Terms, Conditions and GDPR policy

W Ball & Sons Ltd

Burr Lane

Ilkeston

DERBYSHIRE

DE7 5JD

www:Baltex.co.uk

01159 322 403

 

Data Protection Policy

 

Contents

This policy covers the following:

 

Background

Applicable data protection law

Key concepts of applicable data protection law

The data protection principles

Data subjects’ rights

Other requirements

Third party processors

Further information

1. 

Background

 

In the course of running its day to day business, W Ball and Sons Ltd (the ‘Company’), may collect and process customer and staff as well as customer and supplier. The use of such information (‘personal data’, as explained in more detail below) is regulated by data

protection law (the ‘Data Protection Legislation‘, explained below). This policy sets out how the

Company intends to comply with the key rules that apply to the processing of personal data in the

United Kingdom.

 

Description of the Company's Processing Activities

 

The Company regularly processes the following categories of personal data:

 

Employees: The Company has employees, about whom it holds personal data such

as employment history, education and qualifications, and identifiers such as contact details and

record of employment with the Company. Very occasionally, the Company may process information

about its employees‘ health or medical details. The Company processes such employee personal

data  for ordinary staff administration purposes, including salary payment and conferring other

benefits, conducting appraisals, training and management. It so collects personal data about

prospective candidates in the recruitment process. The Company holds some information about its

employees and former employees for archival and historical research purposes.

 

Customers: The Company holds the personal data of its past, present and prospective customers

The personal data held includes customers name, company name, company address(s), delivery addresses, previous orders, as well as financial and contact details. The Company processes such personal data in order to administer deliveries, send update on policy, prices, payment terms, and to collect payments. 

 

Third Parties: The Company will hold details if your details have been given as a delivery address.  The Company may also process personal data for historical and archiving purposes.

 

Suppliers: The Company processes personal data concerning its suppliers of goods and services,

Including identifiers such as   contact details,  financial  information and purchase   history.               The

Company processes such information in order to purchase goods and services, to pay its suppliers and to maintain its accounts and records.

This policy does not document every part of the Data Protection Legislation which may be relevant, but merely focuses on the key aspects that are likely to be applicable to the Company. Should other issues arise in practice not covered by this policy, the Company will consider these separately at the time. The Company will review this policy annually, and may amend it from time to time as it sees fit.

 

 

2  Applicable Data Protection Law

 

Data protection law in England and Wales is primarily found in the Data Protection Act 1998 (‘DPA’).

With effect from 25"‘ May 2018, the DPA will be repealed and superseded by the General Data

Protection Regulation (‘GDPR'). The GDPR will be supplemented by the Data Protection Act 2017.

In this policy, any reference to the Data Protection Legislation means the DPA, or the GDPR, as

supplemented by the Data Protection Act 2017 (‘DPA 17'), whichever is in force at the time.

 

The   DPA   is   enforced  in   England   by  the   Information Commissioner, operating through the

Information Commissioner’s Office (the ‘lCO’). The ICO publishes guidance on the DPA and has a

broad range of powers, including the ability to issue fines of up to £500,000 for breaches. The ICO

will enforce the GDPR when it takes effect in May 2018. Under the GDPR, the ICC will have greater

powers,                       including    the              ability                    to     issue            fines            of up to        4%          of annual               turnover,              or €20,000,000,

(whichever is greater) and to conduct compulsory audits of organisations’ data handling practices.

 

 

3  Key Concepts of Applicable Data Protection Law

 

The Data Protection Legislation relies on a number of key definitions, which are explained below.

 

‘Personal Data’ means any information relating to an identified or identifiable natural person (a

‘data subject’, which is explained in more detail below). An identifiable natural person is one who

can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an

identification number, location data, an online identifier, or to one or more factors specific to the

identity of that natural person.

 

The Company will hold personal data about its past, present and prospective customers, staff and members, as well as its suppliers. The Company may hold such personal data both in electronic and hard copy format, in records, correspondence and minutes.

 

‘Processing’ means any operation or set of operations which is performed on personal data or on

sets  of  personal data,  whether or  not by automated means,  such  as  collection, recording,

organisation, structuring, storage, adaption or alteration, retrieval consultation, use, disclosure by

transmission, dissemination or otherwise making available, alignment or combination, restriction,

organisations carry out in relation to their personal data are captured by the definition.

 

The Company will generally be deemed to be processing any personal data that it may collect,

record, store and/or disclose.

