ERGOPLUS FACILITIES LTD – GENERAL DATA PROTECTION POLICY
ErgoPlus Facilities Ltd needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts employees and other people the company has a relationship with or may need to contact.
This policy describes how this data must be collected, handled and stored to meet the company’s data protection standard and to comply with the law.
Why this policy exists
This data protection policy ensures ErgoPlus Facilities;
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individual’s data
- Protects itself from risks of a data breach
Who is covered under the General Data Protection Regulation?
Employees of our company must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with or acts on our behalf and may need occasional access to data.
Scope of our Policy
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, financial data etc.
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties.
ErgoPlus Facilities Ltd is required to adhere to the eight principles of data protection as laid down by the Act.
Our data will not be:
- Communicated informally
- Stored for more than a specified amount of time
- Transferred to organisations, states or countries that do not have adequate data protection policies
- Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities)
In accordance with those principles our data will be:
- Processed fairly and lawfully
- Processed for specified purposes only
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept longer than necessary
- Processed in accordance with data subjects’ rights
- Processed and held securely
- Not transferred outside the countries of the European Economic Area without adequate protection.
In addition to ways of handling the data the company has direct obligations towards people to whom the data belongs.
Specifically, we must:
- Let people know which of their data is collected
- Inform people about how we’ll process their data
- Inform people about who has access to their information
- Have provisions in cases of lost, corrupted or compromised data
- Allow people to request that we modify, erase, reduce or correct data contained in our database
Third Party Data Processors
In the unlikely event that external companies are used to process personal data on behalf of ErgoPlus Facilities, responsibility for the security and appropriate use of that data remains with ErgoPlus Facilities Ltd.
Where a third party is used
A data processor must be chosen who provides sufficient guarantees regarding its security measures to protect personal data
A written contract is established as to what personal data will be processed and for what purpose
Reasonable steps must be taken that such security measures are in place
To exercise data protection, we’re committed to:
- Restrict and monitor access to sensitive data
- Develop transparent data collection procedures
- Train employees in online privacy and security measures
- Build secure networks to protect online data from cyber attacks
- Establish clear procedures for reporting privacy breaches or data misuse
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc.)
ErgoPlus Facilities Ltd is required to permit individuals to access their own personal data held via an access request. Any individual wishing to exercise this right should do so in writing to the Management Team. ErgoPlus Facilities Ltd aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within the 40-calendar day limit set out in the Data Protection Act 1998.
Individuals will not be entitled to access information to which any of the exemptions in the Act applies. However, only those specific pieces of information to which the exemption applies will be withheld and determining the application of exemptions will be made by the Management Team.
Data Protection Breaches
Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Managing Director. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
Effective from May 2018