Definition of Data
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address or telephone number.
In its everyday business operations Auto Integrate makes use of a variety of personal data about identifiable individuals (‘natural persons’), including personal data about:
- Current, past and prospective employees and consultants
- Current, past and prospective external visitors (e.g. auditors)
- Users of its website
- Other relevant stakeholders
In collecting and using this data, the company is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The purpose of this Policy is to set out the relevant legislation and to describe the steps Auto Integrate is taking to ensure it complies with it.
This control applies to all systems, people and processes that constitute the company’s information systems, including directors, employees, suppliers and other third parties who have access to Auto Integrate’s systems.
Auto Integrate is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
Articles 4 and 9 of the GDPR define the following key terms thus:
Personal Data – Any information relating to an identified or identifiable natural person
Special Category Data – Personal data consisting of or regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation. Additionally, while they are considered “special category data”, children’s data and data relating to criminal convictions are afforded further protections.
Data Subject – An identified, or identifiable natural person
Processing – Any operation (or set of operations) which is performed on personal data
Restriction of Processing – The marking of stored personal data with the aim of limiting their processing in the future.
Profiling – Any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a person
Pseudonymisation – Processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately.
There are six data protection principles defined in Article 5 of the GDPR. These require that all personal data be:
- Processed in a lawful, fair and transparent manner
- Collected only for specific, explicit and limited purposes (‘purpose limitation’)
- Adequate, relevant and not excessive (‘data minimisation’)
- Accurate and kept up to date where necessary
- Kept for no longer than necessary (‘retention’)
- Handled with appropriate security and confidentiality
Auto Integrate is committed to upholding the data protection principles. All personal data under Auto Integrate’s control must be processed in accordance with these principles.
All processing of personal data must meet one of the six lawful bases defined in Article 6(2) of the GDPR:
- Where Auto Integrate has the consent of the data subject.
- Where it is in Auto Integrate’s legitimate interests and is not overridden by the rights and freedoms of the data subject.
- Where necessary to meet a legal obligation.
- Where necessary to fulfil a contract, or pre-contractual obligations.
- Where Auto Integrate is protecting someone’s vital interests.
- Where we are fulfilling a public task or acting under official authority.
Any special category data (sensitive types of personal data as defined in Article 9(1) of the GDPR) must be further processed only in line with one of the conditions specified in Article 9(2).
The most appropriate lawful basis will be noted in the Data Processing Register.
Where processing is based on consent, the data subject has the option to easily withdraw their consent.
Where electronic direct marketing communications are being sent, the recipient should have the option to opt-out in each communication sent, and this choice should be recognised and adhered to by Auto Integrate.
Roles and Responsibilities
Auto Integrate has overall responsibility for ensuring it has complied with the Data Protection Act 2018 and the GDPR. However, all employees who process personal data in the course of their employment are also responsible for ensuring compliance with the Data Protection Act and the GDPR.
Auto Integrate will provide support, assistance, advice and training to all relevant staff to ensure that they are able to comply with the legislation. Auto Integrate’s Data Protection Officer (contact details below) will assist the company and its staff in complying with the Data Protection legislation.
Specifically, the following roles and responsibilities apply in relation to the Policy:
All users of Company Information:
- Must complete relevant training and awareness activities provided by the company to support compliance with this policy;
- Should take all necessary steps to ensure that no breaches of information security result from their actions;
- Must report all suspected and actual data security breaches to the Data Protection Officer, so that appropriate action can be taken to minimise harm;
- Must inform the company of any changes to the information that they have provided to the company in connection with their employment (e.g. changes of address or bank account details).
Auto Integrate Management Team (AIMT)
- The AIMT is responsible for reviewing and approving this Policy as recommended by the Data Protection Officer;
- Each member of the AIMT is responsible for ensuring compliance with the Data Protection Act 2018, the GDPR and this policy in their area of responsibility.
