Fleet Operations needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Why this policy exists
This policy ensures that Fleet Operations:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
General Data Protection Regulation
The General Data Protection Regulation (GDPR) comes into effect in May 2018 and replaces the Data Protection Act 1998, bringing with it a wider scope of protections for individuals and greater accountability for the data controller and processor. The Regulation describes how organisations — including Fleet Operations Limited — must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Regulation is underpinned by six important principles. These say that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawfulness of Processing
Under the GDPR, the business processes data within the scope of the following clauses:
- 6(1)(a): with the consent of the data subject. Applicable to all data held on colleagues, suppliers and any person who contacts the business in a personal capacity (e.g. a sales or job enquiry).
- 6(1)(b): processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract. Applicable to people in a contractual relationship with companies that have a contractual relationship with the business to provide a product or service (e.g. drivers).
- 6(1)(c): processing is necessary for compliance with a legal obligation. Applicable to information held that is required for statutory reporting (e.g. colleagues’ P60 returns).
- 6(1)(f): processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. Applicable to information held on people relating to areas such as driver risk management (e.g. where the contracting customer has an interest in ensuring that drivers of company vehicles, or those driving on business, have an entitlement to drive, in order to fulfil its legal obligations).
- 9(2)(b): processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement. Applicable to information held on colleagues, and to people in a contractual relationship with companies that have a contractual relationship with the business to provide a product or service (e.g. P46 or P11D reporting for drivers of a company car).
Under the GDPR, there are a variety of methods for obtaining consent for storing personal data, and these closely link to how the data is lawfully processed.
For the majority of individuals within the scope of the GDPR, the consent to store and process the data is derived from the third party under clause 6(1)(f).
For any individual with a direct relationship with Fleet Operations (i.e. not through a third party contracting with the business) the consent is obtained at the time of providing the personal information.
Individuals have a right to withdraw their consent from Fleet Operations at any time.
It should be noted that the withdrawal of consent may affect an individual’s ability to fulfil their contractual or non-contractual obligation to the third party (e.g. their employer), and so the business would recommend that the individual consult with the third party in the first instance – Fleet Operations cannot advise of any consequences for an individual of withdrawing their consent.
Data Control, Processing and Retention
Please click here to see a table showing how we process data and how long it is retained.
The Rights of the Individual
There are a number of enhanced rights for individuals under the scope of the GDPR.
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
To ensure that we are as transparent as possible, our entry on the ICO Register describes what data we hold and process.
This information is publicly available on the Data Protection Register; the Registration Number is Z1888123.
Complaints or Corrections
In the first instance, please address any complaint or correction to firstname.lastname@example.org. It will be dealt with the aim of resolving the complaint in a satisfactory and timely manner.
Where a correction in data relates to information provided by a third party for processing on their behalf, we may request that you contact them to correct the data ‘at source’, or afford us permission to do this on your behalf.
If you are unable to reach a satisfactory resolution, you may report a concern to the Information Commissioner’s Office on 0303 123 1113.
Right of Access
You have a right to access the personal information we hold about you. To do this, please contact email@example.com.
We aim to respond to any request in writing within one month. If your request is particularly complex, we may take up to a further two months to process it, but we will contact you within one month to explain this.
Within the scope of the GDPR, we always aim to provide this information free of charge. However, in line with the regulations, we reserve the right to charge a reasonable fee for any manifestly unfounded, excessive or repeated requests; or where multiple copies of the response are required. This fee will be aligned to the actual cost of providing the information.
Under certain exceptional circumstances, we may refuse your request for information. This would generally be because we cannot legally disclose it. If we do this, we will explain why we have taken this action, and provide you with an escalation point within the relevant supervisory authority.
Right of Erasure
You have the right to request that we erase any personal data held about you, subject to you providing a valid reason for this request within the scope of the GDPR. The business will not ordinarily refuse such a request, unless it would render the business liable for a breach of its legal obligations.
If you wish to make a representation under the Right of Erasure, please write to firstname.lastname@example.org stating what data you wish to have erased, and the reason for the request. The business will respond in writing within one month stating the action taken.
It should be noted that the right to erasure may affect an individual’s ability to fulfil their contractual or non-contractual obligation to a third party (e.g. their employer), and so the business would recommend that the individual consult with the third party in the first instance – Fleet Operations cannot advise of any consequences for an individual of enacting the right to erasure.
Right to Restrict Processing
You have the right to restrict the processing of your personal data. This means that Fleet Operations can retain enough data to meet its legal obligations, but may not further process the data.
If you wish to make a representation under the right to restrict processing, please write to email@example.com, stating what data you wish to restrict from processing. The business will respond in writing within one month stating the action taken.
It should be noted that the right to restrict processing may affect an individual’s ability to fulfil their contractual or non-contractual obligation to a third party (e.g. their employer), and so the business would recommend that the individual consult with the third party in the first instance – Fleet Operations cannot advise of any consequences for an individual of enacting the right to restrict processing.
We reserve the right to collect and store website usage information to help us assess and improve the website content, design and navigation.
We may collect website usage from a number of sources, including our web server / service providers, or from URLs, IP addresses and Cookies passed to us when you enter our site.
In all cases, website usage information excludes any information that can be traced back to you, and is therefore treated as non-personal data under the terms of the General Data Protection Regulation.
You may be provided with a username and password to access certain functionality on one or more of our websites. Your stored information is not shared with other parties. We use industry-standard SSL encryption software when processing sensitive information such as usernames and passwords, to safeguard your data and employ strict security standards to prevent any unauthorised access to your data. Please contact us if you require further information about the secure site.
Links to other sites
Post: Data Protection Team, Fleet House, Maries Way, Silverdale Business Park, Newcastle-under-Lyme, Staffordshire, ST5 6PA