Privacy Policy

This policy relates to the privacy of your personal data at UNITRACKER.
About Unitracker (Worldwide) Ltd:
Unitracker (Worldwide) Ltd provides various products to businesses with commercial vehicles: GPS vehicle tracking, dash cams, vehicle finance, fuel cards, breakdown-recovery, vehicle hire, and service and maintenance packages.
Under the new Data Protection Act 2018 (DPA 2018), which governs Data Protection within the UK, we are required to give you a clear understanding of how and why we process your data, and what our position is in this relationship.
We are the Data Controller
As we set the rules and reasons for collecting data from you, we are classed as the Controller of your personal data. This means it is our responsibility to ensure that the data we collect is controlled effectively, and protected at all times. Should you have any questions about the processing of your data you can contact us directly using the following methods:
Why we need your personal data and what we need to do with it
Your personal data will be managed in accordance with the new Data Protection Regulation (Data Protection Act 2018) under the following principles:
1. Lawfulness, Fairness and Transparency:
We will process your data in order to provide this website to you and to help us answer any questions that you pose. We will also use your personal data in connection with the performance of any contract entered into with Unitracker. (If you are a business, and providing us with driver data, you will need to make sure that drivers are aware that we are processing their personal data.)
2. Purpose Limitation:
Your data will only be collected for specified, contractual and legitimate purposes meaning that as well as using the data to identify you and perform any contract with you, we may use it for:
3. Data Minimisation:
We will not ask for more information than we need for the purposes for which we are collecting it.
4. Data Accuracy:
We will update our records when you inform us that your details have changed.
5. Storage Limitation:
We will only retain your personal data for the length of time needed to complete the initial request and for three years following any contract in respect of which you are party or subject.
6. Integrity and Confidentiality:
We have implemented appropriate technical and operational measures to protect the integrity and confidentiality of your personal data.
Policies and processes we have to protect your rights as the ‘Data Subject’
Under the DPA 2018 you have a number of ‘rights’ which you can exercise at any time. Should you wish to do so, please contact the person named at the end of this Notice. These rights might include:
Where we cannot comply with one of these rights, or we need additional time to comply, we will provide you with a full explanation within the timescales required by the Regulation.
Transferring personal data
Due to the nature of the business, we work with a variety of DPA 2018 compliant businesses who act as our processors which store and process your personal data on our instructions. Below is a list of our main categories of processor:
International Transfers
At no time does your personal information leave the UK.
Talking to us about your rights or this Notice
Should you wish to speak to us about the way we process your data, or wish to exercise your rights as listed above, please contact Unitracker’s Data Protection lead, Nasar Aftab, at nasar@unitracker.co.uk.
However, if you wish to direct your questions to the ICO, you can find their details at ico.org.uk.

Data Retention Policy

1. Introduction
1.1. Unitracker (“the Company”) is committed to protecting the privacy and security of our customers’ personal information.
1.2. The Company has developed policies and practices which describe how we collect and use personal information about customers during and after their relationship with us, in accordance with the Data Protection Act 2018 (DPA 2018).
1.3. The Company is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about customers. We are required under data protection legislation to notify our customers of this information which is contained within a privacy notice sent out to them.
1.4. It is important that all company personnel read this policy, together with any other data protection policies in place or which are implemented in the future, so that they are aware of what personal data is collected, where it is retained and the period the Company will retain it for.
2. Data Protection principles
2.1. The Company will comply with data protection law. The law states that any personal information we hold on an individual must be:
2.1.1. Used lawfully, fairly and in a transparent way.
2.1.2. Collected only for valid purposes that we have clearly explained to the individual and not used in any way that is incompatible with those purposes.
2.1.3. Relevant to the purposes we have told the individual about and limited only to those purposes.
2.1.4. Accurate and kept up to date.
2.1.5. Kept only as long as necessary for the purposes we have told the individual about.
2.1.6. Kept securely.
3. The type of information that we hold about customers
3.1. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
3.2. There are “special categories” of more sensitive personal data which require a higher level of protection.
3.3. The Company will collect, store, and use the following categories of personal information about individuals (not all will be applicable to each individual):
3.3.1. Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
3.3.2. Date of birth.
3.3.3. Company information.
3.3.4. Bank account details and VAT registration.
3.3.5. Location of employment or workplace.
3.3.6. Identification documents.
3.3.7. Public liability Insurance.
3.3.8. Recordings of telephone calls.
3.3.9. Credit scores.
3.3.10. Photographs.
3.4. The Company may also collect, store and use “special categories” of sensitive personal information obtained from tracking devices (this may not be applicable to each individual).
3.5. Such information, as set out in this clause 3, is collected either from online referrals, under a customer’s contract with the Company, or through electronic, written or verbal communication.
3.6. We only use an individual’s personal information when the law allows us to. Most commonly, we will use personal information as per the privacy notice and in the following circumstances:
3.6.1. Where we need to perform the contract we have entered into with the customer.
3.6.2. Where it is necessary for our legitimate interests (or those of a third party) and an individual’s interests and fundamental rights do not override those interests.
