This document sets out the data and privacy policy for all activities carried out by atd partners in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy is reviewed annually to ensure its ongoing compliance and appropriateness. Our Data Protection Officer, Ian Burnley, has designated responsibility for compliance with data protection legislation. Ian can be contacted at [email protected].
Definitions of personal data and sensitive personal data under GDPR
Personal data includes information about a living individual where it can be connected to a name, employment details (such as job title), home address, date of birth, National ID, passport or tax number (e.g. a payroll record). Sensitive personal data relates to a person’s physical, physiological, genetic, biometric, mental, economic, cultural or social identity; it also includes anything that reveals political opinions, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation or health status.
Our use of data
We shall process personal data and sensitive personal data only to the extent, and in such manner, as is necessary for the purpose of providing services to our clients and in accordance with any client written instructions. Within the context of our services, we only use or process personal data when one or more of the following apply:
• It is necessary for the preparation and/or performance of a contract with the data subject;
• It is necessary for compliance with a legal obligation;
• It is necessary to protect the vital interests (e.g. immediate health needs) of the data subject;
• It is necessary for the purposes of legitimate interests;
• We have consent that is freely given.
Within the context of our services, we only use or process sensitive personal data when one or more of the following apply:
• It is necessary under employment law, collective agreement or other law;
• The data has already been made public by the data subject;
• It is required by judicial authorities;
• It is necessary for the protection of public health;
• We have consent that is freely given, informed, specific and explicit.
Data is held by us for a period agreed with the client and, unless agreed otherwise, is only shared with the client who has commissioned the work and the individual to whom it relates. Following the completion of a client engagement, once the client has all the data they require, paper records are destroyed and electronic records are deleted from our systems within two years.
Data Storage and Sharing
Personal data that we hold and use during client engagements is stored securely on IT systems that comply with GDPR. Personal data is only shared with employees and associates where it is necessary in order to fulfil our performance of a contract.
Data Protection Checkpoints and Impact Assessments
Each client engagement has a Data Protection Checkpoint (DPC) at its inception in order to identify whether the project creates any new data protection issues or risks, to ensure GDPR compliance and to make appropriate arrangements or changes to this policy. The DPC is signed off by the DPO. In the event of a project or situation where data processing is likely to result in high risk to individuals, a formal Data Protection Impact Assessment (DPIA) will be carried out and reviewed by the DPO prior to proceeding with the project.
Third party suppliers
We instil in our employees that they must respect the privacy of each member of the company. Each member is encouraged to avoid any activities which could conflict with their responsibilities to the company.
Information Audits
We have completed an Information Audit to assess our use of data and to ensure that our processes relating to this data are appropriate. This audit will be updated on an ad hoc basis as any new uses are identified and will be reviewed annually alongside the Data & Privacy Policy.
Data Breaches
In the case of a personal data breach, the person who identifies it should report it immediately to the DPO and be prepared to support the investigation and resolution of the breach. The DPO decides whether or not the Information Commissioner’s Office (ICO) should be informed, which will be necessary in the event that the data breach is likely to result in a risk to the rights and freedoms of individuals, e.g. it could result in discrimination, damage to reputation, financial loss or loss of confidentiality. The DPO will also decide whether those directly concerned should be informed, which will be necessary in the event that the breach may result in a high risk to the rights and freedoms of individuals.
International
Our operations are conducted from the UK and, whilst delivered internationally, fall under the UK supervisory authority.
Date of Issue
This policy was reviewed and issued on 20th January 2023.