Introduction
This Data Protection Policy sets out the obligations of Reuse-A-Wall Global Ltd and Blok ‘N’ Mesh Europe Ltd (“the Company”) and its employees, and the rights of natural persons (“data subjects”) afforded by the General Data Protection Regulation (Regulation (EU) 2016/679) (“the GDPR”) and the Data Protection Act 2018.
The Company’s designated data controller (“Data Controller”) is: Group HR Manager
The processes, principles and standards contained within this Data Protection Policy must be followed at all times by the Company, its employees, contractors, agents, or other entities working for or on behalf of the Company.
Definitions
For the purposes of this Policy certain words have specific meanings. These are defined below:
- “The Company” shall refer to Reuse-A-Wall Global Ltd and Blok ‘N’ Mesh Europe Ltd
- “Data Subject(s)” shall refer to a natural person, or persons, whose personal information is being processed under the terms of this Policy
- “GDPR” shall refer to the General Data Protection Regulation (Regulation (EU) 2016/679)
- “Data Controller” shall refer to the Company’s designated Data Controller
- “ICO” shall refer to the Information Commissioner’s Office
Principles of Data Protection
The GDPR describes the following principles for processing personal information.
- All personal information must be processed lawfully, fairly, and transparently;
- All personal information collected by the Company must be collected for a specified, explicit, and legitimate purpose, and must not be processed in a manner which is incompatible with the aforementioned purpose;
- All personal information collected by the Company must be relevant and limited to what is necessary to enable the Company to fulfil the stated purpose for collecting it;
- All personal information must be accurate and kept current;
- If personal information is kept in a form which permits identification of data subjects, it must be kept in such a form for no longer than is required in order for the Company to fulfil the stated purpose for collection of the information in question;
- Personal information must be processed in a manner which ensures adequate and appropriate security, including protections and safeguards against unauthorized or unlawful processing, and protected against accidental loss, destruction, or damage, via the use of appropriate technical and procedural safeguards.
Lawful, Fair and Transparent Processing
The GDPR aims to ensure that personal information is processed in accordance with its core principles of lawfulness, fairness, and transparency, while preserving the rights of the data subject(s). The GDPR specifies that processing of personal information will be lawful if at least one of the following cases applies:
- The data subject has consented to their personal information being processed for one or more purposes
- It is necessary for the Company to process personal information in order to fulfil a contract which the data subject is party to, or in order for the Company to perform pre-contract steps at the request of the data subject(s)
- The Company is subject to a legal obligation which necessitates the processing of personal information
- It is necessary to process personal information in order to protect the vital interests of the data subject or another natural person, e.g. in the case of a medical emergency or similar situation
- It is necessary to process personal information in order to carry out a task in the public interest, or in order to exercise official authority vested in the Data Controller
- It is necessary to process personal information for the pursuit of legitimate business interests by the Company or by a third party, except in cases where such interests are overridden by the interests or fundamental rights of the data subject(s) which mandate that personal information be protected, particularly where the data subject is a minor
Processing for Specific and Legitimate Purchases
- The Company collects, processes, and handles categories of personal information described in its register of processing activities. This may include personal information collected directly from data subjects, e.g. contact details used when a data subject corresponds or otherwise communicates with the Company, and/or personal information received from third parties.
- The Company will only process personal information for the specific purposes described in its register of processing activities, or for other purposes explicitly allowed by the GDPR.
- The purposes for which the Company processes personal information should be explained to data subjects at the point of collecting the personal information in question.
- Where personal information is collected from a third party, the purposes for which the Company is processing it should be explained to the data subject(s) no later than one calendar month following the information being obtained.
Accuracy of Data
- Wherever possible, the Company will ensure that all personal information processed is kept accurate and current.
- Accuracy of data should be checked at the point of collection, and at appropriate intervals thereafter.
- Where inaccurate or out-of-date data is identified, all reasonable steps must be taken to correct or erase that data in a prompt and timely manner.
Retention of Data
The Company shall not retain personal information any longer than is necessary in order to fulfil the original purpose for collection and processing of that data. In the event that data is no longer required, all reasonable steps shall be taken to securely destroy it.
Secure Processing
- All personal information collected and processed by the Company must be kept secure and protected against unauthorized or unlawful processing.
- All employees, agents, contractors, or other parties working on behalf of the Company will be required to comply with the following when working with personal information: o All emails containing sensitive personal information must be encrypted where possible.
