1. Introduction of this GDPR Group Policy
This GDPR policy ensures TRIDEX Global Ltd [1] (referred to in this policy as "we", "us" or "our"):
- Complies with data protection law and follows good practice.
- Protects the rights of staff, clients and partners.
- Is open about how it stores and processes individuals’ data.
This policy applies to:
- All TRIDEX Global Ltd businesses.
- All staff of TRIDEX Global Ltd businesses.
- All contractors, suppliers and other people working on behalf of TRIDEX Global Ltd businesses.
The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 from 25th May 2018. It applies to both data controllers and data processors, which have day-to-day responsibility for data protection.
A controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
The data subject is the individual who is the subject of the relevant personal data.
The GDPR applies to a wide range of personal data, such as names, email addresses, identification numbers, location data or online identifiers, reflecting changes in technology and the way organisations collect information about people.
The GDPR does not apply to data that is rendered anonymous in such a way that individuals can't be identified from the data.
2. Why We Process Data
- Our lawful basis for processing personal data of clients is that processing is necessary to perform or enter into the contract we have with them. Such processing will allow us to carry out accounting, audit, payroll, bookkeeping and other related services.
- Our lawful basis for processing personal data of employees is that processing is necessary to perform or enter into the employment contract we have with them. It is also necessary in relation to PAYE, pension contributions and other personal data shared with HMRC to ensure compliance with the law.
- Our lawful basis for holding the personal data of potential employees/candidates is that we have a legitimate interest in deciding whether to recruit them. Should a candidate be unsuccessful, this legitimate interest will cease to exist and any personal data held must be deleted/destroyed within 6 months.
We process personal data in relation to marketing activities if we:
- Have clear consent from the data subject.
- Have legally purchased a database from a third-party in order to market our products/services to prospects we believe will have a legitimate interest. We will only engage with third-parties who have a robust GDPR policy in place that we believe aligns with our own.
This covers contacting clients and prospects regarding:
- Networking and similar events.
- Email newsletters and updates.
- Additional products/services we can offer that we believe could be of legitimate interest.
We will also process your personal data for the following reasons:
- We will need to hold an individual's data in a suppression file to ensure a record of their objection to direct marketing.
- To inform marketing strategy and enhance customer experience.
- For assessing website analytics (such as page views) in order to optimise future marketing campaigns and improve user experience. Please note, when you visit our websites we may collect information about your online browsing behaviour and any devices you have used to access our websites (including your IP address, browser type and mobile device identifiers).
Our legitimate business interests do not automatically override the interests of data subjects. Therefore, we will not use personal data for activities where our interests are overridden by the impact on the data subject(s), unless we have your consent or are otherwise required or permitted to by law.
We are also under legal obligation to hold company and accounting records for 6 years from the end of the last company financial year they relate to, or longer if:
- They show a transaction that covers more than one of the company’s accounting periods.
- The company has bought something that it expects to last more than 6 years.
- The Company Tax Return was sent late.
- HMRC has started a compliance check into the Company Tax Return.
We therefore have a legal obligation to hold personal data relating to these company records for approximately 6 years. We may keep these records for longer than 6 years if we have a legitimate interest to do so. Payroll records will be kept for 3 years.
3. Our Processing Activities
We process personal information in order to:
- Provide accounting, auditing, taxation and related services.
- Maintain our own accounts.
- Support and manage our employees.
- Process our own payroll.
We process personal information about customers and clients, advisers and other professional experts and employees. This information may include:
- Personal details.
- Family, lifestyle and social circumstance.
- Goods and services.
- Financial details.
- Education details.
- Employment details.
We also process sensitive classes of information that may include:
- Physical or mental health details.
- Racial or ethnic origin.
- Religious or other beliefs.
- Trade union membership.
4. Sharing Personal Data
We may need to share personal information with the individual themselves and also with other organisations. We may also share personal data between TRIDEX Global Ltd companies.
Where sharing personal data is necessary, we are required to comply with all aspects of the GDPR. Where necessary or required, we share information with:
- Business associates, professional advisers, etc.
- Family, associates and representatives of the person whose personal data is being processed.
- Local and central government.
- Financial organisations.
- Regulatory authorities.
