GDPR PRIVACY NOTICE
Cemkem Ltd (‘The Company’) is fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR), as given effect in the UK by the Data Protection Act 2018 (together, ‘the Act’).
As an indication of compliance and an act of transparency, this privacy notice and policy details how and why we collect and process the data that we do.
The Company has appointed Daniel Wilson as a Data Protection Officer to oversee the compliance of this privacy notice and policy. Daniel can be contacted at firstname.lastname@example.org should any of our data subjects have any questions regarding how your personal information is handled.
STATEMENT OF POLICY
In order to operate efficiently, The Company has to collect and use information about people with whom it works. These may include current, past and prospective employees, clients, client employees and associates. The Act contains safeguards to ensure that such personal information is handled properly, however it is collected, recorded and used, and whether it is held on paper, in computer records or by any other means.
The Company regards the lawful and correct treatment of personal information as very important to its successful operation and in maintaining confidence between the Company and those with whom it works. The Company will ensure that it treats personal information lawfully and correctly.
DATA PROTECTION PRINCIPLES
Under the GDPR, there are six data protection principles that the Company must comply with.
These provide that the personal information we hold about you must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to those purposes.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits your identification for no longer than is necessary for those purposes.
- Processed in a way that ensures appropriate security of the data.
The Company is responsible for, and must be able to demonstrate compliance with these principles. This is called accountability.
WHAT TYPES OF PERSONAL INFORMATION DO WE COLLECT ABOUT YOU?
The Act sets conditions for the processing of any personal data. It also distinguishes between personal data and ‘sensitive’ (special category) personal data.
Personal data is defined as data relating to a living individual who can be identified from:
- That data; or
- That data together with other information which is in the possession of, or is likely to come into the possession of, The Company.
It includes any expression of opinion about the individual and any indication of the intentions of The Company, its client or any other person in respect of the individual.
Sensitive (special category) personal data is personal data consisting of information as to:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data, and biometric data used to uniquely identify a person;
- Physical or mental health or condition;
- Sex life or sexual orientation.
Information about criminal proceedings, offences or convictions is not itself a special category under the GDPR, but it is subject to similar restrictions and The Company handles it with the same safeguards.
HOW DO WE COLLECT YOUR PERSONAL INFORMATION?
The Company collects the personal data of its data subjects via the following:
- From The Company’s customers
- From prospects seeking information via our website
- Directly from the data subject
- From external parties, e.g. referees, payroll providers/accountants, recruitment agencies and background check providers
- During the recruitment process
- Throughout the course of any contractual relationship and during working activities
WHY AND HOW DO WE USE YOUR PERSONAL INFORMATION?
We will only use your personal information when the law allows us to. These are known as the legal bases for processing. We will use your personal information in one or more of the following circumstances:
- The individual has consented to the processing;
- The processing is necessary for the performance of a contract with the individual;
- The processing is required under a legal obligation (other than one imposed by a contract);
- The processing is necessary to protect the vital interests of the individual;
- The processing is necessary to carry out public functions, e.g. the administration of justice;
- The processing is necessary in order to pursue our legitimate interests or those of third parties (unless it could unjustifiably prejudice the interests of the individual). Data subjects, including employees, have the right to object to their data being processed on this basis.
The Company GDPR Policy and Legitimate Interest Assessment details the types of personal information we receive and an explanation as to the lawful reasons for processing. The documents address:
- Who the data subject is
- A description of the type of data and why we need it
- A description of where the data is stored
- The frequency that we receive the data (1 to 4 where 1 is very frequent; 2 is frequent; 3 is low frequency and 4 is rarely)
- Whether the data is shared
- Whether consent is needed to process the data
- A record of the legal basis for processing (1 to 6 as above) and an explanation to the basis.
The main purpose for processing is the performance of a contract, for example processing salaries or managing employee attendance. Much of our processing is also required under a UK or EU legal obligation other than one imposed by a contract, for example for tax purposes, to provide statutory employment entitlements such as annual leave or statutory pay, or to comply with employment law.
In some cases, we may also process personal information where it is necessary to pursue our legitimate interests (or those of a third party). The legitimate interests identified are set out in our Legitimate Interest Assessment (LIA).
The Company will comply with the requirements of GDPR in order to protect the rights of a customer’s employees.
WHY AND HOW DO WE USE YOUR SENSITIVE PERSONAL INFORMATION?
Special categories of personal information relating to employees of The Company, namely information about health or medical conditions and information about criminal convictions and offences, are processed so that we can perform or exercise our obligations or rights under employment law or social security law, and in line with our data protection policy.