- If personal information is to be deleted or otherwise disposed of, including copies which are no longer needed, it shall be erased or disposed of in a secure manner. Hardcopies will be shredded, and electronic copies will be securely erased according to industry best practices.
- If personal information is required to be sent by fax transmission, the recipient must be informed in advance of the incoming fax and should be waiting at the fax machine to receive it.
- If personal information is to be shared in paper form, it should be physically handed directly to the recipient, or addressed as confidential to be opened by the addressee only.
- No personal information may be shared informally in any circumstances. If an employee, agent, contractor, or other party working on the Company’s behalf requires personal information that they do not have access to, such access must be formally requested.
- All physical copies of any personal information, along with electronic copies stored on removable media, must be stored securely in a locked box, drawer, filing cabinet, or similar container.
- No personal information shall be transferred to any employees, agents, contractors, or other parties, whether or not such parties are working on behalf of the Company, without the authorization of the Data Controller.
- Personal information must be handled securely at all times and must not be left unattended or on view to any unauthorized personnel at any time.
- If personal information is being viewed on a computer screen, the operator must lock the computer with a password before leaving it unattended at any time.
- All passwords used to protect personal information must be set and changed in accordance with the Company’s IT policy.
- No passwords may be written down or shared between any employee or party working on behalf of the Company under any circumstances, irrespective of seniority or department. In the event that a password is forgotten, it must be reset using the appropriate procedures.
- Where personal information retained by the Company is used for marketing purposes, all sales and marketing staff will perform appropriate checks to verify that no data subjects have added their details to any marketing preference or “opt-out” databases, including but not limited to the Telephone Preference Service, Mail Preference Service, and similar databases.
Organisational Safeguards and Measures
The Company must ensure that the following measures are taken regarding collection, retention, and processing of personal information:
- All employees, agents, contractors, or other parties working for or on behalf of the Company will be fully informed of both their individual responsibilities and the Company’s responsibilities under the GDPR and this Policy and will be provided with a copy of this Policy.
- Only personnel working for or on behalf of the Company that need access to, and use of, personal information in order to correctly carry out their assigned duties shall be given access to personal information held by the Company.
- All personnel working for or on behalf of the Company who handle personal information will be given the appropriate training for the safe and secure handling of such information and will be bound by contract to do so in keeping with the principles of the GDPR and this Policy.
- All personnel working for or on behalf of the Company who handle personal information will do so under appropriate supervision.
- The Company’s methods for collecting, retaining, and processing personal information will be regularly evaluated and reviewed.
- The performance of all personnel, organizations, and other entities working for and on behalf of the Company who handle personal information will be regularly evaluated and reviewed.
- All agents, contractors or other entities handling personal information on behalf of the Company must ensure that any and all of their employees who handle personal information are held to the conditions set out in this Policy and under the GDPR.
- If any agent, contractor or other third party handling personal information on behalf of the Company fails in its obligations under this Policy, that party shall indemnify and hold the Company harmless against any costs, liability, damages, loss, claims, or proceedings which may arise out of that failure.
Accountability
The Company shall keep written internal records of all data collected, held, and processed, incorporating the following information:
- The name and details of the Company, its designated data controller, and any third-party data controllers;
- The purposes for which the Company collects and processes personal information;
- Information about the categories of personal information collected, held, and processed by the Company; along with the categories of data subject to which the personal information in question relates;
- Details of any third parties that may receive transfers of personal information from the Company;
- Details of any personal information which is transferred to any non-EU approved country or territory, including all technical and organizational security measures in place;
- Details of how long the Company will retain personal information, or the criteria used to decide upon the deletion of said information;
- Detailed descriptions of all technical and organizational security measures the Company takes to ensure the safety and security of personal information
Privacy Impact Analysis
- A Privacy Impact Analysis shall be carried out by the Company when required under the GDPR, and elsewhere as the Company deems appropriate.
- All Privacy Impact Analyses shall be overseen by the Data Controller.
- Privacy Impact Analyses will address the following areas: o The threats and risk posed to individual data subjects;
- Threats and risks posed to the Company;
- Potential impacts of a data breach on the individual data subject(s);
- Potential impacts of a data breach on the Company;
- Details of risk mitigation/reduction measures and an evaluation of these measures.
The Rights of Data Subjects
The GDPR grants the following rights to data subjects:
- The right to be informed
- The right of access
- The right to rectification
- The right to restrict processing
- The right to data portability
- The right to object
- Rights regarding automated decision making and profiling
There are specific processes and documents which must be followed when a data subject requests to exercise their rights under the GDPR.
