We are leaders in

Construction & Hospitality Recruitment

1.         Introduction

This Policy sets out the obligations of Goldmills a company registered in England under number 08175723, whose registered office is at 9 Devonshire Square, London, England, EC2M 4YF regarding data protection and the rights of its employees (in this context, “employee data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The  GDPR  defines  “personal  data”  as  any  information  relating  to  an  identified  or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more  factors  specific  to  the  physical,  physiological,  genetic,  mental,  economic, cultural, or social identity of that natural person.

This  Policy  sets  the  Company’s  obligations  regarding  the  collection,  processing, transfer, storage, and disposal of  personal data  relating  to employee  data subjects. The  procedures  and  principles  set  out  herein  must  be  followed  at  all  times  by  the Company, its employees,  agents,  contractors, or  other parties working  on behalf  of the Company.

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data,  respecting  the  legal  rights,  privacy,  and  trust  of  all  individuals  with  whom  it deals.

2.         The Data Protection Principles

This  Policy  aims  to  ensure  compliance  with  the  GDPR.  The  GDPR  sets  out  the following  principles  with  which  any  party  handling  personal  data  must  comply.  All personal data must be:

2.1       Processed lawfully, fairly, and in a transparent manner in relation to the data subject.

2.2       Collected  for  specified,  explicit,  and  legitimate  purposes  and  not  further processed  in  a  manner  that  is  incompatible  with  those  purposes.  Further processing for archiving purposes in the public interest, scientific or historical research  purposes  or  statistical  purposes  shall  not  be  considered  to  be incompatible with the initial purposes.

2.3       Adequate,  relevant,  and  limited  to  what  is  necessary  in  relation  to  the purposes for which it is processed.

2.4       Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.

2.5       Kept in a form which permits identification of data subjects for no longer than is  necessary  for  the  purposes  for  which  the  personal  data  is  processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or    historical    research    purposes,    or    statistical    purposes,    subject    to implementation  of  the  appropriate  technical  and  organisational  measures required by the  GDPR  in  order to  safeguard  the rights  and  freedoms of  the data subject.

2.6       Processed in a manner that ensures appropriate security of the personal data,

including protection against unauthorised or unlawful processing and against accidental   loss,   destruction,   or   damage,   using   appropriate   technical   or organisational measures.

3.         The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):

3.1       The right to be informed (Part 12).

3.2       The right of access (Part 13);

3.3       The right to rectification (Part 14);

3.4       The right to erasure (also known as the ‘right to be forgotten’) (Part 15);

3.5       The right to restrict processing (Part 16);

3.6       The right to data portability (Part 17);

3.7       The right to object (Part 18); and

3.8       Rights with respect to automated decision-making and profiling (Parts 19 and

20).

4.         Lawful, Fair, and Transparent Data Processing

4.1       The  GDPR  seeks  to  ensure  that  personal  data  is  processed  lawfully,  fairly, and  transparently,  without  adversely affecting  the  rights  of  the  data  subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

4.1.1    The data subject has given consent to the processing of their personal data for one or more specific purposes;

4.1.2    The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;

4.1.3    The processing is necessary for compliance with a legal obligation to which the data controller is subject;

4.1.4    The  processing  is  necessary to  protect  the  vital  interests  of  the  data subject or of another natural person;

4.1.5    The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or

4.1.6    The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data  subject  which  require  protection  of  personal  data,  in  particular where the data subject is a child.

4.2       If  the  personal  data  in  question  is  “special  category  data”  (also  known  as “sensitive  personal  data”  (for  example,  data  concerning  the  data  subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:

4.2.1    The data subject has given their explicit consent to the processing of such  data  for  one  or  more  specified  purposes  (unless  EU  or  EU Member State law prohibits them from doing so);

4.2.2    The  processing  is  necessary  for  the  purpose  of  carrying  out  the obligations and exercising specific rights of the data controller or of the data  subject  in  the  field  of  employment,  social  security,  and  social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides  for  appropriate  safeguards  for  the  fundamental  rights  and interests of the data subject);

