1.1 JW Filshill Limited and its subsidiaries take the security and privacy of data seriously. We need to gather and use information or ‘data’ as part of our business and to manage our relationships. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and, for so long as it has effect in the UK, the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. The 2018 Act and GDPR are together referred to in this policy as the ‘Data Protection Legislation’. We have a duty to notify you of the information contained in this policy.
1.2 The Company may collect personal data in relation to job applicants, customers, employees, workers and consultants, suppliers and other business contacts. Copies of our specific policies and privacy notices for these may, if they are relevant to you, be obtained by contacting us at email@example.com.
1.3 The Company is a ‘data controller’ for the purposes of personal data. This means that we determine the purpose and means of the processing of personal data.
1.4 This notice explains how the Company will hold and process information. It explains your rights as a data subject.
1.5 This notice can be amended by the Company at any time. It is intended that this notice and our full Data Protection Policy are fully compliant with the Data Protection Legislation. If any conflict arises between those laws and this policy, the Company intends to comply with the Data Protection Legislation.
2 Data Protection Principles
2.1 Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
We are accountable for these principles and must be able to show that we are compliant.
3 How we define personal data
3.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
3.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
3.3 This personal data might be provided to us by the individual concerned, or someone else or it could be created by us.
3.4 We will collect and use the following types of personal data about you:
4 How we define special categories of personal data
4.1 ‘Special categories of personal data’ are types of personal data consisting of information as to:
We do not hold any of these special categories of personal data for customers.
5 How we define processing
5.1 ‘Processing’ means any operation which is performed on personal data such as:
This includes processing personal data which forms part of a filing system and any automated processing.
6 How will we store and process personal data?
6.1 The Company will process personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
6.2 We will use personal data for:
These legitimate interests include: the sale of products and delivery of our services to our customers; the investigation, processing and/or defence of potential or actual complaints and legal proceedings; the proper processing of financial transactions for the purposes of our business, including credit checking and debt recovery; and the marketing and promotion of our products and services.
6.3 We can process personal data for these purposes without the individual’s knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
6.4 Other situations in which we will process your personal information include to make you aware of special promotions and other business opportunities specific to your contract.
6.5 The Company will hold data in accordance with our internal policies. A copy of these can be obtained from firstname.lastname@example.org. We will only hold data for as long as necessary for the purposes for which we collected it, and it will be deleted within 12 months of the purpose for which it was collected no longer being required. Until then we will store any personal information securely and dispose of it appropriately once it is no longer required.
6.6 If you choose not to provide us with certain personal data you should be aware that we may not be able to carry out certain parts of the business relationship between us. For example, if you do not provide us with your bank account details we may not be able to pay you. It might also stop us from complying with certain legal obligations and duties.
6.7 We do not take automated decisions about you using your personal data or use profiling in relation to you.
7 Sharing personal data
7.1 Personal data may be shared internally between departments where it is necessary for the performance of our business but will not be shared in a way incompatible with the purpose(s) for which it was originally obtained.
7.2 Sometimes we might share personal data with group companies, suppliers or our contractors and agents to carry out our obligations under our contracts or for our legitimate interests. For example: credit referencing; complying with regulatory and external audit services; and obtaining professional advice, such as legal advice.
7.3 We require those companies to keep personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process our data for the lawful purpose for which it has been shared and in accordance with our instructions.
7.4 We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the whole or a part of the Company’s business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
7.5 We may also need to share your personal information with a regulator or to otherwise comply with the law. This may include making returns to HMRC, and disclosures to shareholders.
7.6 We do not send personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of the data will be explained.
8 Protecting personal information
8.1 The Company has in place measures to protect the security of personal information. It has internal policies, procedures and controls in place to try to prevent personal information from being accidentally lost or destroyed, altered, disclosed, or used or accessed in an unauthorised way. In addition, we limit access to personal information to those employees, workers, agents, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities.
8.2 Where personal information is shared with third parties, we require all third parties to take appropriate technical and organisational security measures to protect personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process personal information for specified purposes and in accordance with our written instructions and we do not allow them to use personal information for their own purposes.
9 How to deal with data breaches
9.1 We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office within 72 hours.
9.2 If you are aware of a data breach we request that you contact a Director immediately to inform us, and that you keep and make available to us any evidence you have in relation to the breach.
10 Subject access requests
10.1 You can make a ‘subject access request’ (‘SAR’) to find out the information we hold about you. This request must be made in writing.
10.2 We must respond to a SAR within one month unless the request is complex or numerous, in which case the period in which we must respond can be extended by a further two months.
10.3 There is no fee for making a SAR. However, if the request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to the request.
11 Data subject rights
11.1 You have the right to information about what personal data of yours we process, how and on what basis as set out in this policy.
11.2 You have the right to access your own personal data by way of a subject access request (see above).
11.3 You have the right to correct any inaccuracies in your personal data by contacting our Information Technology Manager.
11.4 You have the right to request that we erase personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
11.5 While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do this contact our Information Technology Manager.
11.6 You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.
11.7 You have the right to object if we process your personal data for the purposes of non-relevant direct marketing.
11.8 You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month.
11.9 With some exceptions, you have the right not to be subjected to automated decision-making.
11.10 You have the right to be notified of a data security breach concerning your personal data.
11.11 In most situations we will not rely on consent as a lawful ground to process personal data. If we do however request consent to the processing of personal data for a specific purpose, you have the right not to consent or to withdraw consent later. To withdraw consent contact our Marketing Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
11.12 You also have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
12 Contact details
If you have any queries about this policy, you should contact:
J.W. Filshill Limited (t/a Filshill Group)
Telephone: 0141 883 7071
Fax: 0141 883 2224