
GENERAL DATA PROTECTION POLICY

General Data Protection Regulation (GDPR) 25th May 2018

 

ANDY HIRE SALES & SERVICE LTD DATA PROTECTION POLICY

PREPARED JANUARY 2018

 

To: All staff members From:- Sharon Blackstone – Data Protection Officer

 

Preparing for the General Data Protection Regulation (GDPR) 25th May 2018

The Data Protection Act 1998 was designed to protect personal data stored on computers or on paper in filing systems.

The Data Protection Act 1998 is being replaced on 25th May 2018 by the General Data Protection Regulation (GDPR). This regulation is intended to strengthen and unify data protection for all individuals within the EU. It aims primarily to give control back to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It also addresses the export of personal data outside the EU.

For our Company, this means that our (1) Data Protection Policy and (2) Privacy Policies will be altered to comply with the (GDPR) and any alterations made will have to be adhered to by all personnel involved with handling, storage and electronic transmission of personal data for customers, suppliers and staff.

Further information can be found on the internet. The source used for this document was https://en.wikipedia.org

(1) & (2) copies of these documents are available on request.

Please sign to confirm that you have read this document.

Staff Member signature................................                           

Date …......................

 

INFORMATION HELD

ACCOUNT CUSTOMERS

What information does the Company hold

We hold names, addresses, telephone numbers, e:mail addresses and bank details on all our Account Customers.

Who provides this information

Details are provided by:- The Customer on application for a credit account

Where is this information held/stored

This information is held:- in the A-Z files located on the shelf in the main office

on the computer data base (bank details are not held on the computer)

on the copy of invoices attached to the contract - located on the shelves in the main office at Scarborough Depot - if in current date

on the shelves in the boardroom awaiting archiving

if archived – in boxes in the boardroom

or if over 2 years old – held in storage at our Bridlington Depot

in the filing cabinet on the “live” contract – at Scarborough Depot

in the filing cabinet on the “live” contract – at Bridlington Depot

on USB stick – backup taken each night

printed e:mail list in openOffice

on desks in main office

mobile phones for credit control and access purposes

What is this data used for

The data is used to enable us to supply goods/equipment as required and to manage your account.

On occasions information is verified in the form of a written or verbal trade reference request from another organisation

Who has access to this data

All counter staff, delivery drivers and all administrative staff have access to this information during working hours.

CASH CUSTOMERS

What information does the Company hold

We hold names, addresses, telephone numbers, credit/debit card details for all our Cash Customers.

Who provides this information

Details are provided by:- The Cash Customer at point of order/sale

 This information is held:- in the filing cabinet on the “live” contract – at our Scarborough Depot

in the filing cabinet on the “live” contract – at Bridlington Depot

attached to the copy invoice attached to contract – located on the shelves in the main office at Scarborough Depot – if in current date

on the shelves in the boardroom awaiting archiving

if archived – in boxes in the boardroom

or if over 2 years old – held in storage at our Bridlington Depot

on the computer data base (bank details are not held on the computer)

on USB stick - backup taken each night

Where is this information held/stored

This information is held:- in the A-Z files located on the shelf in the main office

on the computer data base (bank details are not held on the computer)

on the copy of invoices attached to the contract - located on the shelves in the main office at Scarborough Depot - if in current date

on the shelf in the boardroom awaiting archiving

if archived – in boxes in the boardroom

or if over 2 years old – held in storage at our Bridlington Depot

in the filing cabinet on the “live” contract – at Scarborough Depot

in the filing cabinet on the “live” contract – at Bridlington Depot

on backup stick taken each night

What is this data used for

The data is used to enable us to supply goods/equipment as required.

Send information of offers

Who has access to this data

All counter staff, delivery drivers and all administrative staff have access to this information during working hours.

SUPPLIERS

What information does the Company hold

We hold names, addresses, telephone numbers, credit/debit card and bank details for all Suppliers.

