GDPR Policy
Effective Date: 1st January 2024
Review Date: 1st January 2025
Introduction
One Way or Another Limited is committed to protecting the personal data of all individuals we work with, including job applicants, employees, contractors, and clients. This policy outlines our approach to data protection in compliance with the General Data Protection Regulation (GDPR) and ensures that personal information is handled lawfully and correctly.
Definitions
Personal Data: Any information relating to an identifiable person who can be directly or indirectly identified from that information (e.g., name, identification number).
Special Categories of Personal Data: Data concerning health, race, ethnic origin, political opinions, religious beliefs, sexual orientation, etc.
Data Processing: Any operation performed on personal data, such as collection, storage, use, and destruction.
Data Protection Principles
We adhere to the following principles when processing personal data:
Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully and transparently.
Purpose Limitation: Data will be collected for specified legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimization: Only data necessary for processing will be collected.
Accuracy: We will take reasonable steps to ensure personal data is accurate and kept up to date.
Storage Limitation: Personal data will not be kept longer than necessary for its intended purpose.
Integrity and Confidentiality: Personal data will be processed securely to protect against unauthorized access or processing.
Accountability: We are responsible for demonstrating compliance with these principles.
Types of Data Held
We collect and process various categories of personal data, including:
Personal details (name, address, contact information)
Recruitment-related information (CVs, references)
Employment-related information (job title, salary, performance records)
Financial information (bank details for payroll)
Health-related data (as necessary for employment)
Employee Rights
Individuals have the following rights regarding their personal data:
The right to be informed about how their data is used.
The right of access to their personal data.
The right to rectification of inaccurate data.
The right to erasure of their personal data in certain circumstances.
The right to restrict processing of their personal data.
The right to portability of their personal data.
The right to object to processing.
The right not to be subject to automated decision-making.
Responsibilities
All employees who process personal data are required to comply with this policy and attend training on GDPR compliance. Our designated Data Protection Officer (DPO) is Keeley Anthony ([email protected]), responsible for overseeing compliance with this policy.
Lawful Bases for Processing
We process personal data based on one or more lawful bases under GDPR:
Consent: When individuals have given clear consent for us to process their personal data for a specific purpose.
Contractual necessity: When processing is necessary for the performance of a contract with the individual.
Legal obligation: When processing is necessary for compliance with a legal obligation.
Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access or loss. This includes:
Secure storage of physical records in locked cabinets.
Use of encryption and password protection for electronic records.
Regular training for employees on data protection practices.
Data Breach Notification
In the event of a data breach, we will follow our breach notification procedure:
Record the breach in our Data Breach Register.
Notify the Information Commissioner’s Office (ICO) within 72 hours if required.
Inform affected individuals if there is a high risk to their rights and freedoms.
Third-Party Processing
When engaging third parties to process personal data on our behalf, we ensure that they adhere to similar standards of data protection through a formal Data Processing Agreement.
International Data Transfers
One Way or Another Limited does not transfer personal data outside the European Economic Area (EEA).
Training
All employees must read this policy as part of their induction process and participate in ongoing training regarding GDPR compliance.
Records
We maintain records of our processing activities as required by GDPR, including purposes of processing and retention periods.