This document defines the policy on Data Protection for Soltherm External Insulation Limited (the “Company”). It has the endorsement of the Board of Directors and will be regularly reviewed by the Board to ensure that it reflects any changes in applicable laws and developments in acceptable standards for the conduct of business.
Adherence to the clear guidelines set out in this policy will ensure that the Company and its employees comply with Data Protection laws.
1. Introduction to Data Subject Rights under GDPR
The General Data Protection Regulation (“GDPR”) gives Data Subjects certain rights in respect of the information which we hold on them. In brief these rights are:
The right to be informed;
The right of access;
The right to rectification;
The right to erasure;
The right to restrict processing;
The right to data portability;
The right to object; and
Rights in relation to automated decision making and profiling.
Much of the information relating to the right to be informed is contained in our website privacy notice and any other areas where we may provide privacy information e.g. our terms and conditions of service. The other Data Subject Rights you may be asked about directly. The most common right you will encounter is the right of access, which is also known as a Subject Access Request or SAR.
Not all of these Data Subject Rights apply in every circumstance, and not all of them can be fully complied with if requested. For example, the right to erasure is not absolute, and we may have to hold information on a Data Subject for legal reasons e.g. for submission to HMRC.
Where you receive a request for information from a Data Subject, please read the information below on that specific right before going on to read the section Data Subject Rights: How to Respond.
2. Common Provisions in Relation to the Rights
Timescales. Requests must be responded to without undue delay and in any event no later than one month after receiving the request from the Data Subject. The ICO has set out very detailed explanations on its website of how ‘one month’ is calculated, but as best practice we will reply to all requests as soon as possible, and in no event later than 28 days after receipt.
It may be possible to extend the time to respond by a further two months if the request is complex or we have received a number of requests from the same individual. In this case, we must let the individual know of our intention to extend the time to respond to the request. We must do this without undue delay and within one month of receiving their request, explaining why the extension is necessary.
Fees. We do not charge a fee for responding to requests, unless the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Where we consider that a request is manifestly unfounded or excessive we can:
request a "reasonable fee" to deal with the request; or
refuse to deal with the request.
In either case, Piotr Michalski makes this decision, which will need to be justified, and the reason for the decision must be communicated to the Data Subject.
Any ‘reasonable fee’ charged for the administrative costs of complying with the requests must be promptly communicated to the Data Subject, but we do not need to comply with the request until we have received the fee.
Where the Company Refuses a Request. In the event we refuse a request, we must inform the Data Subject without undue delay and within one month of receipt of the request, including:
the reasons we are not taking action/granting their request;
their right to make a complaint to the ICO; and
their ability to seek to enforce this right through a judicial remedy.
Where we request a reasonable fee or need additional information to identify the individual, we will also provide this information to the Data Subject.
How to Identify Requests. Requests may be made verbally or in writing. The Data Subject may not use the language of GDPR: they may ask for their details to be “corrected” or “deleted” rather than for “rectification” or “erasure”. The ICO recommends checking with the Data Subject that we have understood their request, as this can help avoid later disputes about how we have interpreted it. You should always log all requests (including verbal ones) and follow the procedures set out below in Data Subject Rights: How to Respond to a SAR.
3. SARs and the Company as Data Controller
As Data Controller, the Company holds quite considerable Personal Data on the individuals it works with, including special categories of Personal Data, for example health conditions. The Company has in place comprehensive employee training on GDPR, which includes security awareness training and simulated phishing attacks, with targeted follow-up training for those who fall for a simulation. Front line employees who will in the main deal with any SARs also receive basic training on what a SAR is and how to respond to one, as set out in the SAR Response Document below.
4. The Right to be Informed
Data Subjects must be provided with information about the collection and use of their data. We do this at the time we collect personal data from them: this is the sort of information we provide in our website privacy notice and also in our terms of business.
Where we collect data about a Data Subject from another source, for example from a local authority, we must provide the Data Subject with our privacy information no later than one month from our receipt of their details.
The Right of Access
Introduction to the Right of Access
Recital 63 of the General Data Protection Regulation (‘GDPR’) states that Data Subjects should be able to verify the lawfulness of any processing of data held on them. To give effect to this, Articles 12 and 15 give individuals a right of access to their information.
A right of access request will typically include the following:
(a) A request for confirmation from the Data Controller that the individual’s data is being processed by them;
(b) A request for the information held on the individual by the Data Controller; and
(c) A request for any supplementary information. This is by virtue of Article 15 and roughly corresponds to the information contained within the Controller’s Privacy Notice.
When replying to a request for the right of access, the supplementary information under point (c) above follows the privacy notice checklist, which includes:
The name and contact details of the Company;
The contact details of our data protection officer (if applicable).