4.2.3    The  processing  is  necessary to  protect  the  vital  interests  of  the  data subject   or   of   another   natural   person   where   the   data   subject   is physically or legally incapable of giving consent;

4.2.4    The  data  controller  is  a  foundation,  association,  or  other  non-profit body with a  political, philosophical,  religious,  or trade  union  aim, and the  processing  is  carried  out  in  the  course  of  its  legitimate  activities, provided that  the processing  relates solely to the  members or former members of that body or to persons who have regular contact with it in connection   with   its   purposes   and   that   the   personal   data   is   not disclosed outside the body without the consent of the data subjects;

4.2.5    The processing relates to personal data which is clearly made public by the data subject;

4.2.6    The   processing   is   necessary  for   the   conduct   of   legal   claims   or whenever courts are acting in their judicial capacity;

4.2.7    The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to  the  aim  pursued,  shall  respect  the  essence  of  the  right  to  data protection,  and  shall  provide  for  suitable  and  specific  measures  to safeguard the fundamental rights and interests of the data subject;

4.2.8    The  processing  is  necessary  for  the  purposes  of  preventative  or occupational medicine, for the assessment of  the  working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a  contract  with  a  health  professional,  subject  to  the  conditions  and safeguards referred to in Article 9(3) of the GDPR;

4.2.9    The processing is necessary for public interest reasons in the area of public  health,  for  example,  protecting  against  serious  cross-border threats  to  health  or  ensuring  high  standards  of  quality  and  safety  of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or

4.2.10  The  processing  is  necessary  for  archiving  purposes  in  the  public interest,   scientific   or   historical   research   purposes,   or   statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect  the  essence  of  the  right  to  data  protection,  and  provide  for suitable  and  specific  measures  to  safeguard  the  fundamental  rights and the interests of the data subject.

5.         Specified, Explicit, and Legitimate Purposes

5.1       The Company collects and processes the personal data set out in Parts 21 to

25 of this Policy. This includes:

5.1.1    Personal data collected directly from employee data subjects.

5.1.2    Personal data obtained from third parties.

5.2       The specific purposes for which the Company collects, processes, and holds such  personal  data  are  set  out  in  Parts  21  to  25  of  this  Policy (or  for  other purposes expressly permitted by the GDPR).

5.3       Employee  data  subjects  are  kept  informed  at  all  times  of  the  purpose  or purposes for which the Company uses their personal data. Please refer to Part

12 for more information on keeping data subjects informed.

6.         Adequate, Relevant, and Limited Data Processing

The  Company  will  only  collect  and  process  personal  data  for  and  to  the  extent necessary for the specific purpose or purposes of which employee data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Parts 21 to 25, below.

7.         Accuracy of Data and Keeping Data Up-to-Date

7.1       The  Company shall  ensure  that  all  personal  data  collected,  processed,  and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of an employee data subject, as set out in Part 14, below.

7.2       The  accuracy  of  personal  data  shall be  checked  when it is  collected  and  at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

8.         Data Retention

8.1       The Company shall not keep personal data for any longer than is necessary in light  of  the  purpose  or  purposes  for  which  that  personal  data  was  originally collected, held, and processed.

8.2       When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

8.3       For  full  details  of   the  Company’s  approach  to  data  retention,  including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.

9.         Secure Processing

The Company shall  ensure that  all personal  data  collected,  held,  and processed  is kept secure and protected against unauthorised or unlawful processing and against accidental   loss,   destruction,   or   damage.   Further   details   of   the   technical   and organisational measures which shall be taken are provided in Parts 26 to 31 of this Policy.

10.       Accountability and Record-Keeping

10.1     The Company’s Data Protection Officer is, Tom Burks.

10.2     The  Data  Protection  Officer  shall  be  responsible,  working  together  with  the Directorate, for overseeing the implementation of this Policy and for monitoring compliance  with  this  Policy,  the  Company’s  other  employment  and  data protection-related  policies,  and  with  the  GDPR  and  other  applicable  data protection legislation.

