GENERAL DATA PROTECTION REGULATION – POLICY
The EU General Data Protection Regulation (GDPR) has the aim of harmonising data protection and processing laws across the European Union and giving individuals stronger rights of access and control of their personal data.
Bell Plastics :td (the Company) will continue to ensure the security and protection of personal data which is held within the Company. Accordingly it will comply with the provisions of GDPR where it applies to the Company in a manner, which is appropriate and proportionate to the size, type and geography of its business, and in particular it will process and protect personal data in accordance with the responsibilities and principles set out in GDPR.
GDPR will apply to the Company, as in the course of its business the Company will process data relating to individuals, which is personal to those individuals. GDPR describes such data as Personal Data and such individuals as Data Subjects.
In compliance with the provisions of GDPR, the Company will accordingly adhere to the following data protection principles:
- process Personal Data lawfully, fairly and in a transparent manner;
- collectPersonal Data for specified, explicit and legitimate purposes and will not process it in a manner that is incompatible with those purposes;
- only process Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which the Data has been processed;
- ensure that Personal Data is accurate and, where necessary, kept up to date;
- keep Personal Data in a form which permits identification of the Data Subject for no longer than is necessary for the purposes for which the Data has been processed; and
- retain Personal Data in an appropriately secure mannerwhich will include its protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The Company is also committed to ensuring that the rights of the Data Subject about whom Personal Data is held will be fully upheld, including in particular the rights to:
- know that Data is being processed;
- access the Data;
- object to or restrict processing of the Data; and
- correct, rectify, block or erase any Data, which is wrong.
The Company recognises that Personal Data can only be processed on a lawful basis and accordingly its policy will be to determine such lawful basis before it does so and will document this.
GDPR sets out examples of lawful bases for processing Personal Data and these include in particular where processing:
- has been consented to by the Data Subject;
- is necessary for the performance of a contract with the Data Subject or for taking steps to enter into a contract;
- is necessary for compliance with a legal obligation;
- is necessary for the purposes of legitimate interests pursued by the controller or a relevant third party, except where the law requires such interests to be overridden by the interests, rights or freedoms of the Data Subject.
The Company will consider how long it intends to store information containing Personal Data and determine the criteria for doing so. After expiry of the retention period, unless there is a sound business reason to retain them beyond this period, the records containing Personal Data will be disposed of securely and destroyed effectively.
The Company’s employees are required to adhere to this policy and other policies of confidentiality of the Company, together with any instructions which may be given from time to time by Peter Martin, the Company’s Data Protection Compliance Manager, so that the integrity, confidentiality and security of the Personal Data which the Company processes and to which its employees may have access is protected.
Employees are also required to take particular care with regard to protecting special categories of Personal Data and criminal records data.
The Company and its employees must:
- only accessPersonal Data that they are permitted to access and only for authorised purposes;
- not allow any other person (including other Company staff) to access Personal Data unless the employee knows that they have the appropriate permissions;
- keep Personal Data secure (for example by complying with rules on access to premises), computer access, password protection, encryption and secure file storage and destruction)
- not remove Personal Data (including Personal Data in files), or devices containing Personal Data (or which can be used to access it), from the Company’s premises unless appropriate security measures are in place (such as encryption or password protection) to secure the information and the device;
- not store Personal Data on local drives or on personal devices that are used for work purposes.
The Company may be legally required to share Personal Data with other bodies or agencies, such as government or other official bodies, in some of the circumstances set out above and where prior consent may not have been given beforehand by the Data Subject.
Subject to such exceptions and any other relevant provisions of GDPR, the Company will not disclose Personal Data to any unauthorised persons or third parties.
8. ADDITIONAL INFORMATION
Policy Operational Date: 25 May 2018
Preparation of Policy: prepared by Nick Ball, Group Finance Director and Data Protection Compliance Leader for the Plastics Capital Group, and Peter Martin, Finance Manager and Data Protection Compliance Manager of the Company.
Approval of Policy: approved respectively by the board of Plastics Capital plc, the ultimate parent company of the Company, and the board of the Company following consultation with the senior management of the Company.
Policy Review Date: 25 May 2021