1. POLICY STATEMENT
1.1 Everyone has rights with regard to the way in which their personal data is handled. During the course of your activities you may collect, store and process personal data about our customers, suppliers, employees and other third parties and as a business we are committed to correct and lawful treatment of this data in order to maintain confidence in our organisation.
1.2 You must comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.
2. THIS POLICY
2.1 The types of personal data you may be required to handle include those listed out in Schedule 1.
2.2 The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the General Data Protection Regulation (GDPR) and other regulations.
2.3 This policy and any other documents referred to in it sets out the basis on which you must process any personal data we collect from data subjects, or that is provided to you by data subjects or other sources.
2.4 This policy does not form part of your contract of employment and may be amended at any time.
3. DEFINITION OF GDPR TERMS
3.1 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
3.2 Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the GDPR. We are the data controller of all personal data used in our business for our own commercial purposes.
3.3 Data processors include any person or organisation that is not a data user that processes personal data on the behalf of or on the instructions of a Data controllers. We are the data processors of all personal data used in our business for our client’s purposes and this could include suppliers which handle personal data on our behalf.
3.4 Data recipients are those of our employees whose work involves processing personal data. Data recipients must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
3.5 Data subjects for the purpose of this policy include all identifiable natural living persons about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
3.6 Personal data means information concerning an identified or identifiable living person who can be, directly or indirectly, identified from that data (or from that data and other information in our possession). Personal data can be factual. For example, a name, address, IP address, date of birth or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
3.7 Personal data breach includes a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3.8 Processing is any activity that involves use of the data. It includes collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmitting, disseminating or other making available, aligning or combining, restricting, erasing or destroying it. Processing also includes transferring personal data to third parties.
3.9 Sensitive personal data includes information about a person’s genetic characteristics, in particular, from an analysis of a biological sample from the natural person in question, racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.
4. DATA PROTECTION PRINCIPLES
4.1 If you are processing personal data you must comply with the principles under Article 5 of the GDPR. These provide that personal data must be:
4.1.1 Processed lawfully, fairly and in a transparent manner in relation to individuals.
4.1.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.1.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4.1.4 Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
4.1.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
4.1.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5. LAWFULLY, FAIRLY AND TRANSPARENT PROCESSING
5.1 The current Data Protection Laws and regulations are not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
5.2 Wherever we process personal data, we need to be able to show a “lawful basis” for the processing. The lawful process for each type of data we process is set out in Schedule 1 of this policy.
5.3 We expect you to maintain and comply with these requirements and standards.
6. PURPOSE LIMITATION
6.1 In the course of business, you may collect and process the personal data. This may include:
6.1.1 data the company may receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise); and
6.1.2 Data the company may receive from the data subject’s use of our services (for example, CCTV footage)
6.1.3 data the company may receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
6.2 You should only process personal data for the specific purposes set out in the Schedule 1 or for any other purposes specifically permitted by the GDPR. These purposes should be notified to the data subject when the company first collects the data or as soon as possible thereafter.
7. NOTIFYING DATA SUBJECTS
7.1 If you collect personal data directly from data subjects, please notify them of the company’s Privacy Notice which can be found here: www.clearsoundsecurity.co.uk and in particular bring their attention to:
7.1.1 The purpose or purposes for which we intend to process that personal data.
7.1.2 The types of third parties, if any, with which we will share or to which we will disclose that personal data.
7.1.3 The means, if any, with which data subjects can limit our use and disclosure of their personal data.
8. ADEQUATE, RELEVANT AND LIMITED PROCESSING
8.1 You will only collect personal data to the extent that it is required for the specific purpose as set out in Schedule 1, and the Company’s Quality Assurance Procedure.
9. ACCURACY AND STORAGE LIMITATION
9.1 You will ensure that personal data held is accurate and kept up to date.
9.2 Where a data subject notifies the company in relation to any changes to their personal details, you shall ensure that any update is completed within twenty one (21) days of such notification.
