Huby Domestic Appliances will comply with all statutory requirements of the Data Protection Act by registering all personal data held on its computer and/or related electronic equipment and by taking all reasonable steps to ensure the accuracy and confidentiality of such information.
In this policy:
Act means the Data Protection Act 2018.
Data means information that can be stored electronically or on paper.
Data processor means another organisation, or person who doesn't work for us, that processes the personal data we hold on our behalf.
GDPR means the General Data Protection Regulation.
ICO means the Information Commissioner's Office (ico.org.uk).
Individual means anyone we hold personal data on (including our staff).
Personal data means data we hold (factual or opinion based) that can directly or indirectly identify a living individual (e.g. their name, address or date of birth). This includes sensitive personal data.
Personal data breach means the loss, unauthorised access, disclosure or acquisition of personal data or any act or omission that compromises the security, confidentiality, integrity or availability of the personal data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it.
Privacy notice means a document or other form of notice containing information on how we handle an individual's personal data when we collect it.
Processing or processed means any activity involving the use of personal data. This includes obtaining, recording or holding it and carrying out tasks with it including using, disclosing, retrieving, accessing, organising, amending or erasing it.
Sensitive personal data means special category data, plus information about any committed or alleged criminal offences including the outcome of any criminal proceedings.
Special category data means information about an individual's racial or ethnic origin, political opinion, trade union membership, religion, philosophical beliefs, physical or mental health, sexual orientation or sex life, genetics or biometrics.
Staff means all individuals working for us at every level or grade, whether they're directors, officers, employees, workers, contractors, consultants, agency workers, volunteers, trainees or on work experience.
Stakeholders means any private or public commercial organisations (including charities and 'not for profit' bodies) that provide services to us or on our behalf including, but not limited to, subcontractors, agents, contractors, advisors, suppliers and business and joint venture partners.
We'll process all personal data we hold in accordance with the Act and the GDPR. Personal data is subject to the legal safeguards specified in the GDPR.
While staff work for us we'll collect and process their personal data for personnel, management and administrative purposes and to enable us to meet our legal obligations as an employer.
In the course of our business, we'll also collect and process personal data that we receive from various organisations. This may include data on individuals who currently, or used to, work for our clients or customers, business partners and stakeholders.
The purpose of this policy is to explain individuals' data protection rights, how we'll handle their personal data and how our staff must handle the personal data of others.
Data may be obtained by completing forms or by corresponding with us by mail, phone, email or social media. It could also be obtained from other sources, such as from our business partners and stakeholders.
Staff should be aware that they could be criminally liable if they knowingly or recklessly disclose personal data in breach of the GDPR. A serious data protection breach is a disciplinary offence. If a member of staff accesses another staff member's personnel records without authority, this will be a gross misconduct offence.
As a data controller we must fully comply with our legal obligations under the Act and the GDPR. Failure to do so may result in criminal prosecution and/or a fine by the ICO. We will only process personal data:
That we legitimately require for the purposes of our business and our employment relationship with our staff;
Using one or more of the lawful grounds stated in the GDPR/the Act;
After having informed the individual of what that purpose is, using clear and plain language.
We'll securely store all processed data, and regularly review it to ensure it remains complete, accurate and necessary for the purpose for which we hold it. If appropriate we'll securely delete it in accordance with our retention criteria.
We'll make all individuals aware of the risks, rules, safeguards and rights in relation to processing their data and how they can exercise their rights. We'll do this using various documents (such as this policy) to demonstrate our compliance with the data protection principles.
We'll provide training in data protection compliance to all staff who need it to perform their roles.
The following list is central to the Act and the GDPR. It must be applied at all times when processing personal data. Personal data must be:
Processed lawfully, fairly and transparently, i.e. the information given to the individual must be easy to access and read, using clear and plain language;
Collected only for specified, explicit and legitimate purposes and not processed in a way that's incompatible with those purposes, i.e. processed only if there is no other way to fulfil the purpose;
Adequate, relevant and limited to what is necessary for the reason for processing it, i.e. data can't be collected for general or future use;
Accurate and, where necessary, kept up to date, i.e. every reasonable step must be taken to ensure that any inaccurate data (taking into consideration the reason why it is being processed) is erased or corrected without delay;
Kept in a format that identifies an individual for no longer than is necessary for the purposes of the processing, unless the data is being processed only with the intention of archiving in the public interest, scientific or historical research or statistical purposes (subject to appropriate technical and organisational procedures being implemented). In other words, the personal data shouldn't be kept for longer than necessary;
Processed in a way that ensures it'll be protected using appropriate security (using technical or organisational measures) including protection against unauthorised or unlawful processing, accidental loss and destruction or damage.
We must comply with these principles at all times when handling personal data, and we must also be able to demonstrate that we comply with them.
This policy explains how we and our staff must comply with these principles in the day-to-day running of the business. It also explains to our staff how we must comply with these principles in our capacity as their employer.
To ensure that an individual's privacy is protected, only personal data that we legitimately require for the purposes of our business and the employment relationship with our staff should be processed, using one or more of the following lawful grounds specified in the GDPR:
This should only be used if we cannot rely on one of the other lawful grounds.
This can only be used where an individual has freely given clear and unambiguous consent for us to process their personal data for a specific purpose. Before the processing begins, we must inform them in clear and plain language of what the purpose is and that they can withdraw consent at any time.
It must be a positive action that, wherever possible, is given by a very clear and specific written statement (i.e. not just an action).
Wherever possible we'll inform the individual from the start of all the purposes for which consent is required, as it'll have to be re-obtained if we later need the personal data for a different purpose.
We must not obtain consent using pre-ticked boxes or silence, or where we have an unequal bargaining position with the individual (e.g. when we are in a position of power over the individual).
If we're processing the individual's personal data for automated decision making or cross-border data transfers, we'll usually need to get their clear, specific written consent, unless we can rely on another lawful ground.
We'll keep evidence of the consent so that we can demonstrate compliance.