As of 28/05/2019 the relevant person with responsibility for data under the GDPR within our organisation is:
Data Controller: Mike Moran, Operations Manager, firstname.lastname@example.org
For the purposes of the GDPR, data is identified under two categories:
Personal data is a term used to describe data relating to an individual held by SMI Data from which that individual is identified or can be identified in conjunction with other information that is in, or is likely to come into, the possession of SMI Data. Examples of personal data include forename, surname and online identifiers, e.g. an email address.
Special Categories of Personal Data is a term used to describe personal data of a sensitive nature, such as data relating to a person’s racial or ethnic origin, political opinions, religious or other philosophical beliefs, physical or mental health, sexual life, criminal convictions, genetic or biometric data, the alleged commission of an offence and/or trade union membership.
We may collect personal data either from individuals directly or from a third party supplier.
Controlling and processing personal data requires one of the six legal bases recognised under the GDPR. The six bases are as follows:
(1) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(2) Contract: the processing is necessary for a contract we have with the individual, or because the individual has asked us to take specific steps before entering into a contract.
(3) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(4) Vital interests: the processing is necessary to protect someone’s life.
(5) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(6) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Legitimate Interest is determined by a three-part test as follows:
The GDPR provides the following rights for individuals:
More detail on these rights can be found here – https://ico.org.uk/your-data-matters/
In addition, a Data Subject has the right to make a complaint to the Information Commissioner’s Office online, by phone or in writing at the following:
Tel: 0303 123 1113;
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The following table identifies the types of data we collect, control and process, the purpose for which we do so, and the legal basis we rely upon for doing so:

| Type of information collected | Purpose of processing | Legal basis for processing |
|---|---|---|
| Data Subject’s name, address, telephone numbers, e-mail address(es). | Managing the Data Subject’s relationship with the Firm. | Performing the Firm’s contract with the Data Subject. |
| Data Subject’s name, address, telephone numbers and email address. | | Legitimate interest. The Data Subject may object at any time and will be informed accordingly. |
| Bank account details or payment details. | To pay, be paid, or to refund monies. | To fulfil the contract between the Firm and the Data Subject. |
| Data Subject’s name, address, email, next of kin. | To perform HR functions within the organisation. | Contract with employee. |
| Data Subject’s name, address, bank details. | Maintain records for tax & NI purposes. | |
SMI Data will not retain personal data for longer than is necessary to fulfil the purpose it is being processed for. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means.
SMI Data applies a data minimisation policy in relation to personal data. This means that we will only collect and process personal data that is adequate, relevant and necessary to achieve our commitments in relation to the purposes stated above, and will not process data that is not required for, or is excessive in relation to, those purposes.
SMI Data will protect the data we collect in the following ways:
The Data Subject’s data will not be transferred outside the European Economic Area [EEA] without the explicit consent of the Data Subject;
We follow strict security procedures in the storage and disclosure of personal data, and to protect it against accidental loss, destruction or damage. SMI Data protects the confidentiality and integrity of personal data by having appropriate security measures in place including cyber security, securing IT systems and maintaining a high level of confidentiality.
Any personal data breach which may pose a serious risk to the Data Subject will be notified to the Data Subject without delay.
Personal data will only be provided to third parties on the strict understanding that it is to be used only for the purposes set out above, or in accordance with the law, and not for any other purpose. For the duration of their access to such personal data, third parties shall ensure that adequate security measures are in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, personal data.
SMI Data will not sell, pass on or contract with third parties for a Data Subject’s data without the Data Subject’s prior written [withdrawable] consent, other than where required to do so by law or as otherwise provided for in the table above.