The term ‘company’ refers to us, Stubbings Bros Ltd.
The term ‘individual’ refers to anyone the company holds personal data on, including prospects, customers, suppliers and staff.
The company is committed to preserving the privacy of individuals and to complying with the GDPR (General Data Protection Regulation).
The key areas for responsibility are:
The company’s Managing Director is responsible for:
Ultimately ensuring that the business meets its legal obligations.
Appointing a Data Controller.
The company’s Data Controller is responsible for:
Overseeing the whole of data and privacy operations.
Ensuring the business is always compliant with GDPR.
Ensuring all Data Processors have sufficient proficiency in the privacy notice and related procedures.
Ensuring data protection questions from individuals are handled.
Ensuring subject access requests from individuals are handled.
Ensuring all systems, services and equipment used for storing and managing data meet acceptable security standards.
Ensuring all communications are compliant (including a balancing test for each type of communication using Condition: F).
Approving any data protection statements attached to communications such as emails and letters.
Each Data Processor (staff who handle data) is responsible for:
Learning and following applicable procedures.
Ensuring personal data is as accurate and up to date as possible.
Requesting help if they are unsure about any aspect.
3. Personal Data Updating
The company will ensure that any personal data collected is within the boundaries of what is required for business, legal and accounting use.
This personal data may be used for communications, business, accounting and legal reasons.
Data is regularly reviewed and updated to help ensure it is accurate and up to date.
When personal data is no longer required, it will be deleted and disposed of.
Personal data will not be given to third parties unless it is for legitimate business reasons or legal reasons, or specific consent has been given.
4. Personal Data Security
When personal data is stored electronically:
Access to personal data is secured.
Personal data is only stored on designated devices.
Personal data is backed up frequently and the backups kept securely.
Devices containing personal data and connected to the internet are protected by security software and a firewall.
When personal data is stored on paper:
The paper(s) are kept securely.
When no longer required, paper(s) are disposed of securely.
If any breach of data is discovered, then the individuals it relates to will be informed within 72 hours.
5. Personal Data Access
Individuals whose personal data is held are entitled to know what personal data the company holds about them. This is known as a subject access request.
When a subject access request is made:
The identity of the individual must be verified before handing over any information.
The first request will be free of charge; subsequent requests may be charged at £10 per subject access request.
The data will be provided within 30 days.
If an individual feels that any personal data is missing or inaccurate then they should inform the company so it may be updated.
Individuals are also entitled to know the company is meeting its data privacy obligations. This information is detailed in this Privacy Notice.
6. Right to be Forgotten
An individual has the right to have their personal information forgotten.
When an individual requests to be forgotten, personal data concerning them will be deleted, with the exception of details that are required for business or legal reasons.
The identity of the individual must be verified before deleting information.
7. Conditions to Communicate
The company may communicate with individuals at various times by email, mail, phone or text.
If an individual requests not to be contacted, the data will be updated to show this and that individual will be excluded from any communication except those required for legal, business or contractual reasons.
Communications are made under GDPR Article 6, Part 1, Condition: B (if entering into a contract with someone and you need to use their data in order to fulfil that contract), or Condition: F (processing is necessary for the legitimate interests of the company, so long as such interests are not overridden by the interests or rights and freedoms of the individual). When Condition: F is used, the comparison of the company's interests versus those of the individuals is referred to as the “Balancing test”. This test is documented by the Data Controller to show that the test was carried out. Because these conditions are adhered to, specific consent from individuals is not required.
8. Privacy Notice updates
This document may be updated as necessary to reflect best practice in data management, security and control, and to ensure continuing compliance with current GDPR.
If you have any queries or questions in relation to this policy, please contact the company’s Data Controller.
Updated 21 May 2018.