9.3 You will keep personal data for the minimum amount of time solely for the purpose or purposes for which they were collected. The company’s retention period is set out in Schedule 1 and
10. PROCESSING IN LINE WITH DATA SUBJECT’S RIGHTS
10.1 You must process all personal data in line with data subjects’ rights, in particular their right to:
a. Request access to any data held about them by a data controller (see also Clause 15).
b. Prevent the processing of their data for direct-marketing purposes.
c. Ask to have inaccurate data amended and where we have disclosed personal data of a data subject to third parties notify those third parties that the data subject has exercised this right (see also Clause 9).
d. Ask to have personal data permanently erased and where we have disclosed personal data of a data subject to third parties notify those third parties that the data subject has exercised this right.
e. Ask to have data transferred to another data controller.
f. Prevent processing that is likely to cause damage or distress to themselves or anyone else.
11. DATA SECURITY
11.1 The company takes security of personal data very seriously and has implemented the following processes:
11.1.1 Access to databases where personal data is stored is on a need-to-know basis;
11.1.2 Access-control systems are in place in relation to storage of any personal information stored in physical files at the premises;
11.1.3 Regular review of cyber security systems and suppliers of cyber security services;
11.1.4 All employees are provided individual log-in details which should not be shared.
11.1.5 All employees are provided regular training in respect of the protection of personal data and the GDPR
12. BREACHES
12.1 Personal data breaches may cause real harm and distress to our clients and business. A data breach can occur in many different ways including:
12.1.1 loss or theft of data or equipment on which data is stored
12.1.2 unauthorised access or use of personal data either by a member of staff or other third party
12.1.3 loss of data resulting from an equipment or systems (including hardware and software) failure
12.1.4 human error such as accidental deletion or alteration of data or disclosure
12.1.5 unforeseen circumstances such as a fire or flood
12.1.6 deliberate attacks on systems, such as hacking, viruses or phishing scams, and
12.1.7 ‘blagging’ offences where information is obtained by deceiving the organisation which holds it
12.2 If there is an actual data breach or if you suspect a data breach, you should report to the Office Manager who will assess the severity and take appropriate action.
12.3 The company shall retain a record and log of any personal data breaches.
12.4 You may be required to provide reasonable assistance in ensuring the company has sufficient information to investigate the data breaches and assist with any steps the company decides to take such as: informing customers of the breach and following any procedures to maintain the breach.
13. TRANSFERRING PERSONAL DATA TO THIRD PARTIES
The company may share data and transfer personal data to other third party service providers, agents, subcontractors and online services in accordance with the legal bases and purposes set out in the Privacy Notice and in paragraph 6.1 of this policy.
You should not use any online services or software that have not been approved by the Company and should not transfer any personal data to any third parties that have not been audited and approved by the company.
14. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA
Personal data processed by the company is currently stored and processed by our third party services who have databases and servers in the UK.
However, in the future, personal data may be transferred across various IT services, monitoring centres and suppliers that may have databases and servers outside on the European Economic Area (“EEA”) such as the United States.
The company is obliged to ensure that any personal data being transferred to such third parties have an adequate level of protection and will have reviewed, approved and/or negotiated an agreement with these services. As such, where you are required to process personal data using any third party services, you should not use any online services or software that have not been approved by the company.
15. DISCLOSURE AND SHARING OF PERSONAL INFORMATION
You may also need to disclose personal data held to third parties in the event that the company sell or buy any business or assets, in which case you may need disclose personal data held to the prospective seller or buyer of such business or assets.
16. DEALING WITH SUBJECT ACCESS REQUESTS
Data subjects may request access to the information that the company holds about them, also known as a Data Subject Access Request. They also have a number of rights (for example, a right to have their personal data deleted) which the company has set out in the Privacy Notice. In order to exercise any of these rights, data subjects must make a formal request in writing and must include identification documents sufficient for us to confirm the identity of the requestor.
Where we process personal data on behalf of a customer, the customer will have its own rules and policies with regards to dealing with these.
Should you receive a written request from any data subject, you should forward it to the Office Manager immediately.
17. CHANGES TO THIS POLICY
We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or email.