4. Where is customer information stored?
4.1. In line with the Company’s Information Security Policy, we undertake regular data mapping and risk assessments in line with the personal data that we hold to ensure we are compliant with our obligations under the DPA 2018.
4.2. Personal data is stored both electronically and in paper format. In particular, personal data is stored as follows:-
4.2.1. Electronically with Salesforce, a CRM solution;
4.2.2. Electronically on the Company’s server;
4.2.3. Electronically on Outlook 365;
4.2.4. Paper format.
5. How long will the Company use customer information for?
5.1. The Company will only retain customer personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
5.2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of an individual’s personal data, the purposes for which we process an individual’s personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
5.3. In some circumstances we may anonymise personal information so that it can no longer be associated with an individual, in which case we may use such information without further notice to that individual. Once the individual in question is no longer a customer of the company we will retain and securely destroy their personal information in accordance with applicable laws and regulations.
5.4. In particular, we will retain a customer’s personal information for the length of time needed to complete the initial request and for a maximum of three years should the individual terminate their request (subject to any legal requirement).
6. Data sharing
6.1. The Company will share an individual’s personal information with third parties where required by law, where it is necessary to administer the working relationship with the customer or where we have another legitimate interest in doing so.
6.2. “Third parties” includes third-party service providers (including contractors and designated agents). The following activities are carried out by third-party service providers:
6.2.1. IT services including web development and hosting companies, email and information technology platforms;
6.2.2. Secure servers;
6.2.3. Installation engineers;
6.2.4. Financial and leasing companies; and
6.2.5. Customer relationship management platforms.
6.3. All of our third party service providers are required to take appropriate security measures to protect personal information in line with our policies. For further information please refer to our Information Security Policy.
6.4. The Company may share a customer’s personal information with other third parties, for example in the context of the possible sale or restructuring of the business. The Company may also need to share personal information with a regulator or to otherwise comply with the law.
7. Data Security
7.1. The Company has put in place appropriate security measures to prevent customer personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to customer personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process an individual’s personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures are contained within our Information Security Policy.
7.2. The Company has put in place procedures to deal with any suspected data security breach and will notify an individual and any applicable regulator of a suspected breach where we are legally required to do so.

Unitracker Live

Welcome to Unitracker’s privacy policy for the Unitracker Live Application (the “App”).
UNITRACKER respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you register for or otherwise use the App and tells you about your privacy rights and how the law protects you.
This privacy policy (together with our UNITRACKER Live Agreement and Terms and Conditions) applies to both the Customer who signs up for the App for their business, and to users who register to use or access the App such as administrative employees of the Customer and Drivers.
This privacy policy is provided in a layered format so you can click through to the specific areas set out below. Alternatively, you can download a pdf version of the policy. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.
1. IMPORTANT INFORMATION AND WHO WE ARE
Purpose of this privacy policy
This privacy policy aims to give you information on how UNITRACKER collects and processes your personal data through your use of the App, including any data you may provide through your use of the App for example when uploading information from a mobile device.
It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.
Controller
Our Customer which contracts to use our App is the Controller and responsible for your data. UNITRACKER is the Processor of your data and processes it on behalf of the Customer.
This privacy policy is issued on behalf of the UNITRACKER Group so when we mention UNITRACKER, “we”, “us” or “our” in this privacy policy, we are referring to the relevant company in the UNITRACKER Group responsible for processing your data.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
If you have any questions about this privacy policy or our privacy practices, please contact our DPO in the following ways:
Unitracker Limited
Postal address: Unitracker, 187 Westgate, Bradford, BD1 2RX
Telephone number: 01274 214834
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to the privacy policy and your duty to inform us of changes
We keep our privacy policy under regular review. This version was last updated in August 20222221.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2. THE APP
Consent to installation of the App
Before you are granted access to or use of the App, you are required to indicate your consent to our processing of your personal data (including your name, contact details, financial, device information, mobile number) as described in this policy. By agreeing that you accept this Policy you agree, where you are a user of the App, to this privacy policy and, where applicable, to the installation of the App onto your mobile telephone or handheld device (Device). The App can be turned off by you at any time through the controls on your Device.
How you can withdraw consent
You may change your mind and withdraw consent at any time by contacting us but that will not affect the lawfulness of any processing carried out before you withdraw your consent. It will also prevent use of the App which may have consequences in your employment with the Customer.
Consent to processing Location Data
If you are a driver, you consent to processing of your Location Data (including details of your current location disclosed by GPS technology on the Device so that location-enabled Services are activated to provide us and the Customer with real time location data). Location data is activated once you have downloaded or streamed a copy of the App onto your Device.
3. THE DATA WE COLLECT ABOUT YOU
We may collect, use, store and transfer different kinds of personal data about you as follows:
• Identity Data
• Contact Data
• Financial Data
• Transaction Data
• Device Data
• Content Data
• Profile Data
• Usage Data
• Marketing and Communications Data
• Location Data
We explain these categories of data in the Glossary below (see Description of categories of personal data).