The purposes of the processing.
The lawful basis for the processing.
The legitimate interests for the processing (if applicable).
The categories of Personal Data obtained (if the Personal Data is not obtained from the individual it relates to).
The recipients or categories of recipients of the Personal Data.
The details of transfers of the Personal Data to any third countries or international organisations (if applicable).
The retention periods for the Personal Data.
The rights available to the Data Subject in respect of the processing.
The right to withdraw consent (if applicable).
The right to lodge a complaint with a supervisory authority.
The source of the Personal Data (if the Personal Data is not obtained from the individual it relates to).
The details of whether the Data Subject is under a statutory or contractual obligation to provide the Personal Data (if applicable, and if the Personal Data is collected from the individual it relates to).
The details of the existence of automated decision-making, including profiling (if applicable).
Right to Rectification
The right to rectification is contained in Article 16 of GDPR and gives the Data Subject the right to have inaccurate Personal Data rectified without undue delay. Depending on the purposes of the processing, the Data Subject shall also have the right to have incomplete Personal Data completed. This right will most commonly be exercised when the Data Subject has either been contacted using incorrect details, or where a SAR response has been received and the Data Subject notices that details about them are wrong.
Requests for rectification should not be problematic, but as a matter of good practice we will automatically restrict processing while an investigation is carried out. This may be requested by the Data Subject when asking for rectification, but it may not. You should always follow the procedure below in the section Data Subject Rights: How to Respond to a SAR.
The Right to Erasure
The right to erasure (the right to be forgotten) is contained within Article 17 of GDPR, which provides that a Data Subject shall have the right to have Personal Data erased without undue delay, where one of these grounds applies:
(a) The Personal Data is no longer necessary for the purposes for which it was collected;
(b) The Data Subject withdraws consent and there is no other lawful right of process;
(c) The Data Subject objects to processing carried out in the public interest or on the basis of the legitimate interests of the Controller/a third party, AND there are no overriding legitimate grounds for the processing, or the Data Subject objects to processing for direct marketing;
(d) The Personal Data has been unlawfully processed; or
(e) Erasure is required for the Data Controller to comply with an EU or Member State law.
Most of the conditions set out above make reference to the lawful right of process – that is, the basis on which the Company processes the information of the Data Subject. The most common lawful rights of process on which the Company may hold Personal Data are contract, consent and legitimate interest.
Lawful Right of Process is Contractual. Where we have entered into a contract with the Data Subject, points (a) to (c) do not apply, and you should not agree to erase data for the following reasons:
Some of the data will be required to comply with UK law e.g. records for taxation;
As we operate in a highly regulated industry, it is essential that we can account for our actions and that all contact with the Data Subject is recorded in detail.
Provided the contract is valid, point (d) will not apply and it would be very rare for point (e) to apply. In both these cases significant investigation would need to be carried out before we would agree to erase data.
Lawful Right to Process is Consent. This would most commonly be the case where a Data Subject has been in contact with us e.g. by filling in a contact form on our website, but has not yet signed a contract and is not yet a client. In this case, points (a), (b) or (d) may apply. The data we hold is likely to be minimal and restricted to contact details, though this may not always be the case. Where the lawful right of process is consent, the Data Subject may have a strong case for erasure.
Lawful Right to Process is Legitimate Interest. This is rarely a lawful right to process that the Company would use in relation to Personal Data, however it may exist as regards contact details used for marketing where no other right of process has been identified. Where this is the case, points (c) and (d) may apply and the Data Subject may be entitled to erasure.
The right to erasure is complex, and once data is erased we cannot get it back should we need it. Before you respond to this request you must always check with Justyna Szymanska, following the procedures set out below in Data Subject Rights: How to Respond to a SAR.
The Right of Restriction of Processing
The Company may be restricted from processing Personal Data where:
The accuracy of the Personal Data is contested: we must then restrict processing for the period it takes us to verify the accuracy of the data;
Processing is unlawful, but instead of requesting erasure, the Data Subject requests processing to be restricted instead;
We no longer need the data for the purposes of processing, but the Data Subject requires us to keep it for the establishment, exercise or defence of legal claims; or
The Data Subject has objected to processing their data under the right to object (Article 21(1)), and we are considering whether our legitimate grounds to use the data overrides the rights of the Data Subject.
This is not an absolute right and it only applies in the circumstances set out above. Where it does apply (and where we are investigating a request for this right), we are able to store data, but not to use it e.g. we cannot use an e-mail address for marketing, but it can remain on our CRM system where it should be marked as restricted and its use prohibited.
Where a request for this right has been investigated and we have decided that it is not valid, we must justify our decision and we must tell the Data Subject of our decision before we resume processing the data.