Information about health or medical conditions is processed for the purpose of assessing the working capacity of an employee, medical diagnosis and reasonable adjustments. This satisfies the special category condition because such processing is carried out under the responsibility of a medical professional who is subject to professional obligations of confidentiality, and again in line with our data protection policy.
Where sensitive personal data is processed, The Company will always aim to obtain explicit written consent (examples are outlined in Appendix A). In this case, we will first provide full details of the personal information we would like and the reason we need it, so that individuals can properly consider whether they wish to consent. It is entirely an individual’s choice whether or not to consent, and consent can be withdrawn at any time.
Where explicit consent has not been obtained, The Company ensures that at least one of the above conditions is met before undertaking any further processing.
CHANGE OF PURPOSE
We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, we will provide you, prior to that further processing, with information about the new purpose, we will explain the legal basis which allows us to process your personal information for the new purpose and we will provide you with any relevant further information. We may also issue a new privacy notice to you.
WHO HAS ACCESS TO YOUR PERSONAL INFORMATION?
Personal information is shared internally within the Company in order to carry out our contractual obligations for clients.
Personal information of The Company employees is shared with management as necessary for the performance of the employment contract.
The Company may also share some personal information of The Company employees with third-party service providers (and their designated agents) where necessary, including our:
- payroll provider
- pension provider
- occupational health providers
- external IT services
- HR software provider
- external auditors
- professional advisers, such as lawyers and accountants
HANDLING OF PERSONAL/SENSITIVE INFORMATION
The Company will, through appropriate management and the use of strict criteria and controls:
- Fully observe the conditions regarding the fair collection and use of personal information;
- Meet its legal obligations to specify the purpose for which information is used;
- Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- Ensure the quality of information used;
- Apply checks to determine the length of time information is held;
- Take appropriate technical and organisational security measures to safeguard personal information;
- Ensure that personal information is not transferred without suitable safeguards;
- Ensure that the rights of people about whom the information is held can be fully exercised under the Act. These rights include:
- The right to be informed that processing is being undertaken;
- The right of access to one’s personal information, responded to within one month of the request (extendable by a further two months where a request is complex) and free of charge (unless the request is manifestly unfounded or excessive);
- The right to object to, or to restrict, processing in certain circumstances;
- The right to data portability;
- The right to have inaccurate information rectified and, in certain circumstances, to have information erased.
The Act also stipulates provisions in relation to automated individual decision-making and profiling. The Company does not undertake such automated activities; however, should any be used in the future, data subjects shall be notified in writing in advance.
In the limited circumstances where consent has been provided to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not however, affect the lawfulness of processing based on your consent before its withdrawal.
If you wish to withdraw your consent, please contact our Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.
If you wish to exercise any of these rights, including updating any of your personal information that we hold, please contact our Data Protection Officer. As a security measure, you may be asked to provide further specific information or identification to confirm your identity before any request is actioned, as a precaution against disclosing your personal data to the wrong person.
If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.
In managing the security of your data The Company will ensure that:
- There is someone with specific responsibility for data protection in the organisation;
- Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
- Everyone managing and handling personal information is appropriately trained to do so;
- Everyone managing and handling personal information is appropriately supervised;
- Anyone wanting to make enquiries about handling personal information, whether a member of staff, client or associate, knows what to do;
- Queries about handling personal information are promptly and courteously dealt with;
- Methods of handling personal information are regularly assessed and evaluated;
- Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
All members of staff are to be made fully aware of this policy and of their duties and responsibilities under the Act.
HOW DOES THE COMPANY PROTECT YOUR PERSONAL INFORMATION?
The Company has put in place measures to protect the security of your personal information. We limit access to your personal information to those employees who have a business need to know in order to perform their job duties and responsibilities.
The Company stores information about employees, customers/suppliers, customer/supplier employees and associates on its computers and in paper files. All staff within the Company will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- Personal data held on computers and computer systems is protected by the use of secure passwords;
- Individual passwords are such that they are not easily compromised
- All computers are kept in a secure office environment with limited access
- Sensitive data is kept securely and access to it is controlled on a ‘need to know’ basis;
- Locations in which paper records are stored are locked whenever they are left unattended
The personal information held on its computers is on our in-house database, email system, electronic computer storage files and, for The Company employees, on an external HR management system.
All of The Company internal computer data is contained within a secure UK based server. All computers are password protected and can only be accessed by user name and password. All computers are anti-virus protected and firewalled.
Employees of The Company will only be provided access to areas of the Company computer network which are necessary for the execution of their day to day duties.
