Data Protection Policy

Last updated: 2nd May 2018

Introduction

RHM needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with GDPR.

Why this policy exists

This data protection policy ensures RHM:

  • Complies with data protection law, specifically GDPR, and follows good practice
  • Protects the rights of staff, customers and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Policy scope

This policy applies to:

  • All staff of RHM
  • All contractors, suppliers and other people working on behalf of RHM

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR.

Data protection risks

This policy helps to protect RHM from some very real data security risks, including:

  • Breaches of confidentiality – for example, information being given out inappropriately.
  • Failing to offer choice – for example, all individuals should be free to choose how RHM uses data relating to them.
  • Reputational damage – for example, RHM could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works for, or with RHM, has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

  • The Board of Directors is ultimately responsible for ensuring that RHM meets its legal obligations.
  • The Data Protection Officer, Annalie Poccard, is responsible for:
    • Keeping the Board updated about data protection responsibilities, risks and issues.
    • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
    • Arranging data protection training and advice for the people covered by this policy.
    • Handling data protection questions from staff and anyone else covered by this policy.
    • Dealing with requests from individuals to see the data RHM holds about them (also called ‘subject access requests’).
    • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
  • The IT Manager, Nick Hunt, is responsible for:
    • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
    • Performing regular checks and scans to ensure security hardware and software is functioning properly.
    • Evaluating any third-party services the company is considering using to store or process data.
  • The Managing Director, Nick Thomas, is responsible for:
    • Approving any data protection statements attached to communications such as emails and letters.
    • Addressing any data protection queries from journalists or media outlets such as newspapers.
    • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

What is Personal Data?

Personal Data is any information that can identify a person (a data subject) such as a name, address or any factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

The following data may be collected, held and processed by RHM:

  • Names of individuals
  • Email addresses
  • Landline and mobile numbers
  • Postal addresses
  • Voice recordings
  • IP addresses
  • Any other information that an individual sends to RHM

The Data Protection Principles

All personal data must be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  • Accurate and, where necessary, kept up to date;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawful, Fair and Transparent Data Processing

All personal data must be processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject.

Processing of personal data is lawful if at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary to protect the vital interests of the data subject;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Processed for Specified, Explicit and Legitimate Purposes

RHM collects and processes data received directly from data subjects (for example, contact details when a data subject communicates with us) and data received from third parties (for example, contact details from our carriers).

RHM only processes personal data where it is necessary to service its contracts (for example, customer contracts, supplier contracts, employee contracts).

Subject Access Requests

All individuals who are the subject of personal data held by RHM have the right to obtain from RHM confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to their personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the period for which the personal data will be stored;
  • where the personal data is not collected from the individual, details as to where their personal data has come from.

This is known as a ‘Subject access request’.

Subject access requests from individuals should be made by email to gdpr@rhmtelecom.com. The data protection officer will supply the individual with a standard request form to be completed. When the completed form is received, the data protection officer will verify the identity of the individual and then aim to provide the relevant data within 14 days.

RHM does not charge a fee for the handling of normal Subject Access Requests. However, RHM reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

All subject access requests are recorded on the ‘Subject Access Request Record’.

Rectification of Personal Data

All individuals have the right to rectify any personal data held by RHM which is inaccurate or incomplete. If this personal data has been disclosed to third parties, it is RHM’s responsibility to inform all parties holding this data of the rectification.

Unless special requirements are met, the rectification request must be fulfilled within one month. This can be extended if the request is especially complex, however this should be kept to a reasonable timeframe.

All requests to rectify records are recorded on the ‘Data Rectification Record’.

Right to Erasure aka Right to be Forgotten

All individuals have the right to have any of their personal data held by RHM removed without undue delay if one of the following applies:

  • RHM doesn’t need the data anymore;
  • The individual withdraws consent for the processing to which they previously agreed (and RHM doesn’t legally need to keep the data);
  • The individual uses their right to object to the data processing;
  • RHM is processing the data unlawfully;
  • There is a legal requirement for the data to be erased;
  • The individual was a child at the time of collection

Exceptions

Data might not have to be erased if any of the following apply:

  • The ‘right to freedom of expression’
  • The need to adhere to legal compliance
  • Reasons of public interest in the area of public health
  • Scientific, historical research or public interest archiving purposes
  • For supporting legal claims

Out of Scope

Non-electronic documents which are not (to be) filed, i.e. data you can’t search for such as a paper notepad, are not classed as personal data in the GDPR and are therefore not subject to the right to erasure.