Where a request for restriction is successful, we must inform any third parties with whom we have shared that data, as they will also need to restrict their use of it. This must be done unless it is impossible or involves disproportionate effort.
This right is very closely aligned with the right to rectification and the right to object.
The Right to Data Portability
Data portability means that where the Data Subject provided the Company with Personal Data, they then have the right to receive their Personal Data from us in a commonly used, machine readable format. The Data Subject can also ask us to transmit their Personal Data directly to another Data Controller. This right applies where:
Lawful right of processing is gained by consent or for the performance of a contract; and
The processing is carried out by automated means (i.e. excluding paper files).
This right only applies to information provided to us, not to additional data we may have created from that e.g. a user profile. It also applies to raw data e.g. meter readings.
The Right to Object
Data Subjects have the right to object to:
(a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
(b) direct marketing (including profiling); and
(c) processing for purposes of scientific/historical research and statistics.
Where we receive an objection to processing Personal Data as regards point (a) we must stop processing unless we can demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the individual) or the processing is for the establishment, exercise or defence of legal claims.
Where we receive an objection to processing Personal Data as regards point (b) we must stop processing the data for direct marketing as soon as we receive the objection: there are no exemptions or grounds to refuse. We ensure that all our marketing materials include the option to opt out of/object to direct marketing, in addition to this being set out in our privacy notice.
We only use legitimate interest as a legal right to process in limited circumstances, therefore the most common right to object we will receive will be as regards direct marketing.
Rights in relation to Automated Decision Making and Profiling
Automated decision making is defined as being where decisions are made with no human involvement. Profiling is the automated processing of personal data to evaluate certain things about an individual.
At the Company we do not carry out profiling or automated decision making therefore we do not need to consider the GDPR provisions applicable to them.
5. Data Subject Rights: How to Respond to a SAR
Although unusual, as the Company acts as a Data Controller you may at some point encounter one or more of the Data Subject Rights listed above. The most common will be the Right of Access, and this may be the starting point for the Data Subject going on to exercise other rights. Requests to exercise Data Subject Rights are commonly referred to as Subject Access Requests or SARs, but when responding it is important that you identify exactly which rights have been requested within the SAR.
The correct procedure for dealing with a SAR is as follows:
Notify Justyna Szymanska that a SAR has been received and document the date and time of the SAR and its details in the SAR Log-sheet. SARs must be responded to within one month of receipt and it is essential that the SAR is not ignored or forgotten about.
The identity of the Data Subject issuing the SAR must be confirmed using reasonable means. Please check with Justyna Szymanska for confirmation of what is ‘reasonable’ in each individual circumstance, but this could for example include contacting the Data Subject using the contact details we already hold for them on our CRM system (not details supplied only in the request itself) to confirm that they sent the SAR to us.
Using the CRM system, confirm that we do indeed hold information on the Data Subject and that we are processing their data. The CRM system should indicate where to find the information we store on the Data Subject, for example the CRM system itself for contact details or the finance system for payment processing. Check for any supplementary information on the Data Subject, such as information which may be contained in e-mails, including attachments.
You should always contact the staff member in the Company who has had the most recent contact with the Data Subject. This can provide you with valuable information that may not be obvious from the CRM system, such as whether there is indeed supplementary information contained in e-mails, or if the Data Subject seemed unduly upset or has special needs.
Remember that due to our compliance with the data minimisation requirements of GDPR, in addition to technological restrictions, we do not store certain information for longer than required to meet our statutory or regulatory obligations. If a SAR cannot locate information on an individual, even if they exist in the CRM and/or finance system, it may be that all other information on them has been deleted in compliance with data minimisation.
If it appears that the information requested in a SAR is excessive or manifestly unfounded, or that there are SARs which are repetitive in nature from the same Data Subject, discuss with Justyna Szymanska on how to proceed. It may be that the SAR is refused or that we charge a reasonable fee that reflects the administrative costs of supplying the information requested in the SAR.
Where the request is denied, this must be done within one month, providing reasons for the decision to deny the request and informing the individual of their right to complain to the supervisory authority (the ICO) and also their right to a judicial remedy.
Where the individual makes the SAR electronically, unless otherwise requested, return the information by e-mail in a commonly used electronic format e.g. a CSV file.
Always request that the individual confirms to us receipt of the information we provide and log the confirmation received in the SAR Log-sheet.
Every Data Subject Right is different in nature. The SAR we most commonly anticipate is the right of access, which can involve quite a lot of detail where there is a request for supplementary information. The right to restrict processing and the right to erasure require more complex decisions which will be undertaken by Justyna Szymanska.