Employees are not permitted to hold personal information on memory sticks or portable hard drives. Memory sticks and portable hard drives are not used to back up computer files. All of The Company computer data is backed up remotely with a high degree of security by an authorised professional IT provider. Personal information contained in paper format is kept only on the premises and securely locked away when not in use.
Where employee personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect employee personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
The Company also has in place procedures to deal with a suspected data security breach. We will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and any affected data subjects where we are legally required to do so; under the GDPR, a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
FOR HOW LONG DOES THE COMPANY KEEP YOUR PERSONAL INFORMATION?
The Company will only retain personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.
- Employee records will be retained for 12 months following termination of employment, subject to: (a) any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some types of personal information for up to 6 years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, County Court or High Court.
- Prospective employee records will be retained for a period of 6 months post recruitment.
- Payroll and tax records (including salary, expenses, pension information, National Insurance number, PAYE records, tax code and tax status information) are held for 6 years following termination of employment
- Health and Safety records, including occurrences and incidents which require notification to regulatory bodies are held for a period of 6 years.
- Electronic or paper customer/supplier records are stored for a minimum of 6 years to protect against legal risk, e.g. if they could be relevant to a possible legal claim. Records on The Company CRM system may be kept indefinitely unless an individual requests removal.
Information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and, for employee data, we will also require third parties to destroy or erase such personal information where applicable. Shredding is the preferred method of disposal for paper documents.
CHANGES TO THIS PRIVACY NOTICE
The Company reserves the right to update or amend this privacy notice at any time, including where the Company intends to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
The Company is responsible for ensuring that this Policy is implemented, including:
- The provision of data protection training for staff
- Carrying out compliance checks to ensure adherence throughout the organisation
- Notifying the Information Commissioner where applicable.
All staff are responsible for ensuring:
- Records are archived and stored in a manner which complies with statutes, regulations and insurance requirements, held in secure and safe storage, and are retrievable.
- Documents are disposed of in a manner which protects confidentiality.
- All archived records which contain the name and/or personal details of an individual will be stored with the same security restrictions as if they were live. Documents which require locked storage and/or restricted access when live must be similarly protected when archived.
The Company GDPR: LEGITIMATE INTERESTS ASSESSMENT (LIA)
An essential part of the concept of Legitimate Interests is the balance between the interests of the Controller and the rights and freedoms of the individual:
‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
- IDENTIFY THE LEGITIMATE INTEREST
The legitimate interest is to perform our contractual obligations with our customers and suppliers.
The legitimate interests are:
Customers/Suppliers – to protect and progress their business (commercial and organisational).
Employees – to be treated fairly and reasonably (individual).
The Company – to carry out our business (commercial).
If the data were not processed, these benefits and aims could not be achieved.
“Legitimate Interests” means the interests of The Company in conducting and managing our business to enable us to give interested parties the best service/products and the best and most secure experience.
For example, we utilise a CRM system for storing contact information for our customers, prospects and suppliers. This system logs:
Business email address,
Position within the business
Business telephone number
This information is logged and used for processing so we can contact data subjects to help manage our business with them or their company. Visit and call reports are also saved into the CRM to aid in conducting and managing our business and enable us to give data subjects the best service/products.
Legitimate interests can also cover processing that is in the data subject’s own interests.
For example, we may process a subject’s information to protect them against fraud and to ensure our websites and systems are secure.
When we process personal information for our legitimate interests, we make sure to consider and balance any potential impact on data subject (both positive and negative), and their rights under data protection laws. Our legitimate business interests do not automatically override the interests of data subjects – we will not use Personal Data for activities where our interests are overridden by the impact on data subjects (unless we have their consent or are otherwise required or permitted to by law).
- SHOW THAT THE PROCESSING IS NECESSARY TO ACHIEVE IT
The Company only holds the minimum data required to allow us to carry out our legitimate business processes. Name, company name, business address, business email address, position within the business and business telephone number are logged for this purpose. Records of communication (meetings, emails and telephone conversations) are saved in our CRM system to enable us to conduct and manage our business and to give you the best service/products. Without this information we would be unable to contact people or log the correct requirements in order to conduct business with customers or suppliers, and this would not be in the interests of either The Company or our customers and suppliers.
- BALANCE IT AGAINST THE INDIVIDUAL’S INTERESTS, RIGHTS AND FREEDOMS
Legitimate interests is an appropriate basis as, given the nature and scope of our business, we consider that customers and suppliers reasonably expect their data to be used in the way it is.
Safeguards have been put in place for protection of any data we hold and we have the necessary procedures to remove or update any data we hold at the data subject’s request.
In summary, we are confident that legitimate interests is an appropriate basis for processing, as those legitimate interests are not overridden by the individuals’ interests, rights or freedoms.