1. Introduction
This document is designed to set out the obligations of Stage Electrics Group Ltd. (“the Company”) and its employees, and also to explain to you your rights as a data subject under the General Data Protection Regulation (“the GDPR”). It also sets out the processes and standards which The Company must follow at all times when working with your personal information. Anybody who performs work for The Company must also comply with this policy.
The Company’s data controller can be contacted on datacontroller@stage-electrics.co.uk or by writing to:
The Data Controller,
Encore House,
Unit 3 Britannia Road,
Patchway Trading Estate,
Patchway,
Bristol
BS34 5TA
2. The GDPR in a nutshell
The GDPR describes the following six principles for handling your personal data. All personal data must be:
- Processed fairly, according to the law, and transparently
- Collected for a specific, legitimate reason which must be described to you, and not processed in a way which goes against the spirit of the GDPR
- Relevant, and limited only to what is genuinely needed in order to fulfil the reason it was collected
- Accurate and kept updated
- Stored in an identifiable form no longer than is necessary
- Processed in a way that makes sure your personal information is kept safe, including protection from accidental loss, destruction or damage and from unauthorised or unlawful processing, using appropriate technical and organisational safeguards
3. Lawfulness, fairness and transparency
The GDPR seeks to make sure that personal information is processed fairly, in accordance with the law, and transparently, without prejudice to your rights as a data subject. Under the GDPR, processing of personal information is lawful only if at least one of the following applies:
- You have given your consent to the processing of your personal information, for one or more specific purposes
- The processing is necessary to fulfil a contract which you are a party to, or to take steps that you ask for before a contract is made
- The processing is necessary for the Company to comply with a legal obligation
- The processing is necessary to protect your or somebody else’s vital interests, for example during a medical emergency
- The processing is necessary to perform a task carried out in the public interest
- The processing is necessary for the Company’s legitimate interests (for example, promoting our goods and services), provided those interests are not overridden by your interests, rights and freedoms
Where the Company is asked to cooperate with a Police or Trading Standards investigation, the processing will be carried out under the legal obligation or legitimate interests basis, as appropriate.
4. Processing for specific and legitimate purposes
The Company collects and handles personal information, which is described in the Privacy Policy. This may include information you give The Company directly (for example, contact details revealed when you communicate with us) and information received from other people and companies.
The Company only processes personal data for the specific purposes described in the Privacy Policy, or for other purposes compatible with those which the GDPR permits. If we collect your information directly, we will explain the purpose to you at the time; if we collect your information from another person or organisation, we will notify you as soon as possible and no later than one month after we obtain it.
5. Adequate, relevant, and limited data
The Company will only collect and process personal information that is adequate, relevant and limited to what is necessary for the purposes described in Part 4 of this policy.
6. Accuracy of data
The Company will make sure that all personal information we process will be kept accurate and updated wherever possible. This means we will check the accuracy of your information when we collect it, and at appropriately regular intervals afterwards. Where we find data to be out of date or inaccurate, we will make all reasonable efforts to correct or erase it in a timely manner.
7. Retaining data
The Company will not retain personal information any longer than we need it for the reasons we originally collected it. When the Company no longer needs your information, we will make all reasonable efforts to delete it in a secure manner.
8. Secure processing
The Company will make sure that all personal information we collect and process is kept safe and protected against unauthorized or illegal processing, and also against accidental loss or damage. We go into more detail about this in Parts 11 and 12 of this document.
9. Accountability
The Company will keep internal records of what we do with your personal data. These records will contain the following information:
- The name and details of the Company, its data controller, and any relevant third-party data controllers;
- The reasons for which The Company holds and processes your personal information;
- Details of the types of information The Company collects, holds and works with;
- Details of any other people or organizations who will receive personal information from The Company;
- Details of any personal information that gets transferred outside the UK or EEA, including the security safeguards and mechanisms relied on;
- Details of how long The Company will retain your personal information, or the criteria used for deciding whether or not to delete it;
- Detailed descriptions of all measures we take to make sure your personal information is kept safe
10. The rights of data subjects
The GDPR gives you the following rights as a data subject:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure (deletion)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights with respect to automated decision making and profiling
There are specific processes that you and The Company must follow when you wish to exercise your rights under the GDPR.
