Privacy Policy – Compliance With General Data Protection Regulation (GDPR)

May 24, 2018

Data Protection Policy

CMS Chemstore Engineering Ltd is committed to conducting its business in accordance with all applicable Data Protection laws and regulations in line with the highest standards of ethical conduct.

This policy outlines the expected behaviours of CMS Chemstore Engineering Ltd employees and any third parties in relation to the use, retention, disclosure, transfer and destruction of any personal data belonging to a Data Subject CMS Chemstore Engineering Ltd is associated with.

Organisational methods for keeping data secure are essential, and CMS Chemstore Engineering Ltd believes that it is good practice to keep clear records supported by strong procedures.  Line managers are responsible for ensuring compliance with the principles of the GDPR and for adhering to CMS Chemstore Engineering Ltd’s Data Protection Policy.

This policy is designed to comply with the requirements set out under the General Data Protection Regulations (GDPR).

This policy will be implemented in conjunction with the other CMS Chemstore Engineering Ltd Data Privacy documents including:

  1. The Data Protection Notice
  2. Data Processor Agreements
  3. Data Protection Impact Statement

Definitions

Data: Information in a form that can be processed.  It includes both automated data and manual data.

Automated data: Any information on computer or information recorded with the intention of putting it on a computer.

Manual data: Information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.

Data Controller: A person who (either alone or with others) controls the contents and use of personal data.  A data controller is the individual or the legal person who controls and is responsible for the keeping and use of the personal information on computer or in a structured manual file.

Data Processor: A person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his employment.  If an organisation or person holds or processes personal data but does not exercise responsibility for or control over the personal data, then they are deemed to be a “data processor”.

Data Protection Officer (DPO): A CMS Chemstore Engineering Ltd officer with responsibility for the Data Protection compliance of the organisation.

Data Subject: An individual who is the subject of personal data that is held by a data controller or processed by a data processor.

Data Protection Impact Statement (DPIA): A DPIA describes the process designed to identify the risks arising out of the processing of personal data and to minimise these risks as far and as early as possible.  DPIAs are important tools for negating risk, and for demonstrating compliance, including ongoing compliance, with the GDPR.

GDPR: The new EU General Data Protection Regulations (GDPR) – Regulation 2016/679, which comes into effect in May 2018 and replaces the current Data Protection Directive 95/46/EC and the Irish Data Protection Acts.

Personal data: Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of a data controller.

Processing: Performing any operation or set of operations on data, including:

  • Obtaining, recording or keeping data;
  • Collecting, organising, storing, altering or adapting the data;
  • Retrieving, consulting or using the data;
  • Disclosing the information or data by transmitting it;
  • Disseminating or otherwise making it available;
  • Aligning, combining, blocking, erasing or destroying the data.

Retention Policy: How long will CMS Chemstore Engineering Ltd hold an individual’s personal data?  This will be influenced by a number of factors.  Data must be retained for the least amount of time, stored securely and deleted at the appropriate time.

Sensitive Personal Data: Any personal data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.

Principles

Pursuant to the GDPR, the personal data that CMS Chemstore Engineering Ltd holds will be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes and not processed in a manner which is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date. CMS Chemstore Engineering Ltd will take all reasonable steps to ensure that all data which are irrelevant for the purposes for which they are collected shall be deleted.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Held securely and protected against unauthorised or unlawful processing and against accidental loss or damage.

The DPO shall be responsible for, and be able to, demonstrate compliance and that the above principles are met, and shall give a copy of the Data Subject’s data on request or delete it where appropriate.

Legal Basis for collecting data

CMS Chemstore Engineering Ltd will process Personal Data in accordance with all applicable laws and contractual obligations.  CMS Chemstore Engineering Ltd will not process personal data unless at least one of the following requirements is met:

  1. The Data Subject has given consent to the processing of their personal data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
  4. Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
  6. Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a Third Party (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject).

Rights of Users

Right to be informed.

The privacy notice supplied to individuals in regard to the processing of their personal data will be written in clear, plain language which is concise, transparent and easily accessible.

Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.  Where data is not obtained directly from that data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.

Right to access. Any Data Subject may contact CMS Chemstore Engineering Ltd to confirm whether or not the Data Subject’s personal data is being processed. The categories of personal data processed will be clarified as well as the purposes for processing, the categories of recipients to whom personal data have been or will be disclosed and the envisaged storage period or criteria to determine that period.  Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged.  All requests will be responded to without delay and at the latest, within one month of receipt.

Right to withdraw consent. Where consent is the basis for the processing of data the Data Subject may withdraw the consent at any time by contacting the DPO.

Right to rectification. Any Data Subject has the right to have inaccurate or incomplete personal data stored about them rectified.  Requests for rectification will be responded to within one month; this will be extended by two months where the request is complex.

