Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of, it must be done within the terms of the General Data Protection Regulation (GDPR).
Data must be collected under one of six lawful reasons:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone's life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party.
As a normal part of our activities, StuntRocket Ltd has to keep personal data. The data we collect is limited to:
- Data relating to the contracts and projects we undertake with our customers.
This data will be held and processed in accordance with the requirements of the GDPR.
The information we hold on our customers will be collected under the following lawful reasons:
- Contract: information necessary for us to identify a suitable temporary or permanent employment contract to be formed, such as name, address, contact telephone numbers and qualifications.
- Legal obligations: information necessary to comply with legislation, for example for immigration, payroll and HMRC records.
How we will do it:
When requesting data we will ensure we are compliant with the GDPR, and we adhere to the following principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for necessary and lawful purposes and shall not be further processed in any manner incompatible with that purpose.
- Where we want to process your data for a reason not falling under a necessary and lawful purpose, we will seek your consent for the processing of your data.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary and appropriate, kept up to date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for the purpose it was processed.
- We shall take appropriate measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data. This might include disciplinary action if the breach was internal.
- Individuals have the right to be informed about the collection and use of their personal data and so we will provide details of why we are collecting the data, how long we need to keep it, and who we will share it with. This information will be given to the individual when we ask for the personal data.
- If we change the use of your personal data we will let you know beforehand.
Whilst we will apply the same principles to all data, we have defined procedures on how we deal with the data according to the reason we need to have / use it. We will therefore identify:
- What we need the data for.
- What data we actually need.
- How we will use it.
- How we will keep it safe.
- Who it needs to be shared with.
- How long we must keep it.
- How we will destroy it once it is no longer lawful or necessary to keep it.
In collecting and processing data, we will consider and comply with the following individual rights:
- The right to be informed - we will provide you with 'privacy information'. This will include our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with.
- The right of access - access to your personal data so that you are aware of and can verify the lawfulness of the processing.
- The right to rectification - a right for you to have inaccurate personal data rectified, or completed if it is incomplete.
- The right to erasure - also known as the 'right to be forgotten', this gives you the right to have your data erased (where circumstances allow).
- The right to restrict processing - gives individuals the right to restrict the processing of their personal data (in certain circumstances).
- The right to data portability - allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing data to be moved, copied or transferred easily from one IT environment to another in a safe and secure way.
- The right to object - a right for you to object to certain processing and marketing.
- Rights in relation to automated decision making and profiling.
Subject Access Request (SAR)
All customers are entitled to ask for, in writing, what information on them the company holds, and ask to see it (subject access request).
The Management (or any other nominated 'Data Controller') will usually provide the information without delay and in any case within 28 days. If the request or data is complex and we cannot do this within that timescale, we will advise you in writing of the reason for the delay and provide the information within a further 2 months.
Customers may challenge the accuracy of the information and also update information where it is found to be incorrect.
We will not usually charge you for any information; however, we may charge a "reasonable fee" based on the actual administrative cost of providing you with the information where your request is 'manifestly unfounded, excessive or repetitive'.
Where our employees collect, process or use personal information about our customers they must follow these guidelines:
- Our procedures must be followed.
- Proposals to collect or use personal data in a new way should always be discussed with management before proceeding.
- Any personal data that they hold is kept securely, i.e. so that access is restricted to those authorised and it is protected from loss or damage. This means by physical means such as a locked office or filing cabinet and by electronic means such as computer passwords and access systems.
- Personal information must not be disclosed to any unauthorised third party. Great care must be taken not to discuss such information face-to-face or over the telephone nor to disclose information in writing or in other ways such as via email.
- Personal information should be collected or used with the approval of the subject. In many cases this is obtained through general consent but in the case of sensitive data such as information concerning health or race, express consent must be obtained to use the data.
Destroying data (the right to be forgotten)
We will always keep track of where any data has been shared or stored (or made public) enabling us to destroy that data effectively when it is no longer appropriate to keep.
We will only share data with suitable, trustworthy and necessary persons or organisations.
When a request is made to destroy data, or that data is no longer valid to keep, we will ensure it is destroyed from all the places it was shared. We will advise any third party that had access to that data to also destroy it.
This will apply to all forms of data including electronic data.
We will only share data with other persons who also have a legitimate reason for requiring that data. In sharing data we will ensure that the person(s) / organisations requiring the data can also provide details to us on:
- What they need the data for.
- The extent of the data they need.
- How they will use it.
- How they will keep it safe.
- That they will not further share it.
- How they will destroy it once it is no longer lawful or necessary to keep it.
Controlling the Data
We have appointed a Data Controller; this person determines the purposes for which, and the manner in which, any personal data is to be processed. This person within our organisation is: Daniel Harding. He may take advice and support from any professional person or organisation in fulfilling his duties in this role.
Currently our processing of data does not warrant the appointment of a Data Protection Officer.
Information Notice For Customers
Under the General Data Protection Regulation (GDPR), you (our customer) are entitled to be informed about the processing of personal data we request from you, hold on you, use or need to share. The above is intended as a full explanation to satisfy this requirement.
Document updated: 10th June 2018