We also collect, use and share Aggregated Data such as location data where the Device is located and travelling, statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the flow of traffic in the area in which the Device is in use, and the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
4. HOW IS YOUR PERSONAL DATA COLLECTED
Information you give us.
This is information (including Identity, Contact, and Communications Data) you consent to giving us, or allowing your employer to give to us, about you by registering for the app, or by corresponding with us (for example, by email, SMS or chat), or through your contract of employment or terms of employment with our Customer. It includes information you provide when you register to use the App Site, upload information or documentation, and when you report a problem with an App or our Services. If you contact us, we will keep a record of that correspondence.
Information we collect about you and your device.
Each time you activate the App and whilst it is in use, we will automatically collect personal data including Device, Content and Usage Data. We will also collect data when you upload information or documentation to the App such as receipts. We collect this data using cookies and other similar technologies.
Location Data.
We also use GPS technology to determine your current location. Our location-enabled Services require your personal data for the feature to work. You can withdraw your consent at any time by disabling Location Data in your settings.
Information we receive from other sources including third parties and publicly available sources.
We will receive personal data about you from your employer, namely Identity, Contact and Vehicle details.
Cookies
We use cookies and/or other tracking technologies to distinguish you from other users of the App, App Site, the distribution platform (Appstore) and to remember your preferences. This helps us to provide you with a good experience when you use the App and also allows us to improve the App.
5. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:
• Where you have consented before the processing, either through the App or with your employer (our Customer) through your terms of employment with your employer.
• Where we need to perform a contract we are about to enter or have entered with you or the Customer, by whom you are employed.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.
We will only send you information to enable you to interact with the App and our Services. We may send this by text/SMS or email where we have your consent. You have the right to withdraw that consent at any time by contacting us.
We will not share your personal data with any third party for marketing purposes.
Purposes for which we will use your personal data.

| Purpose/activity | Type of data | Lawful basis for processing |
| --- | --- | --- |
| To install the App and register you as a new App user | Identity; Contact; Financial; Device | Your consent |
| To deliver Services to you and our Customer (your employer) | Identity; Contact; Transaction; Device; Communications; Location; Data uploads | Your consent; Performance of a contract with you or your employer (our Customer); Necessary for our legitimate interests |
| To manage our relationship with you including notifying you of changes to the App or in relation to any Services | Identity; Contact; Profile; Communications | Your consent; Performance of a contract with you or your employer (our Customer); Necessary for our legitimate interests (to keep records updated and to analyse how customers use the App/ Services); Necessary to comply with legal obligations (to inform you of any changes to our terms and conditions) |
| To administer and protect our business and this App including troubleshooting, data analysis and system testing | Identity; Contact; Device | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security) |
| To deliver content to you; To measure and analyse the effectiveness of the App; To monitor trends so we can improve the App | Identity; Contact; Device; Content; Profile; Usage; Communications; Location | Consent; Necessary for our legitimate interests (to develop our products/Services and grow our business) |

6. DISCLOSURES OF YOUR PERSONAL DATA
When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below for the purposes set out in the table “Purposes for which we will use your personal data”:
• Internal Third Parties as set out in the Glossary.
• External Third Parties as set out in the Glossary.
• Your employer (our Customer).
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
7. INTERNATIONAL TRANSFERS
We do not transfer your personal data outside the UK. Data is processed and stored in the UK.
8. DATA SECURITY
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We will collect and store personal data on your Device using App data caches and browser web storage (including HTML5) and other technology.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
9. DATA RETENTION
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes. Where you are an employee of the Customer, we shall only retain data for so long as it is necessary for the purpose of providing our services to the Customer.
In some circumstances you can ask us to delete your data: see “Your legal rights” below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for assessing road traffic conditions (Device only), research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
10. YOUR LEGAL RIGHTS
Under certain circumstances you have the following rights under data protection laws in relation to your personal data.
You have the right to:
• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  • if you want us to establish the data’s accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You can exercise any of these rights at any time by contacting us via the contact details given above. Further information is also available at the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
11. GLOSSARY
Lawful basis
Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
Third parties
Internal third parties
Other companies in the UNITRACKER Group acting as joint processors and who are based in the UK and provide IT and system administration services and undertake leadership reporting.
External third parties
Your employer (our Customer).
Service providers acting as processors based in the UK who provide IT and system administration services.
Your legal rights
Description of categories of personal data
Identity Data: first name, last name, username or similar identifier, marital status, title, date of birth, gender.
Contact Data: delivery address, email address and telephone numbers.
Device Data: includes the type of mobile device you use, a unique device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone settings.
Content Data: includes information stored on your Device, including login information, photos, videos or other digital content, check-ins, [OTHER INFORMATION].
Profile Data: includes your username and password, in-App purchase history, your interests, preferences, feedback and survey responses.
