Data Protection Policy & Procedure
Base Solutions Limited takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) 2018 very seriously. This policy sets out how the company manages those responsibilities.
Base Solutions obtains, uses, stores and otherwise processes personal data relating to:
When processing personal data, Base Solutions is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation, such as the Data Protection Act 2018.
This policy therefore seeks to ensure that we:
1. Are clear about how personal data must be processed and the Company’s expectations for all those who process personal data on its behalf.
2. Comply with the Data Protection Act and with good practice.
3. Protect the Company’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights.
4. Protect the Company from risks of personal data breaches and other breaches of data protection law.
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. paper, computer or other electronic media) and regardless of the data subject. All staff processing personal data on the Company’s behalf must comply with this policy; non-compliance may result in disciplinary action.
The Quality Director is responsible for ensuring adherence to this policy and will implement appropriate practices, processes, controls and training to ensure compliance.
The Quality Director can be contacted at 020 3763 6162.
When processing personal data, we are guided by the following principles, which are set out in the GDPR.
Those principles require personal data to be:
1. Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
2. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
3. Accurate and where necessary kept up to date.
4. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed.
5. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Data Subjects’ Rights
Data subjects have rights in relation to the way we handle their personal data. These include the following rights:
1. Where the legal basis of our processing is Consent, to withdraw that Consent at any time.
2. To ask for access to the personal data that we hold.
3. To prevent our use of the personal data for direct marketing purposes.
4. To object to our processing of personal data in limited circumstances.
5. To ask us to erase personal data without delay:
• If it is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
• If the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data.
• If the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest.
• If the data subject has objected to our processing for direct marketing purposes.
• If the processing is unlawful.
6. To ask us to rectify inaccurate data or to complete incomplete data.
7. To restrict processing in specific circumstances, e.g. where there is a complaint about accuracy.
8. To prevent processing that is likely to cause damage or distress to the data subject or anyone else.
We will verify the identity of an individual or organisation requesting data under any of the rights listed.
Base Solutions have implemented appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. It is the Company’s responsibility to be able to demonstrate compliance with the data protection principles if required.
We have therefore applied adequate resources and controls to ensure and document GDPR compliance, including:
1. Integrating data protection into our policies and procedures, in the way personal data is handled by us.
2. Training staff on compliance with our internal procedures and keeping a record accordingly.
3. Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of that testing to demonstrate our compliance improvement efforts.
Staff members who process personal data about clients and customers or any other individual must comply with the requirements of this policy. Staff members must ensure that:
1. All personal data is kept securely. All computers are password protected and protected by firewalls; hard copies are kept in locked cabinets to which only authorised staff have access.
2. No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party.
3. Personal data is kept in accordance with the Company’s retention schedule.
4. Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Quality Director.
5. Where there is uncertainty around a data protection matter, advice is sought from the Quality Director.
Staff who are unsure which third parties are authorised to receive personal data should seek advice from the Quality or Health & Safety Directors.
Third-Party Data Processors
Where external companies are used to process personal data on behalf of Base Solutions, responsibility for the security and appropriate use of that data remains with Base Solutions. However, the data processor must provide sufficient guarantees that its security measures protect the personal data it processes.
If you know or suspect that a personal data breach has occurred, you should immediately contact the Quality Director on 020 3763 6162.
The GDPR requires us to keep full and accurate records of all our data processing activities. We will keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ Consents where Consent is the legal basis of processing.
Sharing Personal Data
Some bodies have a statutory power to obtain information (e.g. the Health and Safety Executive); we would, however, seek confirmation of any such power before disclosing personal data in response to a request.
Additionally, data may be shared with regulatory bodies to ensure client and customer compliance with industry requirements.
This document will be reviewed regularly and amended as necessary to ensure it is fit for purpose.
Approval
Approved by the Directors of Base Solutions, 31 January 2020.