THE SCHEDULE – DATA PROCESSING ACTIVITIES
Compliance with Legal obligation
| Type of data | Type of data subject | Type of processing | Lawful Basis for processing (s.5) | Purpose of processing | Type of recipient to whom personal data is transferred | Retention period |
| Full Name, Contact Details (Address, telephone Number), personal information contained within CV including work history | Prospective Employee | Collect, Analyse, Store, Delete | Legitimate Interest | Recruitment of suitable employees for the Company (current and future positions) | No transfer | Seven (7) years from the application deadline, if the data subject does not become a Current Employee |
| Full Name, Contact Details (Address, telephone Number), personal information contained within CV including work history, National Insurance number, any medical history, references, bank details, training records | Current Employee | Collect, Analyse, Store, Delete | Legitimate Interest | Complying with legal obligations as an employer Management of employees | No transfer | Seven (7) years from expiry or termination of employment contract. Training records will be kept for at least three (3) years from expiry or termination of the employment contract. |
| Performance of a Contract | Performing or enforcing obligations in the employment contract | |||||
| Full Name, Contact Details (Address, telephone Number) | Employees or Point of Contact of a Prospective Business Client | Collect, Store, Delete | Legitimate Interest | To correspond and negotiate a potential contract
To deliver marketing materials |
No transfer | Two (2) years from last correspondence with the data subject, if the data subject does not become a Employees or Point of Contact of an Existing Business Client) |
| Full Name, Contact Details (Address, telephone Number) | Employees or Point of Contact of an Existing Business Client | Collect, Store, Transfer, Delete | Performance of a Contract | Performing or enforcing obligations in the employment contract | Transfer to monitoring services for performance of the contract. | Twelve (12) years from expiry or termination of a contract for services relating to fire safety monitoring services, or seven (7) years from expiry or termination of contract for all other services |
| Legitimate Interest | Deliver marketing materials | No transfer | ||||
| Compliance with Legal obligation | Compliance with regulations such as the Fire Regulations | No transfer | ||||
| Full Name, Contact Details (Address, telephone Number) | Prospective Domestic Client (B2C) | Collect, Store, Delete | Legitimate Interest | To correspond and negotiate a potential contract | No transfer | Two (2) years from last correspondence with the data subject, if the data subject does not become an Existing Client(B2C) |
| Consent | To deliver marketing materials | No transfer | ||||
| Full Name, Contact Details (Address, telephone Number), bank details | Existing Domestic Client (B2C) | Collect, Store, Transfer, Delete | Legitimate Interest | To correspond and negotiate a potential contract
To deliver marketing materials (unless the data subject gave consent as a Prospective Client, in which case the lawful basis is consent) |
No transfer | Twelve (12) years from expiry or termination of a contract for services relating to fire safety monitoring services, or seven (7) years from expiry or termination of contract for all other services |
| Performance of a contract | Performing or enforcing obligations in the contract | Transfer to monitoring services for performance of the contract. | ||||
| Compliance with Legal obligation | Compliance with regulations such as the Fire Regulations | No transfer | ||||
| Full Name, E-mail Address, Telephone Number, Position at Company | Prospective Supplier
(Employees or Point of Contact) |
Collect, Store, Transfer, Delete | Legitimate Interest | To correspond and negotiate a potential contract | No transfer | Two (2) years from last correspondence with the data subject, if the data subject does not become an Existing Supplier |
| Full Name, E-mail Address, Telephone Number, Position at Supplier company, Bank Details (if an individual supplier), | Existing Supplier
(Employees or Point of Contact) |
Collect, Store, Transfer, Delete | Performance of a Contract | Performing or enforcing obligations in the contract | No transfer | Seven (7) years from expiry or termination of contract |
| IP addresses, Name, Contact details, any personal information contained within submission of contact form | Website Visitors | Collect, Store, Delete | Legitimate interest | Track website visits and access to resources to improve the website user experience
To respond to any enquiries submitted via the contact form. For the provision of products and services offered by the website. |
No transfer | IP Addresses: One (1) year from first entry into logs
Other information provided on Website forms: Two (2) years from submission of forms |
| Information contained within any monitoring systems such as CCTV footage and any access control systems. | Other data subjects whose data is processed on behalf of – Existing Business Client (Employees or Point of Contact); or – Existing Domestic Client (B2C) |
Collect, Store, Delete | Performance of a contract | To deliver footage and any information to an Existing Business Client or an Existing Domestic Client with whom the company has entered into an agreement | Transfer only in accordance with the client’s instructions | In accordance with the client’s storage and retention periods |
