Data protection

Introduction

The GDPR controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is used fairly and lawfully.

This policy sets out the obligations of JONBARKERUK LTD regarding data protection and the rights of customers, employees and suppliers regarding their personal data under the General Data Protection Regulation.

Personal data is described as any information relating to an identified or identifiable natural person or data subject. An identifiable natural person is someone who can be identified directly or indirectly, particularly by their name, identification number, location, online identifier or other factors such as physical, physiological, genetic, mental, economic, cultural or social identity of that person.

This document details the processes which must be followed when dealing with personal data by the Company, its employees, agents, contractors or other parties working on its behalf.

The Company is committed to the letter and spirit of the law, placing high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy and trust of the people with whom it deals.

Data protection principles

The Company aims to ensure compliance with the GDPR by following the principles with which any party handling personal data must comply.

These principles require that personal data is:

a) processed lawfully, fairly and in a transparent manner in relation to individuals.

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The controller, Jon Barker, shall be responsible for, and be able to demonstrate, compliance with the principles.

Lawful, Fair and Transparent Data Processing

GDPR ensures personal data is processed lawfully, fairly and transparently, without adversely affecting the data subject’s rights.

The data processing will be classed as lawful if one of the following applies:

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

To ensure fair and transparent data processing the Company must be open and honest about its identity. The Company must tell people how it intends to use and handle any personal data it collects about them (unless this is obvious), in ways they would reasonably expect. Above all, the Company must not use information in ways that unjustifiably have a negative effect on the data subjects.

Process – Specified, Explicit & Legitimate Purpose

The concept of legitimate interests as a lawful basis for processing is based on 3 key principles:

Purpose, Necessity and Balancing.

Processing is necessary for the purposes of the legitimate interests pursued by [DPO] or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The personal data collected and processed may be received directly from data subjects (e.g. contact details when a data subject communicates with us) or from third parties (e.g. sales and marketing lists).

The Company only processes personal data for the specific purposes set out in this Policy (or for other purposes expressly permitted by GDPR). Data subjects will be informed of the purposes for which we process their personal data at the time that it is collected, where it is collected directly from them, or as soon as possible (not more than one calendar month) after collection where it is obtained from a third party.

Adequate, Relevant and Limited Data Processing

The Company will only collect and process personal data for the specific purpose(s) informed to data subjects. We will not hold any more information than is required.

Accuracy of Data and Keeping Data Up To Date

The Company will take reasonable steps to ensure the accuracy of any personal data held. We will ensure that the source of any personal data is made clear to the data subject and will carefully consider any challenges to the accuracy of information and whether it is necessary to update the information. The accuracy of data shall be checked when it is collected and at [regular] intervals.

Personal Data Retention

JONBARKERUK LTD shall not keep personal data for any longer than is necessary for the purposes for which that data was originally collected and processed.  When the data is no longer required, all reasonable steps will be taken to erase it without delay.

The Company will regularly review the personal data held, and delete anything that is no longer needed. Information that does not need to be accessed regularly, but which still needs to be retained, will be safely archived or put offline.

Generally, retention periods follow HMRC guidelines and data will be removed after 6 years. However, we take account of any professional rules or regulatory requirements that apply.

The Rights of Individuals

GDPR gives individuals the following rights:

The right of access to a copy of the information comprised in their personal data.

A right to object to processing that is likely to cause or is causing damage or distress.

A right to prevent processing for direct marketing.

A right to object to decisions being taken by automated means.

A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed.

A right to claim compensation for damages caused by a breach of the Act.

Secure Processing

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, as detailed in this policy.

Accountability

Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.

The accountability principle requires the Company to demonstrate compliance with the principles and states explicitly that this is the Company’s responsibility.

To demonstrate accountability we will:

Implement appropriate technical and organisational measures to ensure and demonstrate compliance, including internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies.

We will maintain relevant documentation on processing activities.

We have appointed a data protection officer (DPO) Jon Barker, JONBARKERUK LTD, 7 Bell Yard, London, WC2A 2JR, UK.

We have implemented documentation that meets the principles of data protection by design and data protection by default.

We will provide details to the data subject on their personal data and how it is used and shared.

We will also create and improve security features on an ongoing basis, following approved codes of conduct and/or certification schemes where appropriate.

