AMG Cheshire Ltd data protection policy

Context and overview

Key details

Introduction

AMG Cheshire Ltd needs to gather and use certain personal and sensitive information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

Why this policy exists

This data protection policy ensures AMG Cheshire Ltd:

  • Complies with data protection law and follows good practice
  • Protects the rights of staff, customers and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Data protection law

The Data Protection Act 1998 describes how organisations – including AMG Cheshire Ltd – must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully and without the subject’s permission. The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  • Be processed fairly and lawfully
  • Be obtained only for specific, lawful purposes
  • Be adequate, relevant and not excessive
  • Be accurate and kept up to date
  • Not be held for any longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be protected in appropriate ways
  • Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

People, risks and responsibilities

Policy scope

This policy applies to:

  • The head office of AMG Cheshire Ltd
  • All staff and volunteers of AMG Cheshire Ltd
  • All contractors, suppliers and other people working on behalf of AMG Cheshire Ltd

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Plus any other information relating to individuals

Responsibilities

The board of directors is ultimately responsible for ensuring that AMG Cheshire Ltd meets its legal obligations. Everyone who works for or with AMG Cheshire Ltd has some responsibility for ensuring data is collected, stored and handled appropriately. Each individual that handles personal data must ensure that it is handled and processed in accordance with this policy and the key data protection principles. However, these people have key areas of responsibility in accordance with AMG Cheshire Ltd GDPR policy:

Data storage

  • Files will be kept in a locked drawer(s) or filing cabinet. Data that is usually stored electronically is password protected
  • Employees will make sure paper and printouts are not left where unauthorised people could see them, like on a printer
  • Data printouts will be shredded and disposed of securely when no longer required

Data use

  • When working with personal data, employees will ensure the screens of their computers are always locked when left unattended
  • Personal data will not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure

Data accuracy

  • The law requires AMG Cheshire Ltd to take reasonable steps to ensure data is kept accurate and up to date. AMG Cheshire Ltd will take reasonable steps to review the data held on file regarding our customers on a regular basis. Staff should take every opportunity to ensure data is updated, for instance by confirming a customer’s details when they call

Subject access requests

All individuals who are the subject of personal data held by AMG Cheshire Ltd are entitled to:

  • Ask what information the company holds about them and why
  • Ask how to gain access to it
  • Be informed how to keep it up to date
  • Be informed how the company is meeting its data protection obligations

If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, addressed to the data controller at melsherwin@amgcheshire.com. The data controller can supply a standard request form, although individuals do not have to use this. Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days. The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Reasons/purposes for processing information

We process personal information to enable us to repair and maintain motor vehicles; maintain our accounts and records; advertise our services; and support and manage our employees. We process personal information (registration plates) using a CCTV system to monitor and collect visual images for the purpose of security and the prevention and detection of crime.

Type/classes of information processed

We process information relevant to the above reasons/purposes. This information may include:

  • personal details
  • family details
  • financial details
  • employment details
  • goods/services provided
  • visual images

We also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs
  • lifestyle and social circumstances
  • information about offences/alleged offences

Who the information is processed about

We process personal information about:

  • customers and clients
  • suppliers
  • enquirers
  • employees
  • individuals captured by CCTV images

Who the information may be shared with

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

  • business associates
  • employees
  • current, past and prospective employers
  • goods/service providers
  • financial organisations
  • police forces
  • suppliers and central government

Additional reasons

CCTV for crime prevention:

CCTV is used for maintaining the security of property and premises and for preventing and investigating crime. It may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, service providers, police forces, security organisations and persons making an enquiry.

Disclosing data for other reasons

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, AMG Cheshire Ltd will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

Providing information

AMG Cheshire Ltd aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company. This is available on request.

  • Policy prepared by: Mel Sherwin
  • Approved by board / management on: 01/05/2018
  • Policy became operational on: 01/05/2018
  • Next review date: 01/05/2019