Usage Data: includes details of your use of any of our Apps or your visits to any of Our Sites including, but not limited to, traffic data and other communication data, whether this is required for our own billing purposes or otherwise, and the resources that you access.
Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Location Data: includes your current location disclosed by GPS technology.

INFORMATION SECURITY POLICY

1. Introduction
1.1. Unitracker (“the Company”) is required to comply with the law governing the management and storage of personal data, which is set out in the Data Protection Act 2018 (“DPA 2018”).
1.2. Articles 5 and 23 of the DPA 2018 require the Company to process personal data securely to ensure protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures. This is commonly referred to as the DPA 2018’s Security Principle.
1.3. Information management and the associated security of information for the Company is made up of a combination of:-
1.3.1. Information systems used for handling data, information and knowledge.
1.3.2. Information technology which supports our information systems represented by the variety of hardware and software which is available to the Company.
1.3.3. Business systems that are operational processes and procedures for the conduct of our business and which require the support of information technology while inevitably in the development of our information systems.
1.3.4. Information assets, which are the information, personal data and knowledge that the business collects in the course of our activities, be it about our customers, the business, our employees or other third parties which we deal with.
1.4. This policy is our approach to the identification, monitoring and safeguarding of the areas identified at 1.3, and the policy applies to all Company personnel who process, on the Company’s behalf, Personal Data of its employees, staff, customers, clients or third parties.
2. The Company’s Approach to Data Protection and Information Security
2.1. The Company ensures that we are compliant with data protection legislation, including the DPA 2018, by undertaking to perform a data mapping process of what personal data we hold and who has access to such personal data. A data mapping process will be considered and prepared on a quarterly basis to consider the continued development of our information systems and information technology.
2.2. We have developed, implemented and maintained safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks. These systems will be monitored and improved on a continual basis.
2.3. The Company has a number of practices in place to ensure that we remain compliant with the Security Principle with a view to ensuring the integrity, confidentiality and availability of our information management systems and services.
2.4. The person with overall responsibility for this Information Security Policy is Nasar Aftab, Operations Director. This responsibility includes conducting an annual review of the policy to ensure its effectiveness and to answer any questions in terms of the Company’s position on information security.
3. The Purpose
3.1. This policy should be read alongside our Privacy Standard and Data Retention Policies. The Company’s Data Protection Lead is Nasar Aftab, who has overall responsibility for ensuring all Company personnel are aware of their obligations under data protection law and for ensuring compliance with the principles of the DPA 2018.
3.2. The purpose of our policy is to prevent mismanagement of our information systems and procedures wherever possible in order to avoid or at least mitigate the following (the list is not exhaustive):
3.2.1. proceedings under the Data Protection Act 2018
3.2.2. the inability to provide services
3.2.3. reputational and/or financial damage
3.2.4. negligence claims
3.2.5. breaches of confidentiality
3.2.6. identity fraud
4. Our obligations to ensure the security of information
4.1. The Company recognises under the DPA 2018 that we need to ensure the confidentiality, integrity and availability of personal data (including any sensitive data) is maintained.
4.2. The Company ensures that personal data can only be accessed, altered, disclosed or deleted by Company personnel who the Company has provided authority to do so.
4.3. The Company ensures and has in place measures to ensure that the personal data we do hold is accurate and complete in relation to the lawful processing reason the Company holds the information in the first place.
4.4. The Company ensures that personal data remains accessible and usable and has appropriate measures in place to recover data should it be lost, altered or destroyed in order to prevent any damage or distress to the individual(s) concerned.
4.5. In order to meet these obligations the Company has in place organisational and technical measures. Such measures will be reviewed in line with our data mapping and risk assessment process as set out in this policy.
5. Organisational Measures
5.1. The Company has undertaken, and will continue to undertake, the following measures to ensure that we comply with our obligations under the DPA 2018 and in particular the security principle of the DPA 2018:-
5.1.1. Regular data mapping and risk assessments of all types of personal data we obtain, hold or record in line with our Privacy Standard;
5.1.2. Nominate an individual (as set out in this policy) who will have overall responsibility for information security;
5.1.3. Provide training to all members of staff on data protection and the procedures they must follow in line with Company procedure (including the correct use of our Information Technology and Computer Systems);
5.1.4. Annual reviews of this Information Security Policy to ensure that it is compliant and the Company’s measures are maintained;
5.1.5. Personal data collated and stored (in line with our Privacy Standard and Data Retention Policies) will be backed up on a weekly or nightly basis (depending upon the type of personal data) to ensure that it can be easily recovered if there was a security breach or incident which resulted in data being lost, altered or destroyed;
5.1.6. Data Retention Policies set out how long personal data will be stored and when it will be erased in line with data protection principles and to ensure data is not kept longer than the lawful reason for processing as identified in our Privacy Notices;
5.1.7. Any third party who acts as a data processor on behalf of the Company (as data controller) will be audited and appropriate terms in compliance with the DPA 2018 will be agreed in writing;