10.3     The   Company   shall   keep   written   internal   records   of   all   personal   data collection,  holding,  and  processing,  which  shall  incorporate  the  following information:

10.3.1  The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;

10.3.2  The  purposes  for which  the  Company collects,  holds,  and  processes personal data;

10.3.3  Details   of   the   categories   of   personal   data   collected,   held,   and processed  by  the  Company,  and  the  categories  of  employee  data subject to which that personal data relates;

10.3.4  Details   of   any   transfers   of   personal   data   to   non-EEA   countries including all mechanisms and security safeguards;

10.3.5  Details  of  how  long  personal  data  will  be  retained  by  the  Company

(please refer to the Company’s Data Retention Policy); and

10.3.6  Detailed  descriptions  of  all  technical  and  organisational  measures taken by the Company to ensure the security of personal data.

11.       Data Protection Impact Assessments

11.1     The Company shall carry out Data Protection Impact Assessments for any and all  new  projects  and/or  new  uses  of  personal  data  which  involve  the  use  of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of employee data subjects under the GDPR.

11.2     Data Protection Impact Assessments shall be overseen by the Data Protection

Officer and shall address the following:

11.2.1  The   type(s)   of   personal   data   that   will   be   collected,   held,   and processed;

11.2.2  The purpose(s) for which personal data is to be used;

11.2.3  The Company’s objectives;

11.2.4  How personal data is to be used;

11.2.5  The parties (internal and/or external) who are to be consulted;

11.2.6  The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

11.2.7  Risks posed to employee data subjects;

11.2.8  Risks posed both within and to the Company; and

11.2.9  Proposed measures to minimise and handle identified risks.

12.       Keeping Data Subjects Informed

12.1     The  Company  shall  provide  the  information  set  out  in  Part  12.2  to  every employee data subject:

12.1.1  Where personal data is collected directly from employee data subjects, those  employee  data  subjects  will  be  informed  of  its  purpose  at  the time of collection; and

12.1.2  Where  personal  data  is  obtained  from  a  third  party,  the  relevant employee data subjects will be informed of its purpose:

a) if  the  personal  data  is  used  to  communicate  with  the  employee  data subject, when the first communication is made; or

b) if  the  personal  data  is  to  be  transferred  to  another  party,  before  that transfer is made; or

c) as soon  as reasonably possible and in  any event  not more than  one month after the personal data is obtained.

12.2     The following information shall be provided:

12.2.1  Details of the Company including, but not limited to, the identity of its

Data Protection Officer;

12.2.2  The purpose(s) for which the personal data is being collected and will be processed (as detailed in Parts 21 to 25 of this Policy) and the legal basis justifying that collection and processing;

12.2.3  Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;

12.2.4  Where  the  personal  data  is  not  obtained  directly  from  the  employee data subject, the categories of personal data collected and processed;

12.2.5  Where  the  personal  data  is  to  be  transferred  to  one  or  more  third parties, details of those parties;

12.2.6  Where  the  personal  data  is  to  be  transferred  to  a  third  party  that  is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the  safeguards in place (see Part 32 of this Policy for further details);

12.2.7  Details of data retention;

12.2.8  Details of the employee data subject’s rights under the GDPR;

12.2.9  Details of the employee data subject’s right to withdraw their consent to the Company’s processing of their personal data;

12.2.10Details   of   the   employee   data  subject’s   right  to  complain  to  the Information  Commissioner’s  Office  (the  “supervisory  authority”  under the GDPR);

12.2.11Where  applicable,  details  of  any  legal  or  contractual  requirement  or obligation necessitating  the collection  and  processing  of  the  personal data and details of any consequences of failing to provide it; and

12.2.12Details  of  any  automated  decision-making  or  profiling  that  will  take place using the personal data, including information on how decisions will   be   made,    the   significance   of    those   decisions,    and   any consequences.

13.       Data Subject Access

13.1     Employee data subjects may make subject access requests  (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

13.2     Employees  wishing  to  make  a  SAR  should  do  using  a  Subject  Access

Request Form, sending the form to the Company’s Data Protection Officer at

15 Bishopsgate, London E2.

13.3     Responses  to  SARs  shall  normally  be  made  within  one  month  of  receipt, however  this  may be  extended  by  up  to  two  months  if  the  SAR  is  complex and/or numerous requests are  made. If  such additional time is required,  the employee data subject shall be informed.

