Data Protection & Privacy Policy - GDPR
Introduction
Centurion Europe Ltd needs to gather and use certain information about individuals.
This can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
Why This Policy Exists
This data protection policy ensures Centurion Europe Ltd:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data Protection Law
The General Data Protection Regulation describes how organisations must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other media.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The General Data Protection Regulation is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
Policy Scope
This policy applies to:
- The head office of Centurion Europe Ltd
- All staff of Centurion Europe Ltd
- All contractors, suppliers and other people working on behalf of Centurion Europe Ltd
It applies to all data that the company holds relating to identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- Plus any other information relating to individuals
Data Protection Risks
This policy helps to protect Centurion Europe Ltd from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Responsibilities
Everyone who works for or with Centurion Europe Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
- The Board of Directors is ultimately responsible for ensuring that Centurion Europe Ltd meets its legal obligations
- The Directors and Managers are responsible for:
  - Keeping the board updated about data protection responsibilities, risks and issues
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule
  - Arranging data protection training and advice for the people covered by this policy
  - Handling data protection questions from staff and anyone else covered by this policy
  - Dealing with requests from individuals to see the data held about them (also called ‘subject access requests’)
  - Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below
- In particular, strong passwords must be used and they should never be shared
- Passwords should be changed at regular intervals and be of an appropriate complexity to ensure security
- Personal data should not be disclosed to unauthorised people, either within the company or externally
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection
Customers, Suppliers & Third-Party Privacy Notice
Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT representative or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it and securely disposed of when no longer relevant or needed.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet
- Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer
- Data printouts should be shredded and disposed of securely when no longer required
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees
- Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services
- Servers containing personal data should be sited in a secure location, away from general office space
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones, unless the relevant device has the appropriate security measures in place (e.g. password secured auto timed screen locks)
- All servers and computers containing data should be protected by approved security software and a firewall
Data Use
Centurion Europe Ltd understands that personal data is at the greatest risk of loss, corruption or theft when it is being accessed and used, therefore:
- When working with personal data, employees must ensure the screens of their computers are always locked when left unattended
- Personal data must not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure
- Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts
- Personal data should never be transferred outside of the European Economic Area
- Employees must not save copies of personal data to their own computers or to other removable media devices (e.g. USB pen drives, CDs, memory cards). Always access and update the central copy of any data
Data Accuracy
The law requires reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort that should be put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call
- Centurion Europe Ltd will make it easy for data subjects to update the information held about them. For instance, via the company website
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database
- It is the Marketing Manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months
Technical and Organisational Security Measures
Centurion Europe Ltd will maintain the following appropriate technical and organisational measures in relation to the processing of Protected Data to ensure a level of security:
- Secure UTM Corporate Firewalls
- SSL Certificates
- Antivirus and Anti Malware Defences
- Encryption for all PII Data
- Strong Password Policies
- Data Restriction Procedures
- Authorisation Request Procedures
- Physical Access Control Measures
Subject Access Requests
All individuals who are the subject of personal data held by Centurion Europe Ltd are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to sales@centurioneurope.co.uk.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing Data for Other Reasons
In certain circumstances, the law allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Centurion Europe Ltd will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Providing Information
Centurion Europe Ltd aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
Employee Privacy Notice
The Company is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing employee data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we hold on employees of the Company. It also sets out how we use that information, how long we keep it for and other relevant information about your data.
This notice applies to current and former employees, workers and contractors.
Data Protection Principles
In relation to personal data, we will:
- process it fairly, lawfully and in a clear, transparent way
- collect data only for reasons that we find proper for the course of employment in ways that have been explained
- keep data for only as long as we need it
- process it in a way that ensures it will not be used for anything that you are not aware of or have consented to
Types of Data We Process
We hold many types of personal data, including:
- personal details including name, address, date of birth, email address, phone numbers
- photograph ID
- gender
- marital status
- dependants, next of kin and their contact numbers
- medical or health information including whether or not you have a disability
- information used for equal opportunities monitoring about sexual orientation, religion or belief and ethnic origin
- information included on CV including references, education history and employment history
- documentation relating to right to work in the UK
- driving licence (where applicable)
- bank details
- tax codes
- National Insurance number
- current and previous job titles, job descriptions, pay grades, pension entitlement, hours of work and other terms and conditions relating to your employment with us
- letters of concern, formal warnings and other documentation with regard to any disciplinary proceedings
- internal performance information including measurements against targets, formal warnings and related documentation with regard to capability procedures, appraisal forms
- leave records including annual leave, family leave, sickness absence etc
- details of criminal records
- training details
- CCTV footage
- building entry card records.
How We Collect Your Data
We collect data about you in a variety of ways and this will usually start when we undertake a recruitment exercise where we will collect the data from you directly. This includes the information you would normally include in a CV or a recruitment cover letter, or notes made by our recruiting officers during a recruitment interview. Further information will be collected directly from you when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence.
In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Personal data is kept in personnel files or within the Company’s HR and IT systems.
Why We Process Your Data
The law on data protection allows us to process your data for certain reasons only:
- in order to perform the employment contract that we are party to
- in order to carry out legally required duties
- in order for us to carry out our legitimate interests
- to protect your interests
- carry out the employment contract that we have entered into with you
- ensure you are paid.
