GDPR Policy

 GENERAL DATA PROTECTION REGULATION POLICY (GDPR)

 This policy has been written to correspond with the 12 steps identified by the UK Information Commissioner’s Office (ICO) as a checklist in preparation for the General Data Protection Regulation (GDPR) which applies from 25 May 2018.

 1. Awareness

This policy document and the associated review and documentation of personal data held by HAHN Plastics Ltd (HAHN) has been instigated by the company’s UK Director, Howard Waghorn and approved at a board meeting of the company.

All employees of the company have been made aware of GDPR and have access to a copy of this policy document. Senior employees within the Sales, Marketing and Procurement areas have been involved in the production of the parts of this policy that refer to Customers and Suppliers.

2. Information held by HAHN

The various types of information held by HAHN; any organisations with whom that information is shared and the data retention periods are detailed in the annex to this document.

3. Communicating privacy information

Personal information will either be gathered by HAHN or in the case of prospective employees, by the external HR consultant employed by HAHN, who will identify HAHN as the potential employer.

Information collected and retained by HAHN is either for employment purposes or for managing the accounts of customers and suppliers. As no use will be made of this information for profiling other than for employment suitability and no information will be shared with other parties for marketing purposes, it is not considered necessary to provide individual privacy notices. People will be informed about the purposes to which their information will be used by notes attached to employment records and customer credit account application forms and the HAHN website will be amended to include details for customers and suppliers.

4. Individuals’ rights

HAHN recognise the following rights of individuals:

  • the right to be informed
  • the right of access
  • the right of rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object, and the right not to be subject to automated decision-making, including profiling

As HAHN will not be processing information by automated means, the right to data portability should not be applicable. With regard to the other rights, HAHN considers that provision of access to this document will allow employees to assess the information retained by HAHN and request its deletion or amendment.

 5.  Subject access requests

 All requests to access personal information must be submitted to the UK director, Howard Waghorn, either in writing or by email to howard.waghorn@hahnplastics.co.uk

HAHN will respond to all access requests within one month from the date of the access request and provided that the request is not refused, HAHN will provide that information without charge.

Only requests for access to the individual’s own information will be considered.

Should an access request be refused, HAHN will provide written details of the reason for the refusal and will inform the individual of their right to complain to the supervisory authority and to a judicial remedy. The refusal details will be provided within one month of the date of the access request.

6. Lawful basis for processing personal data

HAHN recognise the requirement for personal data to be processed lawfully, fairly and in a transparent manner.

Of the six lawful bases for processing personal data, only two apply to HAHN. In the majority of cases, the lawful basis will relate to a Contract – either a contract of employment with an employee or a trading contract with a customer or supplier. In all these cases it will be necessary to process personal data in order to successfully manage the contract, as without the data, it would not be possible to complete the contract.

The main exception to the Contract lawful basis occurs in relation to the autoenrolment pension scheme, where the basis for processing personal data is Lawful Obligation, as HAHN is legally obliged to provide an autoenrolment pension scheme.

7. Consent

Consent is one of the 6 lawful bases for processing personal data. Although HAHN is gathering personal data with the consent of the individuals, specific consent is not required as HAHN is being provided with information in connection with mutually agreed contracts or in relation to legal obligations.

8. Children – this section is not applicable to HAHN as the company does not buy from, sell to or employ children.

9. Data Breaches

 HAHN recognises its responsibility to have procedures in place to detect, report and investigate a personal data breach.

Personnel information is recorded solely in paper format and filed in locked cabinets, which are accessible only to the Office Manager and the UK Director, with the latter having sole access to files for office-based employees. A data breach would be evident from physical damage to the locked cabinets. In the event of a breach, HAHN will inform all employees in order that bank details can be changed if required. Reporting the breach to the police will be considered on a case-by-case basis.

Customer and supplier information is recorded in the accounting software used by HAHN. This information is backed up on a daily basis to a cloud-based system. HAHN utilise a computer security system operated by the related company HAHN Kunststoffe in Germany to protect against viruses, malware, hacking and similar threats. Should HAHN be advised of a data breach in respect of computer-stored information, this information will be passed to all suppliers and customers.