The Right to be Informed
The Company will provide the following information to a data subject when their personal information is collected:
- Details of the Company including the name and contact details of its Data Controller;
- The purpose for, and the legal basis upon which the Company is collecting and processing the data subject’s personal information;
- Where applicable, the legitimate interest(s) which the Company is using as a legal basis to process the data subject’s personal information;
- In cases where personal information is not obtained directly from the data subject, the source the data was obtained from and what specific information has been collected;
- Where personal information is to be transferred to a third party or parties, details of those third parties;
- Where personal information is to be transferred to a third party that is located outside of the EEA, details of the transfer including the technical and organizational measures in place to ensure the safety of the information being transferred;
- Details of how long the Company will retain personal information, or the criteria used to decide upon the deletion of said information;
- Details of the data subject’s rights under the GDPR;
- Details of the data subject’s right to complain to the ICO;
- Details of any legal or contractual requirement or obligation requiring the processing of personal information;
- Details of any automated decision-making which will take place using personal information, including profiling, along with information on how such decisions will be made, the significance of those decisions along with any consequences which may arise from any such decisions being made
Data Subject Access
- A data subject may make a subject access request (“SAR”) at any time in order to obtain more details about the personal information held by the Company about them.
- The Company is normally required to respond to a SAR within one month of receipt.
- In cases of complex and/or numerous requests, the Company may extend the response deadline by up to two months. In this case, the data subject must be informed of the need for such an extension.
- All SARs must be forwarded to the Company’s Data Controller.
- Handling of normal SARs is free of charge. The Company reserves the right to charge a reasonable administration fee for additional copies of information which has already been given to a data subject, or for requests which are unfounded or excessive, particularly in the case of repeated SARs.
Rectification of Personal Information
- In the event that a data subject informs the Company that personal information retained is inaccurate, incomplete, or otherwise requires rectification, the data in question will be rectified and the data subject will be informed of that rectification.
- Rectification of personal information must normally be completed, and the data subject notified of that completion, within one month of the Company originally receiving notice from the data subject.
- In the case of a complex request, the Company may extend the deadline for completion by up to two months. In this case, the data subject must be notified of the need for such an extension.
- All rectification requests must be forwarded to the Company’s Data Controller.
- In the event that any personal information affected by a rectification request has been disclosed to any third parties, those parties will also be informed of any rectification of personal information.
Deletion of Personal Information
- Data subjects may request that the Company deletes personal information retained about them, in the following circumstances: o The Company’s retention of the personal information in question is no longer necessary with respect to the original purpose for its collection or processing;
- The data subject objects to the Company retaining and processing their personal information, and there is no overriding legitimate interest to allow the Company to continue doing so;
- The personal information in question has been processed unlawfully;
- The personal information in question needs to be destroyed in order for the Company to comply with a legal obligation
- All data deletion requests must be forwarded to the Company’s Data Controller.
- Unless the Company has reasonable grounds for refusal, all data deletion requests will be completed, and the data subject informed of the deletion, within one month of receiving the original request.
- In the case of a complex request, the Company may extend the deadline for completion by up to two months. In this case, the data subject must be notified of the need for such an extension.
- In the event that any personal information affected by a deletion request has been disclosed to any third parties, those parties will also be notified of the deletion, except in cases where such notification would be impossible or would require disproportionate effort.
Restriction of Processing
- Data subjects may request that the Company cease processing personal information retained about them at any time.
- If such a request is made, the Company shall only retain the amount of personal information needed in order to prevent inadvertent future processing of the data subject in question’s personal information.
- All processing restriction requests must be forwarded to the Company’s Data Controller.
- In the event that any personal information affected by a processing restriction request has been disclosed to any third parties, those parties will also be notified of the restriction on processing, except in cases where such notification would be impossible or would require disproportionate effort.
Data Portability
- Data subjects have the legal right under the GDPR to receive a copy of their personal information at any time, and to use it for other purposes such as transmitting to other persons or organizations.
- All requests for data portability must be forwarded to the Company’s Data Controller.
- If requested to do so by a data subject, if technically feasible, personal information will be transmitted directly to the third-party data controller.
- All requests for portable copies of personal information will be completed within one month of the Company’s receipt of the original request.
- In the case of a complex request, or numerous requests, the Company may extend the deadline for completion by up to two months. In this case, the data subject must be notified of the need for such an extension.
Objections to Processing
- Data subjects have the right to object to the Company’s processing of their personal information based on legitimate interests, including profiling and direct marketing.
- All objections to processing must be forwarded to the Company’s Data Controller.