13.4     All SARs received shall be handled by the Company’s Data Protection Officer.

13.5     The Company does  not charge  a fee  for the  handling  of  normal SARs.  The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to an employee data subject, and for  requests  that  are  manifestly  unfounded  or  excessive,  particularly  where such requests are repetitive.

14.       Rectification of Personal Data

14.1     Employee data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.

14.2     The  Company  shall  rectify  the  personal  data  in  question,  and  inform  the employee data subject of that rectification, within one month of the employee data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the employee data subject shall be informed.

14.3     In  the  event  that  any  affected  personal  data  has  been  disclosed  to  third parties, those parties shall be informed of any rectification that must be made to that personal data.

15.       Erasure of Personal Data

15.1     Employee  data  subjects  have  the  right  to  request  that  the  Company erases the personal data it holds about them in the following circumstances:

15.1.1  It is no longer necessary for the Company to  hold that personal data with  respect  to  the  purpose(s)  for which  it  was  originally collected  or processed;

15.1.2  The  employee  data  subject  wishes  to  withdraw  their  consent  to  the

Company holding and processing their personal data;

15.1.3  The  employee  data  subject  objects  to  the  Company  holding  and processing  their  personal  data  (and  there  is  no  overriding  legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);

15.1.4  The personal data has been processed unlawfully;

15.1.5  The  personal  data  needs  to  be  erased  in  order  for  the  Company  to comply with a particular legal obligation

15.1.6  The  personal  data  is  being  held  and  processed  for  the  purpose  of providing information society services to a child.

15.2     Unless  the  Company  has  reasonable  grounds  to  refuse  to  erase  personal data, all requests for erasure shall be complied with, and the  employee data subject informed of the erasure, within one month of receipt of the  employee data subject’s request. The period can be extended by up to two months in the case  of  complex  requests.  If  such  additional  time  is  required,  the  employee data subject shall be informed.

15.3     In  the  event  that  any  personal  data  that  is  to  be  erased  in  response  to  an employee  data  subject’s  request  has  been  disclosed  to  third  parties,  those parties  shall  be  informed  of  the  erasure  (unless  it  is  impossible  or  would require disproportionate effort to do so).

16.       Restriction of Personal Data Processing

16.1     Employee  data  subjects  may  request  that  the  Company  ceases  processing the  personal  data  it  holds  about  them.  If  an  employee  data  subject  makes such  a  request,  the Company shall  retain  only the  amount  of  personal  data concerning  that  data  subject  (if  any)  that  is  necessary  to  ensure  that  the personal data in question is not processed further.

16.2     In  the  event  that  any  affected  personal  data  has  been  disclosed  to  third parties,  those  parties  shall  be  informed  of  the  applicable  restrictions  on processing it (unless it is impossible or would require disproportionate effort to do so).

17.       Data Portability

17.1     The   Company   processes   personal   data   relating   to   employees   using automated means.

17.2     Where employee data  subjects  have given their consent  to the  Company to process their personal data in such a manner, or the processing is otherwise required  for  the  performance  of  a  contract  between  the  Company  and  the employee  data  subject,  employee  data  subjects  have  the  right,  under  the GDPR,  to  receive  a  copy  of  their  personal  data  and  to  use  it  for  other purposes (namely transmitting it to other data controllers).

17.3     To facilitate the right of data portability, the Company shall make available all applicable personal data to employee data subjects in the following format[s]:

17.3.1  Word; email, PDF

17.4     Where   technically   feasible,   if   requested   by   an   employee   data   subject, personal data shall be sent directly to the required data controller.

17.5     All  requests  for  copies  of  personal  data  shall  be  complied  with  within  one month of the employee data subject’s request. The period can be extended by up  to  two  months  in  the  case  of  complex  or  numerous  requests.  If  such additional time is required, the employee data subject shall be informed.]

18.       Objections to Personal Data Processing

18.1     Employee data subjects have the right to object to the Company processing their personal  data based  on legitimate interests,  direct marketing  (including profiling), and processing for scientific and/or historical research and statistics

purposes.