5.1.8. Procedure to change personal details is available and all staff are aware of the Company’s process.
5.2. This list is not exhaustive and will be continually reviewed as part of the review of this policy.
6. Technical Measures
6.1. The Company has undertaken, and will continue to undertake, the following measures to ensure that we comply with our obligations under the DPA 2018 and in particular the security principle of the DPA 2018:-
6.1.1. All hard copy personal data is kept in lockable storage devices (access is limited to personnel who have the authority to access such personal data);
6.1.2. Storage of electronic personal data is protected with approved security measures such as Echo Sign, password protected documents etc;
6.1.3. The Company uses reputable companies and ensures they are compliant with data protection regulation to store and back up personal data such as Node4 Amazon Web Services and Salesforce, to assist with the recovery of data following any incident;
6.1.4. The Company uses CCTV on site (please see the company’s CCTV policy);
6.1.5. The Company is aware and has measures in place to ensure its cyber security is monitored and compliant with guidelines in place, including the use of Amazon Web Services and Sophos (an anti-virus system);
6.1.6. The Company’s website is hosted by a company who is compliant and registered with ISO27001;
6.1.7. All data is wiped from all electronic devices (including computers, phones, tracking devices etc) by a third party (currently P2). The Company ensures that the nominated third party is compliant with DPA 2018;
6.1.8. Paper waste is disposed of on site by use of shredding machines and we operate a clear desk procedure meaning all notes must be shredded on a daily basis;
6.1.9. Any visitors to the Company premises are required to sign in and a nominated manager will be responsible for the visitor during the duration of their attendance on site;
6.1.10. All IT and electronic equipment is stored securely on site. Should any company personnel remove electronic equipment from Company premises they must seek managerial approval and comply with company procedure;
6.1.11. The Company has undergone and will undergo any relevant DPIAs (see below) on new systems which could be rolled out for the processing of vehicle tracking data or other changes to our systems to ensure there is a process in place should the Company make the decision to implement a major change to our systems.
6.2. The Company performs regular tests of the measures in place to assess and evaluate the effectiveness of our procedures and systems in place. All testing is recorded and will form part of ongoing data mapping and risk assessment processes.
7. Data Mapping and Risk Assessments
7.1. The Company carries out a data mapping and risk assessment of the principal information and personal data we process and hold on a quarterly basis. The data mapping process is recorded and maintained to show the main categories of information we hold in relation to our customers, the business and our members of staff. Such a process also indicates what security measures are taken to protect the personal data we process, use and maintain together with any risks identified.
7.2. In general terms the types of documents to be held in our information systems (either electronic or hard copy) are:-
7.2.1. Customer documents (Vehicle tracking reports, contact details, order forms, contracts, purchase history etc)
7.2.2. Staff documents (contracts of employment, personnel records etc)
7.2.3. Business documents (examples – leases, company documents etc)
7.2.4. Others (third party agreements)
7.3. The safe disposal of any information and personal data collated as part of the data mapping process will be in line with this policy and the Company’s Data Retention Policy.
8. Training and Awareness
8.1. Staff should at all times do their best to ensure the accuracy, relevance and sufficiency of any information they use, process or maintain in accordance with the processes and procedures relevant to their role. They will, at all times, seek to maintain the confidentiality and security of the Company’s information and personal data.
8.2. The Company provides regular training to all staff on all relevant aspects of data protection, information management and information technology as appropriate.
8.3. New members of staff joining the Company, who have access to personal data, will be introduced to this Information Security Policy and other relevant data protection policies referred to therein as part of their induction.
8.4. Should a member of staff of the Company move from one area of the business to another then they will receive training in the relevant procedures on information security relevant to their new role.
8.5. The Company will monitor the review of their information systems, information technology and information security measures as set out in this policy and will ensure all members of staff are updated.
9. Data Privacy Impact Assessments (DPIAs)
9.1. The Company, as a Data Controller, must conduct DPIAs for a specific type of processing or processing which is likely to result in a high risk to individuals’ interests.
9.2. Company personnel should conduct a DPIA (and discuss your findings with the Data Protection Manager) when implementing major system or business change programmes involving the processing of personal data including the following:
9.2.1. use of new technologies (programmes, systems or processes), or changing technologies (programmes, systems or processes);
9.2.2. automated processing including profiling and/or automated decision-making;
9.2.3. large scale processing of sensitive data; and
9.2.4. large scale, systematic monitoring of a publicly accessible area.
9.3. A DPIA must include:
9.3.1. a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;
9.3.2. an assessment of the necessity and proportionality of the processing in relation to its purpose;
9.3.3. an assessment of the risk to individuals; and
9.3.4. the risk mitigation measures in place and demonstration of compliance.
10. Key Areas of Information Security
10.1. The Company is increasingly reliant on information and communication technology for the preparation and delivery of its services to our customers. This position increases the significance of effective computer management systems within the Company.
