UK Project Engineers in Construction - Concrete, Aggregate, Asphalt & Bridging
Data Protection Policy
We understand that the security of personal data is of paramount importance to individuals. Any personal data collected by us should be for a legitimate business purpose, stored securely and be adequately protected.
The aim of this policy is to ensure we are as transparent as possible about why personal data is required, how it is processed, and:
This policy applies to all Workers within the company (including, but not limited to employees (whether permanent, fixed term or temporary), self-employed personnel and agency workers).
Other personal data collected can include data for customers, suppliers, business contacts and other individuals with whom the company has a relationship.
This policy has been approved by the company's Board of Directors.
This policy is non-contractual and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action.
Any questions or concerns about the operation of this policy should be referred in the first instance to the HR Department.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.
Data Subject: for the purpose of this policy includes all living, identified or identifiable individuals about whom we hold personal data.
Explicit Consent: consent which requires a very clear and specific statement.
Processing or Process: any activity that involves use of personal data. It includes obtaining, recording or the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Categories of Data
There are two types of data:
Personal Data – Classified as any information relating to a living individual who can be identified from that data (or from that data and other information in our possession). This includes, but is not limited to, name, address, Date of Birth, contact numbers, IP and e-mail addresses.
Special Categories of Personal Data – Classified as any information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal data relating to criminal offences and convictions.
Data Protection Principles
All company workers that process personal data must comply with the data protection principles, which require personal data to be:
We will demonstrate compliance with the data protection principles.
In addition to these principles Company Workers must also ensure data is:
Processing Data – Lawfulness, Fairness and Transparency
Lawfulness and fairness: We may only collect, process and share personal data fairly and lawfully and for specified purposes.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the Data Subject has consented to the processing, or that the processing is necessary for our legitimate interests, or it is necessary for the performance of a contract, or to meet our legal obligations.
Further information on the processing of personal data is set out in our Privacy Notice available from the HR Department.
Consent: A Data Subject consents to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the processing.
Where consent is given, a Data Subject will be able to easily withdraw their consent at any time. Consent may need to be refreshed if we intend to process personal data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.
Usually we will be relying on another legal basis (and not require Explicit Consent) to process most types of special category data.
Transparency: Whenever we collect personal data directly from Data Subjects, including for HR or employment purposes, we will provide the Data Subject with specific information including:
• that we are the data controller; and
• how and why we will use, process, disclose, protect and retain that personal data.
This is provided through a Privacy Notice. This can be located via the HR Department.
Processing Data – Limited Purposes
Personal data may only be processed for specified, explicit and legitimate purposes. This means that personal data must not be collected for one purpose and used for another unless we have informed you of the new purpose(s).
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You may only process and collect personal data that you require for your job duties; you cannot process or collect personal data for any reason unrelated to your job duties.
We will ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company's Retention Guidelines.
Processing Data – Accuracy
The Company will review personal data regularly to ensure that it is accurate, relevant and up to date.
In order to ensure the Company's files are accurate and up to date, Data Subjects must notify the HR Department as soon as possible of any change in their personal details.
Processing Data – Retention
The Company is committed to ensuring every Data Subject’s personal and special categories of data in an identifiable form are not kept for longer than is necessary for the purposes for which the data was gathered. We will take all reasonable steps to ensure that data is destroyed or erased from our systems when it is no longer required, unless a law requires such data to be kept for a minimum time. This includes requiring third parties to delete such data where applicable.
This policy provides a consistent approach to managing the retention of records regardless of their format (electronic or paper).
Data Subjects’ records and information will only be retained for legitimate business use.
Refer to Appendix 1 for details of the Company's retention periods.
Processing Data – Security
We will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We will ensure that we have in place procedures and technologies appropriate to the size, scope and available resources of our business to maintain the security of all personal data from the point of collection to the point of destruction. We will regularly evaluate the effectiveness of the safeguards put in place. Personal data may only be transferred to a third-party data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures. We will exercise particular care in protecting special categories of personal data.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
• Confidentiality means that only people who are authorised to use the data can access it.
• Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
• Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our business network instead of individual PCs.
Security procedures include:
• Entry controls. Any stranger seen in entry-controlled areas should be reported.
• Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
• Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required by giving them to the IT Department.
• Equipment. Data Users should ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Processing Data – Sharing Data with Third Parties
There may be occasions where the company are legitimately required to share some of your personal data with a third party (data processor). The company will not share more data than is necessary.
We may only share the personal data we hold with third parties, such as our service providers if:
• they have a need to know the information for the purposes of providing the contracted services;
• sharing the personal data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s consent has been obtained;
• the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
• the transfer complies with any applicable cross border transfer restrictions; and
• a fully executed written contract that contains Data Protection Legislation approved third party clauses has been obtained.
Third parties may include, but are not limited to:
We may also disclose personal data we hold to third parties:
• In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
• If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
• If we are under a duty to disclose or share a Data Subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We will only transfer personal data we hold to a country outside the EEA in accordance with the Data Protection Legislation.