Staff of the Company
All staff are expected to:
- Acquaint themselves with, and abide by, the terms of the Data Protection Policy;
- Understand what is meant by ‘personal data’ and ‘special categories of personal data’ and know how to handle such data;
- Understand the lawful bases for processing personal data;
- Not jeopardize individuals’ rights or risk contravention of the Data Protection Act;
- Report all data security breaches to the Data Protection Officer immediately;
- Contact the Data Protection Officer if in any doubt.
Data Protection Breaches
Failure to observe the data protection principles within this policy may result in an employee incurring personal criminal liability. It may also result in disciplinary action up to and including dismissal where there are significant or deliberate breaches of this policy, such as accessing employee or customer personal data without authorisation or a legitimate reason to do so.
Employees must immediately report to the Data Protection Officer any actual or suspected data protection breaches, which will be investigated in accordance with Auto Integrate’s Data Protection Breach DR policy.
If Auto Integrate discovers that there has been a breach of employee-related personal data that poses a risk to the rights and freedoms of individuals, it is required to report this to the Information Commissioner within 72 hours of discovery. Auto Integrate will record all breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell the affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
Where Auto Integrate engages third parties to process personal data on its behalf, such parties do so based upon written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of the data.
Data Subject Rights
The GDPR provides the following rights for individuals:
- The right to be informed – The right to be told how their personal data is being used in clear and transparent language
- The right of access – The right to know and have access to the personal data Auto Integrate hold about them
- The right to rectification – The right to have their personal data corrected where it is inaccurate or incomplete
- The right to erasure – The right to have their personal data erased
- The right to restrict processing – The right to limit the extent of the processing of their personal data.
- The right to data portability – The right to receive their data in a common and machine-readable format
- The right to object – The right to complain and to object to processing
- Rights in relation to automated decision making and profiling – The right not to be subject to decisions without human involvement.
Auto Integrate will uphold individuals’ rights under data protection laws and allow them to exercise their rights over the personal data it holds about them. Privacy information will acknowledge these rights and explain how individuals can exercise them. Most rights are not absolute, and the individual will be able to exercise them depending on the circumstance, and exemptions may apply in some cases.
Any request in respect of these rights should preferably be made in writing to email@example.com, but Auto Integrate will also accept verbal requests.
There is no fee for facilitating a request, unless the request is ‘manifestly unfounded or excessive’, in which case administrative costs can be recovered.
Requests that are ‘manifestly unfounded or excessive’ can be refused.
Auto Integrate will take reasonable measures to require individuals to prove their identity where it is not obvious that they are the data subject.
Auto Integrate will respond to the request within one month from the date of request or being able to identify the person, unless it is particularly complex (in which case Auto Integrate will respond in no longer than 90 days).
The DPO will ensure that required actions are taken and that the appropriate response is facilitated within the deadline.
The DPO will draw up procedures for responding to requests where necessary, for example, for facilitating Subject Access Requests.
Principle (f) of the GDPR states that organisations must ensure “appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. With continual changes to both technology and the demand for ever-easier ways by which information can be accessed and shared, it is important that a consistent approach be adopted to safeguard information.
Auto Integrate will ensure that appropriate technical and organisational measures are in place, supported by privacy impact and risk assessments, to ensure a high level of security for personal and confidential data, and a secure environment for information held both manually and electronically.
Records management refers to a set of activities required for systematically controlling the creation, distribution, use, maintenance and disposition of recorded information maintained as evidence of business activities and transactions. It is impossible to be compliant with information law without robust records management policies and practices.
Good records management practices ensure not only record quality, but also that personal data is kept only for as long as necessary for its original purpose, and so help support data minimisation. They are integral to information security methodology and to ensuring the integrity and confidentiality of personal data. Records management is a key feature of risk management.
Auto Integrate is committed to implementing robust records management policy, processes and practices to ensure compliance with the GDPR.
If you have any queries in relation to this policy, please contact:
The Data Protection Officer
Auto Integrate Ltd
Review of this Policy
We keep this policy under regular review. This policy was last updated in January 2020.