We also need to collect your data to ensure we are complying with legal requirements such as:
- ensuring tax and National Insurance is paid
- carrying out checks in relation to your right to work in the UK
- making reasonable adjustments for disabled employees
We also collect data so that we can carry out activities which are in the legitimate interests of the Company. We have set these out below:
- making decisions about who to offer initial employment to, and subsequent internal appointments, promotions etc
- making decisions about salary and other benefits
- providing contractual benefits to you
- maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained
- effectively monitoring both your conduct and your performance and to undertake procedures with regard to both of these if the need arises
- offering a method of recourse for you against decisions made about you via a grievance procedure
- assessing training needs
- implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments
- gaining expert medical opinion when making decisions about your fitness for work
- managing statutory leave and pay systems such as maternity leave and pay etc
- business planning and restructuring exercises
- dealing with legal claims made against us
- preventing fraud
- ensuring our administrative and IT systems are secure and robust against unauthorised access
Special Categories of Data
Special categories of data are data relating to your:
- health
- sex life
- sexual orientation
- race
- ethnic origin
- political opinion
- religion
- trade union membership
- genetic and biometric data
We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:
- you have given explicit consent to the processing
- we must process the data in order to carry out our legal obligations
- we must process data for reasons of substantial public interest
- you have already made the data public
We will use your special category data:
- for the purposes of equal opportunities monitoring
- in our sickness absence management procedures
- to determine reasonable adjustments
We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.
Criminal Conviction Data
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment.
If You Do Not Provide Your Data to Us
One of the reasons for processing your data is to allow us to carry out our duties in line with your contract of employment. If you do not provide us with the data needed to do this, we will be unable to perform those duties, e.g. ensuring you are paid correctly. We may also be prevented from confirming, or continuing, your employment with us in relation to our legal obligations if you do not provide us with this information, e.g. confirming your right to work in the UK or, where appropriate, confirming your legal status for carrying out your work via a criminal records check.
Sharing Your Data
Your data will be shared with colleagues within the Company where it is necessary for them to undertake their duties. This includes, for example, your line manager for their management of you, the HR department for maintaining personnel records and the payroll department for administering payment under your contract of employment.
We may share your data with third parties in order to obtain references as part of the recruitment process. We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us.
We do not share your data with bodies outside of the European Economic Area.
Protecting Your Data
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse.
Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with GDPR requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
How Long We Keep Your Data For
In line with data protection principles, we only keep your data for as long as we need it, which will be at least for the duration of your employment with us, though in some cases we will keep your data for a period after your employment has ended. Retention periods can vary depending on why we need your data.
Your Rights in Relation to Your Data
The law on data protection gives you certain rights in relation to the data we hold on you.
These are:
- the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice
- the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request
- the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it
- the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it
- the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct
- the right to portability. You may transfer the data that we hold on you for your own purposes
- the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
Privacy & Confidentiality Statement
This Privacy Policy sets out the basis on which personal data is obtained, stored and processed by Centurion Europe Ltd (“we”, “us” or “our”).
We strive to ensure the quality and protection of information held through the implementation and ongoing use of responsible data management practices.
All customer personal data obtained by us is done so exclusively with consent, via the primary method of account form submission. We may also collect data in the following ways:
- Information provided via our website
- Information provided via direct contact (such as phone, email or letter)
- Interaction with members of staff, such as the Area Sales Manager
Under ICO guidelines, there are several steps to determine whether data is ‘personal data’:
- Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession?
- Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?
- Is the data ‘obviously about’ a particular individual?
- Is the data ‘linked to’ an individual so that it provides particular information about that individual?
- Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
- Does the data have any biographical significance in relation to the individual?
- Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
- Does the data impact or have the potential to impact on the individual, whether in a personal, family, business or professional capacity?
An individual is ‘identified’ if you have distinguished that individual from other members of a group. In most cases, an individual’s name along with some other information is sufficient to identify them.
Put simply, examples of personal data include:
- Name
- Mobile/Home Telephone Number
- Email Address
Where possible, we prefer to store and use non-personalised data, which can include:
- generic emails (sales@) rather than personal (name@)
- office or store phone numbers rather than personal phone numbers
- office or store addresses rather than personal addresses
We will not share your personal data with third parties outside the core needs of operating in a B2B capacity. At times, with the intent of offering you the best possible service, we may use the data we store to send you information on:
- Account status
- Improvements or changes to our services
- Product discounts
- Promotional offers
- General business news and updates
The information we collect is strictly used by us for the purposes defined at the time of collection. We use your information to process your business requests and present you with the information you need to access.
Email Policy
We are committed to keeping your email address confidential and as stated above we will not share your email with any third parties.
We will continue to ensure that any email communications sent from us are clearly identifiable as such. All emails will also contain contact information for us. In addition, emails will contain obvious methods for removing/unsubscribing yourself from future marketing email communications should you wish to do so. Please be aware that you will still receive account information, order confirmations etc. via email if you currently do so.
Access to and viewing of your information
At any time, you can request that we give you access to the information we hold about you, and you can also request that we make any necessary modifications. If you have any questions, please contact us.
Breach of Data
We make every effort to ensure your data is stored and processed in secure environments, both digitally and in physical formats. In the unlikely event of a data breach, Centurion Europe will ensure you are alerted in a timely manner within 72 hours, enabling you to make any changes as necessary.
Length of time we hold your information
We will hold your data for as long as we see a legitimate business interest to do so, not exceeding any current data storage regulations.
Paul Kantecki
Managing Director
Centurion Europe Ltd