2020 will usher in a new regime for calculating Vehicle Excise Duty (VED) and company car benefit-in-kind (BIK) tax. Fleet Operations outlines the key changes and how you will be affected. Emissions testing: what has changed? A new method for…
Fleet Operations needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Why this policy exists
- Complies with data protection law and follow good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
General Data Protection Regulations
The General Data Protection Regulations (GDPR) come in to effect in May 2018, and replace the Data Protection Act 1998; bringing with them a wider scope of protections for individuals, and greater accountability for the data controller and processor. These regulations describe how organisations — including Fleet Operations Limited— must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Regulations are underpinned by six important principles. These say that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawfulness of Processing
Under the GDPR, the business processes data within the scope of the following clauses:
6(1)(a) With the consent of the data subject.
Applicable to all data held on colleagues, suppliers and to any person who contacts the business in a personal capacity (e.g. sales or job enquiry).
6(1)(b)Processing is necessary for the performance of a contract with the data subject or to take steps to enter a contract.
Applicable to people in a contractual relationship with companies that have a contractual relationship with the business to provide a product or service (e.g. drivers).
6(1)(c)Processing is necessary for compliance with a legal obligation
Applicable to information held that is required for statutory reporting. (e.g. colleagues’ P60 returns).
6(1)(f)Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Applicable to information held on people relating to areas such as driver risk management (e.g. where the contracting customer has an interest in ensuring that drivers of company vehicles or driving on business have an entitlement to drive to fulfil their legal obligations).
9(2)(b)Processing is necessary for carrying out obligations under employment, social security or social protection law, or collective agreement
Applicable to information held on colleagues, and to people in a contractual relationship with companies that have a contractual relationship with the business to provide a product or service (e.g. P46 or P11d reporting for drivers of a company car).
Under the GDPR, there are a variety of methods for obtaining consent for storing personal data, and these closely link to how the data is lawfully processed.
The majority of individuals covered under the scope of the GDPR, the consent to store and process the data is derived from the third party under clause 6(1)(f).
For any individual with a direct relationship with Fleet Operations (i.e. not through a third party contracting with the business) the consent is obtained at the time of providing the personal information.
Individuals have a right to withdraw their consent from Fleet Operations at any time.
It should be noted that the withdrawal of consent may affect an individual’s ability to fulfil their contractual or non-contractual obligation to the third party (e.g. their employer), and so the business would recommend that the individual consult with the third party in the first instance – Fleet Operations cannot advise of any consequences for an individual of withdrawing their consent.
Data Control, Processing and Retention
Please click here to see a table showing how we process data and how long it is retained.
The Rights of the Individual
There are a number of enhanced rights for individuals under the scope of the GDPR.
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
To ensure that the we are as transparent as possible, the ICO Register holds an entry around what data we hold and process.
The information is available publicly on the Data Protection Register – the Registration Number is Z1888123.
Complaints or Corrections
In the first instance, please address any complaint or correction to firstname.lastname@example.org. This will be dealt with an aim to resolve the complaint in a satisfactory and timely manner.
Where a correction in data relates to information provided by a third party for processing on their behalf, we may request that you contact them to correct the data ‘at source’, or afford us permission to do this on your behalf.
If you are unable to reach a satisfactory resolution, you may report a concern to the Information Commissioners Office on 0303 123 1113.
Right of Access
You have a right to access the personal information we hold about you. To do this, please contact email@example.com.
We aim to respond to any requests in writing within one month, however if your request is particularly complex, we may take a further two months to process your request, however we will contact you to explain this within one month.
Within the scope of the GDPR, we always aim to provide this information free of charge. However, in line with the regulations, we reserve the right to charge a reasonable fee for any manifestly unfounded, excessive or repeated requests; or where multiple copies of the response are required. This fee will be aligned to the actual cost of providing the information.
Under certain exceptional circumstances, we may refuse your request for information. This would generally be because we cannot legally disclose it. If we do this, we will explain why we have taken this action, and provide you with an escalation point within the relevant supervisory authority.
Right of Erasure
You have the right to request that we erase any personal data held about you, subject to you providing a valid reason for this request within the scope of the GDPR. The business will not ordinarily refuse such a request, unless it would render the business liable for a breach of its legal obligations.
If you wish to make a representation under the Right of Erasure, please write to firstname.lastname@example.org stating what data you wish to have erased, and the reason for the request.
The business will respond in writing within one month stating the action taken.
