Pickerings Lifts Compliance Statement on the General Data Protection Regulation (GDPR)

Introduction

The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 (including within the UK, regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially higher penalties than under the current Data Protection Act (DPA), which it will supersede.

Pickerings Lifts is committed to high standards of information security, privacy and transparency and places a high priority on protecting and managing data in accordance with accepted standards and procedures. The company complies with current Data Protection Act 1995 regulations and will comply with applicable GDPR regulations when they take effect on 25th May 2018, including as a data processor, while also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.

It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.

Data protection principles

Under the GDPR, there are six data protection principles that the Company must comply with. These provide that the personal information we hold about individuals must be:

  1. Processed lawfully, fairly and in a transparent manner.
  2. Collected only for legitimate purposes that have been clearly explained and not further processed in a way that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to those purposes.
  4. Accurate and, where necessary, kept up to date.
  5. Kept in a form which permits identification of individuals for no longer than is necessary for those purposes.
  6. Processed in a way that ensures appropriate security of the data.

The Company is responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.

Transferring personal information outside the European Economic Area

The Company will not transfer any personal information to countries outside the European Economic Area.

Data Retention

The Company will only retain personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.
The Company will generally hold personal information for the duration of any employment or engagement.

Compliance

Pickerings Lifts has a robust ISO-based Management System and, in order to ensure compliance, will implement additional or augmented company-wide controls to meet GDPR requirements using internal and external advisors.

Updated information security policies and procedures will build on our existing management systems and our Information Control and Classification policy, informed by gap analysis and data protection risk assessments and supported by communication and training programmes.

All Pickerings Lifts employees must complete data privacy and security training using training modules with GDPR-specific content. In addition to these training requirements, Pickerings Lifts conducts ongoing awareness initiatives on a variety of topics, including data protection, security and privacy.

Pickerings Lifts' Data Protection Officer will inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, provide necessary security and ongoing delivery of objectives.

As a data processor, the company continually undertakes risk assessments including detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention are routinely reviewed and updated.

Your rights in connection with your personal information

It is important that the personal information Pickerings Lifts hold about you is accurate and up to date.

Please keep us informed if your personal information changes, e.g. you change your home address, during your working relationship with the Company so that our records can be updated. The Company cannot be held responsible for any errors in your personal information in this regard unless you have notified the Company of the relevant change.

As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:

  • Request access to your personal information – this is usually known as making a data subject access request and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
  • Request rectification of your personal information – this enables you to have any inaccurate or incomplete personal information we hold about you corrected
  • Request the erasure of your personal information – this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected
  • Restrict the processing of your personal information – this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy
  • Object to the processing of your personal information – this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground
  • Data portability – this gives you the right to request the transfer of your personal information to another party so that you can reuse it across different services for your own purposes.

If you wish to exercise any of these rights, please contact our HR department. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our HR department. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.

If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.

Changes to this Compliance Notice

The Company reserves the right to update or amend this notice at any time, including where the Company intends to further process personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information.

Contact

If you have any questions about this notice or how we handle your personal information, please contact our HR department as follows:

Last updated: 21/05/2018

HEAD OFFICE:

Pickerings Europe Ltd
Globe Elevator Works
P.O. Box 19
Stockton on Tees
Cleveland
TS20 2AD

T:+44 (0) 1642 607161
F:+44 (0) 1642 677638
E:contact@pickeringslifts.co.uk
