Last Updated — 20 January 2022
This policy document sets out how lorcanmak.com (“we”, “our”, “us”) ensures the integrity and confidentiality of Personal Data (as further described below). You must read and comply with the procedures described in this document when processing Personal Data on our behalf so that we comply with applicable laws at all times. Any breach of this policy may result in disciplinary action.
Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously. We are exposed to potential fines of up to EUR 20 million or four percent (4%) of total worldwide annual turnover (whichever is higher and depending on the breach) for failure to comply with applicable laws.
This policy document does not form part of any employee’s contract of employment and may be amended at any time.
This is an internal document and must not be shared with third parties. Please contact the Data Protection Officer at email@example.com with any questions about these procedures or the laws that apply to Personal Data.
The following definitions apply in this policy:
The person who or organisation that determines the purposes for which, and the manner in which, any Personal Data is processed. They are responsible for establishing practices and policies in line with applicable laws. We are the Data Controller of all personal data used in our business for our own commercial purposes.
Personal Data Breach
Any act or omission that compromises the security, confidentiality, integrity, or availability of Personal Data or the physical, technical, administrative, or organisational safeguards in place to protect it. The unauthorised access to, or loss, disclosure, or acquisition of, Personal Data is a Personal Data Breach.
Any activity that involves use of the data. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data, including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.
Special Categories of Personal Data
Information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, or biometric or genetic data.
Data Protection Principles
Anyone processing Personal Data must comply with the eight enforceable principles of good practice. These provide that Personal Data must be:
processed fairly and lawfully;
processed for limited purposes;
adequate, relevant, and not excessive for the purpose;
accurate and up to date;
not kept longer than necessary for the purpose;
processed in line with Data Subjects’ rights;
not transferred to people or organisations situated in countries without adequate protection.
Lawfulness, Fairness, Transparency
Applicable laws are not intended to prevent the processing of Personal Data but to ensure that Personal Data is processed lawfully, fairly, and in a transparent manner. You may only collect, process, and share Personal Data for specified lawful purposes. These restrictions ensure that we process Personal Data fairly and without adversely affecting the Data Subject. Some of these fair and lawful bases are set out below:
the Data Subject has given his or her consent;
the processing is necessary for the performance of a contract with the Data Subject;
to meet our legal compliance obligations;
to protect the Data Subject’s vital interests; and
to pursue our legitimate interests for purposes where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of Data Subjects.
You must identify and record in a document the legal grounds being relied on for each processing activity.
A Data Subject consents to processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the processing.
Data Subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured (unless there is a valid legal reason not to do so).
You will need to evidence consent captured and keep records of all consents so that we can demonstrate compliance with consent requirements.
Processing for limited purpose
Whenever we collect Personal Data directly from Data Subjects (for example, when they correspond with us by mail, phone, email, or otherwise) and/or Personal Data we receive from other sources (for example, business partners, subcontractors in technical, payment, and delivery services, credit reference agencies, and others), we must provide them with all the information required by applicable laws, including the identity of the Data Controller and how and why we will use, process, disclose, protect, and retain their Personal Data, including the identity of any third parties.
Personal Data must be collected only for specified, explicit, and legitimate purposes. It must not be further processed in any manner incompatible with those purposes unless you have informed the Data Subject of the new purposes and they have consented where necessary.
Adequate, relevant, and not excessive for purpose
We will only collect and process Personal Data to the extent that it is required for the specific purpose notified to the Data Subject. Personal Data use must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
You may only process Personal Data when the performance of your job duties requires it. You cannot process Personal Data for any reason unrelated to your job duties.
You may only collect Personal Data that you require for your job duties. Do not collect or “stockpile” excessive Personal Data.
We will ensure that Personal Data we hold is accurate and kept up to date. We will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
Not kept longer than necessary for the purpose
Personal Data must not be kept in an identifiable form for longer than is necessary for the legitimate business purposes or purposes for which we originally collected it, including for the purpose of satisfying any legal, accounting, or reporting requirements. This means deleting Personal Data that the business no longer needs, for example Personal Data relating to leavers of the business will be deleted six (6) years after the date on which they left the business.
We will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.
You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require, in accordance with our retention policies. This includes requiring third parties to delete such Personal Data where applicable.
You will ensure Data Subjects are informed of the period for which Personal Data is stored and how that period is determined.
