What is GDPR?
GDPR (General Data Protection Regulation) is a European Union regulation which enforces the safe and responsible use of personal data. It protects individuals in the EU regardless of their citizenship, which in turn means that any company that directly or indirectly handles the personal data of people in the EU will have to comply.
The regulation requires any entity that decides why and how personal data is processed to be able to demonstrate a lawful basis for that processing, on one of six grounds: consent, performance of a contract, a legal obligation, the vital interests of the data subject, a task carried out in the public interest, or the legitimate interests of the entity (or a third party), provided those interests are not overridden by the rights of the data subject. An entity that determines the purposes and means of processing in this way is a “Data Controller”.
An entity that processes personal data only on behalf of and on the instructions of a controller (for example, a supplier fulfilling a customer’s orders from data the customer provides) is a “Data Processor”. A controller remains responsible for ensuring that the data it passes to processors and other third parties is handled responsibly and lawfully, and a processor must act only on the controller’s documented instructions and keep the data secure. Spaceright is both a data controller (for its own customers and employees) and a data processor (where it handles data supplied by its intermediate customers).
What data do we hold?
There are two categories of data:
- Personal data: Name, Address, Phone Number, Email address etc....
- Special Category Personal Data: Racial or ethnic origin, Religion, Health, Biometric data (where used to identify someone), Sexual orientation etc...
Spaceright holds personal data on customers, engaged third parties and employees. We do not hold special category data for customers or engaged third parties. We only hold special category data on our employees where it is needed to fulfil our employment contracts, to meet our legal obligations as an employer, or to protect the vital interests of the employee concerned.
What do we do with the data we hold?
We use the personal data of our customers to fulfil orders and deliver services under contract, either directly or through one of our long-standing intermediate customers. In situations such as this these intermediate customers act as Data Controllers and we comply with the policies they deem appropriate as their Data Processor. Wherever possible we will minimise the data we collect on any data subject to what is needed for the purpose.
We will not use customer, employee or third party personal data in proactive marketing and sales initiatives unless we have a lawful basis to do so. We do not use customer, employee or third party personal data to systematically profile data subjects for any purpose. We will never sell customer, employee or third party personal data.
Simple as that.
What about Data Security?
Spaceright believes strongly that data integrity is the foundation of the future of business and that the security of that data is paramount. All personal data that Spaceright processes or controls is stored on encrypted servers, and any files that contain personal data are password protected. Spaceright’s policy on the retention period for customer data is 20 years from the last order. This data is retained only for contractual and operational purposes, and because selective erasure from our order history is impractical. Only designated, responsible persons have access to our employee special category data. That data is subject to additional security measures, over and above those set out here, which are detailed separately.
Who has responsibility for this policy?
Spaceright is an SME (a small or medium-sized enterprise); our core activities do not involve large-scale or systematic monitoring of data subjects, and we hold special category personal data only for employees. As such we have determined that there is no legal requirement to appoint a Data Protection Officer (DPO), and have instead nominated a Data Protection Manager (DPM) to have overall responsibility for the implementation of this policy.
The DPM can be contacted on 01236 853120 or via email at DPM@spacerighteurope.com. In addition to the DPM there are three other nominated individuals important to this policy:
- The IT Manager: Responsible for the data security of Spaceright.
- The Marketing Manager: Responsible for maintaining the record of data subjects who have consented to be contacted.
- The Employee Data Manager: Responsible for the special category employee data.
How do we keep our data compliant?
Spaceright will conduct regular audits of the personal data we hold, in addition to ongoing checks that the data is accurate, up to date and still needed. Our full policy on GDPR and data protection can be supplied on request; all employees are required to comply with the full policy at all times.
What about me? What do you know?
Spaceright believes in transparency and is happy to respond to subject access requests within the confines of the law and within the statutory time limit (one month under GDPR, extendable in complex cases).
What if I don’t want you to know about me?
If you’re a customer or third party and you’d like to be forgotten or erased from our records then we will comply with this within the confines of the law and our policy, and where we are contractually able to do so. If erasure would conflict with your vital interests, or with a legal or contractual obligation that requires us to keep the data, we will let you know. While we will be sad to see you go, we respect your privacy.
What if data is lost?
Should any personal data be lost, or accessed, disclosed, altered or destroyed without authorisation (a personal data breach), then this must be reported to the DPM immediately. The DPM will then report it to the board of directors and, where the breach is likely to pose a risk to the individuals concerned, to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of it, as is legally required. Where the risk to individuals is high, the affected data subjects will also be informed.
OK. So what do I do now?
Nothing! As we have always processed data on a contractual or legal basis, or in your vital interests, please rest assured that we will continue to do so.
Last updated: 25th May 2018