Business Computer Projects Limited (BCP) is committed to protecting the rights and freedoms of individuals (data subjects). This policy sets out how BCP securely processes their data in accordance with the General Data Protection Regulation (GDPR) 2018.
1. Data processing
For the purpose of this policy, ‘Data processing’ means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Records of processing activities
Based on GDPR Article 30(5), BCP is not under any obligation to keep a record of processing activities because the company has fewer than 250 employees, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional (for example regularly processing data regarding its employees), the processing includes special categories of data as referred to in Article 9(1) or the personal data relates to criminal convictions and offences referred to in Article 10.
3. Personal data
‘Personal data’ means any information relating to an individual who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or specific physical, physiological, genetic, mental, economic, cultural or social identity.
BCP hold personal data about employees, customers, suppliers and other individuals for a variety of business purposes. This data may include:
• Job title
• Business address and telephone number
• Business email address
• Mobile phone number
• Usage and preferences for any of BCP’s websites
• Home address and contact details (BCP employees only)
• Educational background (BCP employees only)
• Financial and pay details (BCP employees only)
• Details of certificates and diplomas, skills (BCP employees only)
• Marital status, nationality (BCP employees only)
• Special categories of data* (BCP employees only)
* Special categories of data (formerly known as sensitive personal data) include information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information — any use of special categories of personal data will be strictly controlled in accordance with this policy.
4. Legitimate Interests
Based on GDPR Article 6(1), BCP will process the personal data of its employees, suppliers, customers and prospective customers based on a number of legitimate business interests if consent has not already been granted. These interests include:
• Providing personalised products and services to existing customers.
• The direct marketing of news, products, special offers or other information to individuals at relevant businesses who would directly benefit from using BCP products and services (based on Recital 47). BCP classify ‘relevant businesses’ as wholesalers, distributors, logistic providers and foodservice businesses across the UK and Ireland.
• Market research.
• Customising the website according to an individual user’s interests.
• Operational reasons, such as recording transactions, quality control, investigating complaints, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking.
• HR reasons, such as employee development, assessment and training, monitoring employee conduct, ensuring business policies are adhered to, checking references, managing employee access to systems, employee absences, and disciplinary matters.
• Compliance with any other legal, regulatory and corporate governance obligations and good practice.
To ensure compliance with GDPR Article 5(2) BCP has undertaken a ‘Legitimate Interest Assessment’ for both prospects and customers to ensure the privacy rights of these individuals have been given due consideration.
5. Compliance with the GDPR Principles
BCP make every effort possible to comply with the principles of data protection outlined in the EU General Data Protection Regulation. These principles are:
Lawfulness, fairness and transparency
BCP only processes personal data where we have been given consent from an individual to do so or BCP has a legitimate business interest for collecting and using the personal data (see section 4).
BCP only obtain personal data for the specified and lawful purposes below. Personal data shall not be further processed in any manner incompatible with these purposes:
- The processing of personal data is necessary for BCP to fulfil or prepare a contract with a client.
- BCP has a legal obligation to process the data, excluding a contract.
- Processing the data is necessary to protect an employee or customer or in a medical situation.
- The processing is necessary for BCP to achieve a legitimate business interest. (See section 4)
BCP does not process personal data for any unconnected purpose other than for the legitimate business interests for which the data was obtained (see section 4), unless the individual concerned has agreed to this or would otherwise reasonably expect it. BCP only ask for a sufficient amount of personal information needed for the purpose for which the data is required.
BCP employees must rectify any inaccurate information as soon as possible, or inform the relevant person so that they can do so. When informed about any changes to an individual’s personal data, BCP employees update all relevant databases as soon as possible and confirm to the individual that the changes have been made. Any bounces or unsubscribes BCP receive are updated in the CRM database before any further processing can take place. BCP continually review their data to ensure any errors or out-of-date information are identified and rectified.
Unless required by law to retain records for a certain period of time, BCP update, archive or securely delete any information that is out of date.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Integrity and Confidentiality
BCP has a range of processes in place to ensure personal data is secure against loss or misuse:
• Lockable desk drawers and other storage means are available so BCP employees can secure printed paper to ensure unauthorised personnel cannot access it.
• Shredders are available for when paper documents are no longer needed.
• BCP employees are prompted to create strong passwords and to change them regularly.
• Laptops are password protected and BCP employees must lock them away securely when they are not being used.
• Servers containing personal data are kept in a secure location, away from general office spaces.
• Data is regularly backed up in line with the company’s backup procedures.
• All servers containing sensitive data are protected by security software.
• All possible technical measures are in place to keep data secure.
International Data Processing
BCP does not process any personal data overseas and does not disclose any personal information to overseas third parties.
6. Rights of individuals
Individuals have rights to their data which BCP must respect and comply with to the best of their ability. BCP will ensure individuals can exercise their rights in the following ways:
Right to be informed
We have a privacy notice on our website which is concise, transparent, easily accessible and free of charge. We keep a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
Right of access
Individuals are able to access their personal data and supplementary information with a written request. We will supply an individual with a copy of the information they requested, free of charge, within one month. We can refuse to respond to certain requests and, where a request is manifestly unfounded or excessive, can charge a fee. If the request is for a large quantity of data, we can ask the individual to specify the information they are requesting.
Right to rectification
We will rectify or amend personal data within one month of receiving a written request.
Right to erasure
We will delete or remove an individual’s data if we receive a written request and there is no compelling reason for its continued processing. If personal data that needs to be erased has been passed on to other parties or recipients, they must be contacted and informed of their obligation to erase the data. If the individual asks, we must inform them of those recipients.
Right to restrict processing
We will comply with any request to unsubscribe, restrict, block, or otherwise suppress the processing of personal data. If we are permitted to store personal data that has been restricted, but cannot process it further, we will retain enough data to ensure the right to restriction is respected in the future.
Right to data portability
We will provide individuals with their data so that they can reuse it for their own purposes or across different services. We will provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.
Right to object
We will respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task. We will respect the right of an individual to object to direct marketing, including profiling. We will respect the right of an individual to object to processing their data for scientific and historical research and statistics.
Rights in relation to automated decision making and profiling
We will respect the rights of individuals in relation to automated decision making and profiling. Individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.
7. Third-party data
BCP acknowledges its responsibilities as a data processor under GDPR and will protect and respect the rights of data subjects. BCP requires written and signed non-disclosure agreements (NDA) from any third-party data providers and will only act on the documented instructions of a data provider. When using third-party data, BCP will comply with the terms that specify the duration of the processing, the nature and stated purpose of the processing activities, the types of personal data and categories of data subject used. BCP will also comply with the obligations and rights of the controller, including deleting or returning all personal data at the end of the contract.
8. Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject. BCP cannot keep a comprehensive register of criminal offence data. All data relating to criminal offences are considered to be a special category of personal data and will be treated as such.