Data Protection Policy and Privacy Notice
PERSONAL DATA
Any personal data provided to EJ Inventory Services will be held strictly in accordance with the GDPR Regulations
DATA CONTROLLER
A data controller is an inventory clerk who is directly employed by a client. The clerk is responsible for handling that personal data and remains responsible if the data is passed to a third party (e.g. an estate agent). If a data breach occurs, the clerk is responsible as the data controller and may have to report the breach to the ICO within 72 hours.
DATA PROCESSOR
A data processor is an inventory clerk who is given data not directly by the client but by a company the client has employed (e.g. an estate agent). In this case the client would be the data controller and the clerk the data processor. If the clerk sends the personal information to the wrong person and a breach occurs, they would need to inform the data controller of the breach and possibly report it to the ICO within 72 hours.
OTHER ORGANISATIONS
We must ensure that any organisation to which we pass personal data, or from which we receive personal data, is GDPR compliant. It is recommended that we sign an agreement with them covering processing and breach reporting procedures.
DATA STORAGE
We must have a legal reason to store personal data; otherwise we require consent. By consent, we will collect personal data when you register to use our services as an individual. If data is provided by a third party, we will be the data processor. If the information relates to addresses, then we will store the information by address. We must delete personal data if we do not have a legal basis or consent to store it. If there is a legal claim, then we have a legal basis to store the information. If we store personal data, we must have a clearly stated retention period and obtain consent.
Data must only be stored digitally on telephones or electronic items such as tablets or laptops which
Date: 30th April 2018
NEW SYSTEMS
We must carry out a risk assessment of any new or existing data system that may put the rights and freedoms of individuals at risk, and design new systems to be private and secure.
HR AND PERSONNEL
The same processing factors must be considered when processing employee personal data. Standard data is processed under contract in Article 6; special category data must only be processed with consent under Article 9.
LEGAL BASIS FOR PROCESSING DATA
Article 6
To process personal data one condition from Article 6 must apply.
• Consent (the individual has given clear consent for you to process their personal data for a specific purpose)
• Contract (necessary for a contract you have with the individual)
• Legal obligation (to comply with the law, not including contractual obligations)
• Vital interests (protecting someone’s life) CCTV?
• Public task (a task in the public interest or with a clear basis in law; public authorities)
• Legitimate interests (processing data in ways you would reasonably expect, with minimal privacy impact on individuals’ rights and freedoms)
Special Category Data – Sensitive Data
• Racial or ethnic origin
• Political opinion
• Religious or philosophical beliefs
• Trade union membership
• Genetic Data
• Biometric data
• Health
• Sex life
• Sexual orientation
We will only share your data with our employees or sub-contractors instructed by us to carry out work in relation to your request. We will not use your data for any other purpose.
TO PROCESS SPECIAL CATEGORY DATA WE MUST HAVE A CONDITION UNDER ARTICLE 6 ABOVE AND ARTICLE 9 BELOW
Article 9
• Consent
• Vital interests (protecting someone’s life)
• Obligation under employment, collective agreement, social security or social protection law
• Not-for-profit bodies (carrying out legitimate activities with safeguards in place; consent required for disclosure outside the organisation)
• Already made public
• Legal claims
• Substantial public interest
• Health
• Public health
• Archiving (In the public interest)
In most cases, to process Special Category Data we will need to rely on Consent, as the other conditions do not generally apply.
CONSENT
• Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in.
• Consent cannot be inferred from silence, pre-ticked boxes or inactivity.
• Consent can be withdrawn at any time in writing either by email or letter.
INDIVIDUALS’ RIGHTS
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing (inaccurate, unlawful, legal claim)
• The right to data portability (you return data after use on paper, memory stick, etc.)
• The right to object (legitimate interests, research purposes - except public task)
• The right not to be subject to automated decision-making including profiling
DATA BREACHES
If a data breach occurs, we must ensure that every effort is made to rectify or mitigate the loss immediately.
All people concerned must be notified about the breach of their data within 24 hours.
Data breaches must be reported to the ICO within 72 hours, but only where the breach is likely to result in a risk to the rights and freedoms of individuals, i.e. if it could result in:
• Discrimination,
• Damage to reputation,
• Financial loss,
• Loss of confidentiality,
• Any other significant economic or social disadvantage.
For serious breaches, phone 0303 123 1113.
Otherwise, email the Data Protection Act security breach notification form (a GDPR version is not yet available).