Right to object. Where processing is based on a legitimate interest in running, maintaining and developing the business of CMS Chemstore Engineering Ltd, any Data Subject has the right to object at any time to the processing of the Data Subject’s personal data, unless the processing is required for the provision of business, or CMS Chemstore Engineering Ltd demonstrates other compelling legitimate grounds for processing that override the Data Subject’s interests, rights and freedoms, or the processing is required for legal claims. Notwithstanding any consent granted beforehand for direct marketing purposes, any Data Subject has the right to prohibit CMS Chemstore Engineering Ltd from using his/her personal data for direct marketing purposes, by contacting the DPO or by unsubscribing from direct marketing messages.

Right to restriction of processing. Individuals have the right to block or suppress CMS Chemstore Engineering Ltd’s processing of their personal data.  The processing of personal data will be restricted:

  1. Where an individual contests the accuracy of the data held and CMS Chemstore Engineering Ltd is verifying the accuracy.
  2. Where an individual has objected to the processing and CMS Chemstore Engineering Ltd is considering whether its legitimate grounds override those of the individual.
  3. Where the processing is unlawful and the individual opposes erasure and requests restriction instead.
  4. Where CMS Chemstore Engineering Ltd no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.

Right to data portability. Any Data Subject has the right to receive Data Subject’s personal data from us in a structured, commonly used and machine-readable format.

Right to erasure. Data Subjects may request the deletion or removal of personal data where there is no compelling reason for its continued processing.  This would include:

  1. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  2. When the Data Subject withdraws their consent.
  3. When the Data Subject objects to the processing and there is no overriding legitimate interest for continuing the processing.
  4. Where the personal data was unlawfully processed.
  5. Where the personal data is required to be erased in order to comply with a legal obligation.

CMS Chemstore Engineering Ltd may object to a request for erasure:

  1. To exercise the right of freedom of expression and information.
  2. To comply with a legal obligation.
  3. For public health purposes in the public interest.
  4. For the exercise or defence of a legal claim.

Privacy Impact Assessment (PIA) and Data Protection Design

PIAs are compulsory under the GDPR.  A PIA is essentially a risk assessment of proposed processing of personal data that is likely to result in a high risk to the data subject’s rights.  A PIA must be carried out prior to commencing that processing.  It should be noted that if CMS Chemstore Engineering Ltd comes to the attention of the Office of the Data Protection Commissioner, the PIA will be the first line of defence.

Conducting a PIA will improve awareness in CMS Chemstore Engineering Ltd of the data protection risks associated with a project.  Carrying out a PIA is good practice and a useful tool to help CMS Chemstore Engineering Ltd, as Data Controller, to comply with data protection law. It will help to improve the design of the project and enhance communication about data privacy risks with relevant stakeholders. Some of the benefits of conducting a DPIA are as follows:

  • Ensuring and demonstrating that CMS Chemstore Engineering Ltd complies with the GDPR and avoids sanctions.
  • Inspiring confidence in the public by improving communications about data protection issues.
  • Ensuring data subjects are not at risk of their data protection rights being violated.
  • Enabling CMS Chemstore Engineering Ltd to incorporate “data protection by design” into new projects.
  • Reducing operation costs by optimising information flows within a project and eliminating unnecessary data collection and processing.
  • Reducing data protection related risks to CMS Chemstore Engineering Ltd.
  • Reducing the cost and disruption of data protection safeguards by integrating them into project design at an early stage.

Data Protection by design means embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.

Data Protection Officer (DPO)

A DPO will be appointed to:

  • Inform and advise CMS Chemstore Engineering Ltd and its employees about their obligations to comply with the GDPR and other data protection laws;
  • Monitor CMS Chemstore Engineering Ltd’s compliance with GDPR and other laws, including managing internal data protection activities, advising on data protection impact assessments, conducting internal audits and providing the required training to staff members.

The DPO will report to the highest level of management at CMS Chemstore Engineering Ltd.  Sufficient resources will be provided to the DPO to enable them to meet their GDPR requirements.

All enquiries should be made in writing to privacy@chemstore.ie or privacy@chemstore.co.uk.

Direct Marketing

Direct marketing can be described as the communication (by whatever means) of any advertising or marketing material which is directed at particular individuals. Consent is central to the rules on direct marketing, and CMS Chemstore Engineering Ltd will strive to obtain an individual’s consent before sending any marketing material.  To be valid, consent must be knowingly and freely given, clear and specific.  CMS Chemstore Engineering Ltd will keep a clear record of what has been consented to, and when and where this consent was obtained, so that compliance may be demonstrated in the event of a complaint.

The clearest way of obtaining consent is to invite the customer to tick an opt-in box confirming that they wish to receive marketing messages via specific channels.  CMS Chemstore Engineering Ltd will strive, in conjunction with their IT Support, to ensure that communication involves a positive action on the part of the individual to consent to direct marketing.  There will be a clear and positive statement explaining that the action indicates consent to receive marketing messages from CMS Chemstore Engineering Ltd.  Best practice is to provide an unticked opt-in box and invite the person to confirm their agreement by ticking.  CMS Chemstore Engineering Ltd will ensure that the language used is clear and easy to understand.