It should be noted that the right to erasure may affect an individual’s ability to fulfil their contractual or non-contractual obligation to a third party (e.g. their employer), and so the business would recommend that the individual consult with the third party in the first instance – Fleet Operations cannot advise of any consequences for an individual of enacting the right to erasure.
Right to Restrict Processing
You have the right to restrict the processing of your personal data. This means that Fleet Operations can retain enough data to meet its legal obligations, but may not further process the data.
If you wish to make a representation under the right to restrict processing, please write to email@example.com, stating what data you wish to restrict from processing. The business will respond in writing within one month stating the action taken.
It should be noted that the right to restrict processing may affect an individual’s ability to fulfil their contractual or non-contractual obligation to a third party (e.g. their employer), and so the business would recommend that the individual consult with the third party in the first instance – Fleet Operations cannot advise of any consequences for an individual of enacting the right to restrict processing.
Post: Data Protection Team, Fleet House, Maries Way, Silverdale Business Park, Newcastle-under-Lyme, Staffordshire, ST5 6PA
We reserve the right to collect and store website usage information to help us assess and improve the website content, design and navigation.
We may collect website usage from a number of sources, including our web server / service providers, or from URLs, IP addresses and Cookies passed to us when you enter our site.
In all cases, website usage information excludes any information that can be traced back to you, and is therefore treated as non-personal data under the terms of the General Data Protection Regulations.
This policy is updated from time to time. The latest version is published on this page.
If you have any questions about this policy, please email firstname.lastname@example.org or write to: Fleet Operations Limited, Fleet House, Maries Way, Silverdale Business Park, Newcastle Under Lyme, Staffordshire, ST5 6PA.
We gather and use certain information about individuals in order to provide products and services and to enable certain functions on this website.
What Data We Gather
We may collect the following information:
- Name and job title
- Contact information including email address
- Demographic information, such as postcode, preferences and interests
- Website usage data
- Other information relevant to client enquiries
- Other information pertaining to special offers and surveys
Collecting this data helps us understand what you are looking for from the company, enabling us to deliver improved products and services.
Specifically, we may use data:
- For our own internal records.
- To improve the products and services we provide.
- To contact you in response to a specific enquiry.
- To customise the website for you.
- To send you promotional emails about products, services, offers and other things we think might be relevant to you.
- To send you promotional mailings or to call you about products, services, offers and other things we think might be relevant to you.
- To contact you via email, telephone or mail for market research reasons.
A cookie is a small file placed on your computer’s hard drive. It enables our website to identify your computer as you view different pages on our website.
Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. They also enable us to see information like how many people use the website and what pages they tend to visit.
- Analyse our web traffic using an analytics package. Aggregated usage data helps us improve the website structure, design, content and functions.
- Identify whether you are signed in to our website. A cookie allows us to check whether you are signed in to the site.
- Test content on our website. For example, 50% of our users might see one piece of content, the other 50% a different piece of content.
- Store information about your preferences. The website can then present you with information you will find more relevant and interesting.
- To recognise when you return to our website. We may show your relevant content, or provide functionality you used previously.
Cookies do not provide us with access to your computer or any information about you, other than that which you choose to share with us.
However, please note that doing this may affect how our website functions. Some pages and services may become unavailable to you.
To learn more about cookies and how they are used, visit All About Cookies.
When you fill in a form or provide your details on our website, you may see one or more tick boxes allowing you to:
- Opt-in to receive marketing communications from us by email, telephone, text message or post.
- Opt-in to receive marketing communications from our third-party partners by email, telephone, text message or post.
If you have agreed that we can use your information for marketing purposes, you can change your mind easily, via one of these methods:
- Sign in to our website and change your opt-in settings.
- Send an email to email@example.com
- Write to us at: Fleet Operations Limited, Fleet House, Maries Way, Silverdale Business Park, Newcastle Under Lyme, Staffordshire, ST5 6PA.
We will never lease, distribute or sell your personal information to third parties unless we have your permission or the law requires us to.
Any personal information we hold about you is stored and processed under our data protection policy, in line with the General Data Protection Regulations.
We will always hold your information securely.
To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards.
We also follow stringent procedures to ensure we work with all personal data in line with the General Data Protection Regulations.
Our website may contain links to other websites.
Please note that we have no control of websites outside the www.fleetoperations.co.uk domain. If you provide information to a website to which we link, we are not responsible for its protection and privacy.
Always be wary when submitting data to websites. Read the site’s data protection and privacy policies fully.