Unless RHM has reasonable grounds to refuse to erase personal data, the erasure request must be fulfilled within one month. The individual must also be informed that the request has been complied with within one month.

All requests to erase data are recorded on the ‘Data Erasure Record’.

Right to Restriction of Processing

Any individual whose data RHM holds has the right to have processing of this personal data restricted. This means that RHM cannot further process the data but may still store it and retain enough information to ensure that the restriction on processing is maintained in future. This right applies if one of the following applies:

  • The individual contests the accuracy of the data held. Processing is restricted until the accuracy of the data has been confirmed.
  • The processing is unlawful and the individual requests restriction of processing in place of erasure of data.
  • RHM no longer needs the personal data for the purposes of processing but they are required by the individual to establish, exercise or defend a legal claim.
  • The individual has objected to processing on the grounds that it was necessary for the performance of a public interest task or for legitimate interests, but RHM believes it has legitimate grounds for processing which override those of the individual in question.

Requests to restrict processing should be fulfilled as soon as possible. From this date, data must no longer be processed.

All requests to restrict processing are recorded on the ‘Request to Restrict Processing Record’.

Right to Data Portability

Portability is about the individual having the right to receive their personal data in a format they can understand and that someone else can import automatically.

The rights to portability:

  • Individuals can request a copy of their personal data for free;
  • The data has to be provided in a format that the requestor can easily understand and that another controller could easily import;
  • RHM must send the data to a third party controller (e.g. competitor) if requested to do so by the individual ‘without hindrance’;
  • RHM is not responsible for protecting the data once it has been received by the individual or a third party controller.

All requests for copies of personal data shall be complied with within one month unless the request is complex, in which case this can be extended by up to two months. The individual will be informed if an extension is required.

Right to Object

An individual has the right to object to data processing under certain circumstances, including, but not limited to:

  • For direct marketing purposes
  • For scientific, statistical or historical research (unless the research is carried out in the public interest).

Where an individual objects to RHM processing their data for direct marketing purposes, RHM will cease such processing immediately.

Where an individual objects to RHM processing their personal data based on its legitimate interests, RHM will cease processing immediately unless it can be demonstrated that RHM’s legitimate grounds for such processing override the individual’s interests, rights and freedoms or the processing is necessary for the conduct of legal claims.

Where an individual objects to RHM processing their personal data for scientific, statistical or historical research, the individual must demonstrate grounds relating to their particular situation.

Consent

GDPR sets a high standard for consent. Consent must be unambiguous and involve a clear affirmative action (an opt-in).
Valid consent:

  • Consent must be freely given; this means giving people genuine ongoing choice and control over how RHM uses their data. Pre-ticked opt-in boxes are not allowed.
  • Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
  • Consent must specifically show RHM’s name, why RHM wants the data, what RHM will do with it and it must be easy to understand.
  • Consent should be separate from any terms and conditions and should not generally be a precondition of signing up to a service.
  • Explicit consent must be expressly confirmed in words, rather than by any other positive action.
  • There is no set time limit for consent. How long it lasts will depend on the context. RHM will review and refresh consent as appropriate.
  • RHM keeps records to evidence consent. These records include details of who consented, when, how and what they were told.

Withdrawal of Consent

GDPR gives individuals the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.”
In relation to Direct Marketing, RHM will inform individuals of the right to withdraw before consent is given. Once consent is withdrawn, individuals have the right to have their personal data erased and no longer used for processing.

Data Retention Policy

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Keeping personal data for too long may cause the following problems:

  • Increased risk that the information will go out of date, and that outdated information will be used in error – to the detriment of all concerned.
  • As time passes it becomes more difficult to ensure that information is accurate.
  • Even though RHM may no longer need the personal data, it must still make sure it is held securely.
  • RHM must also be willing and able to respond to subject access requests for any personal data it holds. This may be more difficult if RHM is holding more data than it needs.

