Data Protection Policy

Rev C


Introduction

In the course of your work with our Company, you are likely to collect, use, transfer or store personal information about employees, clients, customers and suppliers, for example, their names and home addresses. The UK’s data protection legislation, including the General Data Protection Regulation (GDPR), contains strict principles and legal conditions which must be followed before and during any processing of personal information.

The purpose of this policy is to ensure that you are aware that everyone has a responsibility to comply with the principles and legal conditions set out in the data protection legislation, including the GDPR, and that failure to meet those responsibilities is likely to lead to serious consequences. Firstly, a serious breach of data protection is likely to be a disciplinary offence and will be dealt with under the Company’s disciplinary procedure. If you access another employee’s personnel records or any sensitive personal information without authority, this will constitute a gross misconduct offence and could lead to your summary dismissal. Additionally, if you knowingly or recklessly disclose personal data in breach of the data protection legislation, including the GDPR, you may be held personally criminally accountable for that breach.

Breach of the data protection legislation, including the GDPR rules, can cause distress to the individuals affected by the breach and is likely to leave the Company at risk of serious financial consequences.

If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from your Line Manager, HR Manager or hire@idealheatsolutions.co.uk

This policy does not form part of a contract of employment. However, all employees, workers, or contractors must read, understand and comply with the content of this policy. Failure to adhere to this policy is likely to be regarded as a serious disciplinary matter and will be dealt with under the Company’s disciplinary rules and procedures.


Definitions

Data Subject: a living individual who can be identified, directly or indirectly, from personal data.
Data Controller: the person or organisation that determines the purposes and the means of processing the personal data.
Data Protection Legislation: the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which together replaced the Data Protection Act 1998 in May 2018.

Personal data: any information that identifies a living individual (data subject), either directly or indirectly. This includes special categories of personal data. Personal data does not include data which is entirely anonymous, i.e. from which the identity has been permanently removed so that it cannot be linked back to the data subject. Pseudonymised data, where identifying details have been replaced by a reference held separately, is still personal data.

Processing: any operation performed on personal data, including collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destroying it.

Special categories of personal data: any personal data which reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used to identify an individual, health data, and data concerning sex life or sexual orientation.

Criminal records data: means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.


What are the GDPR principles?

Ideal Heat Solutions Ltd is a data controller. This means that we are required by law to ensure that everyone who processes personal data and special categories of personal data during their work with us does so in accordance with the data protection legislation, including the GDPR principles.

In brief, the principles say that:

  • Personal data must be processed in a lawful, fair and transparent way.
  • The purpose for which the personal information is collected must be specific, explicit and legitimate.
  • The collected personal data must be adequate, relevant and limited to what is needed to meet the identified purpose.
  • The information must be accurate and kept up to date.
  • The personal data must not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which it is used.
  • The personal data must be kept confidential and secure and only processed by authorised personnel.
  • The Company must be able to demonstrate its compliance with these principles (accountability).

Other rules under the GDPR state that:

  • The transfer of personal data to a country or organisation outside the EEA should only take place if appropriate safeguards are in place to protect that data.
  • The data subject must be permitted to exercise their rights in relation to their personal data.

The Company and all employees must always comply with these principles and rules in their information-handling practices. We are committed to ensuring that these principles and rules are followed, as we take the security and protection of data very seriously.

You must inform us immediately if you become aware that any of these principles or rules have been breached or are likely to be breached.


Lawful reasons for processing personal data

The lawful basis may be:

a. Consent from the data subject
b. Performance of a contract
c. Legal obligation
d. Legitimate interests

Other occasions:

e. Protecting the vital interests of the data subject or another person
f. Performance of a task in the public interest or in the exercise of official authority

You must keep a documented record of the lawful basis relied upon for each processing activity. Processing special categories of personal data or criminal records data requires an additional legal condition on top of the lawful basis, so check with the HR Manager before relying on any of the bases above for such data.


Privacy Notice

The Company’s privacy notices tell data subjects what personal data is collected about them and why. They must reflect the principles above, namely that:

  • Personal data must be processed lawfully, fairly and transparently.
  • The purpose of processing must be specific and legitimate.
  • The data collected must be adequate and relevant to that purpose.
  • The data must be accurate and kept up to date.
  • The data must not be kept for longer than necessary.

Different categories of personal data will be retained for varying periods depending on legal, operational and financial requirements. Data no longer required will be destroyed in accordance with the retention policy.

Personal data must be kept confidential and secure and only processed by authorised personnel.


Security Requirements

  • Follow all technical and organisational security measures put in place by the Company.
  • Store data securely (locked cabinets for hard copy; password protection and encryption for electronic data).
  • Do not access records without authority.
  • Do not record inappropriate or unsubstantiated opinions about individuals; data subjects have a right to see what is recorded about them.
  • Do not remove personal data from Company premises or systems without authorisation.
  • Dispose of hard copy data securely (cross-cut shredding).
  • Store removable media securely.
  • Ensure personal data held on the network is covered by backups.

Data Subject Rights

Under GDPR, data subjects can:

  • Access their personal data
  • Request corrections
  • Request erasure
  • Object to processing
  • Request processing restrictions
  • Request data transfer
  • Object to decisions based solely on automated processing
  • Be notified of a data breach that is likely to result in a high risk to them

Data Subject Requests

  • Verify the identity of the person making the request before disclosing anything.
  • Where a third party requests data on a data subject’s behalf, obtain the data subject’s explicit written consent first.
  • Keep an audit trail of the request and what was disclosed.
  • Do not share personal data with third parties without consent.
  • Be alert to attempts to obtain personal data by deception, for example someone impersonating the data subject or a person authorised to act for them.
  • Escalate the request immediately: the statutory deadline for responding is one month from receipt.

Special Categories of Data

Extra care must be taken with health and disability information, equal opportunities monitoring data, information relating to legal claims, and criminal conviction information.

If unsure, contact Line Manager or HR Manager.


Exemptions

The following are exempt from disclosure in response to a data subject request:

  • Confidential references given by the Company
  • Management forecasts and planning information
  • Information the Company is required by law to disclose or make public
  • Legally privileged documents

Data Breach

A personal data breach is any accidental or unlawful loss, destruction, alteration or corruption of personal data, or any unauthorised disclosure of or access to it.

Report any suspected breach to your Line Manager immediately and follow the Data Breach Policy. Where the breach is likely to result in a risk to individuals, the Company must notify the ICO within 72 hours of becoming aware of it, and where the risk is high it must also inform the affected data subjects without undue delay. The 72-hour period runs from the moment the Company becomes aware of the breach, not from the end of any assessment, so do not delay reporting.


Training

All employees handling personal data must understand GDPR requirements and attend training.


Sharing Personal Data

Only share personal data with authorised persons and in line with the relevant privacy notice. Extra care is required when sharing special category data or criminal records data, and when transferring personal data outside the Company.