GDPR: Data Protection Policy
The purpose of this policy is to outline how Valasys Business Solutions has established measures to maintain compliance with the EU General Data Protection Regulation (also known as the GDPR).
For business purposes, including the provision of our services, marketing, and business administration, we at Valasys collect and process information about individuals. This includes personal data relating to our customers, suppliers, business contacts, employees and other people our organization has a relationship with or may need to contact.
In order to ensure that personal data remains safe, business operations are secure and the rights of individuals are respected, compliance with data protection law is essential. Valasys is a controller under data protection law, meaning we decide how and why we will use personal data. In relation to personal data, this policy explains our procedures for complying with data protection law and sets out the obligations we have when processing any personal data during the course of our employment.
Specific training on data protection procedures will be given to staff who routinely handle individuals’ personal data. This training supplements the obligations set out in this policy.
Other policies will also be implemented that affect the way we deal with personal data and data protection. Where relevant, we expect all of our employees to comply with our Electronic Communications Policy.
Who does this policy apply to?
This policy applies to current, former and prospective employees, workers, volunteers, apprentices, and consultants. Those who fall into one of these categories are referred to as ‘data subjects’ for the purposes of this policy. This policy should be read alongside the employment contract or service contract and any other notice the Company issues from time to time in relation to data.
Who is responsible for data protection at Valasys?
Valasys has appointed a Data Protection Officer (DPO) who is responsible for overseeing, advising on and administering Valasys’ compliance with this policy and data protection law. It is the responsibility of each department head to ensure full compliance with this policy and data protection law by all staff members in their department/team.
All Valasys employees share responsibility for the security of personal data and for ensuring that it is processed lawfully.
Why is data protection compliance important?
In the UK, data protection law is regulated and enforced by the Information Commissioner’s Office (ICO). Failure to comply with data protection law exposes Valasys, and in some cases individual employees, to serious legal liability. This can include criminal offenses and fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher. Under data protection law, an individual whose rights are breached can seek damages from us in the courts. A breach of data protection law would also cause severe damage to our brand and reputation.
What is personal data?
Personal data can be defined as any information that relates to an identified or identifiable person (data subject). This information contains identifiers like a name, an identification number, location data, an online identifier or other factors that are specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The personal data we gather may include an individual’s phone number, email address, educational background, financial and payment details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Relevant individuals can include colleagues, consumers, members of the public, business contacts, etc. Personal data can be factual (e.g. contact details or date of birth), an opinion about a person’s behaviour, or information that may otherwise impact that individual – personal or business related.
Personal data may be stored by automated means (e.g. electronic records such as computer files or emails) or in manual records which form part of a filing system or are intended to form part of one (e.g. structured paper files and archives).
What does ‘processing’ personal data mean?
‘Processing’ personal data is defined as any activity that involves the use of personal data – obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying. Processing also includes sending or transferring personal data to third parties.
Data Protection Obligations
Valasys is responsible for and must be able to demonstrate compliance with data protection law. To ensure that responsibilities are met when processing personal data, it is essential that Valasys employees comply with the data protection law and any other Valasys policies, guidelines or instructions that relate to personal data.
We have set out below the key obligations under data protection law and details of how Valasys expects employees to comply with these requirements.
1. Personal data should be processed in a fair, lawful and transparent manner
Legal grounds for processing
Under data protection law, personal data can be processed only where there are fair and legal grounds that justify using the information. Where consent is relied upon, it must be freely given, specific, informed and unambiguous, and Valasys must be able to demonstrate that consent has been given.
In most standard business activities that involve the use of customer or supplier data, consent is not required, but it may be needed for activities that go beyond managing the main business relationship, such as direct marketing.
Data protection law also requires us to process personal data in a transparent manner by providing individuals with appropriate, clear and concise information about how we process their personal data.
We usually provide basic information to individuals about how we use their data via data collection forms such as application forms or website forms, and in longer privacy notices we set out details that include: the types of personal data that we hold about them, how we use it, our legal grounds for processing the information, whom we might share it with and the duration we will keep it for.