Hard copy paper files, including copy sales invoices, are also retained in respect of Customers and Suppliers. These files are stored in cabinets which are in open view of office-based employees and are housed in areas not accessible to non-employees.

10. Data protection by design and data protection impact assessments (DPIA)

HAHN recognises that privacy by design is an express legal requirement under GDPR. In order to comply with this requirement, HAHN has designed this policy in accordance with the 12 steps advised by the ICO and has revised the content of its Employee Record form and Customer Application for Credit Account form accordingly.

The ICO lists examples of situations in which data processing is likely to result in high risk to individuals, resulting in DPIAs being mandatory. These examples are:

  • where a new technology is being employed
  • where a profiling operation is likely to significantly affect individuals
  • where there is processing on a large scale of the special categories of data.

As an SME processing data under either Contract or Legal Obligation bases, HAHN does not consider that the personal data is processed in line with any of the above examples, nor is it considered that the data processing is likely to result in high risk to individuals. As such DPIAs are not considered appropriate.

11. Data Protection Officers

The person responsible for data protection compliance at HAHN is the UK director, Howard Waghorn.

HAHN does not require a formally designated Data Protection Officer, as HAHN is not a public authority; nor is it an organisation that carries out the regular and systematic monitoring of individuals on a large scale, nor is it an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

12. International

HAHN is not involved in cross-border processing, i.e. HAHN does not have establishments in more than one EU member state, nor does it carry out processing that substantially affects individuals in other EU states.

As such there is no requirement to determine a separate lead data protection supervisory authority.

 

GDPR Policy version 1 April 2018.

 

HAHN Plastics Ltd - General Data Protection Regulation

ANNEX

Information held by HAHN Plastics Ltd

Types of data                                                    Provided by             Shared with by HAHN

1  Personal data for current and former employees

Name; address; date of birth; gender; start date                 Employee                Payroll bureau; HMRC; Auto enrolment pension provider and pension administration company
Phone number                                                     Employee                Not shared
Email address                                                    Employee                Pension provider and pension admin.
Next of kin - emergency contact details                          Employee                Not shared
CV; details of education                                         Employee                Not shared
References from previous employers                               Previous employers      Not shared
Initial interview notes                                          HAHN                    Not shared
Salary                                                           HAHN                    Payroll bureau; HMRC; Auto enrolment pension provider and pension administration company
Bank details                                                     Employee                Auto enrolment pension provider and pension administration company; HAHN Kunststoffe (for payment purposes)
Tax codes                                                        HMRC                    Payroll bureau
P60s and similar tax notices                                     HAHN                    HMRC
In-house reviews                                                 HAHN                    Not shared, unless disciplinary, which may be shared with HAHN legal advisors
Accident records                                                 HAHN                    May be shared with Insurers and HSE
Details of hours worked, holidays and similar information        HAHN                    Payroll bureau

Data retention period - information in respect of current employees is retained throughout the period of their employment. Information on former employees is retained for 2 years following the date of departure.

2  Prospective employees - all information will be gathered by HAHN's external HR consultant

Name; address; phone number; email address; CV; details of       Prospective employee    External HR consultant
education; information relating to previous employment, such
as salary; reasons for leaving
References from previous employers                               Previous employers      External HR consultant
Talent measurement - personal details are not provided           External provider       External HR consultant

Data retention period - for successful candidates, all information will be transferred to personnel files and retained in accordance with section 1 above. For unsuccessful candidates, all hard copy data will be shredded. Electronic data, such as CVs, may be retained by the external HR consultant for future roles at HAHN.

3  Customer information

Name; address; contact details; company registration number      Customer                Credit insurer
if applicable
Names of proprietors in the case of partnerships or sole traders Customer                Credit insurer
Delivery addresses                                               Customer                Freight companies
Credit information                                               Credit insurer          Not shared
Trading records                                                  HAHN                    Not shared

Data retention period - 7 years

4  Customer credit card information

Card number; name on card; expiry date; security code            Customer                Credit card organisation

Data retention period - no hard copies or electronic records of card information are retained.

5  Supplier information

Name; address; contact details; bank details                     Supplier                Not shared
Trading records                                                  HAHN                    Not shared

Data retention period - 7 years