Easa Group Ltd is required to process relevant personal data regarding members of staff, suppliers and customers as part of its operation and will take reasonable steps to do so in accordance with this policy.
Security policy and responsibilities in the company
The Company shall, so far as is reasonably practicable, comply with the Principles contained in the GDPR to ensure all data is:
Fairly and lawfully processed
Processed for a lawful purpose
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than necessary
Processed in accordance with the data subject’s rights
Not transferred to other countries without adequate protection
The Company is Easability Showers Limited trading as Easa Group Limited incorporated by Easability Showers Limited.
Data Subject means an individual who is the subject of the personal data.
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary or attendance records. Personal data may also include sensitive personal data as defined in the GDPR.
Processing of Personal Data
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent.
The Company processes some personal data for direct marketing and fund-raising purposes; data subjects have the right to request an opt-out from these activities, and any such request must be respected.
Sensitive Personal Data
The Company may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
Rights of Access to Information
Data subjects have the right of access to information held by the Company, subject to the provisions of the GDPR and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the Commercial Director. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the Company’s attention and in compliance with the relevant Acts.
Certain data is exempted from the provisions of the GDPR, which includes the following:
National security and the prevention or detection of crime
The assessment of any tax or duty
Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the Company, including Safeguarding and the prevention of terrorism and radicalisation.
The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the ICO.
The Company will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased.
If an individual believes that the Company has not complied with this Policy or has otherwise failed to act in accordance with the GDPR, the member of staff should use the Company grievance procedure and should also notify the ICO.
The Company will take appropriate technical and organisational steps to ensure the security of personal data.
All staff will be made aware of this policy and their duties under the GDPR.
The Company and therefore all staff are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and encrypted when transported offsite. Other personal data may be for publication or limited publication within the Company, therefore having a lower requirement for data security.
The Company must ensure that data processed by external processors (for example service providers, cloud services including storage, and websites) is handled in compliance with this policy and the relevant legislation. Data will only be forwarded to such processors with the consent of the data subject.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
The Company may retain data for differing periods of time for different purposes as required by statute or best practice; individual departments incorporate these retention periods into their processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.
The Company may store some data, such as registers, photographs and achievements, indefinitely in its archive.
The Company owns and operates a CCTV network for the purposes of crime prevention and detection, and Safeguarding.
Where a data subject can be identified, images must be processed as personal data. This data is held on record for 10 weeks maximum unless required for different purposes.
Existing Technical and Organisational Measures
Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Right to Erasure
Data subjects have the right to have personal data erased to prevent processing in specific circumstances, such as where the data is no longer necessary, where they withdraw consent, where there is no legitimate reason for processing, where it was unlawfully processed, or where the data must be erased to comply with legal obligations. Easa will make every effort to ensure that any external supplier who holds transferred data complies with a request for erasure. These requests may be refused if the Company needs to comply with legal obligations, or for public health purposes, for instance.