Who provides this information

This information is provided by each supplier on acceptance of application of a credit facility

Where is this information held/stored

Their information is held:- on our data base

in files on the shelf in the main office at Scarborough

if archived – in boxes in the boardroom

or if over 2 years old – held in storage at our Bridlington Depot

on USB stick - backup taken each night

mobile phones

What is this data used for

This data enables us to order and purchase goods from suppliers

To pay bills for goods/services supplied to us

Requesting copy invoices/statements/ proof of delivery

Who has access to this data

All staff involved in the purchase of supplies/services

STAFF/PERSONNEL

What information does the Company hold

We hold the names, addresses, telephone numbers, bank details, National Insurance number, Tax information, driving licence details, passport details.

Who provides this information

This information is provided by the individual Staff member on commencement of employment with the Company.

Where is this information held/stored

This information is stored on our data base, on the PAYE Master software for wages, in the locked filing cabinet in the Directors office, in the filing system for the wages information also locked in Directors office.

On a USB stick locked in Directors office

Mobile phones

What is this data used for

To enable employment with the Company

To enable the processing and payment of wages

To report to HMRC tax and national insurance

Who has access to this data

Dean Thomas, Brad Davison, Sharon Blackstone, Lloyd Dowson Accountants, HMRC.

PROCEDURE FOR ENSURING PERSONAL DATA HELD IS ACCURATE

Account Customers

On notification of any changes to personal details e.g. telephone number, address, these changes must be implemented immediately on the data base and a note placed with application form in the A-Z files located on the shelf in the main office.

Cash Customers

A copy of an up-to-date utility bill and passport/driving licence should be shown at point of hire wherever possible. These details should be updated where necessary on the data base when processing the hire contract.

Suppliers

On notification from the Supplier of any changes to bank details, address etc, these should be updated on the data base immediately.

Staff/Personnel

All personal information changes should be applied to the PAYE master software on next wage run.

The individual's personnel file should be updated

Inform HMRC etc where necessary of any changes implemented

PRIVACY POLICY – 19 January 2018

Andy Hire Sales & Service Ltd, Wykeham Street, Scarborough, North Yorkshire, YO12 7SB is the data controller for the purpose of the General Data Protection Regulation (EU) May 2018.

Andy Hire Sales & Service Ltd's Lawful Bases for processing Personal Data are Consent, Contract, Legitimate Interest and Legal Obligation.

By proceeding to use our services you (consent) agree that we may process your personal data (including sensitive personal data) that we collect from you in accordance with our Privacy Policy to administer your account and to provide the products and services you have requested from us.

This data is held on our data base and is only processed by personnel employed by Andy Hire Sales & Service Ltd. However, from time to time, as you are a valued customer, we may use this information to provide you with information about our products and services (where you have consented to be contacted for such purpose) and to notify you of any changes to our services. If you consent to us contacting you for this purpose please tick to say how you would like us to contact you. You have the right to withdraw consent, where relevant, at any time.

POST     E:MAIL        TELEPHONE        TEXT

Your information will not be shared for marketing purposes outside our Company. Should we at any point decide to actively communicate privacy information, we will contact you by letter, e:mail or text. Where the data has been disclosed to third parties they will be advised of the erasure/restriction.

Your individual rights to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object and right not to be subject to automated decision-making including profiling are not affected where you have consented to us. This information is available on request, free of charge.

 We are required under the UK Tax Law, to keep your basic personal data for a minimum of 6 years after which time it will be destroyed.

INDIVIDUALS' RIGHTS

THE RIGHT TO BE INFORMED

The individual has the right to be informed - Why we process personal data – it is part of the contract entered into to enable goods/services to be provided by Andy Hire Sales & Service Ltd, failing to provide this data means goods/services will be refused.

If your personal data is passed to a third party - Your information will not be shared for marketing purposes outside our Company. Should we at any point decide to actively communicate privacy information, we will contact you by letter, e:mail or text.