6. Data Subject Rights Log-sheet
The Log-sheet records the following for each request (example entries in square brackets):
Date request received & date it must be responded by: [Date] & [Date]
Do we hold information on this individual: [Yes/No]
Name, email & confirm ID checked: [Name], [e-mail], ID checked on [Date]
Departments holding information: [e.g. only contact details held on CRM. No finance as did not sign on as client]
Fee charged or request refused (see section 2): [Fee / Refused / None]
Type of response: [e.g. Rectification of wrong postcode] [e.g. Erasure [complied with] [not complied with because .......]]
Date of response & confirm receipt: [Date] & [Date receipt confirmed]
7. Introduction to the Company’s Data Breach Policy & Response Plan
The Company takes data protection very seriously. All staff are trained in how to recognise and respond to a suspected Data Breach and are required to adhere to our strict data security requirements at all times, the details of which form part of our employment handbook.
Nominated Person Contact Details in the Event of a Data Breach
In the event that you suspect there has been a Data Breach, it is important that this policy is followed so that we can deal with the breach in the appropriate way. We believe in working in an open and honest manner, with a ‘no blame’ culture. We will investigate all suspected Data Breaches thoroughly in order to (a) be compliant with the General Data Protection Regulation (‘GDPR’); (b) uphold the rights of the individuals and organisations we hold Personal Data on; and (c) learn from our mistakes.
If you do not understand any parts of the policy, please contact Justyna Szymanska for clarification.
How to recognise a Data Breach
A Data Breach may not always be obvious. The UK regulator – the ICO - has issued a useful definition of a Data Breach as follows:
A Data Breach can be ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.’
Therefore, a Data Breach can include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a Data Controller or Data Processor;
sending Personal Data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of Personal Data without permission; and
loss of availability of Personal Data.
Reporting a Data Breach
Where you suspect a Data Breach it must be reported to Justyna Szymanska, no matter how small or insignificant the breach may appear. Once it has been confirmed that a Data Breach has occurred, it will be logged in the Data Breach Register and you may then be asked to help investigate how the breach occurred. Reporting is important, not only to comply with the relevant legislation, but also because if even seemingly insignificant Data Breaches are reported and recorded, this may help identify how we can improve our data security, systems and procedures overall.
9. Data Breach Response Plan for GDPR
The supervisory authority for the Company is: The ICO
Once a Data Breach is reported to Justyna Szymanska, the steps of the response plan for the Company are as follows:
Justyna Szymanska, together with any other applicable parties, will form a Breach Assessment Team (‘BAT’).
The BAT will take immediate steps to fix or mitigate the problem while the potential Data Breach is being investigated, in order to safeguard all data which the Company holds.
The BAT will immediately begin a preliminary investigation into the potential Data Breach, bearing in mind the time limits for breach notification: for GDPR this is 72 hours from when the Company became aware of the breach.
The Breach will be logged in the Company’s Record of Data Breaches and the BAT will determine whether a Data Breach has actually occurred and if so, the type of breach, severity of the breach and the next steps to take;
Where the BAT considers that the breach is likely to result in a risk to the rights and freedoms of individuals (and so is a notifiable Data Breach under GDPR), the BAT will immediately, and within 72 hours of the Company becoming aware of the Data Breach:
Contact the client whose data is involved in the Data Breach (where applicable); and
Report the Data Breach to ICO, either by telephone or electronically.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the Company must inform those individuals without undue delay.
Informing the ICO by Telephone
BAT will gather the preliminary information required by the ICO and will provide this both to the ICO and any clients whose data is involved in the Data Breach. The ICO will ask the following questions:
what has happened;
when and how you found out about the breach;
the people that have been or may be affected by the breach;
what you are doing as a result of the breach; and
who they should contact if they need more information and who else has been told.
As the investigation of the breach progresses and more information is available, it should be communicated to the ICO and any other interested parties. Under the GDPR the Company will need to provide the ICO with the following details in conjunction with any other interested parties:
a description of the nature of the personal data breach including, where possible:
the categories and approximate number of individuals concerned; and
the categories and approximate number of personal data records concerned;
the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Justyna Szymanska, as the authorised person, will be responsible for leading the investigation into the breach and for informing interested third parties such as the police, insurers, bank or credit card companies in order to mitigate the effects of the breach.
Where the ICO does NOT need to be Informed
Where the Data Breach is unlikely to result in a risk to the rights and freedoms of individuals and does not involve the data of clients, e.g. the internal employee telephone list has been deleted and can be restored, then the ICO does not have to be informed. However, the breach must still be logged in the Company’s Record of Data Breaches, and steps taken to minimise human error and reduce the possibility of the same type of breach occurring again.
Record of Data Breaches
This is an Excel file. Justyna Szymanska holds the up to date copy and will provide you with the file if you need to log a minor Data Breach as set out above.