The Company will make sure that the following information is given to you when we collect your personal information:
- Details of our company, including the name and contact details of our data controller;
- The purpose for which we are collecting your personal information;
- The lawful basis on which the GDPR allows us to process your information and, where we rely on legitimate interests, what those interests are;
- If we did not collect it from you, the source we obtained your information from and the categories of information we received;
- If we share your information with another person or company, the details of that recipient;
- If we transfer your information outside the UK or EEA, details of that transfer including the measures we take to keep your information safe;
- The length of time we will keep your personal information for, or the criteria we use to decide when to delete it;
- Details of your rights under the GDPR;
- Details of your right to complain to the Information Commissioner’s Office;
- Where appropriate, details of any legal or contractual requirement to provide your data, and the consequences of not providing it;
- Details of any automated decision-making, including profiling, that we apply to your personal information, including meaningful information about how decisions are made, their significance and their likely consequences for you
If you wish to make any requests of The Company regarding your rights under the GDPR, please forward them to our data controller who will be happy to help you.
11. Measures for the protection of data
The Company will make sure that all our employees, and other people who do work for us, stick to the following rules:
- All emails containing sensitive information will be kept secure (for example, by encrypting attachments) and sent only to verified recipients;
- Where information needs to be destroyed it will be done so securely, and where hard copies need to be disposed of they will be shredded first;
- Personal information will not be transmitted over an insecure network (for example, unencrypted public Wi-Fi);
- Where personal information is to be sent by fax, the recipient will be warned in advance and will be expected to be waiting at the fax machine to receive it;
- Where personal information is to be transferred in paper form, it will be handed directly to the recipient or addressed as confidential if sent in the post;
- No personal information will be shared informally, and if one of our employees needs information they do not have, it must be requested formally from their line manager;
- All physical copies of any personal information will be stored safely in a locked box, cabinet, drawer or similar;
- No personal information will be passed to any person, whether they work for us or not, without the permission of our data controller;
- Personal information must be handled with care at all times, and will not be left unattended or on view to unauthorized people;
- If personal information is being viewed on a computer screen, the operator must lock the computer with a password before leaving it unattended;
- No sensitive information will be stored on any mobile device (e.g. laptops, mobile phones, tablets) whether the device belongs to The Company or not;
- No personal information should be transferred to any personal devices belonging to an employee, and transfers to personal devices belonging to somebody outside The Company will only be permitted where the person concerned has agreed to stick to this policy;
- Where we use personal information for marketing purposes, all staff will make sure nobody on the list has added their details to any opt-out databases such as the Mail Preference Service, Telephone Preference Service and similar
12. Organisational safeguards and measures
The Company will make sure that the following measures are taken when we collect, hold and process your personal information:
- Everybody who works for us will be made fully aware of their and our responsibilities under the GDPR, and will be given a copy of this policy;
- Only people who need access to personal information in order to do their job will be given access;
- Everybody who handles personal information will be given the appropriate training to do so;
- Everybody who handles personal information will be appropriately supervised;
- Anybody outside the Company who does work for us will be expected to follow the same rules as ourselves when they handle personal information
13. Transfer of personal information outside the UK or EEA
The Company may need to transfer personal information to countries outside of the UK or European Economic Area (“EEA”).
We will only transfer personal information outside the UK or EEA if one or more of the following is true:
- The UK Government or the European Commission has decided that the country being transferred to ensures an adequate level of protection for personal information (an adequacy decision);
- The recipient is bound by appropriate safeguards that make sure personal information is kept safe, such as approved binding corporate rules;
- You have given us your explicit consent to the transfer after being informed of the possible risks;
- We need to transfer your data outside the UK or EEA in order to fulfil a contract you have made with us, or to do something you have asked us to do prior to forming a contract;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary to establish, exercise or defend legal claims;
- We need to transfer your data outside the UK or EEA to protect your or another person’s vital interests where you are physically or legally unable to give your consent (e.g. in a medical emergency);
- The information we are transferring comes from a register which, by law, is intended to provide information to the public.
End.