- If a data subject objects to the Company’s processing of their personal information based on legitimate interests, the Company shall cease such processing immediately unless it can be demonstrated that the Company’s legitimate grounds for processing override the data subject’s interests and rights, or the processing is necessary for legal reasons.
- If a data subject objects to the Company’s processing of their personal information for direct marketing purposes, the Company shall cease such processing immediately.
Automated Decision Making
- The Company may use personal information for the purposes of automated decision-making.
- In the event that those decisions have a legal (or similarly significant) effect on data subjects, data subjects have the right to challenge those decisions under the GDPR.
- Such a challenge may comprise the data subject requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.
- This right does not apply in the following circumstances: o The decision is necessary for the entry into, or execution of, a contract between the Company and the data subject;
- The decision is authorized by law;
- The data subject has given their explicit consent.
Profiling
In cases where the Company uses personal information for the purposes of profiling, the following will apply:
- Data subjects will be provided with clear information explaining the profiling, including its significance and likely consequences;
- Appropriate statistical or mathematical procedures will be implemented;
- The Company will implement appropriate technical and organizational measures in order to minimize the risk of errors, and to enable such errors to be easily corrected;
- All personal information processed for the purposes of profiling will be secured in order to prevent discriminatory effects resulting from profiling. For more details on data security see parts 8 and 9.
Transfer of Personal Information Outside the EEA
- The Company may on occasion have cause to transfer personal information to countries outside of the European Economic Area (“EEA”).
- Transfers of personal information to a country outside of the EEA will only take place if one or more of the following conditions applies: o The transfer is to a country, territory, or one or more specific sectors in that country (or international organization) that the European Commission has determined ensures an appropriate level of protection and security for personal information;
- The transfer is to a country, or international organization, which provides appropriate protection in the form of a legally binding agreement between public authorities, binding corporate rules, standard data protection clauses adopted by the European Commission, compliance with an approved code of conduct approved by a supervisory authority (e.g. the ICO), or similar appropriate measures;
- The information in question is transferred with the informed consent of the relevant data subject(s);
- The transfer of information is necessary for the execution of a contract between the data subject and the Company, or for pre-contract steps taken at the request of the data subject;
- The transfer of information is necessary in the public interest;
- The transfer of information is necessary for the conduct of legal claims;
- The transfer of information is necessary in order to protect the vital interests of the data subject or another natural person, e.g. in the case of a medical emergency or similar situation;
- The information being transferred is otherwise publicly available.
Data Breach Notification
All personal information breaches, or suspected breaches, must be reported immediately to the Company’s Data Controller.
- If a breach of personal information occurs and that breach is likely to result in a risk to the rights of data subjects (e.g. breach of confidentiality, financial loss, discrimination, reputational damage, or other significant economic or social damage), the Data Controller must ensure that the ICO is informed of the breach without delay.
- In any event, the Data Controller must inform the ICO of any data breach within 72 hours of having become aware of it.
- In the event that a personal information breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Controller must ensure that all affected data subjects are identified and informed of the breach directly and without undue delay.
- Data breach notifications shall include the following information: o The categories and approximate number of data subjects affected by the breach;
- The categories and approximate number of personal information records affected by the breach;
- The name and contact details of the Company’s Data Controller, or another contact point where more information can be obtained;
- A description of the likely consequences of the breach;
- Details of steps taken, or proposed to be taken, by the Company in order to address the breach including, where appropriate, steps taken to mitigate any possible adverse effects.
- There are specific processes and documentation which must be followed in the event of a data breach.
Cookies used on this website
Name | Cookie name | Provider | Type | Purpose | Description |
---|---|---|---|---|---|
Laravel Cross Script Reference | XSRF-TOKEN | * | First party | Necessary | This cookie is provided by the Laravel framework in order to prevent the cross-scripting attacks. |
Laravel Session | laravel_session | * | First party | Necessary | This cookie is provided by the Laravel framework in order to handle sessions. |
Google Analytics Universal Tracking Limiter | UA-5364549-2 | Google Analytics | Third party | Analytics | This cookie is used to limit the amount of data recorded by Google on high traffic volume websites. |
Google Analytics ID | _gid | Google Analytics | Third party | Analytics | This cookie is created by Google Analytics as an id to track for analytics purposes. |
Google Analytics Assignation | _ga | Google Analytics | Third party | Analytics | This cookie name is associated with Google Universal Analytics – which is a significant update to Google’s more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default, it is set to expire after 2 years, although this is customisable by website owners. |