DATA PROTECTION POLICY
GENERAL DATA PROTECTION REGULATION
This Policy sets out the obligations of Futura Electronics Ltd (“the Company”) regarding data protection and the rights of employees, service providers (contractors/sole traders) and business contacts (“data subjects”). This includes obligations in dealing with personal data, in order to ensure that the organisation complies with the requirements of the relevant Irish legislation, namely the General Data Protection Regulation (GDPR), which replaced the Irish Data Protection Act (1988) and the Irish Data Protection (Amendment) Act (2003) (the Acts) as and from 25th May 2018.
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by the Company’s employees, agents, contractors or other parties working on behalf of the Company.
The policy covers both personal and sensitive personal data held in relation to data subjects by the Company and applies equally to personal data held in manual and automated form.
All personal and sensitive personal data will be referred to simply as personal data in this policy, unless specifically stated otherwise.
This policy should be read in conjunction with the associated:
• Subject Access Request procedure
• The Data Retention and Destruction Schedule
• Procedures for Engaging Data Processors
• The Data Security Breach Notification procedure
• Data Security Policy
• Data Incident Log
• Awareness staff training records
3. The Data Protection Principles
This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. Article 5 in the GDPR states that all personal data must be:
a) Processed lawfully, fairly and in a transparent manner in relation to the data subject;
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
g) Article 5(2) states that the Controller is responsible for and must be able to demonstrate compliance with the Data Protection Principles.
3.a. Lawful, Fair and Transparent Data Processing
1) The Regulation seeks to ensure that personal data is processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject. The Regulation states that processing of personal data shall be lawful if at least one of the following applies:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which the controller is subject;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Company will ensure that at least one of the conditions outlined above will be satisfied whenever any processing activities take place.
The Company will also ensure that, if it is processing special category data, it will identify both a lawful basis for general processing and an additional condition for processing this type of data. The additional conditions are as follows:
Employment law – processing necessary in the context of employment law, or laws relating to social security and social protection.
Vital interests – processing necessary to protect vital interests of the data subject (or another person) where the data subject is incapable of giving consent.
Charity or not-for-profit bodies – processing is carried out in the course of the legitimate activities of these bodies, with respect to their own members, former members, or persons with whom they have regular contact in connection with their purposes.
Data manifestly made public by the data subject
Legal claims – processing necessary for the establishment, exercise, or defence of legal claims, or for courts acting in their judicial capacity.
Reasons for substantial public interest – processing necessary for this and occurs on the basis of a law that is proportionate to the aim pursued and protects the rights of data subjects.
Medical diagnosis and treatment – processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services.
Public health – processing necessary for reasons of public interest in the area of public health.
Historical, statistical or scientific purposes – processing necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards e.g. anonymised data.
Exemptions under national law – Member States may maintain or introduce further conditions, including limitations with regard to genetic data, biometric data or health data.
2) In order to obtain personal data fairly and in a transparent manner, the Company will make the data subject aware of the following at the time the data is collected directly:
Identity of the controller and the data protection officer (or equivalent).
Purpose and legal basis for processing. An explanation of the legitimate interest of the Company will be provided if it is being used as the legal basis.
Data subject’s rights to withdraw consent, request access, rectification or restriction of processing.
Data subject’s right to complain to the Data Protection Commissioner’s Office.
Recipients of the personal data.
Storage periods or criteria used to determine the length of storage.
Legal basis for intended international transfer of data to a third country or organisation, including the fact that either the receiving country has an adequacy decision from the Commissioner or other appropriate safeguards are in place and how to obtain a copy.
In situations where the data is not being collected directly from the data subject, the Company will provide the source along with the other information listed above to the data subject within a reasonable period after obtaining the data but not more than one month. Information will not be provided to the data subject if it will require disproportionate effort or it would render it impossible or seriously impair the purpose of the data processing.
The Company will place a Fair Processing Notice in a highly visible position, if it intends to record activity on CCTV or video.
The Data Subject’s data will not be disclosed to a third party other than to a party contracted to the Company and operating on its behalf.
3.b. Processed for Specified, Explicit and Legitimate Purposes
The Company follows this purpose limitation principle and only collects and processes personal data for the specific purposes set out in the “Record of Processing Activities” document held by the Company, see 3.g. below. The purposes for which we process personal data will be communicated to data subjects at the time their personal data is collected or, where the data is obtained from a third party, within one month of obtaining it.
The Company will not further process personal data in a manner that is incompatible with those purposes unless:
the consent of the data subject has been obtained, or
the further processing is for archiving purposes in the public interest or for scientific, historical research or statistical purposes, the appropriate safeguards are in place and there is no risk of breaching the privacy of the data subject.
3.c. Adequate, Relevant and Limited Data Processing
The Company follows this data minimisation principle and only collects and processes personal data for, and to the extent necessary for, the specific purpose(s) communicated to data subjects.
3.d. Accuracy of Data and Keeping Data Up to Date
The Company will ensure that all personal data collected and processed is kept accurate and up to date. The accuracy of data will be checked when it is collected and the data will thereafter be kept up to date, as set out below. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate. If the Company has disclosed the personal data in question to third parties, the Company will inform them of the rectification where possible.
The Company will remind employees on an annual basis to inform the Company of any changes to their details.
If the lawful basis for a processing activity is consent, the Company will review and refresh it at appropriate intervals, taking into account the particular context, including people’s expectations, whether we are in regular contact, and how disruptive repeated consent requests would be to the individual. The Company will also consider whether refreshing consent more frequently would maintain a good level of trust and engagement, but it will in any event refresh consent every two years. Consent will also be refreshed whenever anything changes.
The Company will ensure that, once consent has been received from the data subject for further marketing, there will thereafter be an “unsubscribe” facility on all further correspondence, allowing the data subject to withdraw consent.