Data Protection Impact Assessment

Data protection impact assessments will also be carried out where appropriate and will be overseen by the DPO.

We will ensure they are used when new technologies are introduced and where the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

systematic and extensive processing activities, including profiling, where decisions have legal effects (or similarly significant effects) on individuals.

large scale processing of special categories of data or of personal data relating to criminal convictions or offences.

Large scale processing includes processing a considerable amount of personal data at regional, national or supranational level; processing that affects a large number of individuals; and processing that involves a high risk to rights and freedoms, e.g. based on the sensitivity of the processing activity.

Finally, large scale, systematic monitoring of public areas (CCTV).

Right to be informed

The information provided to a data subject about the processing of their personal data must be concise, transparent, intelligible and easily accessible. It will be written in clear and plain language, particularly if addressed to a child, and will be provided free of charge.

When personal data is collected directly from the data subject we will provide (at the time the data are obtained):

The identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer.

The purpose of the processing and the lawful basis for the processing.

The legitimate interests of the controller or third party, where applicable.

Details of any recipient or categories of recipients of the personal data.

Details of any transfers to a third country and the safeguards in place.

The retention period, or the criteria used to determine the retention period.

The existence of each of the data subject’s rights.

The right to withdraw consent at any time, where relevant.

The right to lodge a complaint with a supervisory authority.

Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data.

The existence of automated decision making, including profiling, and information about how decisions are made, their significance and their consequences.

When personal data is not collected directly from the data subject we will provide the information within a reasonable period of having obtained the data (within one month); if the data are used to communicate with the individual, at the latest when the first communication takes place; or, if disclosure to another recipient is envisaged, at the latest before the data are disclosed:

Right of Access

Under GDPR individuals will have the right to obtain confirmation that their data is being processed, access to their personal data and any other supplementary information – this largely corresponds to the information provided in the privacy notice. This is so that data subjects can confirm the lawfulness of the processing.

A charge will only be made if a request is manifestly unfounded or excessive, particularly if it is repetitive, or if requests for further copies of the same information are made; however, this does not mean charges can be made for all subsequent access requests. The fee is based on the administrative cost of providing the information.

Information must be provided without delay and at the latest within one month of receipt. The period of compliance can be extended by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

We will verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, we will reply by email.

All subject access requests received must be forwarded to Jon Barker, the Company’s data protection officer, JONBARKERUK LTD, 7 Bell Yard, London, WC2A 2JR, UK.

The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.

Right to Rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

A response must be given within one month. This can be extended by two months where the request for rectification is complex. Where you are not taking action in response to a request for rectification, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

Right to Erasure

This is also known as ‘the right to be forgotten’. It does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances.

If a data subject requests the right to be forgotten, the Company must comply in the following situations:

Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.

When the individual withdraws consent.

When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).

The personal data has to be erased in order to comply with a legal obligation.

The personal data is processed in relation to the offer of information society services to a child.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

To exercise the right of freedom of expression and information.

To comply with a legal obligation for the performance of a public interest task or exercise of official authority or the exercise or defence of legal claims.

For public health purposes in the public interest.

For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

If you have disclosed the personal data in question to third parties, you must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

Right to Restrict Personal Data Processing

We will restrict processing in the following circumstances:

Where an individual contests the accuracy of the personal data, or has objected to the processing, until we have verified the accuracy of the personal data.

Where processing is deemed unlawful and the individual opposes erasure and requests restriction instead.

Where we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.

Where these requests are made, we will only retain the personal data necessary and no further processing will take place.

Any third parties to whom the personal data has been disclosed will be informed about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.

Right to Data Portability

The right to data portability only applies to personal data an individual has provided to a controller, where the processing is based on the individual’s consent or on the performance of a contract, and when the processing is carried out by automated means.

We will provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

The information will be provided free of charge. If the individual requests it and it is technically feasible you may be required to transmit the data directly to another organisation.

If the personal data concerns more than one individual, we cannot provide the data on other individuals without their prior consent. We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where you are not taking action in response to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

The Company processes personal data using automated means.

Where data subjects have given their consent to the Company to process their personal data in such a manner or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the legal right under the Regulation to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organisations).

Right to Object to data processing

Individuals must have an objection on “grounds relating to his or her particular situation”.