Retention and disposal of Customer Data

Unless otherwise advised by the customer, RHM will retain customer data during their contract term and for two years after they have left RHM.

When a customer leaves RHM, the Billing Manager will inform the Data Protection Officer that the customer has left. The Data Protection Officer will add the details to the ‘Disposal of Customer Data Record’ and enter the date that the data needs to be disposed of.

Within one month of the disposal date, electronic data will be deleted, paper files will be shredded (with the exception of any records that legally need to be kept for accounting purposes) and customer accounts on Sage and abillity will be archived (not possible to delete).

Retention and disposal of Supplier Data

Unless otherwise advised by the supplier, RHM will retain supplier data during their contract term and for two years after RHM has ceased using the supplier.

Upon cessation of the contract, the Data Protection Officer will be informed that the contract has ceased. The Data Protection Officer will add the details to the ‘Disposal of Supplier Data Record’ and enter the date that the data needs to be disposed of.

Within one month of the disposal date, electronic data will be deleted, paper files will be shredded (with the exception of any records that legally need to be kept for accounting purposes) and customer accounts on Sage and abillity will be archived (not possible to delete).

Retention and disposal of Personnel Records

Personnel records will be kept for six years after the employee has left RHM.
Once the employee has left RHM, the Data Controller will add the details to the ‘Disposal of Personnel Record’.

Within one month of the disposal date, the employee’s personnel file will be destroyed and any electronic files will be deleted.

Consequences of failing to comply with GDPR

There are two levels of fines.
The lower level of fine is up to 2% of RHM’s annual turnover.
This includes infringements relating to:

  • Integrating data protection ‘by design and by default’;
  • Records of processing activities;
  • Cooperation with the supervising authority;
  • Security of processing data;
  • Notification of a personal data breach to the supervisory authority;
  • Communication of a personal data breach to the data subject;
  • Data Protection Impact Assessment;
  • Prior consultation;
  • Designation, position or tasks of the Data Protection Officer;
  • Certification.

The higher level of fine is up to 4% of RHM’s annual turnover.
This includes infringements relating to:

  • The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation

When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:

  • The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
  • The intentional or negligent character of the infringement;
  • Any action taken by RHM to mitigate the damage suffered by data subjects;
  • The degree of responsibility of RHM taking into account technical and organisational measures implemented by them;
  • Any relevant previous infringements by RHM;
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
  • The categories of personal data affected by the infringement.

If RHM makes several infringements, the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations.

Member States will also have the ability to apply penalties for infringements of the GDPR. The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.

Separate from these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of a violation of the GDPR.

Process for Dealing with a GDPR Request

All requests and enquiries relating to GDPR should be emailed to gdpr@rhmtelecom.com. This mailbox will be monitored by the Data Protection Officer, IT Manager and Managing Director.

Requests and enquiries could be received over the phone, to individual email addresses or by post.

Requests to individual email addresses should be forwarded to gdpr@rhmtelecom.com.

If a request is received over the phone, the customer or supplier should be asked to put their request in writing and send it to gdpr@rhmtelecom.com.

All requests will be responded to within 14 days of receipt.

Complaints Procedure

If you wish to complain to RHM about how your personal information has been processed or how your (GDPR) complaint has been handled, or to appeal against any decision made following a complaint, you can do so using our GDPR complaint form and send this directly to the RHM Data Protection Officer.

Further details and a copy of the GDPR complaint form can be found on the RHM website (http://www.rhmtelecom.com, under the Contact Us section).

The complaints procedure for handling and escalation of these complaints is as follows:

  • Complaints regarding how your personal information has been processed should be made on the appropriate form and submitted to the RHM Data Protection Officer, who will acknowledge receipt within 3 working days.
  • The Data Protection Officer will review and respond in writing to your complaint within 28 working days of receipt of the complaint. If an extension is required, this will be with the agreement of both parties and up to a maximum of a further 10 working days.

If you are dissatisfied with the way in which your complaint has been handled then you may forward your complaint to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Contact Us

If you have any questions about the above outlined policy, please contact us at the below:

Telephone: 0345 136 6060
Email: enquiries@rhmtelecom.com

© rhm telecommunications 2018