18.2     Where  an  employee  data  subject  objects  to  the  Company  processing  their personal data based on its legitimate interests, the Company shall cease such processing  immediately,  unless  it  can  be  demonstrated  that  the  Company’s legitimate grounds for such processing  override the  employee data subject’s interests,  rights,  and  freedoms,  or  that  the  processing  is  necessary  for  the conduct of legal claims.

18.3     Where  an  employee  data  subject  objects  to  the  Company  processing  their personal data  for direct marketing  purposes, the Company shall cease such processing immediately.

18.4     Where  an  employee  data  subject  objects  to  the  Company  processing  their personal data for scientific and/or  historical research and statistics purposes, the  employee  data  subject  must,  under  the  GDPR,  “demonstrate  grounds relating  to  his  or  her  particular  situation”.  The  Company  is  not  required  to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

19.       Personal Data

The  Company  holds  personal  data  that  is  directly  relevant  to  its  employees.  That personal data shall be collected, held, and processed in accordance with employee data subjects’ rights and  the  Company’s  obligations under  the GDPR and  with this Policy.  The  Company  may collect,  hold,  and  process  the  personal  data  detailed  in Parts 21 to 25 of this Policy:

19.1     Identification information relating to employees:

19.1.1  Name;

19.1.2  Contact Details;

19.2     Equal   opportunities   monitoring   information   (such   information   shall   be anonymised where possible):

19.2.1  Age;

19.2.2  Gender;

19.2.3  Ethnicity;

19.2.4  Nationality;

19.2.5  Religion;

19.3     Health records (Please refer to Part 22, below, for further information):

19.3.1  Details of sick leave;

19.3.2  Medical conditions;

19.3.3  Disabilities;

19.3.4  Prescribed medication;

19.4     Employment records:

19.4.1  Interview notes;

19.4.2  CVs, application forms, covering letters, and similar documents;

19.4.3  Assessments, performance reviews, and similar documents;

19.4.4  Details  of  remuneration  including  salaries,  pay  increases,  bonuses, commission, overtime, benefits, and expenses;

19.4.5  Details of trade union membership (where applicable) (please refer to

Part 24, below, for further information);

19.4.6  Employee  monitoring  information  (please  refer  to  Part  25,  below,  for further information);

19.4.7  Records  of  disciplinary  matters  including  reports  and  warnings,  both formal and informal;

19.4.8  Details  of  grievances  including  documentary  evidence,  notes  from interviews, procedures followed, and outcomes;

20. Health Records

20.1     The Company holds health records on all employee data subjects which are used  to  assess  the  health,  wellbeing,  and  welfare  of  employees  and  to highlight any issues which may require further investigation. In particular, the Company  places  a  high  priority  on  maintaining  health  and  safety  in  the workplace, on promoting equal opportunities, and on preventing discrimination on the grounds of disability or other medical conditions. In most cases, health data on employees falls within the GDPR’s definition of special category data (see Part 4 of this Policy for a definition). Any and all data relating to employee data subjects’ health, therefore, will be collected, held, and processed strictly in  accordance  with  the  conditions  for  processing  special  category  personal data, as set out in Part 4 of this Policy. No special category personal data will be collected, held, or processed without the relevant employee data subject’s express consent.

20.2     Health  records  shall  be  accessible  and  used  only  by  the  Directorate  and Health and Safety Management and shall not be revealed to other employees, agents, contractors, or other parties working on behalf of the Company without the  express  consent  of  the  employee  data  subject(s)  to  whom  such  data relates,  except  in  exceptional  circumstances  where  the  wellbeing  of  the employee  data  subject(s)  to  whom  the  data  relates  is  at  stake  and  such circumstances satisfy one or more of the conditions set out in Part 4.2 of this Policy.

20.3     Health  records  will  only  be  collected,  held,  and  processed  to  the  extent required  to  ensure  that  employees  are  able  to  perform  their  work  correctly, legally, safely, and without unlawful or unfair impediments or discrimination.