Processing in line with data subjects’ rights
Data Subjects have rights when it comes to how we handle their Personal Data. Data Subjects must make a formal request for information we hold about them. This must be in writing.
You must immediately forward any Data Subject request you receive to the Data Protection Officer at firstname.lastname@example.org and comply with our subject access request procedure.
You must verify the identity of an individual requesting Personal Data under any of their rights and you must not allow third parties to persuade you to disclose Personal Data without proper authorisation.
When receiving telephone enquiries, we will only disclose Personal Data we hold on our systems if the following conditions are met:
we will check the caller’s identity to make sure that information is only given to a person who is entitled to it; and
we will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked. You should refer a request to your line manager or the Data Protection Officer at email@example.com for assistance in difficult situations. Employees should not be bullied into disclosing personal information.
Protecting personal data
Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
We will develop, implement, and maintain safeguards appropriate to our size, scope, and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others, and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure the security of our processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal Data.
You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
You must maintain data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:
Confidentiality: means that only people who have a need to know and are authorised to use the Personal Data can access it;
Integrity: means that Personal Data is accurate and suitable for the purpose for which it is processed.
Availability: means that authorised users are able to access Personal Data when they need it for authorised purposes.
Equipment, Security and passwords
You are responsible for the security of the equipment used by you and must not allow it to be used by anyone other than in accordance with these procedures.
You should lock your terminal or log off when leaving it unattended or on leaving the office, to prevent unauthorised users accessing the system in your absence. Anyone who is not authorised to access our network should only be allowed to use terminals under supervision.
You should use passwords on all IT equipment, particularly items that you take out of the office. You must keep your passwords confidential. Passwords must be changed every six (6) months, or more frequently if needed. You must not use another person’s username and password or make available or allow anyone else to log on using your username and password. On the termination of employment (for any reason), you must return any equipment, key fobs, or cards.
If you have been issued with a laptop, smartphone, or other device, you must ensure that it is kept secure at all times, especially when travelling. Passwords must be used to secure access to such equipment to ensure that Personal Data is protected in the event of loss or theft. You should also be aware that, when using equipment away from the workplace, documents may be read by third parties, for example passengers on public transport. Computer screens must be hidden from third parties to ensure that no Personal Data is accidentally shared.
Security procedures include:
Entry controls: any stranger seen in entry-controlled areas should be reported;
Secure lockable desks and cupboards: desks and cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential); and
Methods of disposal: paper documents should be shredded, and digital storage devices should be physically destroyed.
Our systems enable us to monitor telephone, email, voicemail, Internet, and other communications. For business reasons, and in order to carry out legal obligations in our role as an employer, use of our systems including the telephone and computer systems, and any personal use of them, may be continually monitored by automated software or otherwise. Monitoring is only carried out to the extent permitted or as required by law and as necessary and justifiable for business purposes.
Reporting a personal data breach
Applicable laws require us to notify any Personal Data Breach to the applicable regulator and, in certain instances, the Data Subject.
We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the Data Protection Officer at firstname.lastname@example.org. This is the person designated as the key point of contact for Personal Data Breaches. You should preserve all evidence relating to the potential Personal Data Breach.
Transferring personal data to a country outside the EEA
We may transfer any Personal Data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
The country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms.
Where we use certain service providers, we may use specific contracts approved by the European Commission that give Personal Data the same protection it has in Europe.
Where we use providers based in the USA, we may transfer Personal Data to them if they are part of the Privacy Shield which requires them to provide similar protection to Personal Data shared between the Europe and the USA.
Disclosure and sharing personal information
To the extent we have identified a fair and lawful basis for so doing, we may share Personal Data we hold with any member of our group, which means our subsidiaries and our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.
We may also disclose Personal Data we hold to third parties:
in the event that we sell or buy any business or assets, in which case we may disclose Personal Data we hold to the prospective seller or buyer of such business or assets;
if all or substantially all of our assets are acquired by a third party, in which case Personal Data we hold will be one of the transferred assets; or
if we are under a duty to disclose or share a Data Subject’s Personal Data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Data Subject or other agreements; or to protect our rights or property or the safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Changes to these procedures
We reserve the right to change this policy at any time. Where appropriate, we will notify Data Subjects of the changes by mail or email.