If you receive a notification from a data subject you must stop processing the personal data unless:

you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual or the processing is for the establishment, exercise or defence of legal claims.

You must inform individuals of their right to object “at the point of first communication” and in your privacy notice. This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

If you process personal data for direct marketing purposes you must stop processing personal data as soon as you receive an objection. There are no exemptions or grounds to refuse.

You must deal with an objection to processing for direct marketing at any time and free of charge.

If you process data for research purposes, individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes. If you are conducting research where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.

If your processing activities are carried out online you must offer a way for individuals to object online.

Automated decision making and profiling

Solely automated decision making that has legal or similarly significant effects on individuals may only be carried out if the decision is necessary for entering into or the performance of a contract, is authorised by Union or Member State law applicable to the controller, or is based on the individual’s explicit consent.

In this instance we will give individuals information about the processing and introduce simple ways for them to request human intervention or challenge a decision. We will also carry out regular checks to make sure that the systems are working as intended.

The GDPR restricts you from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

You can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

necessary for entering into or performance of a contract between an organisation and the individual.

authorised by law (for example, for the purposes of fraud or tax evasion prevention) or based on the individual’s explicit consent.

If you’re using special category personal data you can only carry out processing if you have the individual’s explicit consent or the processing is necessary for reasons of substantial public interest.

Profiling

Where the Company uses personal data for profiling purposes, the following shall apply:

Clear information explaining the profiling will be provided, including its significance and the likely consequences;

Appropriate mathematical or statistical procedures will be used;

Technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented.

Because this type of processing is considered to be high-risk the GDPR requires you to carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed what those risks are and how you will address them.

As well as restricting the circumstances in which you can carry out solely automated individual decision-making the GDPR also:

requires you to give individuals specific information about the processing.

obliges you to take steps to prevent errors, bias and discrimination.

gives individuals rights to challenge and request a review of the decision.

These provisions are designed to increase individuals’ understanding of how you might be using their personal data. We will:

provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;

use appropriate mathematical or statistical procedures;

ensure that individuals can: obtain human intervention, express their point of view and obtain an explanation of the decision and challenge it;

put appropriate technical and organisational measures in place, so that we can correct inaccuracies and minimise the risk of errors;

secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.

International Transfers

You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards may be provided for by:

a legally binding agreement between public authorities or bodies;

binding corporate rules (agreements governing transfers made between organisations within a corporate group);

standard data protection clauses in the form of template transfer clauses adopted by the Commission;

standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;

compliance with an approved code of conduct approved by a supervisory authority;

certification under an approved certification mechanism as provided for in the GDPR;

contractual clauses authorised by the competent supervisory authority; or

provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.

A transfer, or set of transfers, may be made where the transfer is:

made with the individual’s informed consent;

necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;

necessary for the performance of a contract made in the interests of the individual between the controller and another person;

necessary for important reasons of public interest;

necessary for the establishment, exercise or defence of legal claims;

necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or

made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

Personal Data

The following personal data may be collected, held, and processed by the Company:

  • Current and former employees: personal data held is required for administering payroll under HMRC requirements, in line with the employment contract, and for daily staff management; no sensitive personal data is held;
  • Recruitment data: held for a brief period of time to facilitate the recruitment process;
  • Customer data: necessary information held for daily administration;
  • Supplier data: necessary information held for daily administration;
  • Marketing data: held for direct marketing;
  • Basic client employee data: necessary data held for the provision of the software.

Data Breach notifications

All personal data breaches must be reported immediately to the Company’s data protection officer.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.

This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.

So, on becoming aware of a breach, you should try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.

If you use a processor, the requirements on breach reporting should be detailed in the contract between you and your processor.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

When reporting a breach, the GDPR says you must provide:

  • a description of the nature of the personal data breach including, where possible:
      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.

If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. You should also remember that the ICO has the power to compel you to inform affected individuals if it considers there is a high risk. In any event, you should document your decision-making process in line with the requirements of the accountability principle.

When notifying individuals you need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the data protection officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

Policy effective from 24/05/2018

Policy approved and authorised by:

Name: Jon Barker

Position: Company Director & DPO

Date: 01/02/2024

Due for Review: 01/02/2025