20.4     Employee data subjects have the right to request that the Company does not keep  health records  about them. All such  requests  must be made  in writing and addressed to Tom Burks, 15, Bishopsgate, London. E2.

21. Benefits

21.1     In cases where employee data subjects are enrolled in benefit schemes which are provided by the Company, it may be necessary from time to time for third party  organisations  to  collect  personal  data  from  relevant  employee  data subjects.

21.2     Prior  to  the  collection  of  such  data,  employee  data  subjects  will  be  fully informed  of  the  personal  data  that  is  to  be  collected,  the  reasons  for  its collection, and the way(s) in which it will be processed, as per the information

requirements set out in Part 12 of this Policy.

21.3     The  Company  shall  not  use  any  such  personal  data  except  insofar  as  is necessary in the administration of the relevant benefits schemes.

22. Trade Unions

22.1     The  Company  will  provide  the  following  personal  data  concerning  relevant employee  data  subjects  to  bona  fide  trade  unions  where  those  unions  are recognised by the Company. In most cases, information about an individual’s trade union membership falls within the GDPR’s definition of special category data  (see  Part  4  of  this  Policy  for  a  definition).  Any  and  all  data  relating  to employee data subjects’ trade union membership, therefore, will be collected, held, and processed strictly in accordance with the conditions for processing special category personal data, as set out in Part 4 of this Policy. No special category  personal  data  will  be  collected,  held,  or  processed  without  the relevant employee data subject’s express consent. The following data will be collected and supplied:

22.1.1  Name;

22.1.2  Job description;

22.2     All employee data subjects have the right to request that the Company does not  supply their personal  data  to  trade  unions  and  shall be informed of  that right before any such transfer is made.

23. Employee Monitoring

23.1     The Company may from time to time monitor the activities of employee data subjects. Such monitoring may include, but will not necessarily be limited to, internet  and  email monitoring.  In  the  event  that  monitoring  of  any kind  is  to take  place  (unless  exceptional  circumstances,  such  as  the  investigation  of criminal  activity  or  a  matter  of  equal  severity,  justify  covert  monitoring), employee data subjects will be informed of the exact nature of the monitoring in advance.

23.2     Monitoring  should not (unless exceptional circumstances justify it, as  above)

interfere with an employee’s normal duties.

23.3     Monitoring will only take place if the Company considers that it is necessary to achieve  the  benefit  it  is  intended  to  achieve.  Personal  data  collected  during any such monitoring  will only be  collected,  held,  and  processed for reasons directly related to (and necessary for) achieving the intended result and, at all times, in accordance with employee data subjects’ rights and the Company’s obligations under the GDPR.

23.4     The  Company  shall  ensure  that  there  is  no  unnecessary  intrusion  upon employee data subjects’ personal communications or activities, and under no circumstances   will   monitoring   take   place   outside   of   an   employee   data subject’s  normal  place  of  work  or  work  hours,  unless  the  employee  data subject in question is using  Company equipment or other facilities including, but not limited to, Company email, the Company intranet, or a virtual private network (“VPN”) service provided by the Company for employee use.

24. Data Security - Transferring Personal Data and Communications

The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data (including, but not limited to, personal data relating to employees):

24.1     All   emails   containing   personal   data   must   be   encrypted   using   Outlook

Encryption.

24.2     While  creating  a  message,  click  the  Options  tab  at  the  top  of  the  message screen. The Options Ribbon appears.

24.3     Click the arrow beside More Options...

24.4     Click the Security Settings button...

24.5     Select the Encrypt Message Contents and Attachments check box.

24.6     Click  OK.  The  Signing  Data  with  Your  Private  Exchange  Key  dialog  box appears.

24.7     All emails containing personal data must be marked “confidential”;

24.8     Personal  data  may  be  transmitted  over  secure  networks  only;  transmission over unsecured networks is not permitted in any circumstances;

24.9     Personal  data  may  not  be  transmitted  over  a  wireless  network  if  there  is  a wired alternative that is reasonably practicable;

24.10   Personal  data  contained  in  the  body of  an  email,  whether  sent  or  received, should be copied from the body of that email and stored securely. The email itself  should be  deleted. All temporary files associated therewith should  also be deleted using Permanently delete in Outlook

24.11   Where  personal  data  is  to  be  sent  by  facsimile  transmission  the  recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;

24.12   Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using Registered mail. All personal data to be transferred  physically,  whether  in  hardcopy form  or  on  removable  electronic media shall be transferred in a suitable container marked “confidential”.