10.2. The Company has in place strict rules and procedures on the use of:-
10.2.1. Internet access and use
10.2.2. Email communication protocols
10.2.3. Social media access and use (both personal and business use)
10.2.4. Telephone and mobile use
10.2.5. Laptop use
10.3. The Company, as part of our data mapping and risk assessment process, keeps under review our information and communication technology policies and procedures. The person with responsibility for this task is Nasar Aftab, Operations Director. Where necessary, all members of staff will receive training on the Company’s policies and procedures in terms of information and communication technology.
11. System Risk Management
11.1. Management of our information systems is the responsibility of Nasar Aftab, Operations Director.
11.2. The Company has identified the following critical risks to our systems:-
11.2.1. Fire
11.2.2. Computer virus attack
11.2.3. Theft
11.2.4. Incompetence
11.2.5. Malice
11.3. The Company has in place the following procedures, processes and technology to eliminate, minimise or transfer the critical risks identified above:-
11.3.1. Virus protection system
11.3.2. Management of system configurations
11.3.3. Regular system backups
11.3.4. Use of a router firewall on its internet connection
11.3.5. User password procedures
11.3.6. Management of user accounts including restrictions of access and removal of users where access is no longer required
11.3.7. Continual training on IT systems
11.3.8. Restrictions on computer systems to prevent data being added or removed.
12. Data Processors
12.1. The Company has identified and uses third parties to process personal data on our behalf (as per our privacy policies and notices). The Company recognises that as the data controller we are responsible for ensuring compliance with the DPA 2018. This includes what our data processors do with the personal data.
12.2. We ensure, as part of our organisational and technical measures, that all data processors comply with the DPA 2018 principles and provide the Company with the appropriate written agreements of their compliance.
12.3. All data processors will have to comply with the same security measures we enforce and expect as specified under this policy.
12.4. Our data mapping and risk assessment process will include an audit of data processors used.
13. Data Protection Breaches
13.1. The Company recognises that at times, despite all efforts made to prevent breaches of data security in line with this policy, there could be a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
13.2. Data protection breaches could happen for a number of reasons including human error, cyber-attacks, loss or theft of devices/equipment, deceit, disasters at company premises or inadequate or inappropriate access controls.
13.3. Should a data protection breach occur then it must be reported to Nasar Aftab (Data Protection Lead) immediately upon discovery. A report of a potential breach should be made by way of logging a DPA 2018 case on Salesforce. Should any member of staff be unsure whether a potential incident or situation would amount to a data protection breach then they should speak with their direct line manager in the first instance.
13.4. The Data Protection Lead (Nasar Aftab) will then take appropriate steps to recover lost data, limit the damage of the breach and will investigate the breach. Should a breach amount to a risk to the rights and freedoms of the individual(s) then the breach will be reported to the Information Commissioner’s Office (“ICO”) in line with reporting guidelines in place at the relevant time but without delay and no later than 72 hours after notification of the breach.
13.5. The Data Protection Lead (Nasar Aftab) where appropriate will inform the individual(s) affected by the data protection breach in line with current guidelines and requirements.
13.6. All data protection breaches must be recorded in the Company’s central breach register.
13.7. If the breach is found to be part of a wider systematic issue then the Data Protection Lead (Nasar Aftab) will ensure that practices are revised and communicated to all relevant parties.

DATA PROTECTION POLICY

1. Introduction
1.1. This Privacy Standard sets out how Unitracker (“we”, “our”, “us”, “the Company”) handle the Personal Data of our customers, suppliers, employees, workers and other third parties with regard to the Data Protection Act 2018 (DPA 2018).
1.2. This Privacy Standard applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other individual.
1.3. This Privacy Standard applies to all Company Personnel (“you”, “your”). You must read, understand and comply with this Privacy Standard when Processing Personal Data on our behalf and attend training on its requirements. This Privacy Standard sets out what we expect from you in order for the Company to comply with applicable law. Your compliance with this Privacy Standard is mandatory. Related Policies are available to help you interpret and act in accordance with this Privacy Standard; you must also comply with all such Related Policies. Any breach of this Privacy Standard may result in disciplinary action.
1.4. This Privacy Standard (together with Related Policies) is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the Data Protection Lead (Nasar Aftab).
2. Definitions
2.1. These terms have the following meaning within this Privacy Standard:-
2.1.1. Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
2.1.2. Company name: Unitracker (Worldwide) Ltd t/as Unitracker.
2.1.3. Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.
2.1.4. Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the individual’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.
2.1.5. Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the DPA 2018. We are the Data Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.
2.1.6. Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Information Security Policy and should be conducted for all major system or business change programs involving the Processing of Personal Data.
2.1.7. UK: the constituent countries of the United Kingdom.
2.1.8. Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
2.1.9. Data Protection Act 2018 (DPA 2018): the Data Protection Act 2018. Personal Data is subject to the legal safeguards specified in the DPA 2018.
2.1.10. Personal Data: any information identifying an individual or information relating to an individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
2.1.11. Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
2.1.12. Privacy Notices: separate notices setting out information that may be provided to individuals when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.
