Privacy & Cookies Policy

Overview:

The Company views the correct and lawful handling of personal data as key to its success and dealings with third parties and its employees.

The Company obligation is to ensure compliance with the EU Regulation 2016/679 General Data Protection Regulation (“GDPR”). The Company directors are accountable for compliance and promote good practice.

Who is covered by this policy?

This policy sets the Company’s obligations regarding the collection, processing, transfer, storage and disposal of all personal data held relating to data subjects and covers all formats, examples are; electronic, paper, digital and video. This will also extend to all future formats that will be capable of recording, holding and storing personal information.

Contractors, Agency and Temporary employees working for or on behalf of The Company are expected to work comply with the data protection policy, failure to do so may result in termination of your contract.

Definitions:

  • Data Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws.

  • Data Processor "Processing" means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

  • Personal Data: as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • Sensitive Personal Data: data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.

Employer Responsibilities:

The Company ensure that they comply with the GDPR principles.

These principles are:

  • Personal data shall be processed fairly and lawfully and in a transparent manner.

  • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

  • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

  • Personal data shall be accurate and, where necessary/ possible kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.

  • Personal data shall be kept in a form which permits identification of data subjects and not be kept for longer than is necessary.

  • Personal data shall be processed in accordance with the rights of data subject, that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss; destruction or damage.

  • Technical and organisational measures shall be in place to keep personal data secure. Data must be stored and archived appropriately and in keeping with GDPR requirements in order to safeguard the rights and freedoms of the data subject

  • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Details

The company will adhere to the GDPR and promote good practice in respect of obtaining, using and holding personal data.

In particular we will ensure that all personal data is processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data should be lawful if at least of the following applies:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;

  • The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;

  • The processing is necessary for compliance with a legal obligation to which the data controller is subject;

  • The processing is necessary to protect the vital interests of the data subject or of another natural person;

  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or

  • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The Company will make sure information will be held in the strictest of confidence and will not be distributed to anyone other than relevant parties, unless required to do so by law.

We will hold only personal data necessary to enable it to perform its functions. Every effort will be made to ensure that information is accurate and up to date and that inaccuracies are corrected without unnecessary delay.

We will retain personal data only for as long as is absolutely necessary in order to comply with legal, statutory or legitimate business function purposes.

Any personal data will be kept in an appropriately controlled and secure environment. This includes:

  • Controlled User Access Rights.

  • Any data damage is limited by both physical as well as firmware/software security measures.

  • Where necessary, agreements with 3rd parties highlighting data privacy clauses will be implemented.

  • Data will only be used for legitimate business needs.

  • Data will always be obtained in a lawful manner and not distributed or sold without the owner’s consent and appropriate legal checks.

Under no circumstances will personal data be passed to any department or any individual within the Company that does not reasonably require access to that personal data.

Accountability and Record-Keeping

  • The Data Protection Officer shall be responsible, working together with the Managing Director and/or appointed Consultant for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

  • The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

    • The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;

    • The purposes for which the Company collects, holds, and processes personal data;

    • Details of the categories of personal data collected, held, and processed by the Company, and the categories of employee data subject to which that personal data relates;

    • Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;

    • Details of how long personal data will be retained by the Company, and

    • Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

Data Protection Impact Assessments

  • The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data

  • Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:

    • The type(s) of personal data that will be collected, held, and processed;

    • The purpose(s) for which personal data is to be used;

    • The Company’s objectives;

    • How personal data is to be used;

    • The parties (internal and/or external) who are to be consulted;

    • The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

    • Risks posed to employee data subjects;

    • Risks posed both within and to the Company; and

    • Proposed measures to minimise and handle identified risks.

Health Records

  • The Company holds health records on employee data subjects which are used to assess the health, wellbeing, and welfare of employees and to highlight any issues which may require further investigation. In particular, the Company places a high priority on maintaining health and safety in the workplace, on promoting equal opportunities, and on preventing discrimination on the grounds of disability or other medical conditions.

  • In most cases, health data on employees falls within the GDPR’s definition of special category. Any and all data relating to employee data subjects’ health, therefore, will be collected, held, and processed strictly in accordance with the conditions for processing special category personal data.

  • No special category personal data will be collected, held, or processed without the relevant employee data subject’s express consent.

  • Health records shall be accessible and used only by Senior Managers or appointed HR Consultants and shall not be revealed to other employees, agents, contractors, or other parties working on behalf of the Company without the express consent of the employee data subject(s) to whom such data relates, except in exceptional circumstances where the wellbeing of the employee data subject(s) to whom the data relates is at stake.

  • Health records will only be collected, held, and processed to the extent required to ensure that employees are able to perform their work correctly, legally, safely, and without unlawful or unfair impediments or discrimination.

  • Employee data subjects have the right to request that the Company does not keep health records about them. All such requests must be made in writing and addressed to the General manager or HR Consultant/Manager.

Benefits

  • In cases where employee data subjects are enrolled in benefit schemes which are provided by the Company, it may be necessary from time to time for third party organisations to collect personal data from relevant employee data subjects.

  • Prior to the collection of such data, employee data subjects will be fully informed of the personal data that is to be collected, the reasons for its collection, and the way(s) in which it will be processed

  • The Company shall not use any such personal data except insofar as is necessary in the administration of the relevant benefits schemes.

Employee Rights:

Employees are required to ensure all required information provided is accurate and kept up to date.

All employees can exercise their rights as Data Subjects as set out in the GDPR.

  • The right to be informed that their personal data is being processed;

  • The right to access any of their personal data held by The Company within 1 month of making a request;

  • The right to prevent the processing of their personal data in limited circumstances; and

  • The right to rectify, block, erase or destroy incorrect personal data

  • The right to erasure (also known as the ‘right to be forgotten’)

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights with respect to automated decision-making and profiling.

Employees may provide written notification to the (General Manager) to make a data subject access request, or make their intentions regarding the private and sensitive data held by the company clear.

Visitors to our website

Our website is built on a software platform called Squarespace. It is also hosted by them. You can read more about the way they ensure site users’ privacy is protected under EU Data Protection laws here:

Squarespace and GDPR

Squarespace Privacy Policy

When someone visits our website we use Google Analytics and Squarespace Analytics to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. You can find out more about all of this here:

Squarespace Analytics

Google Analytics and Squarespace

Google Privacy Policy

Use of cookies

We use cookies, small pieces of data that websites store on a device, to help our website run effectively and to provide the best experience for our site visitors. Some of these are functional and required cookies that allow visitors to navigate around the website. Others are analytical and performance cookies. You can find more information here about the cookies in use on our website.

You are in control of cookies and so this article also describes how you can change your settings. You can also find out more about cookies on these two websites www.aboutcookies.org or www.allaboutcookies.org