The right to object to marketing is absolute, and CMS Chemstore Engineering Ltd must stop processing for these purposes when someone objects. This applies equally to business-to-business marketing.

Data Access Request (DAR) and Data Rectification or Deletion Requests (DRDR) – Procedures

  1. All data access requests directed to CMS Chemstore Engineering Ltd must be in writing. On receipt of a request from a data subject please advise them to put the request in writing and address it to the relevant company officer (DPO).
  2. Ensure the letter of request is date-stamped on receipt. CMS Chemstore Engineering Ltd must reply to the request within 40 days of receipt of same.
  3. The relevant company officer must ensure that the request is valid and that sufficient identification has been provided to identify the data subject.
  4. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.
  5. If the request cannot be fully complied with within the time frame the DPO shall provide the following information to the Data Subject
    1. An acknowledgement of the receipt of the request
    2. Any information located to date
    3. Details for any requested information which will not be provided to the Data Subject, the reason(s) for refusal, and any procedures available for appealing the decision
    4. An estimated date by which any remaining responses will be provided
    5. An estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature)
    6. The name and contact details of the CMS Chemstore Engineering Ltd individual to be contacted for follow up.
  6. It should be noted that cases may arise where providing the information requested by the Data Subject would disclose Personal Data about another individual; in such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.
  7. A search should be undertaken within CMS Chemstore Engineering Ltd no matter what the format and all data identified should be reviewed by the DPO.
  8. A final decision on disclosure/deletion of the requested information will be taken by the DPO, in conjunction with any other Director of CMS Chemstore Engineering Ltd where appropriate and as required.
  9. The extracted data is collated into an easily understood format and sent by registered post to the Data Subject.
  10. For DRDR the information is deleted from each of the systems on which it is located, including shredding of hardcopy documents. The IT administrator should be informed that the information should be fully deleted from the system.
  11. The DPO will keep copies of all DAR and DRDR requests on a registered file.

Data Protection Training

All CMS Chemstore Engineering Ltd employees that have access to Personal Data will have their responsibilities under this policy outlined to them as part of their staff induction training.

Further information and guidance can be obtained on the Data Protection Commissioner’s website www.dataprotection.ie.

Third-Party Processors

In the course of its role as Data Controller, CMS Chemstore Engineering Ltd engages a number of Data Processors to process Personal Data on its behalf. In each case, a formal, written contract is in place with the Processor, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Irish Data Protection legislation and the GDPR.

These Data Processors include:

  • Salesforce
  • FBS Business Systems
  • Pegasus Opera
  • TNT
  • O’Carroll Crane Hire & Haulage
  • Aqua Trans International Ltd.
  • Gore Transport
  • Expeditors

This list may be amended as required.

Sending Personal Data Outside the EEA

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

CMS Chemstore Engineering Ltd will transfer personal data only where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

CMS Chemstore Engineering Ltd will use Model Contract Clauses, Binding Contract Rules or Binding Corporate Rules for Processor or other contractual arrangements in order to establish adequate safeguards to protect the rights and provide remedies to Data Subjects where their data is transferred outside the EEA.

Data Protection Breach

Any loss of personal data in paper or digital format will be responded to and managed in accordance with CMS Chemstore Engineering Ltd’s Data Security Breach Procedures and in compliance with the provisions set out in the Data Protection Commissioner’s Personal Data Security Breach Code of Practice, available at https://www.dataprotection.ie/docs/Data_Security_Breach_Code_of_Practice/1082.htm

It is essential that all incidents (including suspected incidents) which give rise to the risk of unauthorised disclosure, loss, destruction or alteration of personal data are reported without delay to the DPO.

Incidents can include:

  • Minor incidents which do not actually result in unauthorised disclosure, loss, destruction or alteration of personal data;
  • Major incidents for example: loss or theft of devices such as laptops, files or unauthorised access to the company environment.

A data protection breach can happen for a number of reasons, including:

  • Loss or theft of data or equipment on which data is stored
  • Loss or theft of documents
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as flood or fire
  • A hacking attack
  • Obtaining information from the organisation by deception
  • Misaddressing of e-mails
  • Improper dissemination of information

In the event of a data breach happening, the DPO must be notified immediately.  It must not be assumed that someone else has already notified the breach.

The breach should be notified using a Personal Data Security Breach Form set out in Appendix 1 of this policy.

The DPO will assess the breach and make a decision on the next steps to be taken.

After a review of the breach by the DPO, if the data breached affects the rights of a data subject, the DPO will inform the Office of the Data Protection Commissioner of the breach within 72 hours of CMS Chemstore Engineering Ltd becoming aware of the breach.

A summary of any data breach that occurs, containing the facts relating to the personal data breach, its effects and the remedial action taken, will be recorded in a log maintained by the DPO.