2. Take extra care when handling sensitive or special categories of personal data
There are some categories of personal data that are particularly sensitive which include information that reveals details of an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Physical or mental health;
- Sexual orientation;
- Biometric or genetic data; and
- Criminal offenses or convictions.
Where special category personal data is concerned, data protection law requires us to have an additional legal ground to justify using this sensitive information.
3. Personal data should be processed only for specified, explicit and legitimate purposes
Valasys will only process personal data in accordance with our legitimate purpose of carrying out our business operations and to administer employment and other business relationships.
4. Personal data must be adequate, relevant and limited to what is necessary for your purposes
Data protection law requires us to ensure that, when we process personal data, it is adequate, relevant to our purposes and limited to what is necessary for those purposes; this principle is known as ‘data minimization’. In other words, we only ask for the information required for our legitimate business purposes, and no more than we need in order to carry out our business operations.
5. Keep personal data accurate and (where necessary) up-to-date
Valasys must take steps to ensure that personal data is accurate and up-to-date. For example, we request that employees provide us with any change in contact details or personal information by completing the ‘Change of Personal Details’ form and handing it to the HR Department.
6. Keep personal data for no longer than is necessary for the identified purposes
Personal data records are kept for as long as they are needed for the identified purposes. Valasys has put in place data retention, storage, and deletion policies and internal processes/guidelines regarding various types of company records and information that contain personal data.
We take appropriate steps to retain personal data only for as long as is necessary, taking into account:
- The volume, characteristics, and confidentiality of the personal data;
- The risk from unauthorized use or data breach;
- The purposes for which the personal data has been processed and how long we need the particular data to achieve said purposes;
- The duration for which the personal data is likely to remain accurate and up-to-date;
- The duration the personal data might be relevant to possible future legal claims;
- Legal, accounting, reporting or regulatory requirements that have record duration specified.
7. Appropriate steps must be taken to keep personal data secure
A key responsibility for Valasys and its workforce is keeping personal data safe and complying with Valasys’ security procedures to protect the confidentiality, integrity, availability, and resilience of personal data.
Valasys has an Electronic Communications Policy setting out protocols for employees on the use of technology and communications systems, which also helps to ensure appropriate security of personal data stored or communicated using such systems.
Through regular evaluation, we test the effectiveness of these measures to ensure the security of our personal data processing activities.
8. Take extra care when sharing or disclosing personal data
As sharing or disclosing of personal data is a type of processing, all the principles described in this policy need to be applied.
Internal data sharing
Valasys ensures that personal data is shared internally only on a ‘need to know’ basis.
External data sharing
Personal data will be shared with other third parties (including group entities) only when we have a legitimate purpose and an appropriate legal ground under data protection law which allows us to do so. Commonly, this could include situations where we are legally obliged to provide the information or where necessary when performing our contractual duties to individuals.
We may appoint third party service providers, also known as processors, who will handle information on our behalf, for example, to provide data storage or other technology services. Valasys remains responsible for ensuring that its processors comply with data protection law and this policy in their handling of personal data. Prior to and during the appointment of a processor, we must assess and apply data protection and information security measures. Depending on the nature of activities, the extent of these measures will vary but will include suitable risk assessments and reviews, and contractual obligations.
9. Do not transfer personal data to another country unless appropriate safeguards are in place
An overseas transfer of personal data takes place whenever the data is transmitted or sent to, viewed, accessed or otherwise processed in a different country. European Union data protection law restricts transfers of personal data to countries outside the European Economic Area (EEA – the European Union plus Norway, Liechtenstein, and Iceland), because the laws of such countries may not provide the same level of protection for personal data as within the EEA, and the level of protection provided to individuals must not be compromised.
To ensure that data protection is not compromised when personal data is transferred to another country, Valasys assesses the risks of any transfer of personal data outside of the EEA and enforces additional appropriate safeguards where required.