25. Data Security - Storage

The Company shall ensure that the following measures are taken with respect to the storage  of  personal  data  (including,  but  not  limited  to,  personal  data  relating  to employees):

25.1     All  electronic  copies  of   personal   data  should  be  stored  securely  using passwords and data encryption;

25.2     All  hardcopies  of  personal  data,  along  with  any  electronic  copies  stored  on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;

25.3     All  personal  data  stored  electronically  should  be  backed  up,  with  backups stored onsite AND offsite. All backups should be encrypted.

25.4     No personal data  should  be stored  on  any mobile device (including, but  not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of  Tom  Burks and, in the event of such approval, strictly in accordance with all instructions

and limitations described at the time the approval is given, and for no longer than is absolutely necessary.

25.5     No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to  agents,  contractors,  or  other  parties  working  on  behalf  of  the  Company where the party in question has agreed to comply fully with the letter and spirit of  this  Policy  and  of  the  GDPR  (which  may  include  demonstrating  to  the Company that  all suitable technical  and  organisational  measures  have been taken).

26. Data Security - Disposal

When  any  personal  data  is  to  be  erased  or  otherwise  disposed  of  for  any  reason (including  where  copies  have  been  made  and  are  no  longer  needed),  it  should  be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

27. Data Security - Use of Personal Data

The Company shall ensure that the following measures are taken with respect to the use of personal data:

27.1     No personal data may be shared informally and if an employee, agent, sub- contractor, or other party working on behalf of the Company requires access to  any personal  data  that  they  do  not  already have  access  to,  such  access should be formally requested from Tom Burks, Director;

27.2     No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Tom Burks, Director.

27.3     Personal data must be handled with care at  all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;

27.4     If  personal data is  being  viewed on  a computer screen  and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and

27.5     Where personal data held by the Company is used for marketing purposes, it shall   be   the   responsibility   of   Senior   Management   to   ensure   that   the appropriate  consent  is  obtained  and  that  no  employee  data  subjects  have opted out, whether directly or via a third-party service such as the TPS.

28. Data Security - IT Security

The Company shall ensure that the following measures are taken with respect to IT

and information security:

28.1     All passwords used to protect personal data should be changed regularly and should  not  use  words  or  phrases  that  can  be  easily  guessed  or  otherwise compromised.  All  passwords  must  contain  a  combination  of  uppercase  and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords.

28.2     Under  no  circumstances  should  any  passwords  be  written  down  or  shared between  any  employees,  agents,  contractors,  or  other  parties  working  on

behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;

28.3     All software (including, but not limited to, applications and operating systems) shall  be  kept  up-to-date.  The  Company’s  IT  staff  shall  be  responsible  for installing any and all security-related updates not more than 24 hours after the updates are made available by the publisher or manufacturer OR as soon as reasonably  and  practically  possible  unless  there  are  valid  technical  reasons not to do so.

28.4     No  software  may  be  installed  on  any  Company-owned  computer  or  device without the prior approval of the IT Head of Department.

29.       Organisational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

29.1     All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the  Company’s  responsibilities  under  the  GDPR  and  under  this  Policy,  and shall be provided with a copy of this Policy;

29.2     Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;

29.3     All employees, agents, contractors, or other parties working on behalf of the

Company handling personal data will be appropriately trained to do so;

29.4     All employees, agents, contractors, or other parties working on behalf of the

Company handling personal data will be appropriately supervised;

29.5     All employees, agents, contractors, or other parties working on behalf of the Company   handling   personal   data   shall   be   required   and   encouraged   to exercise  care,  caution,  and  discretion  when  discussing  work-related  matters that relate to personal data, whether in the workplace or otherwise;

29.6     Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;

29.7     All personal data held by the Company shall be reviewed periodically, as set

out in the Company’s Data Retention Policy;