 

‘Controller’ means the natural or legal  person, public authority, agency or other body, which

determines the purposes and  means of the processing  of personal data. The   Data  Protection

Legislation applies to controllers, who must comply with its requirements.

 

The Company will generally be a controller in relation to the personal data of its members, staff,

and enquirers, and suppliers.

 

‘Processor’ means  a  natural or legal  person, public authority,            agency    or     other         body    which

processes personal data on behalf of the controller. Where a controller uses a processor to process

personal data on its behalf,  the controller must only use    a                      processor that provides          sufficient

guarantees to  ensure that personal data  is processed securely, and  in accordance  with  the

requirements of the GDPR. Controllers must engage processors by way of a contract incorporating

the provisions specified by Article 28 of the GDPR.

 

The Company may use processors for a variety of purposes; for instance, to store personal data,

to send email communications, or to calculate staff payroll. In each case, it must have conducted

sufficient due diligence to be able to evaluate whether the processor offers sufficient guarantees to

protect personal data and must ensure that the processor is bound by a contract that incorporates

the  provisions               specified           by    the                GDPR.  The           requirements around appointing processors          are

explained in more detail below (see Section 7, below).

 

‘Special Categories of Personal Data’ means personal data revealing racial or ethnic origin,

political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric

data,  data concerning health (including                       medical data, and medical records, for example), or

concerning an individual’s sex life or sexual orientation. Special categories of personal data is the

term used in the GDPR which, broadly speaking, replaces the concept of ‘sensitive personal data’

from the DPA.

 

The special categories of personal data require a higher standard of care. If a personal data breach

(as defined below) occurs that involves the loss of any of the special categories of personal data,

the ICC will regard this as a serious breach. The GDPR also requires that personal data relating to

criminal convictions and offences is treated with a higher standard of care.

 

The Company is generally unlikely to hold a significant volume of the special categories of personal

data, though in the event that it does, it must ensure the information is handled accordingly.

 

‘Data Subject’ means an individual to whom personal data relate. Typically, these are employees,

customers, and suppliers.

 

The categories of data subject whose personal data the Company is likely to process will include

members, staff, suppliers and members of the public.

 

‘Personal Data Breach’ means a   breach of  security leading to  the accidental or unlawful

destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

 

A personal data breach may be accidental, such as a system failure, or loss of an electronic or

physical file, or malicious, such as a cyberattack. In the event that the Company suffers a personal

data breach, it must take specific steps, explained below in this policy.

 

 

 

 

 

                                4  The Data Protection Principles

 

The data protection principles are standards which the Company must observe when processing

personal data. These principles are as follows:

 

i Fairness, Lawfulness and Transparency

 

This is the most important of the data protection principles and comprises three elements;

fairness, lawfulness and transparency. Considering these in more detail:

 

Fairness: Organisations generally cannot process individuals‘ personal data in a way that

an individual would not have reasonably expected. Collecting personal data on the pretext

of one purpose and then using it for another, unrelated purpose is unlikely to be fair. The

Company should  consider whether its  uses  of  personal data  would fall  within         the

reasonable expectations of the affected data subjects.

 

Transparency: Organisations must provide certain prescribed information to individuals

when processing their personal data, including the organisation's identity, the purposes for

which personal data are being processed, or are to be processed, and any third     party

recipients of the personal data. A complete list of the information that must be provided to

data  subjects can  be  found in Articles 13 and  14 of the   GDPR.   The  transparency

information must accurately reflect the controller's use of personal data. This is frequently

provided                                 by way of a website        privacy notice,    but        may    also      be        provided          by way of a

disclaimer on a paper form, or a pre-recorded message in the context of recorded telephone

calls.

 

The Company must ensure that its website privacy notice, and any other means by which

it makes the transparency information available to data subjects (such as a disclaimer on

a paper form) accurately and comprehensively reflect its processing activities.

 

Lawfulness: Organisations must establish at least one of a number of lawful grounds for

processing. These lawful grounds are set out in Article 6 of the GDPR and are as follows:

 

1)  The data subject has given his or her consent to the processing.  Note that to be valid,

consent must be freely-given, informed (by way of the transparency notice, explained

above) specific, and capable of withdrawal at any time, without detriment to the data

subject. Consent must be indicated by way of an unambiguous, positive affirmation by

the data subject.  Consent cannot be inferred from the absence of an objection, and

will not be valid where the data subject does not have a genuine choice.

