Data Protection
1. Data protection contact
2. What do terms used in this policy mean?
3. Responsibility for data protection
As a data controller, we are responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that we do more than just say that we are complying with data protection laws, but that we are also able to demonstrate compliance. We do this principally by:
implementing processes and policies that enable us to comply with data protection laws, such as not collecting more personal data than we need, providing comprehensive, clear and transparent privacy notices, and creating and improving security features;
undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in a high risk to the rights and freedoms of data subjects;
introducing new technical measures (such as new software, hardware, or processes) where appropriate;
undertaking periodic internal audits of personal data held by us; and
training staff.
4. How should personal data be processed?
Any personal data that we process must:
be processed fairly, lawfully and in a transparent manner;
be processed ONLY for specified, explicit and legitimate purposes;
be relevant and limited to what is necessary for the legitimate purpose(s) for which it is processed;
be accurate and kept up to date, ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
not be kept for any longer than is necessary to fulfil the purpose(s) for which it was collected; and
be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. Lawfulness, fairness and transparency
The GDPR is not intended to prevent the processing of personal data; rather, the GDPR aims to ensure that it is done lawfully and transparently, minimising any adverse effect on the rights of the data subject. For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR.
The following are some of the bases upon which we will rely as a business to process personal data. Where processing is necessary:
for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
for compliance with a legal obligation to which we are subject; and/or
in the pursuit of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
In addition to the bases set out above, we can also process a data subject's personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject's wishes. A data subject will have the right to withdraw any consent given.
For special categories of personal data to be processed lawfully, there are additional conditions which must be met, in addition to satisfying one of the above bases for processing personal data. Legitimate bases for processing special categories of personal data include that:
the data subject has given explicit consent to the processing of that data for one or more specified purposes;
the processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective agreement;
the processing is necessary for the purposes of preventive or occupational medicine, or for the assessment of the working capacity of an employee;
the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent;
the processing relates to personal data which has been made public by the data subject; and/or
the processing is necessary for establishing or defending legal claims.
6. Central data record
7. Keeping personal data secure
When we process personal data, we will do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
We will do this by:
encrypting personal data where appropriate/possible;
ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
ensuring the restoration of access to personal data in a timely manner in the event of a physical or technical incident; and
facilitating regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring data security.
In assessing the appropriate level of security, we shall take into account the risks associated with the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that we process.
Desks and cupboards should be kept locked if they hold personal data or confidential information of any kind. Data users must ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computer/tablet when it is left unattended.
Whenever we transfer personal data or confidential information outside our own systems or offices (for example when information is taken off site by employees to visit customers or for home working) there is a risk that the personal data or confidential information may be lost, misappropriated, or accidentally released. Steps should be taken to minimise the risk of theft, loss, destruction, damage or unauthorised use of personal data or other confidential information when data is transferred. Such steps could include:
taking only the personal data that you need to take, ensuring that it is anonymised where possible and kept secure;
ensuring that bags or cases containing paper records are not left visible or unattended for longer than is absolutely necessary. If it is unavoidable to leave paper records in a vehicle (e.g. whilst refuelling) the data must be locked in a secure compartment or boot of the vehicle;
ensuring that paper records are not carried 'loosely' but instead kept in a file or folder so that they are not visible to onlookers.
You should have permission from your manager before taking personal data off site. It must also be brought back and securely stored at the earliest opportunity.
8. Personal data breach
It is very important that we are alive to the risks of personal data breaches, and that we react quickly to an apparent breach.
A personal data breach may not be evident straightaway. However, there may be indicators of a personal data breach, system compromise, unauthorised activity, or signs of misuse. A personal data breach can happen in many ways, including:
loss of a mobile device or hard copy file which contains personal data (e.g. leaving it on a train);
theft of a mobile device or hard copy file which contains personal data (e.g. stolen from a vehicle or home);
human error (e.g. a member of staff sending an email containing personal data to an unintended recipient, or accidentally altering or deleting personal data);
cyber-attack (e.g. opening an attachment to an email from an unknown third party which contains ransomware or other malware);
allowing unauthorised use/access (e.g. permitting an unauthorised third party to access secure areas of the office or our systems);
unusual log-in and/or excessive system activity, in particular from any active user accounts;
unusual remote access activity;
the presence of any spoof wireless (Wi-Fi) networks visible or accessible from our working environment;
equipment failure;
hardware or software key-loggers found connected to or installed on our systems;
unforeseen circumstances such as a fire or flood; or
'blagging' offences where information is obtained from us by a third party through deception.
