Internet use, recording of images of employees by CCTV and vehicle location monitoring. Monitoring may include the following:
Monitoring Without Employees’ Knowledge
Any monitoring that is carried out without the employee’s knowledge will only be done where they are suspected of being involved in criminal activity. Any monitoring will be carried out in accordance with the General Data Protection Regulations.
Monitoring With Employees’ Knowledge
The Company reserves the right to introduce additional monitoring from time to time. Before doing so, the Company will:
The Company will ensure employees are aware of when, why and how monitoring is to take place and the standards they are expected to achieve.
If disciplinary action results from information gathered through monitoring, the employee will be given the opportunity to see or hear the information in advance of the disciplinary meeting and make representations about it. The Company will ensure data collected through monitoring is kept secure, and access is limited to authorised individuals.
If the Company monitors telephones it will make employees aware of this. The Company will make available upon request a telephone in a private area, not subject to monitoring, for employees to make urgent personal calls.