 

2)   Processing is necessary for the performance of a contract to which the data subject

is a party, or in order to take steps at the request of the data subject prior to entering

into a contract.

 

3)   Processing is necessary for compliance with a legal obligation to which the controller

is subject.

 

4)   Processing is necessary in order to protect the vital interests of the data subject or

of another person.

 

5)   Processing is necessary for the performance of a task carried out in the public interest

or in the exercise of official authority vested in the controller.

controller or by a third party except where such interests are overridden by the interests

or fundamental rights and freedoms of the data subject which require the protection of

personal data.

 

In practice, the Company will frequently be able to rely on the second and sixth grounds

(performance of a contract, and the legitimate interests ground) for many of its activities.

Note that the grounds for processing the special categories of personal data are different.

 

ii         Purpose Limitation

 

This principle requires that the purposes for which personal data are processed are limited

to those purposes specified in the transparency information that has been provided to the

affected data subjects, and not processed for any further, incompatible purposes. Note that

any further processing operations for archiving purposes in the public interest, scientific or

historical research purposes or statistical purposes are not considered to be incompatible

purposes.

 

The Company should only process personal data it holds for those purposes specified in

the website privacy notice, or other such transparency notice.

 

Data Minimisation

 

Personal data should be adequate, relevant and limited to what is necessary in relation to

the purposes for which they are processed.

 

The Company should only collect the personal data that is strictly necessary for the purpose

for which it was collected, and should not collect additional, unnecessary personal data on

a ‘just in case‘ basis.

 

iv         Accuracy

 

Personal data must be kept accurate, and up to date.

 

The Company must ensure that any requests from data subjects to update their personal

data are dealt with promptly, having satisfied itself as to the requester's identity.

 

v          Storage Limitation

 

Personal data must not be kept for longer than is necessary for the purposes for which the

data are processed. The duration for which personal data are stored will be dictated by

applicable legal,  business or other reasons, such  as  retention             periods    driven      by        tax

legislation.

 

If the  Company cannot establish a valid  legal,  business or other reason  for retaining

personal data, it should be securely deleted.     The Company should specify the periods for

which personal data are stored in a record retention policy. Alter the storage period has

expired, personal data should be deleted.

 

Note that the Company may store some categories of personal data for longer periods

where such processing is solely for archiving purposes in the public interest, or historical

research purposes. In such cases, the Company must implement appropriate safeguards,

such as allowing data subjects to request deletion of some of their personal data.

vi        Integrity and Confidentiality

 

Personal data must be processed in a manner that ensures its security, including protection

against unauthorised or unlawful processing and against accidental loss, destruction or

damage, using appropriate technical or organisational measures.

 

The  Company should take  appropriate                 measures                     that     are           proportionate to the    risk

associated with the personal data it holds. Such   measures may be technical, such as

encryption and password protection of electronic devices and electronic storage media

(e.g. USB drives), or organisational, for example, by operating a layered access policy,

appropriate vetting of staff who have access to personal data, conducting appropriate due

diligence on any third parties that process personal data on the Company's behalf, and

binding them by an  appropriate engagement contract. The Company should  consider

regularly reviewing and testing its security measures.

 

vi         Accountability

 

Controllers are responsible for compliance with the principles explained above, and must

be able to demonstrate compliance.

 

The Company must be in a position of being able to provide evidence of compliance, for

example, by way of a data protection policy, documented data protection reviews and a

record of data protection training.

 

5  Data Subjects’ Rights

 

Data Protection Legislation confers a number of rights upon data subjects, which controllers must

observe. Data subjects‘ rights are a cornerstone of The Data Protection Legislation, and must be

dealt with promptly should one arise. The Company is unlikely to receive data subject requests on

a regular basis so this Policy does not go into detail but the Company must be able to recognise a

request from a data subject to exercise his or her rights, should one arise. The most relevant of

these rights, from the Company's perspective, are summarised below:

 

i   Data Subject Access Requests

 

Data subjects are entitled to access their personal data held by the Company on request

(Article 15 GDPR).   The response to a data subject access request must include certain

information, such as: the purposes of the     processing; the  recipients (or categories of

recipient) to whom the personal data have or will be disclosed; and individuals’ rights to

have their data corrected, deleted or to restrict the processing of their data.

 

Note that under the GDPR, the information must be provided to data subjects free of charge

and within one month of the request.

