Data Protection Policy
At Zenrec (hereafter referred to as ‘the Company’), we collect and process information about individuals (i.e. ‘personal data’) for business purposes, including employment administration, provision of our services, marketing, and business administration. This includes personal data relating to our staff, clients, suppliers and other third parties.
Compliance with data protection law is essential to ensure that personal data remains safe, our business operations are secure and the rights of individuals are respected. The Company is a controller under data protection law, meaning it decides how and why it uses personal data. This Policy explains our procedures for complying with data protection law in relation to personal data. It also sets out your obligations whenever you are processing any personal data in the course of your employment.
This Policy does not give contractual rights to any Employees. It may be updated at any time.
Who is responsible for data protection at Zenrec?
All Employees at the Company have some responsibility for ensuring that personal data is kept secure and processed in a lawful manner, although certain Employees will have particular responsibilities, of which they will be aware and in respect of which they may receive specific instructions.
What is personal data?
Personal data means any information relating to any living individual (also known as a ‘data subject’) who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). Relevant individuals can include your colleagues, consumers, members of the public, business contacts, etc. Personal data can be factual (e.g. contact details or date of birth), an opinion about a person's actions or behaviour, or information that may otherwise impact on that individual. It can be personal or business related.
Personal data may be automated (e.g. electronic records such as computer files or in emails) or in manual records which are part of a filing system or are intended to form part of a filing system (e.g. structured paper files and archives).
Data Protection Obligations
The Company is responsible for and must be able to demonstrate compliance with data protection law. To ensure that the Company meets its responsibilities, it is essential that its Employees comply with data protection law and any other Company policies, guidelines or instructions relating to personal data when processing personal data in the course of their employment.
We have set out below the key obligations under data protection law and details of how the Company expects Employees to comply with these requirements.
- Process personal data in a fair, lawful and transparent manner
Legal grounds for processing
Data protection law allows us to process personal data only where there are fair and legal grounds which justify using the information.
Examples of legal grounds for processing personal data include the following (at least one of these must be satisfied for each processing activity):
- complying with a legal obligation (e.g. health and safety or tax laws);
- entering into or performing a contract with the individual (e.g. an Employee's terms and conditions of employment, or a contract for services with an individual customer);
- acting in the Company’s or a third party’s legitimate interests (e.g. maintaining records of business activities, monitoring business productivity); and
- obtaining the consent of the individual (e.g. for sending direct marketing communications).
Data protection law also requires us to process personal data in a transparent manner by providing individuals with appropriate, clear and concise information about how we process their personal data.
We usually provide individuals with basic information about how we use their data on forms which collect data (such as application forms or website forms), and in longer privacy notices setting out details including: the types of personal data that we hold about them, how we use it, our legal grounds for processing the information, who we might share it with and how long we keep it for.
We supplement these notices, where appropriate, with reminders or additional information at the time particular processing activities take place or become relevant for an individual (for example when they sign up for a new service or event).
- Take extra care when handling sensitive or special categories of personal data
Some categories of personal data are ‘special’ because they are particularly sensitive. These include information that reveals details of an individual’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- physical or mental health;
- sexual life or sexual orientation;
- biometric or genetic data (if used to identify that individual); and
- criminal offences or convictions.
- Only process personal data for specified, explicit and legitimate purposes
- Make sure that personal data is adequate, relevant and limited to what is necessary for your legitimate purposes
- Keep personal data accurate and (where necessary) up-to-date
- Keep personal data for no longer than is necessary for the identified purposes
- Take appropriate steps to keep personal data secure
- Take extra care when sharing or disclosing personal data
- Do not transfer personal data to another country unless there are appropriate safeguards in place
- Report any data protection breaches without delay
Individual Rights and Requests
Under data protection law, individuals have certain rights when it comes to how we handle their personal data. For example, an individual has the following rights:
- The right to make a ‘subject access request’. This entitles an individual to receive a copy of the personal data we hold about them, together with information about how and why we process it and other rights which they have. This enables them, for example, to check we are lawfully processing their data and to correct any inaccuracies.
- The right to request that we correct incomplete or inaccurate personal data that we hold about them.
- The right to withdraw any consent which they have given.
- The right to request that we delete or remove personal data that we hold about them where there is no good reason for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal data where they have exercised their right to object to processing.
- The right to object to our processing of their personal data for direct marketing purposes, or where we are relying on our legitimate interests (or those of a third party), where we cannot show a compelling reason to continue the processing.
- The right to request that we restrict our processing of their personal data. This enables individuals to ask us to suspend the processing of personal data about them, for example if they want us to establish its accuracy or the reason for processing it.
- The right to request that we transfer to them or another party, in a structured format, their personal data which they have provided to us (also known as the right to ‘data portability’). The applicability of this right depends on the legal grounds on which we process it.
- The right to challenge a decision based solely on profiling/automated processing, to obtain human intervention, and to express their point of view.