GDPR POLICY 2018 POLICY STATEMENT
PSF is almost wholly a B2B organisation, with an extremely limited need for personal data. However, certain information is gathered, including from our own employees, in order to carry out the day-to-day functions of the business. In addition, we may occasionally be required by law to collect and use certain types of personal information to comply with the requirements of the law.
This information can include (but is not limited to) name, address, email address, telephone number, date of birth, pension information, IP address, bank details and sizing information.
We are committed to collecting, processing, storing, protecting and destroying all information in accordance with the GDPR.
The purpose of this policy is to ensure that PSF is meeting and continues to meet its legal, statutory and regulatory requirements under the GDPR and to ensure that all personal and special category data is safe, secure and processed compliantly whilst being used, stored or shared by us.
PSF supports and abides by the principles set out within the GDPR. Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals (lawfulness, fairness and transparency);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- Accurate and, where necessary, kept up to date (accuracy);
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
- Processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality).
Article 5(2) states that the controller shall be responsible for, and be able to demonstrate compliance with, the principles (the accountability principle). This principle requires both data controllers and data processors to document and record their processing activities to show how they comply with the GDPR.
LAWFUL PROCESSING CONDITIONS
Article 6 of the GDPR lists the lawful bases for processing. Prior to carrying out any processing activity on personal information, we always identify and establish the legal basis for processing and verify this with the regulation. We will not process any personal data unless one of the following conditions is met:
- Consent – the data subject has given consent to the processing of his or her personal data for one or more specified purposes;
- Performance of a contract – processing is necessary for the performance of a contract to which the data subject is party;
- Performance of a Legal Obligation – processing is necessary for compliance with a legal obligation to which the data controller (PSF) is subject;
- Vital Interests – processing is necessary in order to protect the vital interests (a life or death situation) of the data subject or of another natural person;
- Public Task – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (PSF);
- Legitimate Interests – processing is necessary for the purposes of legitimate interests pursued by the controller (PSF) or by a third party.
Our legal basis for processing is documented on our Record of Processing Activity document.
Where any of our processing activities rely on the data subject’s consent, we will ensure that we collect that consent in accordance with the GDPR. Under the GDPR, consent must be:
- Freely given – the data subject must have a genuine choice; where there is an imbalance of power between the data controller and the data subject, for example employer and employee, consent cannot be considered freely given;
- Specific – the data controller must explain its purpose(s) for the processing of the personal data so that the data subject can consent to the purpose(s) specifically;
- Informed – the data subject must be given all necessary details of the processing activity so that they can comprehend how the processing may affect them;
- An unambiguous indication – the data subject’s statement or clear affirmative action must leave no doubt as to their intention to give consent;
- A clear affirmative action – consent is given on an opt-in basis, for example an unticked box which the data subject can then tick themselves.
Where PSF relies on consent for the processing of personal data, we will also ensure that the data subject can withdraw their consent as easily as they gave it, and where consent is withdrawn we will respect their wishes.
If PSF relies on legitimate interests as our lawful condition for processing, for instance in staff salaries, then we will be transparent with the data subject about what the legitimate interests are.
THE INFORMATION COMMISSIONER’S OFFICE (ICO)
The Information Commissioner’s Office (ICO) is an independent regulatory office which reports directly to Parliament and whose role is to uphold information rights in the public interest.
Under the GDPR, the ICO is the UK’s Supervisory Authority and can issue enforcement notices and fines for breaches of any of the Regulations, Acts and Laws regulated by it.
PSF understands that any infringement of the GDPR is likely to result in action being taken by the ICO, including possible fines. We recognise that under the GDPR, fines may be levied as follows:
- Up to 10 million Euro, or 2% of annual global turnover (whichever is higher), for infringements concerning the obligations of the controller and processor, the obligations of the certification body and the obligations of the monitoring body; and
- Up to 20 million Euro, or 4% of annual global turnover (whichever is higher), for infringements concerning the basic principles for processing (including conditions for consent), the data subjects’ rights, transfers of personal data to a recipient in a third country or an international organisation, any obligations pursuant to UK law, or non-compliance with an order from the supervisory authority (the ICO).
PSF is registered with the ICO and appears on the Data Protection Register as a Tier 1 Data Controller with the registration number Z5736066.
To help us meet the regulatory requirements of GDPR, we have developed a set of objectives.
PSF will:
- Develop, implement and maintain procedures governing the collection, processing and disposal of personal data to ensure they are in accordance with the GDPR;
- Only obtain, store and process personal data where we have a valid, lawful basis for doing so;
- Be open and transparent with our customers so that they feel confident and secure when providing us with their personal data, knowing that it will be processed in compliance with the GDPR;
- Ensure that all employees are aware of their responsibilities and obligations when handling personal data;
- Continually review our business practices and policies with regard to the GDPR to identify any non-compliance issues before they become a risk; and
- Protect the rights given to data subjects by the GDPR and ensure that we have suitable facilities in place to help them exercise those rights.
DATA SUBJECT RIGHTS
Data subjects have the following rights under GDPR:
- The right to be informed;
- The right to access;
- The right to rectification;
- The right to erasure (also known as the “right to be forgotten”);
- The right to restriction of processing;
- The right to data portability;
- The right to object to processing.
According to Article 22 of the GDPR, an individual also has “the right not to be subject to a decision based solely on automated decision making, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.
PSF has updated its Privacy Notice which will appear on the company’s website and was notified to all IP addresses upon its release. This will cover its policy with regard to any personal information gathered in the performance of the contract between the company and the data subject.
A separate staff notice was issued to all employees covering the collection, processing, storage, security and ultimate destruction of personal information within payroll provision and HR.
DATA SUBJECT ACCESS REQUESTS (SARs)
PSF recognises and will facilitate a data subject’s right to access any personal data we hold or process about that individual. We will supply a data subject with their personal data within one month of receiving their request, and this will be provided free of charge unless continual and persistent requests are made.
In accordance with the storage limitation principle, PSF will not keep an individual’s personal data for longer than necessary. We have specified retention periods and disposal methods for all categories of personal data that we process and these are detailed in our Records Retention and Disposal Policy.
PSF will not share personal data with anyone unless it is a requirement in order to fulfil a contract between us and the data subject (for instance, a credit card processing company) or unless requested by a legal authority.
POLICY REVIEW AND CONTACT DETAILS
Changes to the company’s Privacy Notice or this policy may be made from time to time and it is recommended that you view our website for the latest versions. Should you have any questions on either of these policies you may contact us at firstname.lastname@example.org or by telephone on 0114 2738349 or by writing to us at Progressive Safety Footwear and Clothing Limited, 101 Worthing Road, Sheffield, S9 3JN.
ISSUE DATE: MAY 2018