DATA PROTECTION POLICY
AVTEK Ltd manufactures and installs aluminium curtain walling solutions for a wide range of public and private sector clients. AVTEK Ltd is committed to meeting the requirements of the General Data Protection Regulations.
AVTEK Ltd is required to keep certain personal information, for example staff details, in order to fulfil its purpose and to meet its legal obligations. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the company must comply with the guidelines set out in the General Data Protection Regulations.
Personal data shall: –
- be obtained and processed fairly and lawfully;
- be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
- be adequate, relevant and not excessive for those purposes;
- be accurate and kept up to date;
- not be kept for longer than is necessary for that purpose;
- be kept secure from unauthorised access, accidental loss or destruction not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data;
The company, and all staff who process or use personal information, must ensure that they follow these principles at all times. In order to ensure that this happens, the Company has developed this Data Protection Policy.
STATUS OF THE POLICY
This policy has been approved by the company and any breach will be taken seriously and may result in more formal action.
Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with their line manager, or the company Data Controller, in the first instance.
NOTIFICATION OF DATA HELD AND PROCESSED
All staff are entitled to: –
- ask what information the company holds about them, and why
- ask how to gain access to it
- request consent from the company to keep and maintain any person information held;
- on leaving the company seek assurances that any information held about them is destroyed (right to be forgotten)
- be informed how to keep data up to date
- be informed what the company is doing to comply with its obligations under the General Data Protection Regulations
RESPONSIBILITIES OF STAFF
All staff are responsible for: –
- checking that any personal data they provide to the company is accurate and up to date
- informing the company of any changes to data which they have already provided, e.g. change of address
- checking the accuracy of any data that they may have to send out on behalf of the company from time to time
If, as part of their work responsibilities, staff collect information about other people (e.g. personal circumstances regarding members of staff in their department), they must comply with this Policy and with the Data Protection Guidance Notes.
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that:
- any personal data which they hold is kept securely
- personal information is not disclosed verbally, in writing or in any other way to any unauthorised third party.
Detailed advice on data security is contained in the Data Protection Guidance Notes.
RIGHTS TO ACCESS INFORMATION
Employees of the company have the right to access any personal data that is being kept about them, regardless of whether it is held on computer systems or is paper-based. Any person who wishes to exercise this right should make the request in writing to the company, using the standard form which is available from the company Data Controller.
AVTEK Ltd aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days of receipt of a completed form, unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
PUBLICATION OF COMPANY INFORMATION
Information that is already in the public domain is exempt from the regulations. This would include, for example, information on staff contained within externally circulated publications. Any individual who has good reason for wishing details in such publications to remain confidential should contact the company Data Controller.
The need to process data for normal purposes has been communicated to all staff. In some cases, if the data is sensitive – for example information about health, race or gender, etc. – express consent to process the data must be obtained. Processing of the data may be necessary in order to comply with other company policies, such as health and safety and equal opportunities.
RETENTION OF DATA
It is a requirement that the Company has to keep some forms of information for longer than others. The company has a Records Retention Schedule.
THE COMPANY’S DESIGNATED DATA CONTROLLER
The company is the data controller under the regulations and is therefore ultimately responsible for implementation. However, day to day matters will be dealt with by Administration. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the company Data Controller.
This policy will be reviewed on an annual basis and is available to interested parties on request.