The personal data retention period - We are required under the UK Tax Law, to keep your basic personal data for a minimum of 6 years after which time it will be destroyed.

The existence of the right to withdraw personal data – You have the right to withdraw consent, where relevant, at any time.

The right to know who the data controller is – Sharon Blackstone is the data controller for Andy Hire Sales & Service Ltd. Contactable on – sharon@andyhire.co.uk, in writing at Wykeham Street, Scarborough, North Yorkshire, YO12 7SB or telephone 01723 500601.

The right to complain - If at any point you believe that the information held for you is incorrect you can request to see this information and have it corrected or deleted. Your information can be obtained by sending a request by e:mail to sharon@andyhire.co.uk, in writing at Wykeham Street, Scarborough, North Yorkshire, YO12 7SB or telephone 01723 500601.

THE RIGHT OF ACCESS

You have the right to access your personal data held with us. Your personal data may be requested by e:mail, letter or telephone and wherever possible and without delay, we will provide this information, in letter or e:mail format, within 1 month. Access to this information is free of charge; however, a fee may be chargeable should the request be excessive or repetitive.

THE RIGHT TO RECTIFICATION

If at any point you believe that the information held for you is incorrect you can request to see this information and have it corrected or deleted. Your information can be obtained by sending a request by e:mail to sharon@andyhire.co.uk, in writing at Wykeham Street, Scarborough, North Yorkshire, YO12 7SB or telephone 01723 500601.

THE RIGHT TO ERASURE/THE RIGHT TO BE FORGOTTEN

You have the right to request the deletion or removal of your personal data where the data is no longer necessary in relation to the purpose for which it was originally collected/processed.

or if you object to the processing of the data

or if the data was unlawfully processed (in breach of GDPR)

or the personal data has to be erased in order to comply with legal obligation

Where the data has been disclosed to third parties they will be advised of the erasure/restriction.

THE RIGHT TO RESTRICT PROCESSING

You have the right to “block” or suppress processing of your personal data. If restricted we are permitted to store the data but not further process it.

If the data accuracy is contested the data process will be restricted until the accuracy has been verified. We will inform you when we have decided to lift a restriction on processing.

THE RIGHT TO DATA PORTABILITY

You have the right to obtain and re-use your personal data provided to us.

THE RIGHT TO OBJECT

You have the right to object to your personal data being used for direct marketing or scientific/historical research and statistics, this should be communicated on our first communication. We are obliged to deal with any objection received immediately. This will be done free of charge.

THE RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION MAKING INCLUDING PROFILING

We have no facility or requirements at present that involve automated decision making or profiling. However, we use human involvement in profiling on application of a credit facility with our Company.

DELETION OF PERSONAL DATA PROCEDURE

PLEASE NOTE

Our data base does not allow deletion of credit accounts holding personal data whilst there is an outstanding balance showing. Therefore, the account will be “closed” until all monies owed have been received and the account has been cleared. The time limit for this is outside Andy Hire Sales & Service Ltd's control as it is controlled by the individual's capacity to pay the outstanding balance.

When the account is clear, we can then transfer to a “Dump” account. All personal data will then be erased.

Also, due to the UK Tax Law, we are obliged to keep all contracts/invoices/statements showing the personal data for 6 years, after which time they will be destroyed.

 

* * *

 

On receipt of request for deletion of personal data we will however:-

Shred the original credit application form and all documentation attached

Remove from e:mail list

Inform any third parties of the erasure/restriction

SUBJECT ACCESS REQUEST PROCEDURE

Individuals have the “right of access” to their personal data held by us

 

The request may be made via e:mail, letter or telephone. The information requested must be provided to them within 1 month of receipt or sooner where possible. The information should be provided free of charge, unless it is thought to be excessive or repetitive, in which case it may become chargeable.

At present our system only allows for this information to be forwarded by e:mail as a PDF file or in letter form.

If a request is refused, we must inform the individual why and tell them they have the right to complain.

