CMS Chemstore Engineering Ltd is committed to conducting its business in accordance with all applicable Data Protection laws and regulations in line with the highest standards of ethical conduct.
This policy outlines the expected behaviours of CMS Chemstore Engineering Ltd employees and any third parties in relation to the use, retention, disclosure, transfer and destruction of any personal data belonging to a Data Subject CMS Chemstore Engineering Ltd is associated with.
Organisational methods for keeping data secure are essential and CMS Chemstore Engineering Ltd believes that it is good practice to keep clear records supported by strong procedures. Line managers are responsible for ensuring compliance with the principles of the GDPR and for adhering to CMS Chemstore Engineering Ltd’s Data Protection Policy.
This policy is designed to comply with the requirements set out under the General Data Protection Regulations (GDPR).
This policy will be implemented in conjunction with the other CMS Chemstore Engineering Ltd Data Privacy documents including:
|Data||Information in a form that can be processed. It includes both automated data and manual data.|
|Automated data||Any information on computer or information recorded with the intention of putting it on a computer.|
|Manual data||Information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.|
|Data Controller||A person who (either alone or with others) controls the contents and use of personal data. A data controller is the individual or the legal person who controls and is responsible for the keeping and use of the personal information on computer or in a structured manual file.|
|Data Processor||A person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment. If an organisation or person holds or processes personal data but does not exercise responsibility for or control over the personal data, then they are deemed to be a “data processor”.|
|Data Protection Officer (DPO)||A CMS Chemstore Engineering Ltd officer with responsibility for the Data Protection compliance of the organisation.|
|Data Subject||A data subject is an individual who is the subject of personal data that is held by a data controller or processed by a data processor.|
|Data Protection Impact Statement (DPIA)||A DPIA describes the process designed to identify the risks arising out of the processing of personal data and minimisation of these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance, including ongoing compliance, with the GDPR.|
|GDPR||The new EU General Data Protection Regulations (GDPR) – Regulation 2016/679 which comes into effect in May 2018 and replaces the current Data Protection Directive 95/46/EC and the Irish Data Protection Acts.|
|Personal data||Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of a data controller.|
|Processing||Processing means performing any operation or set of operations on data, including: obtaining, recording or keeping data; collecting, organising, storing, altering or adapting the data; retrieving, consulting or using the data; disclosing the information or data by transmitting; disseminating or otherwise making it available; aligning, combining, blocking, erasing or destroying the data.|
|Retention Policy||How long will CMS Chemstore Engineering Ltd hold an individual’s personal data? This will be influenced by a number of factors. Data must be retained for the least amount of time and will be stored securely and deleted at the appropriate time.|
|Sensitive Personal Data||Any personal data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.|
Pursuant to the GDPR, the personal data that CMS Chemstore Engineering Ltd holds will be:
Legal Basis for collecting data
CMS Chemstore Engineering Ltd will process Personal Data in accordance with all applicable laws and contractual obligations. CMS Chemstore Engineering Ltd will not process personal data unless at least one of the following requirements is met:
Rights of Users
Right to be informed.
The privacy notice supplied to individuals in regard to the processing of their personal data will be written in clear, plain language which is concise, transparent and easily accessible.
Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided. Where data is not obtained directly from that data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.
Right to access. Any Data Subject may contact CMS Chemstore Engineering Ltd to confirm whether or not the Data Subject’s personal data is being processed. The categories of personal data processed will be clarified as well as the purposes for processing, the categories of recipients to whom personal data have been or will be disclosed and the envisaged storage period or criteria to determine that period. Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged. All requests will be responded to without delay and at the latest, within one month of receipt.
Right to withdraw consent. Where consent is the basis for the processing of data the Data Subject may withdraw the consent at any time by contacting the DPO.
Right to rectification. Any Data Subject has the right to have inaccurate or incomplete personal data stored about them rectified. Requests for rectification will be responded to within one month; this will be extended by two months where the request is complex.
Right to object. Where processing is based on a legitimate interest to run, maintain and develop the business of CMS Chemstore Engineering Ltd, any Data Subject has the right to object at any time to processing of the Data Subject’s personal data unless for the provision of business or if CMS Chemstore Engineering Ltd demonstrates other compelling legitimate grounds for processing that override the Data Subject’s interests, rights and freedoms, or for legal claims. Notwithstanding any consent granted beforehand for direct marketing purposes, any Data Subject has the right to prohibit CMS Chemstore Engineering Ltd from using his/her personal data for direct marketing purposes, by contacting the DPO or by unsubscribing from direct marketing messages.
Right to restriction of processing. Individuals have the right to block or suppress CMS Chemstore Engineering Ltd processing of personal data. The processing of personal data will be restricted:
Right to data portability. Any Data Subject has the right to receive the Data Subject’s personal data from us in a structured, commonly used and machine-readable format.
