Privacy & GDPR
General Data Protection Regulation (GDPR) Policy Statement
This policy sets out the requirements for the management of data in relation to its collection, storage and use relating to the business.
The ‘Company’ shall abide by the principles of the GDPR by:
- Processing personal data lawfully, fairly and in a transparent manner;
- Collecting data only for specified, explicit and legitimate purposes and not further processing it in an incompatible manner;
- Collecting minimal data that is adequate, relevant and limited to what is necessary;
- Keeping only accurate and up-to-date data;
- Not keeping data any longer than necessary in a form which permits identification of a data subject;
- Providing appropriate security ensuring protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
The scope of this policy covers the personal, operational and business data related to the Company in compliance with the General Data Protection Regulation.
Responsibilities
It is the responsibility of:
- The ‘Company’ to assume the role of Data Controller. As Data Controller the ‘Company’ is responsible for establishing policies and procedures in order to comply with the regulation.
- The ‘Company’ shall assume the responsibility of Data Processor responsible for:
  - Providing guidance, giving advice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information;
  - The appropriate compliance with subject access rights and ensuring that data is released in accordance with subject access legislation under the regulation;
  - Ensuring that any data protection breaches are resolved, documented and reported appropriately in a swift manner and in line with guidance from the Information Commissioner’s Office;
  - Investigating and responding to complaints regarding data protection including requests to cease processing personal data.
- Those who process personal data must comply with the requirements of this policy.
- Employees are responsible for ensuring that their personal data provided to the ‘Company’ is accurate and up-to-date, and for notifying the ‘Company’ of any changes to information previously provided, i.e. change of address, health status that may affect their day-to-day work, or errors in the information provided.
- Contractors and third parties working on behalf of WSC shall ensure that any data provided by them is accurate and up-to-date in compliance with the regulation. We shall ensure that contractors and third parties are vetted for the data that they are processing or using on behalf of the ‘Company’ and ensure that:
  - Any personal data collected or processed in the course of the work is kept securely and confidentially;
  - All personal data is returned to the ‘Company’ on completion of the work, including any copies that may have been made or, alternatively, the data is destroyed and the ‘Company’ notified;
  - The ‘Company’ receives prior notification of a disclosure of personal data to any other organization or any person who is not a direct employee of the contractor;
  - Any personal data made available by the ‘Company’, or collected in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from the ‘Company’;
  - All practical and reasonable steps are taken to ensure that contractors do not have access to any personal data beyond what is essential for the work to be carried out properly.
Subject Access Requests
The ‘Company’ shall permit access to an individual’s personal data. Any individual wishing to exercise this right shall do so in writing, and the request shall be stored and documented. The ‘Company’ aims to comply with any request for access to personal information as soon as possible and within the confines of the regulation.
A requester shall:
- Know what personal information we are processing or have processed;
- Know why we have processed your personal data – the reason(s) and purpose(s) for the processing of your personal information;
- Know if we have shared your personal information and if so, with whom and for what purpose(s).
Individuals will not be entitled to access information to which any of the exemptions of the regulation applies. However, only those specific items of information to which the exemption applies will be withheld, and determining the application of exemptions will rest with the Company.
Data Protection Breaches
Where a data protection breach occurs, or is suspected, it should be reported immediately to us and include full and accurate details of the incident including who is reporting the incident and what data is involved. All incidents will be managed under the Non-conformance procedure.
Data Security
Data relating to operations and the business is held in the quality management system located on the server, accessible to authorized persons. WSC may need to share your information with third parties (client and NQA audits), but this will always be to enable us to undertake our statutory functions, to regulate effectively and/or to comply with our legal and regulatory obligations.
When personal data is shared, this will be done in line with the regulation. The employee is entitled to know why and how the ‘Company’ is sharing their personal information, and the organization or individual receiving the personal information will be required to protect it in accordance with the regulation.
Backup: Backup is through iCloud, protection being with the storage provider.
Personal: Employees, contractors and other persons acting on behalf of WSC shall, where personal data is to be collected, stored and used, give their consent for their data to be stored and used. Whenever an individual’s data is to be shared with a third party this shall not happen without the explicit agreement, in writing, of that individual. Where personal data has been stolen or lost the individual shall be informed of the situation and, with management, identify and agree what corrective actions are required to control and rectify the situation.
Breaches of data shall be investigated using the non-conformance procedure, the report discussed with the individual(s), and corrective actions agreed and monitored for effectiveness.
Where an individual refuses collection, storage and use of his/her data, this shall be discussed with us to ascertain the reasons why and whether agreement could be reached with agreed limitations. However, where this information is required for business or legislative (employment and the right to work in the UK) purposes and refusal cannot be accepted, a suitable and sufficient resolution shall be identified and agreed; if not, WSC shall need to review the situation and the terms of employment.
