AJN Steelstock Limited is committed to complying with the Data Protection Act and the General Data Protection Regulation (GDPR). Safeguarding your personal data is very important to us and we want you to be confident that we process your data in a lawful, fair and transparent manner and that your data is kept securely in line with the requirements of GDPR.
The purpose of this policy is to outline the measures we take in processing your data and your rights as the Data Subject. It will outline how we collect, process, store and retain your personal data across all sites at AJN Steelstock Limited. It will also outline who we share your data with and on what basis. Unless advised otherwise AJN Steelstock Limited will be the Data Controller which means we will determine the purposes and means of processing personal data. We may, on occasions, share your data with a third party. The third party will be a Data Processor and will process the data on behalf of the Data Controller to enable us to fulfil our obligations to you the Data Subject.
We have carried out a data audit to consider the data which we collect, the purpose for collection, the lawful basis for collection, whether any data collected falls within the special category data detailed in the GDPR, who we share the data with, how we store it and for what period we will retain it. We have documented our findings in document number HR029. The lawful bases we have considered for processing data under GDPR legislation are:
- Consent – This is your freely given agreement to us processing your data. Your consent must be specific, informed, affirmative and unambiguous
- Contract – We may collect data that is necessary in order to fulfil our obligations to you under a contract for goods or services between parties or because you have asked us to perform a task before entering into a contract
- Legitimate business interest – The processing is necessary in the interests of AJN Steelstock Limited managing and administering its business or for the legitimate interests of the data subject. To rely on this basis we will consider if there is a legitimate interest, that the processing is necessary to achieve the interest and we will balance this against the data subject’s rights, interests and freedoms
- Legal obligation – The processing of data is necessary to enable us to comply with the law
- Vital interests – We will only rely on this basis for processing personal data where we need to protect someone’s life. The processing must be necessary for this purpose. We will not rely on this basis if there is a less intrusive way of achieving the same outcome or where consent could be given
- Public task – We will rely on this basis for processing personal data in the exercise of an official authority. This will include public functions and powers that are set out in law. We will not rely on this basis where a less intrusive way of processing could be carried out to achieve the same outcome.
Where the lawful basis for processing is a legitimate business interest we shall carry out a legitimate interest assessment, document HR030.
Where the data falls within special category data, as defined by GDPR, we will identify a lawful basis for processing and a special category condition to meet our legal obligations.
Categories of data
Details of the data processed can be found in document HR029 but are categorised in brief below:
Customer & supplier information:
- Company information
- Contact information
- Payment information
- Contract and trading information
- Marketing information
- Performance and quality information.
Other interested parties:
- Contact details
- Personal identification information
- Subject matter information and related correspondence
- CCTV footage on site.
Data Processors – third parties
We may on occasions share your information with third parties for the purposes of offering you the services in question or operating the business. Where we share your information we will take all reasonable care to ensure your data is handled in accordance with the GDPR and will make due diligence checks on the third parties in question. Some examples of the categories of third parties with whom we share your data are:
- IT companies
- Payment processing
- Government agencies and departments
- Insurance companies
- Credit reference providers
- Regulatory bodies
- Any other company to enable the performance of a contract between the parties.
We will only share the information that is required in order to carry out the service provided.
Storage of data
Your data may be stored electronically or in hard copy or both. AJN Steelstock Limited will take physical and technical measures to ensure the security, integrity and confidentiality of your data in the following manner:
- Confidentiality means only those persons or organisations that need to know and are authorised can access and use your data
- Integrity means that we will endeavour to ensure all data is accurate and suitable for the purpose for which it is processed
- Security means that we will password protect and/or encrypt electronic data as appropriate and securely store hard copy documents in locked filing systems.
Retention of data
In accordance with GDPR requirements AJN Steelstock Limited will not retain your personal information for any longer than necessary. In deciding the retention period we will take into consideration the purpose for which the information was collected and needs to be processed, any contractual or legal requirements, and whether we believe there may be a need to bring or defend a legal claim. The length of time we will keep your data is set out in the Quality Records Matrix, document F4.2._4.01, but for the purposes of performing a contract will be seven years and for the purposes of performing a deed will be 13 years.
Your rights as the Data Subject
As a Data Subject you have certain rights related to the processing of your personal data, a brief outline of which is set out below. These rights are set out in full in the GDPR and in brief in our Data Audit, document HR029. Further information is available on your rights, and the GDPR in general, from the Information Commissioner's Office website, www.ico.org.uk.
Right to be informed
Right to access
You have a right to obtain a copy of the personal data we hold on you or to confirm that we are processing your personal data; this is known as a subject access request. An individual, however, is only entitled to their own personal data and not to information relating to other people. We may require you to produce identification prior to releasing such data. There may be occasions where supplying personal data would breach the privacy rights of other individuals. In such cases information will be redacted or withheld as necessary or appropriate to protect that person's rights.
For ease of handling your request we would ask that you put your request in writing to the contact details below. However, we acknowledge that requests can also be received verbally. Unless your request is complex we will respond to your request within one month. In some circumstances, where the request is complex or there have been several requests for the same information, we may extend this period by two months. In these circumstances we will write to you within one month to advise you of our extension requirements. There will be no charge made for supplying this information.
Should the subject access request be manifestly unfounded or excessive, taking into account whether the request is repetitive in nature, we have the right to either request a reasonable fee for the administrative costs, or refuse the request and will write to inform you accordingly within one month of receiving the request.
Right to rectification, right to erasure, right to object, right to portability
The Data Subject has a right to have inaccurate personal data rectified or completed if it is incomplete. Should we receive such a request, we will rectify or complete the data if it is found to be inaccurate in relation to any matter of fact, within one month of receiving the notification. Whilst we are checking the accuracy of the information we will restrict the processing of the data in question.
Individuals in certain circumstances have the right to have their data erased, restricted or suppressed. Individuals also have the right to object to the processing of their personal data and a right to request portability of their data. These are not absolute rights; further details on these rights are given in our Data Audit, document HR029. Where the right does apply we will act within one month of receiving the request unless the request is complex, in which case we may request up to a further two months to act. If we need an extension period we will write to you to advise.
Breaches of GDPR
Whilst AJN Steelstock Limited will take all reasonable steps to comply with data protection legislation, if it is felt that there is a breach of said legislation an investigation will be launched in a timely manner. If a breach is confirmed we will take the steps necessary according to GDPR.
There is no legal requirement for us to have a Data Protection Officer (DPO); however, as best practice, we have appointed a team to work on preparing the Company for the changes in legislation and ongoing compliance. The representatives of this team are the Operations Director and Head of HR.
If you have a complaint or wish to exercise any of your rights under GDPR please put your correspondence in writing to:
AJN Steelstock Ltd
This policy will be available on our Company website at www.ajnsteelstock.co.uk and displayed on notice boards throughout the Company sites. The policy will be reviewed on an annual basis or following any changes to legislation or Company circumstances.