Processing Data – Individuals’ Rights
Data Subjects have rights when it comes to how we handle their personal data. These include rights to:
• withdraw consent to processing;
• receive certain information about our processing activities;
• request access to their personal data that we hold;
• prevent our use of their personal data for direct marketing purposes;
• ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
• restrict processing in specific circumstances;
• challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
• request a copy of an agreement under which personal data is transferred outside of the EEA;
• object to decisions based solely on Automated Processing, including profiling;
• prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
• be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
• make a complaint to the supervisory authority; and
• in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.
Some of these rights are not automatic.
Workers must verify the identity of an individual requesting data under any of the rights listed above.
If a Data Subject wishes to exercise a right, the request must be immediately forwarded to the HR Department.
The company will respond to any request to exercise a right within one month of receipt of the request unless it extends the response time. Where the request is complex or there is a large volume of requests, the company may extend the deadline to respond by a further two months (three months in total). Where the deadline is extended, the HR Department will write to the Data Subject, within one month of the original request, detailing the reasons the extension is necessary.
In the event that the company takes the decision not to respond to a request, the Data Subject will be notified in writing of the reasons together with their rights and process for making a complaint within one month of the request.
The key rights are set out below.
Subject Access Requests
Data Subjects have the right to access data held about them by making an application in the form of a Subject Access Request. The request must be submitted in writing to the HR Department.
Once collated, the company will provide the personal data in either a hard copy format or electronically.
The company may ask a Data Subject for further details in respect of their request to be able to locate the required information.
Where a request to access data is considered to be manifestly unfounded or excessive, the company may:
Right of Erasure
Data Subjects can request the deletion or removal of their personal data, where the company have no legitimate reason to continue processing the data. This can occur where:
Where the company have disclosed the personal data in question to third parties (data processors), they must inform the processors of the requirement to delete the personal data.
Right of Rectification
Data Subjects are entitled to have their personal data rectified where it is found to be inaccurate or incomplete.
Where the company have disclosed the personal data in question to third parties (data processors), the company will inform them of the rectification requirement, where possible. In addition, the Data Subject will be informed about the processors to whom the data has been disclosed, where appropriate.
Right to Restrict Processing
The company will be required to restrict processing of a Data Subject’s personal data, where:
Where the company has disclosed the personal data in question to third parties, the company will inform them of the restriction on processing, where possible.
The Right to Data Portability
This right allows Data Subjects to obtain and reuse their personal data for their own purposes across different services, for example to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right only applies where a Data Subject has provided personal data to a data controller (i.e. the company). The request should be submitted in writing to the HR Department.
The company will provide the personal data free of charge and in a structured, commonly used and machine-readable format, such as a CSV file. Where the personal data concerns more than one Data Subject, the company will make a decision as to whether providing the data would prejudice the rights of any other Data Subject.
Right to Object
Data Subjects can object to the processing of their personal data for marketing and/or research purposes. The Data Subject must submit the request in writing to the HR Department.
The company will be required to cease processing the personal data upon receipt of a request, unless it is demonstrated:
A personal data breach is defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. This can include, but is not limited to:
Should an individual within the company become aware of a breach, they should report it immediately by e-mailing firstname.lastname@example.org, detailing as a minimum, how the breach occurred, the personal data breached and names of Data Subjects affected. The individual should preserve all evidence relating to the potential personal data breach.
In the event there is a data breach the company will assess the risks involved. Where the data breach is considered to be a ‘risk’ to the rights and freedoms of the Data Subject, the company will report it to the ICO (Information Commissioner’s Office) within 72 hours. Where the data breach is considered to be a ‘high risk’ to the rights and freedoms of the Data Subject, they will be informed of the breach.
Upon notification of any data breach the company will immediately assess whether any action should be taken to mitigate the risk of the same or similar breach happening again in the future.
A record of all data breaches will be kept by the HR Department, detailing the facts of the breach, its effects and the corrective action taken.
Accountability and Record-Keeping
The company has adequate resources and controls in place to ensure and to document data protection compliance including:
• implementing Privacy by Design when processing personal data and completing Privacy Impact Assessments where processing presents a high risk to rights and freedoms of Data Subjects;
• integrating data protection into internal documents including this Data Protection Policy and Privacy Notice;
• regularly training relevant staff on the Data Protection Legislation, this Data Protection Policy, related policies and data protection matters; and
• regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
We will keep and maintain accurate corporate records reflecting our processing.
Training and Audit
We will regularly review and test all the systems and processes under our control to ensure they comply with this Data Protection Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.
Automated Processing and Automated Decision-Making
Automated Decision-Making is where a decision is made based on the automatic processing of personal data which significantly affects a Data Subject. The company does not take any decisions using automated means.
Staff who have access to personal data must comply with the Data Protection Legislation and this policy at all times.
Failure to comply with this Policy and associated procedures may result in disciplinary action up to and including summary dismissal.
The company have developed Privacy Notices which are designed to be clear documents detailing:
Should an individual have any questions regarding the content of a privacy notice, please contact the HR Department.
Where an individual has concerns with the way the company has handled or is handling their personal data, or feels the company has failed to comply with GDPR, they should discuss this with the HR Department.
Monitoring and Review of the Policy
We reserve the right to change this policy at any time without notice to you. This policy is reviewed annually by the HR Department to ensure it is achieving its stated objectives.