Right to erasure. Data Subjects may request the deletion or removal of personal data where there is no compelling reason for its continued processing. This would include:
CMS Chemstore Engineering Ltd may object to a request for erasure:
Privacy Impact Assessment (PIA) and Data Protection Design
PIAs are compulsory under the GDPR. A PIA is essentially a risk assessment of proposed processing of personal data that is likely to result in a high risk to the data subject’s rights. A PIA must be carried out prior to commencing that processing. It should be noted that if CMS Chemstore Engineering Ltd comes to the attention of the Office of the Data Protection Commissioner, the PIA will be the first line of defence.
Conducting a PIA will improve awareness in CMS Chemstore Engineering Ltd of the data protection risks associated with a project. Carrying out a PIA is good practice and a useful tool to help CMS Chemstore Engineering Ltd as Data Controller to comply with protection law. This will help to improve the design of your project and enhance your communication about data privacy risks with relevant stakeholders. Some of the benefits of conducting a DPIA are as follows:
Data Protection by design means embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.
Data Protection Officer (DPO)
A DPO will be appointed to:
The DPO will report to the highest level of management at CMS Chemstore Engineering Ltd. Sufficient resources will be provided to the DPO to enable them to meet their GDPR requirements.
Direct marketing can be described as the communication (by whatever means) of any advertising or marketing material which is directed at particular individuals. Consent is central to the rules on direct marketing and CMS Chemstore Engineering Ltd will strive to obtain an individual’s consent before sending any marketing material. To be valid, consent must be knowingly and freely given, clear and specific. CMS Chemstore Engineering Ltd will keep a clear record of what has been consented to, and when and where this consent has been obtained, so that compliance may be demonstrated in the event of a complaint.
The clearest way of obtaining consent is to invite the customer to tick an opt-in box confirming that they wish to receive marketing messages via specific channels. CMS Chemstore Engineering Ltd will strive, in conjunction with their IT Support, to ensure that communication involves a positive action on the part of the individual to consent to direct marketing. There will be a clear and positive statement explaining that the action indicates consent to receive marketing messages from CMS Chemstore Engineering Ltd. Best practice is to provide an unticked opt-in box and invite the person to confirm their agreement by ticking. CMS Chemstore Engineering Ltd will ensure that the language used is clear and easy to understand.
The right to object to marketing is absolute and CMS Chemstore Engineering Ltd must stop processing for these purposes when someone objects. This is so for business to business marketing.
Data Access Request (DAR) and Data Rectification or Deletion Requests (DRDR) – Procedures
Data Protection Training
All CMS Chemstore Engineering Ltd employees that have access to Personal Data will have their responsibilities under this policy outlined to them as part of their staff induction training.
Further information and guidance can be obtained on the Data Protection Commissioner’s website www.dataprotection.ie.
In the course of its role as Data Controller, CMS Chemstore Engineering Ltd engages a number of Data Processors to process Personal Data on its behalf. In each case, a formal, written contract is in place with the Processor, outlining their obligations in relation to the Personal Data, the specific purpose or purposes for which they are engaged, and the understanding that they will process the data in compliance with the Irish Data Protection legislation and the GDPR.
These Data Processors include:
– FBS Business Systems
– Pegasus Opera
– O’Carroll Crane Hire & Haulage
– Aqua Trans International Ltd.
– Gore Transport
This list may be amended as required.
Sending Personal Data Outside the EEA
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
CMS Chemstore Engineering Ltd will transfer personal data only where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
CMS Chemstore Engineering Ltd will use Model Contract Clauses, Binding Contract Rules or Binding Corporate Rules for Processor or other contractual arrangements in order to establish adequate safeguards to protect the rights and provide remedies to Data Subjects where their data is transferred outside the EEA.
Data Protection Breach
Any loss of personal data in paper or digital format will be responded to and managed in accordance with CMS Chemstore Engineering Ltd data Security Breach Procedures and in compliance with the provisions set out in the Data Protection Commissioner’s personal data Security Breach Code of Practice and available at https://www.dataprotection.ie/docs/Data_Security_Breach_Code_of_Practice/1082.htm
It is essential that all incidents (including suspected incidents) which give rise to the risk of unauthorised disclosure, loss, destruction or alteration of personal data are reported without delay to the DPO.
Incidents can include:
A data protection breach can happen for a number of reasons, including:
In the event of a data breach happening, the DPO must be notified immediately. It must not be assumed that someone else has already notified the breach.
The breach should be notified using a Personal Data Security Breach Form set out in Appendix 1 of this policy.
The DPO will assess the breach and make a decision on the next steps to be taken.
After a review of the breach by the DPO, if the data breached affects the rights of a data subject, the DPO will inform the Office of the Data Protection Commissioner of the breach within 72 hours of CMS Chemstore Engineering Ltd becoming aware of the breach.
A summary of any data breach that occurs, containing the facts relating to the personal data breach, its effects and the remedial action taken, will be recorded in a log maintained by the DPO.