As soon as you become aware of any personal data breach or have any reason to suspect a personal data breach has occurred or is about to occur (for whatever reason), you should contact our data protection contact immediately or, if they are not available, your line manager.
9. Data retention
We will only retain personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with a data subject.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we process that personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. For example, due to limitation periods we will usually retain the majority of the personal data we hold about employees (including contact, identity and financial data) for six years after they have ceased being an employee.
In some circumstances data subjects can ask us to delete their data: see paragraph 14 below for further information.
10. Erasing or destroying personal data
11. Transferring personal data outside the EEA
We may transfer any personal data we hold to a country outside the European Economic Area ("EEA"), provided that one of the following conditions applies:
the data subject has given their explicit consent to the proposed transfer, after we have informed them of any possible risk associated with such transfers (e.g. the absence in that country of equivalent safeguards);
the transfer is necessary for the performance of a contract to which the data subject is a party, or which is in the interest of the data subject, or to take steps at the request of the data subject prior to entering into a contract;
the transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
the transfer is necessary for the establishment or defence of a legal claim.
For each transfer of data outside the EEA, we will record which of the conditions we are relying on.
When data is shared with a third party outside of the EEA, the data is first hashed using the SHA-256 hash algorithm and sent in its hashed form to the third party.
12. Transferring data to third parties
13. Notifying data subjects
We are required to provide information to data subjects about our processing of their personal data. This information is contained in our Privacy Notices. The Privacy Notices applicable to employees are available on the intranet. Such notices will provide information about:
the types of personal data we process;
the purpose and the legal basis for processing their personal data;
whether the personal data will be disclosed to any third parties in the course of processing;
whether the personal data will be transferred outside of the EEA and, if so, what safeguards will be put in place in this regard;
how long the personal data will be processed for or, if that is not possible, the criteria we will use to determine the period;
how the data subject can obtain a copy of the personal data held about them;
details of their rights, including how to make a complaint;
if the personal data has to be processed in order to comply with a law or a contract, the possible consequences of the data subject failing to provide the data and/or (where applicable) objecting to the processing of it;
the existence and details of any automated decision-making processes.
If we receive personal data about a data subject from a third party, we will in addition provide the data subject with information on:
the type of personal data we have received from a third party; and
the source of the data and whether it came from a publicly accessible source (e.g. a website accessible to the public).
14. Rights of data subjects
If we process personal data, the data subjects will have the right to:
request information about the personal data we hold in respect of them;
have any inaccurate personal data about them corrected and incomplete personal data completed, subject to us satisfying ourselves that the data is in fact inaccurate or incomplete;
object to us processing their personal data where we are doing so in pursuit of our own legitimate interests. We can continue processing the personal data notwithstanding an objection if our legitimate interests outweigh those of the data subject, or if we need to do so for the establishment or defence of a legal claim;
ask us to destroy personal data about them. We can refuse this request if the personal data is still necessary in relation to the purposes for which it is being processed, and there is a legitimate basis for us to continue processing;
ask us to restrict the processing of their personal data to merely storing it. This can only be requested if: the accuracy of personal data has been contested and remains unverified, if we no longer require the personal data but the data subject needs it to establish or defend a legal claim, if the data subject has objected to the processing of personal data and we are deciding whether our legitimate interests override theirs, or if our processing is unlawful.
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
15. Subject access requests
16. Personal data breach response plan
investigating the breach to determine the nature and cause of it, and the extent of the damage or harm that may result;
implementing the necessary steps to stop the breach from continuing or recurring, and limiting the harm to data subjects associated with the breach;
assessing whether there is an obligation to notify other parties, in particular, the Information Commissioner's Office ("ICO") and the affected data subjects and, if so, making those notifications. If there is an obligation to make a notification to the ICO, this will normally need to be done within 72 hours of us becoming aware of the breach and therefore it is essential that any suspected or actual breaches are reported immediately;
recording information about the personal data breach and the steps taken in response to it.