The Company will amend inaccurate data which has been notified to the Company by the Data Subject or which is revealed as a result of a subject access request.
3.e. Timely Processing
The Company follows this storage limitation principle and does not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed.
The Company will verify whether statutory data retention periods exist in relation to the type of processing, e.g. personal data may need to be kept in order to comply with tax, health and safety, or employment regulations. If the law is silent, internal data retention periods will be set to meet the storage limitation principle.
Retention periods will be set considering the purpose or purposes for which the data is collected and used, and once the storage periods expire, data will be securely deleted/destroyed in the absence of a sound new lawful basis to retain it. However, personal data may be stored for longer periods by the Company insofar as the personal data will be processed solely for archiving purposes in the public interest, or for scientific, historical research or statistical purposes, provided that appropriate safeguards are in place, i.e. the data is irreversibly anonymised.
Under the GDPR, organisations are obliged to demonstrate that their processing activities are compliant with the Data Protection Principles. The principle of accountability seeks to guarantee the enforcement of the Principles.
The Company will demonstrate compliance in the following ways:
By keeping an internal record of all personal data collected, held or processed as per Article 30 - “Records of Processing Activities”. Upon request, these records will be disclosed to the Data Protection Commissioner’s Office.
When the Company is acting as a Data Controller this record will contain the following:
• Name of Controller
• Categories of personal data and data subjects
• Elements of personal data included within each data category
• Source of the personal data
• Purpose for which the personal data is processed
• Electronic / Manual data
• Legal basis for each processing purpose
• Special categories of data
• Whether data is transferred to a third country
• How it is transferred to a third country
• Name of third country
• Safeguards for transfer to third country
• Retention period
When the Company is acting as a Data Processor this record will contain the following:
• Name of Controller
• Name of Data Protection Manager
• Categories of processing carried out on behalf of the Controller
• International transfers and measures in place to ensure they are lawful
In order to assess the potential risks arising out of any new processing activity, the GDPR requires organisations to conduct a Data Protection Impact Assessment (DPIA). The Company will demonstrate its compliance by carrying out a DPIA whenever any new processing activity is proposed, especially where it involves new technologies that result in a high degree of risk for data subjects. If, after the DPIA has been carried out, not all of the risks can be mitigated, the Company will consult with the Office of the Data Protection Commissioner prior to beginning processing. The DPIA will be overseen by the Company’s Data Protection Manager, and DPIAs will be filed and retained as proof of compliance.
The Company will appoint a Data Protection Officer if its core data processing activities involve:
• Regular and systematic monitoring of data subjects on a large scale; or
• Processing sensitive personal data on a large scale.
The Company maintains a data protection document framework, i.e. policies and procedures, training records, etc.
The Company ensures that data protection by design is addressed throughout the life cycle of any processing activity, but especially at the time of planning the means and type of processing and during the processing itself. Necessary safeguards are integrated into the Company’s systems, with data minimisation and pseudonymisation used as privacy-enhancing tools. The Company assesses the risks of a process and seeks to mitigate those risks in order to meet the data protection by design requirements.
The Company also ensures that data protection by default is implemented by choosing the most data-protective setting as the default, i.e. users will have to opt in to any settings that present greater risks. By default, only the personal data that is necessary is processed.
4. The Rights of Data Subjects
The Company has implemented a Subject Access Request procedure by which to manage such requests in an efficient and timely manner, within the timelines stipulated in the Regulation.
As part of the day-to-day operation of the organisation, the Company’s staff members engage in active and regular exchanges of information with Data Subjects. Where a formal request is submitted by a Data Subject in relation to the data held by the Company, such a request gives rise to access rights in favour of the Data Subject. The Regulation sets out the following rights applicable to data subjects:
The right to be informed (see section 3.a(2) above);
The right of access;
The right of rectification;
The right to erasure (also known as the “right to be forgotten”);
The right to restrict processing;
The right to data portability;
The right to object;
Rights with respect to automated decision-making and profiling;
The right to withdraw consent.
The Company’s staff members will ensure that, where necessary, such requests are forwarded to the Company’s Data Protection Manager in a timely manner, and they are processed as quickly and efficiently as possible.
The Company has a Data Access Request Policy Procedure in place.
5. Transferring Personal Data to a Country Outside the EEA
The Company may from time to time transfer (“transfer” includes making available remotely) personal data to countries outside the European Economic Area (EEA).
The transfer of personal data to a “third country” i.e. outside the EEA, will only take place if one or more of the following applies:
The transfer is to a country that the European Commission has determined to have an adequate level of protection for personal data;
The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with a code of conduct approved by a supervisory authority; certification under an approved certification mechanism as provided for in the Regulation; contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
The transfer is made with the informed consent of the relevant data subject(s);
The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
The transfer is necessary for important public interest reasons;
The transfer is necessary for the conduct of legal claims;
The transfer is necessary to protect the vital interests of the data subjects or other individuals where the data subject is physically or legally unable to give their consent; or
The transfer is made from a register that, under Irish or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.
6. Data Breach Notification
The Company has outlined the procedure for data breach notification in a separate document, the Data Breach Procedure, together with an incident log.
It should be noted that the Company treats data breaches very seriously, and any employee who becomes aware of a likely data breach and fails to notify the Company’s Data Protection Manager may be subject to the Company’s disciplinary procedure, depending on the severity of the breach.
The Company ensures that any entity which processes Personal Data on its behalf (a Data Processor) does so in a manner compliant with the Regulation.
Failure of a Data Processor to manage the Company’s data in a compliant manner will be viewed as a breach of contract.
Failure of the Company’s staff members to process Personal Data in compliance with this policy may result in disciplinary proceedings.