- Credit reference and debt collection agencies.
- Healthcare professionals, social and welfare organisations.
- Current, past or prospective employers.
- Examining bodies.
- Service providers, such as third-party marketing agencies to help facilitate marketing campaigns, or third-party processors to produce business information, insight and help improve IT systems.
We may, on occasion, need to transfer personal information outside of the European Economic Area (EEA) to locations that might not provide the same level of protection as the UK. When this is needed, we'll only transfer your personal information if we've put in place appropriate safeguards and protections as stated under UK law.
5. Retention of Personal Data
It has been agreed that personal data held on clients, including data within accounts, taxation and payroll records, will be kept by us for 6 years after:
- The date at which the client ceases to be our client; or
- The date at which the client’s last return to HMRC was submitted.
After this, the records will be deleted/destroyed. We may, however, keep clients’ records for longer than 6 years where we believe we have a legitimate interest/reason to do so.
Any personal data held on potential employees/candidates who prove unsuccessful will be deleted/destroyed within 6 months.
Retention of personal data held on employees is not outlined in this policy document but details can be obtained from the board.
6. Data Subject Rights
Data subjects have the following rights:
- Right to correct: the right to have personal information rectified if it's inaccurate or incomplete.
- Right to erase: the right to request that we delete or remove personal information from our systems.
- Right to restrict our use of your information: the right to 'block' us from using personal information or limit the way in which we can use it.
- Right to data portability: the right to request that we move, copy or transfer personal information.
- Right to object: the right to object to our use of personal information, including where we use it for our legitimate interests, or where we use personal information to carry out profiling to inform our market research and user demographics. If an objection is raised, we will stop processing the data subject's personal information unless very exceptional circumstances apply, in which case we will let them know why we're continuing to process their personal information.
We will use reasonable efforts consistent with our legal duty to provide these rights in accordance with data protection legislation.
To make enquiries or exercise any of these rights please contact email@example.com or write to:
Data Protection at Swift360, Venture Park, Selborne Road, Alton, Hampshire, GU34 3HL.
7. Our Responsibilities
Everyone who works for or with businesses within the TRIDEX Global Ltd group has some degree of responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure it's handled and processed in line with this policy and data protection principles. The board of directors is ultimately responsible for ensuring that TRIDEX Global Ltd meets its legal obligations.
Key areas of responsibility
- The board must be kept updated about GDPR responsibilities, risks and issues.
- We must demonstrate compliance with the data protection principles and the GDPR.
- We should implement appropriate technical and organisational measures to ensure and to demonstrate that processing activities are compliant with the GDPR.
- All data protection procedures and related policies will be reviewed every year.
- Training and advice on data protection should be arranged for the people covered by this policy.
- The Data Protection Officer should handle data protection questions from staff and anyone else covered by this policy.
- We should deal with requests from individuals such as right of access or right to be forgotten.
- Any third party services we are considering using to store or process data should be evaluated.
- Contracts with third parties and processors that may handle our sensitive data should be checked and reviewed.
- All systems, services and equipment used for storing data must meet relevant security standards.
- Regular checks/scans should be performed to ensure security hardware and software is functioning properly.
- Data protection statements attached to communications such as emails should be approved and updated when necessary.
- Marketing campaigns should abide by GDPR principles.
- Adequate data protection procedures should be in place for when an employee leaves.
- Data breaches should be recorded, serious data breaches should be reported to the ICO and high-risk breaches should be reported to the affected data subjects.
- We should make sure individuals are aware that their data is being processed, how the data is being used and how to exercise their rights.
- We must have a lawful basis for all processing activities.
- This policy document is made available to potential and existing clients and employees.
8. Security Measures
- Our building is alarmed outside of office hours.
- Visitors can only enter the building with authorisation from an employee.
- Employees require key fobs to enter the building.
- Cleaners are subject to a duty of confidence.
- Employees should keep all data secure by taking sensible precautions.
- We will provide training to all employees to help them understand their responsibilities.
- Employees should request help from the Data Protection Officer if they're unsure about any area of data protection.
- The only people able to access data covered by this policy should be those who need it for their work.
- Personal data shouldn't be disclosed to unauthorised people, either within the company or externally.