 

Ii  The Right to be Forgotten

 

Data subjects have me right to request the Company erase all data held in respect of them

in various circumstances (Article 17 GDPR).  However, the right to be forgotten is not an

absolute right, and the Company is only obliged to give effect to a request in a number of

specific situations, the most relevant of which are likely to be:

 

1)    Where the purpose for which the personal data were processed no longer applies; or

 

7

 

         2)  Where the Company's processing of the personal data is based on consent and the

    data subject withdraws his or her consent.

 

         iii     The Right to Rectification

 

Data subjects have the right to have incorrect personal data about them corrected without

undue delay (Article 16 GDPR).

 

The Company must endeavor to ensure that any personal data it processes is up to date

and correct. Where an error or inaccuracy is discovered, the Company should correct this

as soon as possible.

 

               iv     The Right to Data Portability

 

Data subjects have the right, in certain circumstances, to access their data in machine-

readable format and, where technically possible, to have their data transferred directly from

the Company to another data controller (Article 20 GDPR). However, the circumstances in

which the right to data portability arises are limited and, at present, seem unlikely to be

relevant to the Company.

 

         v       The Right to Object

 

Data subjects have the right, in a number of specific circumstances, to object to having

their personal data processed (Article 21 GDPR). The most relevant of these circumstances

are where the processing is based on the Company's legitimate interests (explained in

section 4(r)(6) above. Data subjects may also object to their personal data being processed

by the Company for direct marketing purposes.

 

6.   Other Requirements

 

The Company must process personal data in accordance with the principles explained above.

However, the Data Protection Legislation imposes a number of additional requirements, which are

explained below.

 

i       Breach Notification

 

The  ICO  would expect the  Company to  have  a  documented data  protection       breach

management plan in place. In the event of a data protection breach, the ICO would regard

the absence of a breach management plan as an aggravating factor.

 

Reporting Breaches to the ICO

 

Under the GDPR, if a data security breach occurs, the Company (as controller) must notify

the breach to the  ICC  "without undue delay" and, where feasible,  within 72hrs of the

personal data breach occurring.” However, this notification requirement does not apply

where the breach "is unlikely to result in a risk to the rights and freedoms" of the individuals

concerned.

 

The notification must include the information specified in Article 33(3) of the GDPR, and

where it is not possible to provide all the information at once, it may be provided in phases.

 

8

Reporting Breaches to Individuals

 

Where a data security breach occurs, and it is likely to result in a "high risk" to the rights

and  freedoms of  the  individuals                   concerned,      the    Company  must        notify   the       affected

individuals "without undue delay".  Article 34(2) of the GDPR specifies what information

must be provided. However, the Company is not required to notify data subjects if:

 

1)  The personal data concerned had been rendered unintelligible (for example, by way of

encryption); or

 

2)   Subsequent measures have been taken by the Company so that there is no longer a

high risk to the individuals; or

 

3)   It would involve disproportionate effect to communicate to each affected data subject

individually, although where this applies then a general public communication must be

made.

 

The Company must maintain a schedule of data breaches (whether or not notification was

made at the time), to comply with Article 33(5) of the GDPR.

 

ii         Data Protection Impact Assessments (DPlAs)

 

A DPIA consists of a documented consideration and evaluation of the data protection risks

 

arising from a  proposed new processing activity,          along                       with           recommended  mitigation

strategies to address the risks.

 

Under Article 35 of the GDPR, the Company is required to undertake a DPIA "where a type

of processing in particular using new technologies, and taking into account the nature,

scope, context and purposes of the processing, is likely to result in a high risk to the rights

and freedoms of natural persons"

 

The Company does not believe that the nature of its processing is such that there is likely

to be a high risk to the rights and freedoms of the data subjects whose personal data it

holds. As a result, the Company does not believe that it is necessary for it to undertake

any DPlAs.

 

The Company will keep this conclusion under review, including any guidance issued from

ICO, or practice in other similar schemes

 

 

7  Third Party Processors

 

The rules around the appointment of processors (the meaning of which is explained in Section 3,

above) are strict, and amount to an organisational security measure. In the event that the Company

were to suffer a personal data breach involving a third party processor, the ICO would expect to

see that appropriate due diligence had been conducted on that provider and that the appropriate

contract was in place.

 

Before the GDPR comes into force, the Company must ensure that it has a written contract which

meets the requirements of GDPR in place with each processor it uses. The Company must only

use processors that guarantee they will meet the requirements of the GDPR and will protect data

subjects‘ rights.