2.1.13. Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
2.1.14. Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
2.1.15. Related Policies: the Company’s policies, operating procedures or processes related to this Privacy Standard and designed to protect Personal Data including Information Security Policy, Data Retention Policy for Employees and Data Retention Policy for Customers.
2.1.16. Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
3. Scope
3.1. We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the DPA 2018.
3.2. All managers are responsible for ensuring all Company Personnel comply with this Privacy Standard and need to implement appropriate practices, processes, controls and training to ensure such compliance.
3.3. The Data Protection Lead is responsible for overseeing this Privacy Standard and, as applicable, developing Related Policies. This post is held by Nasar Aftab, Managing Director, nasar@untracker.co.uk.
3.4. Please contact the Data Protection Lead with any questions about the operation of this Privacy Standard, the DPA 2018 or if you have any concerns that this Privacy Standard is not being or has not been followed. In particular, you must always contact the Data Protection Lead in the following circumstances:
3.4.1. if you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Company) (see Section 5.1-5.4 below);
3.4.2. if you need to rely on Consent and/or need to capture Explicit Consent (see Section 5.5-5.9 below);
3.4.3. if you need to draft Privacy Notices (see Section 5.10-5.13 below);
3.4.4. if you are unsure about the retention period for the Personal Data being Processed (see Section 9 below);
3.4.5. if you are unsure about what security or other measures you need to implement to protect Personal Data (see Section 10.1-10.4 below);
3.4.6. if there has been a Personal Data Breach (see Section 10.5-10.7 below);
3.4.7. if you are unsure on what basis to transfer Personal Data outside the UK (see Section 11 below);
3.4.8. if you need any assistance dealing with any rights invoked by an individual (see Section 12);
3.4.9. whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA (see Information Security Policy) or plan to use Personal Data for purposes other than what it was collected for;
3.4.10. if you need help complying with applicable law when carrying out direct marketing activities (see Section 14 below); or
3.4.11. if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors) (see Section 15 below).
4. Personal Data Protection Principles
4.1. The Company follows the principles set out in the DPA 2018 relating to Processing of Personal Data which require it to be:
4.1.1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
4.1.2. Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
4.1.3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
4.1.4. Accurate and where necessary kept up to date (Accuracy).
4.1.5. Not kept in a form which permits identification of individual(s) for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
4.1.6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
4.1.7. Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
4.1.8. Made available to individuals and an individual is allowed to exercise certain rights in relation to their Personal Data (Individual’s Rights and Requests).
4.2. The Company is responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
5. Lawfulness, Fairness, Transparency
5.1. Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the individual.
5.2. You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The DPA 2018 restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing, but ensure that we Process Personal Data fairly and without adversely affecting the individual(s).
5.3. The DPA 2018 allows Processing for specific purposes, some of which are set out below:
5.3.1. the individual has given his or her Consent;
5.3.2. the Processing is necessary for the performance of a contract with the individual;
5.3.3. to meet our legal compliance obligations;
5.3.4. to protect the individual’s vital interests; or
5.3.5. to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of individual(s). The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices.
5.4. The Company must identify and document the legal ground being relied on for each Processing activity.
Consent
5.5. A Data Controller must only process Personal Data on the basis of one or more of the lawful bases set out in the DPA 2018, which include Consent.
5.6. An individual consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.
5.7. Individuals must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the individual first consented.
5.8. Unless we can rely on another legal basis of Processing, Explicit Consent is usually required for Processing Sensitive Personal Data and for cross border data transfers (when applicable). Usually we will be relying on another legal basis (and not require Explicit Consent) to Process most types of Sensitive Data. Where Explicit Consent is required, you must issue a Privacy Notice to the individual to capture Explicit Consent.
5.9. You will need to evidence Consent captured and keep records of all Consents so that the Company can demonstrate compliance with Consent requirements.
Transparency (Notifying Individuals)
5.10. The DPA 2018 requires Data Controllers to provide detailed, specific information to individual(s) depending on whether the information was collected directly from an individual or from elsewhere. Such information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that an individual can easily understand them.
5.11. Whenever we collect Personal Data directly from individuals, including for human resources, employment purposes or acting on behalf of our agreement with our customers, we must provide the individual with all the information required by the DPA 2018 including the identity of the Data Controller and Data Protection Lead, how and why we will use, Process, disclose, protect and retain that Personal Data through a Privacy Notice which must be presented when the individual first provides the Personal Data.
5.12. When Personal Data is collected indirectly (for example, from a third party or publicly available source), you must provide the individual with all the information required by the DPA 2018 as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with the DPA 2018 and on a basis which contemplates our proposed Processing of that Personal Data.
5.13. You should seek guidance on drafting Privacy Notices from the Company’s Data Protection Lead.
6. Purpose Limitation
6.1. Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
6.2. You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the individual(s) of the new purposes and they have Consented where necessary.
