01449 720886 MARCUS JAMES CARS 07468 692360
01449 720886 MARCUS JAMES CARS 07468 692360
Marcus James Cars (the Company) processes the personal data of living individuals such as its Staff, Customers, Contractors, Research subjects and Customers. This processing is regulated by the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). The UK’s regulator for the DPA and GDPR is the Information Commissioner’s Office (ICO).
The Company is registered as a Data Controller with the ICO1 and is responsible for compliance with the GDPR and DPA.
This DPA and GDPR contain a number of key definitions which are referenced in this policy such as ‘Personal Data, ‘Processing’ and ‘Data Controller. Those definitions are set out in Annex A.
This policy sets out the Company’s commitment to comply with the Data Protection Act 2018 (‘DPA’), and the General Data Protection Regulation (‘the GDPR’).
This policy applies to all Company staff, Customers and others who use or process any Personal Data. This policy applies regardless of where Personal Data is held and or the equipment used if the Processing is for the Company’s purposes. Further, the policy applies to all Personal Data (including Sensitive Personal Data) held in any form whether manual paper records or electronic records.
The Directors are responsible for approval of the Policy.
The Directors are responsible for the strategic level implementation of the policy, oversight of compliance with the policy and reporting identified risks.
The Company will appoint Information Asset Owner (IAO) with local responsibility for data protection compliance for Personal Data processed.
The Company will appoint Information Asset Managers who will hold local responsibility for data protection compliance processed within their teams.
Legal Services are responsible for providing advice, support and guidance in relation to day-to-day data protection matters.
All staff, including permanent staff, fixed-term contractors and temporary workers must comply with this Policy, the DPA and the GDPR whenever Processing Personal Data is held by the Company or on behalf of the Company.
All Customers are responsible for compliance with the rules and policies made by the Company. Customers must comply with this policy when collecting and Processing Personal Data as part of their course, studies or research.
Third parties such as consultants, and contractors undertaking work on behalf of the Company involving Personal Data, must adhere to the Company’s Data Protection Policy and comply with the DPA and the GDPR. Provision will be made in contracts with external providers to ensure compliance with this Policy, the DPA and GDPR.
The Company will implement a Privacy By Design Approach to Processing Personal Data by integrating Privacy Impact Assessments into business processes and projects.
The Company will provide appropriate information to individuals when collecting their Personal Data by means of privacy notices. The Company will also ensure at least one lawful basis is available before Processing Personal Data.
The Company will clearly set out purposes for Processing Personal Data. The Company will only process Personal Data for purposes notified to individuals and where the new purpose is compatible with an existing purpose.
The Company will only collect as much information as is necessary to meet the purposes that have been identified. Personal Data must be adequate, relevant and not excessive.
The Company will ensure that Personal Data processed is accurate and where necessary kept up to date.
The Company will protect the security of Personal Data by maintaining and monitoring compliance with the requirement set up by the GDPR.
The Company will maintain a records retention and disposal schedule setting the periods for which records containing Personal Data are to be retained.
The Company will enter into legally binding written contracts with external bodies where those bodies are engaged to process Personal Data on our behalf. The Company will implement adequacy arrangements when transferring any
Personal Data outside of the European Union.
The Company will only disclose Personal Data to third parties such as the police, central government and other educational institutions where there is a lawful basis for doing so and appropriate arrangements are in place with those parties.
The Company will seek to ensure that Personal Data is only shared across different teams, divisions or faculties where those areas have a business need for accessing that data.
5. Data Subjects Rights
The Company will comply with requests from an individual to exercise their rights under the DPA, and the GDPR. All individuals have the right to be informed of what information the Company holds about them and to request copies of that information. This is known as a Subject Access Request. Any individual wishing to submit a Subject Access Request should contact the company in writing.
Under the DPA and GDPR, individuals also have the following rights in relation to their Personal Data:
It is recommended that Individuals submit their request in writing and specify exactly what Personal Data and/or Processing they are referring to and which right they wish to exercise. If you are seeking access to your Personal Data (i.e. making a ‘Subject Access Request’) then you may find it helpful to review the guidance available on our website.
Any staff member who receives a request from an individual to exercise the above rights under the DPA and GDPR must forward it immediately to the responsible person. All staff are responsible for cooperating with Legal Services to ensure that the Company can comply with an individual’s request under the DPA and GDPR within the statutory timescales.
All staff and Customers are responsible for checking that information they provide to the Company in connection with their employment or studies is accurate and up to date. Any changes to Personal Data provided (e.g. change of address) must be promptly notified, in writing, to the Company.
The Company will respond promptly to any identified Personal Data Breaches and thoroughly investigate those incidents to ascertain whether:
The breach should or must be reported to the ICO
Data subjects should or must be made aware of the breach, and It is necessary to amend processes or introduce new measures to mitigate against any further breaches.
Any staff member who knows or suspects that an actual or potential Personal Data Breach has occurred must immediately notify the responsible. All staff are responsible for fully engaging and cooperating with DPO in relation to their investigation of a Personal Data Breach.
Compliance with this Policy, the DPA and the GDPR is the responsibility of all members of staff and Customers. Employees must comply with the rules and procedures made by the Company.
Any breach of the policy by a member of staff may result in disciplinary action. Serious or deliberate breaches of the DPA can result in criminal prosecution.
Any breach of the GDPR by the Company may result in a substantial fine or actions imposed upon the Company by the ICO.
Questions about the interpretation or operation of this policy should be taken up in the first instance with the Data Protection Officer. Any individual who considers that the Policy has not been followed in respect of Personal Data about themselves should also raise the matter with the Company’s Data Protection Officer.
Further information about the DPA and the GDPR can be found on the Information Commissioner’s Office (ICO website). Further guidance for staff can be found on the company’s data protection website. Please see the policy section of the Riverside Autos Ltd website for related policies.
Document Data Protection Policy Owner Riverside Autos Ltd Approved by Directors
Annexe A Key Definitions