LAWFUL BASIS FOR PROCESSING PERSONAL DATA

Andy Hire Sales & Service Ltd's lawful bases for processing personal data are as follows:-

CONSENT

To enable us to provide goods/services the individual has given clear consent for us to process their personal data for a specific purpose. This may have been via a credit account application form or face to face.

Given by employees at point of employment – this also enables us to report to HMRC

Given by suppliers to provide us with goods/services

CONTRACT

The processing is necessary for the contract the individual signs to enable us to provide goods/services

To process the employment contract for new employees

To enable us to enter into a contract with suppliers to enable them to supply us with goods/services

LEGITIMATE INTEREST

We process personal information for certain legitimate business purposes, which include some of the following reasons:-

Where the processing enables us to enhance, personalise, modify or otherwise improve our services or communication for the benefit of our customers/suppliers/employees

To identify and prevent fraud

To provide postal communication where necessary

We will ensure that we will keep all personal data rights in high regard and take account of these rights

You have the right to object to this processing. Please do not hesitate to contact us should you wish to do so, but please bear in mind that should you object, this may affect our ability to carry out the above mentioned tasks for your benefit.

LEGAL OBLIGATION

To enable us to comply with HMRC to supply wages information

To supply personal data for a particular use e.g. court proceedings

CONSENT

Consent is the most appropriate one of the bases for Andy Hire Sales & Service Ltd to process your personal data.

This consent is separate from our Terms and Conditions.

RECORDING CONSENT

A credit account for the individual is opened on our data base with information given on the application form. This application form is then filed and used as a record of the information given at that time. Where face to face, the individual's personal data is recorded on a contract with information given at that time; this is then transferred to our data base.

MANAGING CONSENT

This is done through the administration of the account. Where face to face this is done at point of completion of the contract.

The right to withdraw consent by individuals is easy and can be done by sending a request by e:mail to sharon@andyhire.co.uk or in writing at Wykeham Street, Scarborough, YO12 7SB or telephone 01723 500601. Our privacy policy is available on request and can be downloaded from our website www.andyhire.co.uk

These withdrawals are acted on immediately where possible; however, our data base does not allow the deletion of the individual where monies are outstanding. The time limit for this is controlled by the individual's capacity to pay the outstanding balance.

CHILDREN

 

Andy Hire Sales & Service Ltd is especially interested in protecting the safety and privacy of young people using our services. We do not intend to collect information about children and recommend that children under the age of 18 seek their parents' consent before using our services or giving out personal information. Orders should not be placed unless the person placing the order is over the age of 18.

DATA BREACHES

A PERSONAL DATA BREACH – means a breach of security leading to the accidental, unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes breaches that are a result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. It can also be broadly defined as a security incident.

There will be a personal data breach whenever any personal data is passed on, destroyed, corrupted or disclosed without proper authorisation, or if data is made unavailable and this unavailability has a negative effect on the individuals.

Should such a security incident take place Andy Hire Sales & Service Ltd has the following procedure in place:- (for guidance see *ico2)

Quickly establish whether a personal data breach has occurred

Take immediate steps to address it

Establish the risks to people's rights and freedoms and if it is likely to be a risk

What impact will this incident have on the individuals

How may the data be used e.g. fraud/theft, the individuals may suffer financial loss or other consequences

Is it a lesser data breach e.g. the loss or inappropriate alteration by staff of an e:mail or telephone list

Do we need to notify the ICO (Information Commissioner's Office)

or just need to justify our decision not to notify and document the incident

Inform the individuals concerned immediately using clear and plain language offering advice on how to protect themselves from the data protection breach's effects.

Describe the nature of the personal data breach

Provide name and contact details of data protection officer

What the likely consequences of the data breach may be

What measures are being taken or proposed to deal with the data breach and, where appropriate, measures to be taken to mitigate any possible adverse effects

Inform the ICO (Information Commissioner's Office) within 72 hours, by completing a data protection breach notification form (Guidance notes are attached *ico1.) – even if the full extent of the data breach is not known. See “Sending this form” for where/how to send form to ICO.