29.8     The  performance  of  those  employees,  agents,  contractors,  or  other  parties working on behalf  of  the Company handling  personal data shall be regularly evaluated and reviewed;

29.9     All employees, agents, contractors, or other parties working on behalf of the Company handling  personal data  will be bound to  do so in accordance  with the principles of the GDPR and this Policy by contract;

29.10   All  agents,  contractors,  or  other  parties  working  on  behalf  of  the  Company handling personal data must ensure that any and all of their employees who are  involved  in  the  processing  of  personal  data  are  held  to  the  same conditions  as  those  relevant  employees  of  the  Company  arising  out  of  this Policy and the GDPR; and

29.11   Where any agent, contractor or other party working on behalf of the Company

handling  personal  data  fails  in  their  obligations  under  this  Policy  that  party shall  indemnify and  hold  harmless  the  Company  against  any  costs,  liability, damages, loss, claims or proceedings which may arise out of that failure.

30.       Transferring Personal Data to a Country Outside the EEA

30.1     The  Company  may  from  time  to  time  transfer  (‘transfer’  includes  making

available remotely) personal data to countries outside of the EEA.

30.2     The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

30.2.1  The transfer is to a country, territory, or one or more specific sectors in that  country  (or  an  international  organisation),  that  the  European Commission has  determined  ensures an  adequate  level of  protection for personal data;

30.2.2  The  transfer  is  to  a  country  (or  international  organisation)  which provides  appropriate  safeguards  in   the  form   of  a  legally  binding agreement  between  public  authorities  or  bodies;  binding  corporate rules;  standard  data  protection  clauses  adopted  by  the  European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification  under  an  approved  certification  mechanism  (as  provided for  in  the  GDPR);  contractual  clauses  agreed  and  authorised  by  the competent    supervisory    authority;    or    provisions    inserted    into administrative   arrangements   between   public   authorities   or   bodies authorised by the competent supervisory authority;

30.2.3  The  transfer  is  made  with  the  informed  consent  of   the  relevant employee data subject(s);

30.2.4  The  transfer  is  necessary for  the  performance  of  a  contract  between the  employee  data  subject  and  the  Company  (or  for  pre-contractual steps taken at the request of the employee data subject);

30.2.5  The transfer is necessary for important public interest reasons;

30.2.6  The transfer is necessary for the conduct of legal claims;

30.2.7  The transfer is necessary to protect the vital interests of the employee data  subject  or  other  individuals  where  the  employee  data  subject  is physically or legally unable to give their consent; or

30.2.8  The  transfer  is  made  from  a  register  that,  under  UK  or  EU  law,  is intended  to  provide  information  to  the  public  and  which  is  open  for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

31.       Data Breach Notification

31.1     All personal  data  breaches  must be reported immediately to  the Company’s

Data Protection Officer.

31.2     If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of employee data subjects (e.g. financial loss, breach of  confidentiality,  discrimination,  reputational  damage,  or  other  significant social or economic damage), the Data Protection Officer must ensure that the Information  Commissioner’s  Office  is  informed  of  the  breach  without  delay, and in any event, within 72 hours after having become aware of it.

31.3     In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of employee  data  subjects,  the  Data  Protection  Officer  must  ensure  that  all affected  employee  data  subjects  are  informed  of  the  breach  directly  and without undue delay.

31.4     Data breach notifications shall include the following information:

31.4.1  The  categories  and  approximate  number  of  employee  data  subjects concerned;

31.4.2  The  categories  and  approximate  number  of  personal  data  records concerned;

31.4.3  The name and contact details of the Company’s data protection officer

(or other contact point where more information can be obtained);

31.4.4  The likely consequences of the breach;

31.4.5  Details  of  the  measures  taken,  or  proposed  to  be  taken,  by  the Company   to   address   the   breach   including,   where   appropriate, measures to mitigate its possible adverse effects.

32.       Implementation of Policy

This Policy shall be deemed effective as of 25th  May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name:                              Mr Tom Burks

Position:                          Director

Date:                                9th  May 2018

Due for Review by:         8th  May 2019