- Employees should only process personal data electronically from the company’s remote desktop and keep their credentials secure.
- Employees must maintain their duty of confidence as outlined in their confidentiality agreements.
- Servers containing personal data are sited in a secure location, away from general office space.
- Data should be backed up frequently.
- All servers and computers containing data should be protected by approved security software and a firewall.
- When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Data should not be saved directly to laptops or other mobile devices like tablets or smart phones.
- Employees shouldn't save copies of personal data to their own computers or the normal desktop.
- Payroll details held electronically should be password protected and payroll details held manually should be retained in files in a secure environment.
- Data transferred to memory sticks should be password protected.
- Employees should keep memory sticks in a secure place when not in use.
- The company should keep account of the number of memory sticks in use; employees should limit how many memory sticks they use.
- Data stored on memory sticks should be cleared regularly.
- Personal data stored or printed on paper should be kept in a secure location where unauthorised people can't see it.
- Data printouts should be shredded and disposed of securely when no longer required.
- When working from home or at clients’ premises, or if visitors are in the office, employees should make sure computer screens are locked if left unattended.
- When taking files and records containing personal data out of the office, employees should take reasonable measures to ensure the data is protected and that no unauthorised persons access the data.
- It's the responsibility of all employees who work with data to take reasonable steps to ensure it's kept as accurate and up to date as possible.
- Staff should take every opportunity to ensure data is updated; data should be updated as inaccuracies are discovered.
- We must make it easy for data subjects to update their information that's held by us.
Emailing Personal Data
- Documents containing personal data shared between the company and clients should be encrypted when transmitted over the internet.
- Clients have their own login and create their own password when using our online ordering platform EOS, making the process more secure.
- If a client wishes to use email communication for sharing such data, they should first have a discussion with us and provide written consent.
- Attachments to emails containing personal data should be password protected or encrypted if this is possible.
Procedures for When an Employee Leaves
- Office key fobs must be returned.
- Office memory sticks must be returned.
- Ensure no files and records are still at the employee’s residence.
- Ensure no files are kept on the employee’s desktop at home.
- Remove employee access/login to remote desktop.
- Redirect emails to another employee.
- Check the employee can't access work emails from their phone.
- Remove the employee’s login to any other software used for clients’ data, such as our CRM.
Please note, we do our best to keep the information disclosed to us secure. However, we can't guarantee or warrant the security of any information which is sent to us, and clients/prospects/suppliers/partners do so at their own risk. By using our online services, individuals accept the inherent risks of providing information online and will not hold us responsible for any breach of security in this manner.
9. Reporting a Data Breach
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
Recording a Breach
All data breaches should be recorded internally, using our Data Protection Breach Report Form. This form should be completed by the member of staff who discovered the breach, a member of staff who has knowledge of the company’s data protection procedures in place such as the Data Protection Officer.
The decision as to whether to report the breach must be signed off by the directors. Completing this form will assist the company when and if the breach is reported.
How Do We Decide Whether to Report a Breach?
Each case must be considered individually. Breaches that are considered by the company to be ‘serious’ should be reported to the Information Commissioner’s Office (ICO). The seriousness of a breach will depend on:
- The potential detriment to data subjects.
- The volume of personal data lost/released/corrupted.
- The sensitivity of the data lost/released/corrupted.
The potential detriment to individuals is the overriding consideration in deciding whether to report a breach of security. Detriment includes emotional distress as well as both physical and financial damage.
There is no need to report a breach if it's 'unlikely to result in a risk to the rights and freedoms of natural persons'.
Should We Notify the Data Subject(s) Affected?
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the breach must also be reported to the affected individual(s) without undue delay.
The company has agreed that individuals will be notified of a breach in writing.
10. Contact Details
If you have any queries relating to our use of personal information or any other related data protection questions, please contact us at firstname.lastname@example.org, or write to: Data Protection at Swift360, Venture Park, Selborne Road, Alton, Hampshire, GU34 3HL.
This policy is active from 1st June 2020 and replaces the previous policy.
We may make changes on occasion and this policy will be updated to reflect these.
[1] The TRIDEX Global Ltd group includes: Swift Industrial Supplies Ltd, TRIDEX UK Ltd, TraffiSafe Ltd.