Report this incident to your data protection officer as soon as possible – Sharon Blackstone

Failing to notify a breach when required to do so can result in a significant fine.

Information Commissioner's Office information:-

Help line telephone number 0303 1231113 Mon-Fri 9am – 5pm

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

CHESHIRE

SK9 5AF

casework@ico.org.uk

 

DATA PROTECTION BY DESIGN & DATA PROTECTION IMPACT ASSESSMENTS

DATA PROTECTION BY DESIGN – Andy Hire Sales & Service Ltd has updated its Privacy Policy to comply with the General Data Protection Regulation (EU) May 2018

DATA PROTECTION IMPACT ASSESSMENTS – This is a tool Andy Hire Sales & Service Ltd can use to identify & reduce the privacy risks of projects undertaken from the start.

Privacy impact assessment screening questions.

These questions are intended to help decide whether an assessment is necessary. If the answer to any of these questions is “yes” then this protection impact assessment could be a useful exercise:-

Will the project involve the collection of new information about individuals?

Will the project compel individuals to provide information about themselves?

Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?

Are you using information about individuals for a purpose it is not currently used for or in a way it is not currently used?

Does the project result in making decisions or taking action against individuals in ways that can have a significant impact on them?

Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example health records, criminal records or other information that people would consider to be private?

Will the project require you to contact individuals in ways that they may find intrusive?

 

PRIVACY IMPACT ASSESSMENT TEMPLATE

 

STEP ONE IDENTIFY THE NEED FOR A PRIVACY IMPACT ASSESSMENT

Explain the aims of the project, the benefits to the organisation, individuals & to other parties

Summarise how the need for the PIA was identified

 

 

 

STEP TWO DESCRIBE THE INFORMATION FLOWS

 

Describe the collection, use and deletion of personal data and how many people are likely to be affected by the project.

 

 

 

CONSULTATION REQUIREMENTS

 

Explain what practical steps you will take to ensure that you identify and address privacy risk. Who should be consulted internally & externally? How will you carry out the consultation?

 

 

 

STEP THREE IDENTIFY THE PRIVACY AND RELATED RISKS

 

Identify the key privacy risks and the associated compliance and corporate risks.

PRIVACY ISSUE     RISK TO INDIVIDUALS     COMPLIANCE RISK     ASSOCIATED ORGANISATION RISK

 

STEP FOUR IDENTIFY PRIVACY SOLUTIONS

 

Describe the actions you could take to reduce the risks and any future steps which would be necessary

 

RISK     SOLUTION(S)     RESULT (is the risk reduced, eliminated or accepted)     EVALUATION (is the final impact on individuals after implementing each solution a justified, compliant & proportionate response to the aims of the project)

STEP FIVE SIGN OFF AND RECORD THE PIA OUTCOMES

 

Who has approved the privacy risks involved in the project? What solutions need to be implemented?

 

RISK     APPROVED SOLUTION     APPROVED BY

STEP SIX INTEGRATE THE PIA OUTCOMES BACK INTO THE PROJECT PLAN

 

Who is responsible for integrating the PIA outcomes back into project plan & updating any project management paperwork?

Who is responsible for implementing the solutions that have been approved?

Who is the contact for any privacy concerns that may arise in the future?

 

ACTION TO BE TAKEN     DATE FOR COMPLETION OF ACTIONS     RESPONSIBILITY FOR ACTION

CONTACT POINT FOR FUTURE PRIVACY CONCERNS

 

 

DATA PROTECTION OFFICERS

Even though we are a small/medium company, to comply with the GDPR May 2018 our Data Protection Officer for Andy Hire Service Ltd is:-

 

Sharon Blackstone

Wykeham Street

SCARBOROUGH

YO12 7SB

01723 500601

sharon@andyhire.co.uk

INTERNATIONAL

Andy Hire Sales & Service Ltd does not operate internationally.