Organisations covered by this Policy:
- Ali UK Limited
- Burlodge Group Limited
- Burlodge Limited
Hereafter referred to as the ‘Company’.
1) Scope
Following the adoption of the revised EU Regulation governing companies’ responsibilities towards handling and safekeeping personal data, the Company has reviewed its policy in this area.
Replacing the previous Data Protection Act (1998), the General Data Protection Regulations were made UK law as the Data Protection Act (2018) on 25th May 2018, and apply a more stringent obligation on how companies collect, store, protect and use customer data, whether in their capacity as a Controller, or as a Processor (an organisation that handles data on behalf of a Data Controller).
Data Protection Officer
Under the Regulations, the nature of the Company’s activities does not require it to appoint a nominated Data Protection Officer, with responsibility for maintaining the integrity and security of all such confidential information held and processed by the Company.
2) About the data we hold
Types of data defined by the Act
Personal data: information relating to living individuals, e.g. names, addresses, financial details, email, CCTV, IP addresses. Includes anything that identifies a living individual, such as names, addresses, email addresses of clients.
Sensitive Personal Data: includes medical records, religion, political opinions. There are additional obligations where sensitive personal data is held. Personal data will be extended under the GDPRs to include biometric and genetic data, as well as any data which allows any living person to be identified, which covers Unique IDs (UID) such as those found in cookies, device IDs (such as IMEI number on a mobile device) and IP addresses.
Commercially sensitive information: commercial customers, pricing, customer relationships, supplier chain and costs, etc.
Confidential information: customers’ systems, business information, trade secrets, bid responses, proposed acquisitions or mergers.
Types of data held by the Company
Business Information
The Company gathers information in the course of conducting its business about each site and the equipment held at each site we work with, and from the suppliers we contract with to provide the goods and services.
We hold this information as appropriate: records of equipment and any maintenance provided, as well as delivery, invoicing and payment history.
In the course of this business, commercially sensitive information is learned, but this is not our business, and is only recorded electronically where it impacts on the correct functioning of our contract with the customer.
Business Contact details
In the course of our business we build up a network of contacts at our supplier and customer organisations. This information is limited to contact details provided by their employer or business, and retained for the purposes of facilitating the conduct of business.
Personal Information
Personal information, including some sensitive personal information, is retained for the purposes of employment of staff. This is restricted to the information we need to know to comply with the law and is secured and protected unless required for a business purpose, for which the individual has either given explicit consent or this information is otherwise available to the Company.
There is a “Contact us” page on our website, which is used to facilitate sending an email to the company: the contact data input is not stored in a database, and cannot be used to compile information about anyone who uses this tool.
3) Our Commitment
The Company considers each agreement – from a Framework contract with large customers down to a Purchase order for a single trolley maintenance agreement – a partnership, and treats all information generated under these agreements with the same diligence. This includes site arrangements and employee contact information.
This is also true of the data we hold for those on our team, and all such data is held in the same utmost respect, and is only retained and released for authorised purposes.
It is unlikely that the Company will have cause to send any sensitive data to an organisation in another country, but should the requirement arise, no such data will be transferred outside the United Kingdom and European Union without the express consent of those organisations or individuals concerned, without ensuring the proper security of such data.
We will also identify those suppliers or service providers who are affected by the obligations under this legislation, and ensure that they also comply to equally stringent standards of protection and care.
‘Right to be forgotten’:
One of the key principles of the GDPR regulations is that an individual can request and expect that the data we hold on them will be deleted, such that they are not targeted or monitored in any way when they have requested that we no longer have any right to hold their information. Although this data is only retained for the conduct of our business, and not for any marketing or other unessential contact, we accept this right, and will do all that is necessary to delete any such information that we are not required to retain by the wider legal framework in which we operate.
In the event of a data breach:
We work hard to avoid any data breach, and try to hold only a minimum of Personal Information, but we must accept that data security is an area that is always evolving.
Should we discover the data we hold has been compromised in any way, we shall draw up rapid and appropriate responses, including but not necessarily limited to:
i) Take immediate steps to block any further breaches;
ii) Identify what type and to what extent data has been compromised, and assess the implications;
iii) Inform on an ongoing basis those affected of what data has been stolen and what the implications for them as individuals are; and where appropriate assist the individuals affected to prevent further ramifications from the data loss;
iv) Inform the Information Commissioner’s Office (ICO) [Telephone: 0303 123 1113] of the data breach and of the steps taken to remedy the situation and inform those affected, with the following information:
- what has happened;
- when and how we found out about the breach;
- the people that have been or may be affected by the breach;
- what we are doing as a result of the breach; and
- whom the ICO should contact if they need more information and who else we have told.
Policy date: 17th April 2018 Version Number 1.0
Next review date: 17th April 2019