Existing personal data that is no longer valid or required shall be shredded or electronically deleted; only data that is current and required shall be held.
Personal data, in paper format, shall be held in a locked filing cabinet and accessible by the Director or an authorized nominated person.
Personal data held electronically shall be available to only those who have been given authorized access. Access by others, not authorized, shall be prohibited.
Client, Supplier and Third Party:
Data related to clients, suppliers and other third parties associated with the business/project shall be retained as agreed by the client, supplier or third party in a secure location either in the VPS office or client site office and available only to authorized persons.
Disposal shall be with the agreement of the document owner; minimal documentation shall be retained.
The Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” and is responsible for administering the provisions of the regulation.
General Data Protection Regulation (GDPR) Privacy Statement
Introduction
This Privacy Statement sets out details about how Walkers Sales Consultants (hereafter referred to as WSC) gather, use and share personal information and about individual privacy rights. How we use this data depends on the context in which data is made available to us.
WSC is the data controller and data processor.
This Privacy Statement provides current information on how WSC use personal information, will be updated as necessary (legislative and business changes) and a copy issued as required. If major changes are made to the content, those affected will be informed and the appropriate processes amended, communicated and issued.
Personal Information
WSC use a variety of personal information depending on the circumstances under which personal information is presented for use. WSC may use personal information in the following circumstances:
Employee: We hold names, job titles, pay details and employee details, such as home address, driving license, passport number and national insurance, in order for us to verify the validity of an individual to work in the UK, and medical/occupational health details to ensure that an individual is fit to undertake the work allocated by WSC. Personal information is held securely electronically, using passwords, available only to those persons authorized access by us. Long term contracted consultants/advisors are treated as though they are employees; the same restrictions on the data held apply.
Information related to the qualifications and competency to undertake work allocated by, or on behalf of, WSC is held securely in the WSC Office.
Job related information may be made available to clients/customers at their request to ensure competency or as required by legislation.
Business contacts: We hold information on client contacts (phone, email addresses etc.), training, suppliers, contractor/sub-contractor contacts and interested parties who WSC have dealings with related to our business. WSC do not advertise/market ourselves to the UK or overseas markets; business opportunities are managed through the web, internet orders and ‘word of mouth’.
Job Applicants: None envisaged.
Use and Gathering of Personal Information
Employees: WSC only use personal information which we have obtained directly for business and operational purposes. Personal data is gathered directly by the Director.
Business: Data gathered and used from business contacts is as necessary for the legitimate interests of managing the day to day operation of the business, including correspondence (including emails), engaging suppliers and third-party contractors on behalf of clients/customers and us.
Government/Accreditation Bodies: We may be required by law or as a part of an external audit to share personal information with government/accreditation bodies and regulators through business and/or operational requirements.
Sending Personal Information Overseas: WSC do not have any reason to send, by any means, personal information overseas.
Privacy Rights: Individuals are entitled to exercise any of the following privacy rights in respect of our processing of personal information:
- Access: Individuals can request access to a copy of their personal information held in the Office, along with details of what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision-making.
- Rectification: Individuals can ask us to change or complete any inaccurate or incomplete personal information held about them. WSC require the individual to inform us of any change in their circumstance(s) that may affect their ability to undertake the work allocated by us. Failure to do so is a disciplinary offence as both we and the individual have, under law, a ‘duty of care’ by what they do or do not do.
- Erasure: Individuals can ask us to delete their personal information where it is no longer necessary for us to use it, or where we have no legal basis for keeping it.
- Restriction: Individuals can ask us to restrict the personal information we use about them where we are not able to erase their personal information or where an individual has objected to our use of their personal information. WSC shall restrict the use of their personal information to work and employee aspects only.
- Object: Individuals can object to WSC processing of their personal information provided that the information is not mandatory for the work or client requirements.
- Portability: Individuals can ask us to provide them or a third party with some of the personal information we hold about them in a structured, commonly used, electronic format so it can be easily transferred.
- Withdraw Consent: We do not request consent to process personal information but we do to hold information on an individual via the consent form. Individuals have the right to withdraw their consent at any time provided that this does not compromise the business and operational requirements.
We are required to verify the identity of the individual requesting to exercise their privacy rights and may ask to be provided with valid identification documents when making a request to allow us to do this.
We will not make any charge for responding to any request from an individual exercising their privacy rights and will respond to any requests in accordance with our obligations under data protection legislation.
Website
WSC do not include personal information on our website; only information related to the business is included.
Personal information required for proof of competency (qualifications, training etc.) required by a client/customer is transmitted through emails, posted or handed direct to the client/customer.
For further understanding/clarification of this Privacy Statement, contact us.