10. Report any data protection breaches without delay
Valasys takes all data protection breaches very seriously. These can include lost or mislaid data, use of inaccurate or excessive data, failure to address an individual’s rights, accidental sending of data to the wrong person, unauthorized access to, use of or disclosure of data, deliberate attacks on Valasys’ systems or theft of records, and any equivalent breaches by Valasys’ service providers.
Where there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to individuals’ personal data, Valasys will take immediate steps to identify, evaluate and address it, including mitigating the risks, resolving the breach, and alerting the appropriate parties.
In the event of a personal data security breach that poses a risk to the rights and freedoms of individuals, Valasys will report it to the ICO within 72 hours of discovery. An internal record is kept of every personal data breach, regardless of its effect, including whether or not it was reported to the ICO.
Where a personal data breach poses a high risk to the rights and freedoms of individuals, we must also tell the affected individuals that there has been a breach and provide them with information about its likely consequences and the measures we have taken to mitigate it.
11. Do not use profiling or automated decision-making unless you are authorized to do so
Automated decision-making or profiling occurs when an individual’s personal data is processed and evaluated through automated means which results in an important decision being taken in relation to that individual. This poses risks for individuals when a decision is made based solely on that profiling or automated processing.
Except in very limited circumstances, data protection law prohibits decision-making based solely on profiling or other automated processes. In addition, where profiling or other automated decision-making is permitted, safeguards are put in place giving individuals the opportunity to express their point of view and challenge the decision.
12. Integrate data protection into operations
Data protection law requires Valasys to build data protection considerations and security measures into all of our operations that involve the processing of personal data, particularly at the start of a new project or activity which may have an impact on the privacy of individuals. This involves taking into account various factors including:
- The risks posed by the processing for the rights and freedoms of individuals;
- Technological capabilities;
- The cost of implementation; and
- The nature, scope, context, and purposes of the processing of personal data.
Data protection risks will be assessed regularly throughout the lifecycle of any project or activity that involves the use of personal data.
Individual Rights and Requests
When it comes to handling personal data, under the data protection law, individuals have certain rights. Some of them are:
- The right to make a Subject Access Request (SAR). This allows an individual to receive a copy of the personal data we have about them, along with information about how and why we process it. This enables them, for example, to check whether we are lawfully processing their data and to correct any inaccuracies.
- The right to request correction of incomplete or inaccurate personal data that we hold about them.
- The right to withdraw previously provided consent.
- The right to request that we delete or remove personal data that we hold about them if there is no good reason for us to continue to process it. Individuals also have the right to ask us to delete or remove their personal data when they exercise their right to object to processing.
- The right to object to the processing of their personal data for the purpose of direct marketing, or where we cannot show a compelling reason to continue using the data for processing.
- The right to request a restriction on the processing of their personal data.
- The right to request that we transfer to them or to another party, in a structured format, the personal data which they have provided to us; this is also known as the right to ‘data portability’.
- The right to challenge a decision that is based solely on profiling or automated processing, to obtain human intervention, and to express their point of view.
We are required to comply with these rights without undue delay and, in respect of certain rights, within one month. Individuals also have the right to complain to the ICO and to take action in court to enforce their rights and seek compensation for damage suffered as a result of any breach.
In order to comply, and demonstrate our compliance, with data protection law, Valasys keeps various records of data processing activities. These include a Processing Record which must contain:
- The purposes of processing;
- Categories of data subjects and personal data;
- Categories of recipients of disclosures of data;
- Information about international data transfers;
- Envisaged retention periods;
- General descriptions of security measures applied;
- Certain additional details for special category data.
All employees are required to undergo basic training in order to comply with data protection law and policy. For specific roles and activities that involve the use of personal data, additional training may be required.
Training is also provided to new joiners as part of the induction process at Valasys. We operate an ongoing training program to make sure that employees’ knowledge and understanding of compliance requirements in the context of their role is up-to-date. Attendance at such training is mandatory and is recorded.
Departures from this Policy
Under the data protection law, there are some very limited exemptions, which permit departure from aspects of this policy.
Our staff will be given specific instructions if any exemptions are relevant to their role.
If we think we should be able to depart from this policy in any circumstances, we will consult the Data Protection Officer before taking any action.