Information for Customers and Suppliers:
The purpose of this page is to outline our approach to our Data Processing activities. We’ve also included an overview of our Supplier Evaluation Process in this section, as this allows you to see how our compliance in Data Processing is encompassed in a wider supplier management process.
Additionally, a Data Protection Code of Conduct is in place for all suppliers working with Fleet Operations which sets out the expectations around data protection.
We gather information about individuals from a variety of sources. This could be:
- from notifications received from our customers about new starters, leavers or changes to their employees;
- directly from an individual, for example: driver licence details;
- from our supply chain, for example: driver (or nominated driver) information relating to an accident or breakdown incident, including that of third parties;
- from other sources, for example: a legal authority (e.g. DVLA, Police, HMRC etc.) as part of an investigation or audit.
In order to transfer Personal Information, Fleet Operations must have a Data Processing Contract in place with either the customer or the supplier.
In all cases, and whatever the origin of the data, we aim to uphold extremely high standards of data protection and are committed to maintaining our ISO:27001 Information Security accreditation.
Data Processing Contracts, Our Approach
Because of the high volume of connections between our customers, Fleet Operations, and our supply chain, we have taken an approach that confers the conditions relating to Data Processing across the supply chain.
- Customer contracts contain ‘model’ data processing clauses that are replicated in supplier data processing contracts.
- Supplier data processing contracts contain the same ‘model’ clauses, and these are also conferred in full on any secondary suppliers.
Where a contract cannot be established between Fleet Operations and a Third Party Supplier, data will be provided in an anonymised format. That is to say that where Fleet Operations would typically provide the information about a driver or employee, this information will be anonymised in full and the supplier will have no visibility of the driver or their details. This is because data cannot be transferred for processing without a Data Processing Contract being in place.
In these circumstances, Fleet Operations will act as a liaison point between the Third Party Supplier and the Data Subject or Customer (as appropriate). Clearly this may impact the delivery of effective customer service, and so we are always keen to establish the right Data Processing Contracts and safeguards wherever possible.
In all cases only the minimum amount of data required by each party is shared in line with the terms of the Data Processing Contract.
Information about our Data Processing and Retention Periods for our Customers and Suppliers is available on request.
Information on retention periods for suppliers:
Each supplier may determine their own retention periods for the data based on their assessment of audit and record keeping requirements. However, they must not retain information for longer than is necessary; for longer than the retention periods outlined below; for longer than is stated in a Data Processing Contract; or use the information for anything other than the activity stated in the data processing contract. To keep the requirements simple to follow, we have categorised data transfers into two groups, with corresponding retention periods.
Fleet Operations Limited expects data to be retained for no longer than the following periods of time:
- For any processing activity to provide support for a ‘one off’ event such as a vehicle breakdown, accident or repair: retention is defined as ‘12 months following the date of the transfer’ (to allow for billing/audit etc. to be completed on an annual cycle).
- For any processing activity required for the duration of an asset or the provision of services to an individual (e.g. the provision of a vehicle on lease or rental contract, or driver training): retention is defined as ‘for the duration of the contract, plus a maximum of seven years for audit and HMRC compliance purposes’.
After these time periods, data must be securely destroyed in line with the terms of the Supplier Data Processing Contract in place. Other terms and conditions may apply, such as those pertaining to requests from Data Subjects or the Data Controller.
As a supplier, you will know whether you are providing a service as a ‘one off’ event or as part of a longer relationship with a driver or an asset. If you are in any doubt as to the retention period you should follow, please contact firstname.lastname@example.org
Processing, Personal Data and Data Subjects
Each of our Data Processing Contracts will contain the following information.
- Processing by the Data Processor
This sets out why the data is being processed, and that the data will only be processed in line with written instructions.
This sets out the kind of services that the Data Processor offers. In the case of Fleet Operations it will generally be connected to the provision of Fleet Management. In the case of a third-party supplier, it will detail the nature of their services (e.g. Breakdown provision).
- Purpose of Processing
This sets out why the Data Processor needs access to Personal Information. For example, it could be that a dealership needs access to a person’s telephone number or email in order to arrange the delivery of a new vehicle.
- Duration of the Processing
This sets out how long the Data Processor may store and process the information, and is governed by both contracts between customers and suppliers, and also where legislation stipulates a length of time that the information should be held (e.g. HMRC requirements).
- Types of Personal Data
In this section, a list of all of the categories of personal data that fall within scope of the Data Processing activity will be included. We’ve included a complete list of all of the categories that we may hold here.
- Categories of Data Subject
This sets out who the Data Processing activity relates to. This could be colleagues (e.g. drivers) working for one of our customers, or the details of someone making an enquiry or complaint.
If you have a query about our approach to Data Processing, please don’t hesitate to contact our Data Protection team at Data.Protection@fleetoperations.co.uk
Each Supplier that we work with undergoes a ‘Supplier Evaluation Process’. This takes into account their approach to the following areas:
- Anti-Bribery and Corruption
- Corporate Social Responsibility
- Customer Complaints
- Data Protection and Security (Including GDPR)
- Diversity and Equality
- Environmental Protection
- Health and Safety
- Modern Day Slavery
- Quality Management Processes
- Training and Development
- WEEE/RoHS (Waste Disposal).
If you have a query about our Supplier Evaluation Process, or relating to one of our Third-Party Suppliers, please contact the Quality Assurance and Audit team at QAA@fleetoperations.co.uk