7. Data Minimisation
7.1. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
7.2. You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.
7.3. You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.
7.4. You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company’s data retention guidelines.
8. Accuracy
8.1. Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
8.2. You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to amend inaccurate or out-of-date Personal Data.
9. Storage Limitation
9.1. Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
9.2. You must not keep Personal Data in a form which permits the identification of the individual for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.
9.3. The Company will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. You must ensure that you comply with the Company’s guidelines on Data Retention.
9.4. You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Company’s applicable records retention schedules and policies. This includes requiring third parties to delete such data where applicable.
9.5. You will ensure individuals are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.
10. Security, Integrity and Confidentiality
Protecting Personal Data
10.1. Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
10.2. The Company will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
10.3. You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. Please refer to the Company’s Information Security Policy for the Company’s procedures and position.
10.4. You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the DPA 2018 and relevant standards to protect Personal Data.
Reporting a Personal Data Breach
10.5. The DPA 2018 requires Data Controllers to notify any Personal Data Breach to the applicable regulator and, in certain instances, the individual.
10.6. We have put in place procedures to deal with any suspected Personal Data Breach and will notify individual(s) or any applicable regulator where we are legally required to do so.
10.7. If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the Data Protection Leads. You should preserve all evidence relating to the potential Personal Data Breach.
11. Transfer Limitation
11.1. The DPA 2018 restricts data transfers to countries outside the UK in order to ensure that the level of data protection afforded to individuals by the DPA 2018 is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
11.2. You may only transfer Personal Data outside the UK if one of the following conditions applies:
11.2.1. the UK Government has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for an individual’s rights and freedoms. For further information please review the following website – https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/
11.2.2. appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the UK Government, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
11.2.3. the individual has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
11.2.4. the transfer is necessary for one of the other reasons set out in the DPA 2018 including the performance of a contract between us and the individual, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the individual where the individual is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.
12. Individual’s Rights and Requests
12.1. Individuals have rights when it comes to how we handle their Personal Data. These include rights to:
12.1.1. withdraw Consent to Processing at any time;
12.1.2. receive certain information about the Data Controller’s Processing activities;
12.1.3. request access to their Personal Data that we hold;
12.1.4. prevent our use of their Personal Data for direct marketing purposes;
12.1.5. ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
12.1.6. restrict Processing in specific circumstances;
12.1.7. challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
12.1.8. request a copy of an agreement under which Personal Data is transferred outside of the UK;
12.1.9. object to decisions based solely on Automated Processing, including profiling (automated decision making (ADM));
12.1.10. prevent Processing that is likely to cause damage or distress to the individual or anyone else;
12.1.11. be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
12.1.12. make a complaint to the supervisory authority; and
12.1.13. in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.
12.2. You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).
12.3. You must immediately forward any Subject Access Request you receive to your supervisor.
13. Accountability
13.1. The Data Controller must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
13.2. The Company must have adequate resources and controls in place to ensure and to document DPA 2018 compliance including:
13.2.1. Implementing appropriate measures when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of individuals;
13.2.2. Integrating data protection into internal documents including this Privacy Standard, Related Policies or Privacy Notices;
13.2.3. Regularly training Company Personnel on the DPA 2018, this Privacy Standard, Related Policies and data protection matters including, for example, individual’s rights, Consent, legal basis, DPIA and Personal Data Breaches. The Company must maintain a record of training attendance by Company Personnel; and
13.2.4. Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
13.3. The DPA 2018 requires us to keep full and accurate records of all our data Processing activities.
13.4. The Company must keep and maintain accurate corporate records reflecting our Processing including records of an individual’s Consents and procedures for obtaining Consents.
13.5. These records should include, at a minimum, the name and contact details of the Data Controller and the Data Protection Leads, clear descriptions of the Personal Data types, individual(s) types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. In order to create such records, data maps will be created which should include the detail set out above together with appropriate data flows.
14. Direct Marketing
14.1. The Company is subject to certain rules and privacy laws when marketing to our customers.
14.2. For example, an individual’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
14.3. The right to object to direct marketing must be explicitly offered to an individual in an intelligible manner so that it is clearly distinguishable from other information.
14.4. An individual’s objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
14.5. You must liaise with the Company’s Data Protection Lead about any marketing plans and follow their instructions.
15. Sharing Personal Data
15.1. Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
15.2. You may only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
15.3. You may only share the Personal Data we hold with third parties, such as our service providers, if:
15.3.1. they have a need to know the information for the purposes of providing the contracted services;
15.3.2. sharing the Personal Data complies with the Privacy Notice provided to the individual and, if required, the individual’s Consent has been obtained;
15.3.3. the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
15.3.4. the transfer complies with any applicable cross border transfer restrictions; and
15.3.5. a fully executed written contract that contains DPA 2018 approved third party clauses has been obtained.
16. Changes to this Privacy Standard
16.1. The Company reserves the right to change this Privacy Standard. We encourage you to regularly check this policy for any updates and changes.
16.2. This Privacy Standard does not override any applicable national data privacy laws and regulations in countries where the Company operates.
16.3. This policy was last updated in August 2021.