Commercial Waste Connections Ltd is committed to a policy of protecting the rights and privacy of individuals, including customers and others, in accordance with the General Data Protection Regulation (GDPR) May 2018.
The new regulatory environment demands higher transparency and accountability in how companies manage and use personal data. It also accords new and stronger rights for individuals to understand and control that use.
The GDPR contains provisions that the company will need to be aware of as data controllers, including provisions intended to enhance the protection of people’s personal data. Foe example, the GDPR requires that: We must ensure that our privacy notices are written in a clear, plain way that people can understand. Commercial Waste Connections Ltd needs to process certain information about its customers and other individuals with whom it has a relationship for various purposes such as, but not limited to;
To comply with various legal obligations, including the obligations imposed on it by the General Data Protection Regulation (GDPR), Commercial Waste Connections Ltd must ensure that all this information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
This policy applies to all customers and other people we may encounter whilst fulfilling our duties. Any breach of this policy or of the Regulation itself will be considered an offence and the companies’ disciplinary procedures will be invoked. As a matter of best practise, other organisations and individuals working with Commercial Waste Connections Ltd and who have access to personal information, will be expected to read and comply with this policy. It is expected that departments who are responsible for dealing with external bodies will take the responsibility for ensuring that such bodies sign a contract which among other things will include an agreement to abide by this policy.
This policy will be updated as necessary to reflect best practise in data management, security, and control and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation.
General Data Protection Regulation (GDPR)
This piece of legislation comes into force on the 25th May 2018. The GDPR regulates the processing of personal data and protects the rights and privacy of all living individuals (including children), for example by giving all individuals who are the subject of personal data a general right of access to the personal data which relates to them. Individuals can exercise the right to gain access to their information by means of a ‘subject access request’. Personal data is information relating to an individual and may be in hard or soft copy (paper/manual files; photographs; CCTV images) and may include facts or opinions about a person.
Responsibilities Under the General Data Protection Regulation (GDPR)
The Managing Director is responsible for all day-to-day protection matters and will be responsible for ensuring that all members of staff and relevant individuals abide by this policy, and for developing and encouraging good information handling within the company.
Compliance with the legislation is the personal responsibility of all employees of the company who process personal information. Individuals who provide personal data to the Company are responsible for ensuring that the information is accurate and up-to-date.
Data Protection Principles
The legislation places a responsibility on every data controller to process any personal data in accordance with the eight principles. More detailed guidance on how to comply with these principles can be found on the ICO’s website (www.ico.gov.uk). In order to comply with its obligations, Commercial Waste Connections Ltd undertakes to adhere to the eight principles:
1. Process Personal Data Fairly and Lawfully
The GDPR requires us to process personal data fairly and lawfully. We collect and process data to enable us to provide a service to our customers. Commercial Waste Connections Ltd will make all reasonable efforts to ensure that individuals who are the focus of the personal data (data subjects) are given an indication of the period for which the data will be kept, and any other information which may be relevant.
2. Purpose Limitations
Commercial Waste Connections Ltd will ensure that the reason for which it collected the data originally is the only reason for which it processes that data, unless the individual is informed of any additional processing before it takes place.
3. Data Minimisation
Commercial Waste Connections Ltd will not seek to collect any personal data which is not strictly necessary for which it was obtained. Forms for collecting data will always be drafted with this in mind. If any irrelevant data is given by individuals, this will be destroyed immediately.
Commercial Waste Connections Ltd will review and update all data on a regular basis. It is the responsibility of the individuals giving their personal data to ensure that this is accurate, and each individual should notify the company if, for example, a change in circumstances means that the data needs to be updated. It is the responsibility of Commercial Waste Connections Ltd to ensure that any notification regarding the change is noted and acted on.
5. Storage Limitations
Commercial Waste Connections Ltd undertakes not to retain personal data for longer than is necessary, to ensure compliance with the legislation and any other statutory requirements. This means that Commercial Waste Connections Ltd will undertake a regular review of the information held for as long as necessary.
Commercial Waste Connections Ltd will dispose of any personal data in a way that protects the rights and privacy of the individuals concerned (e.g. secure electronic deletion, shredding and disposal of hard copy files as confidential waste).
6. Integrity and Confidentiality
Individuals have various rights under the legislation including a right to:
Request that the Office of the Information Commissioner assess whether any provision of the Act has been contravened.
Commercial Waste Connections Ltd will only process personal data in accordance with the individuals’ rights.
All members of staff are responsible for ensuring that any personal data which they hold is kept securely and not disclosed to any unauthorised third parties.
Commercial Waste Connections Ltd will ensure that all personal data is accessible only to those who have a valid reason for using it.
Commercial Waste Connections Ltd will have in place, appropriate security measures e.g. insuring that hard copy personal data is kept in lockable filing cabinets/cupboards with controlled access (with the keys then held securely in a key cabinet with controlled access):
In addition, Commercial Waste Connections Ltd will put in place appropriate measures for the deletion of personal data – manual records will be shredded or disposed of as confidential waste and appropriate contract terms will be put in place with any third parties undertaking this work. Hard drives of redundant PC’s will be wiped clean before disposal or if that is not possible, destroyed physically.
This policy also applies to staff who process personal data offsite e.g. when working from home or at a customer’s premises, additional care must be taken regarding the security of the data.
8. Ensure that no personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Consent as a Basis for Processing
Although it is not always necessary to gain consent from individuals before processing their data, it is often the best way to ensure that data is collected and processed in an open and transparent manner.
Commercial Waste Connections Ltd does not have a requirement to process any sensitive data as defined by the legislation.
Commercial Waste Connections Ltd understands consent to mean that the individual has been fully informed of the intended processing and has signified their agreement (e.g. via an account application form/service agreement).
Commercial Waste Connections Ltd endeavours to contact each customer for whom we hold personal data to request consent moving forward. However due to the nature of our work. We have a responsibility to remind our customers of upcoming collections, services, legislative updates and addendums to annual waste transfer notes, therefore if responses to the requests have not been received, the data will be kept until the next scheduled contact where we will attempt to obtain consent again.
Subject Access Requests
Individuals have a right to access any personal data relating to them which are held by the company. Any individual wishing to exercise this right should apply in writing to the Data Controller. Any member of staff receiving a subject access request should forward this to the Data Controller.
Under the terms of the legislation, any such requests must be complied with within one month and must be available free of charge.
Any disclosure of data must be sent in a commonly used format such as PDF, Excel or Word format. Alternatively, the hard copies can be sent in the post.
Disclosure of Data to Third Parties
Commercial Waste Connections Ltd will not disclose any personal data to third parties for any marketing purposes what so ever.
Commercial Waste Connections Ltd may disclose personal information to selected organisations for the sole purpose of fulfilling the obligations of the service we provide e.g. sub-contractors who will be required to carry out work on behalf of Commercial Waste Connections Ltd or suppliers who will be required to ship goods direct to the customer.
If required by law, Commercial Waste Connections Ltd may disclose any or all personal data to the police or any government agency requiring it.
Procedure for Review
This policy will be updated as necessary to reflect best practise or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and Data Protection Act 1998.
Please follow this link to the ICO’s website (www.ico.gov.uk) which provides further detailed guidance on a range of topics including individual’s rights, exemptions from the Act, dealing with subject access requests, how to handle requests from third parties for personal data to be disclosed etc.
You may find it helpful to read the Guide to Data Protection which is available from the website.
Our data protection registration number is ZA379677.