Last updated: 2nd May 2018
RHM needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with GDPR.
This data protection policy ensures RHM:
This policy applies to:
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR.
This policy helps to protect RHM from some very real data security risks, including:
Everyone who works for, or with RHM, has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
Personal Data is any information that can identify a person (a data subject) such as a name, address or any factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
The following data may be collected, held and processed by RHM:
All personal data must be:
All personal data must be processed lawfully, fairly and transparently, without adversely affecting the rights of the data subject.
Processing of personal data is lawful if at least one of the following applies:
RHM collects and processes data received directly from data subjects (for example, contact details when a data subject communicates with us) and data received from third parties (for example, contact details from our carriers).
RHM only processes personal data where it is necessary to service its contracts (for example, customer contracts, supplier contracts, employee contracts).
All individuals who are the subject of personal data held by RHM, have the right to obtain from RHM confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to their personal data and the following information:
This is known as a ‘Subject access request’.
Subject access requests from individuals should be made by email at gdpr@rhmtelecom.com. The data protection officer will supply the individual a standard request form to be completed. When the request form is received, the data protection officer will verify the identity of the individual and then aim to provide the relevant data within 14 days.
RHM does not charge a fee for the handling of normal Subject Access Requests. However, RHM reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
All subject access requests are recorded on the ‘Subject Access Request Record’.
All individuals have the right to rectify any personal data held by RHM which is inaccurate or incomplete. If this personal data has been disclosed to third parties, it is RHM’s responsibility to inform all parties holding this data of the rectification.
Unless special requirements are met, the rectification request must be fulfilled within one month. This can be extended if the request is especially complex, however this should be kept to a reasonable timeframe.
All requests to rectify records are recorded on the ‘Data Rectification Record’.
All individuals have the right to have any of their personal data held by RHM removed without undue delay if one of the following applies:
Data might not have to be erased if any of the following apply:
Non-electronic documents which are not (to be) filed, i.e. data you can’t search for such as a paper notepad, are not classed as personal data in the GDPR and are therefore not subject to the right to erasure.
Unless RHM has reasonable grounds to refuse to erase personal data, the erasure request must be fulfilled within one month. The individual must also be informed that the request has been complied with within one month.
All requests to erase data are recorded on the ‘Data Erasure Record’.
Any individual whose data RHM holds has the right to suppress processing of this personal data. This means that RHM cannot further process this data but can still store the data and retain enough information as is needed to ensure that this restriction on processing is maintained in future if one of the following applies:
Requests to restrict processing should be fulfilled as soon as possible. From this date, data must no longer be processed.
All requests to restrict processing are recorded on the ‘Request to Restrict Processing Record’.
Portability is about the individual having the right to receive their personal data in a format they can understand and that someone else can import automatically.
The rights to portability:
All requests for copies of personal data shall be complied with within one month unless the request is complex, in which case this can be extended by up to two months. The individual will be informed if an extension is required.
An individual has the right to object to data processing under certain circumstances, including, but not limited to:
Where an individual objects to RHM processing their data for direct marketing purpose, RHM will cease such processing immediately.
Where an individual objects to RHM processing their personal data based on its legitimate interests, RHM will cease processing immediately unless it can be demonstrated that RHM’s legitimate grounds for such processing override the individual’s interests, rights and freedoms or the processing is necessary for the conduct of legal claims.
Where an individual objects to RHM processing their personal data for scientific, statistical or historical research, the individual must demonstrate grounds relating to their particular situation.
GDPR sets a high standard for consent. Consent must be unambiguous and involve a clear affirmative action (an opt-in).
Valid consent:
GDPR gives individuals the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.”
In relation to Direct Marketing, RHM will inform individuals of the right to withdraw before consent is given. Once consent is withdrawn, individuals have the right to have their personal data erased and no longer used for processing.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Keeping personal data for too long may cause the following problems:
Unless otherwise advised by the customer, RHM will retain customer data during their contract term and for two years after they have left RHM.
Upon leaving RHM, the Billing Manager will inform the Data Protection Officer that a customer has left. The Data Protection Officer will add the details to the ‘Disposal of Customer Data Record’ and enter the date that the data needs to be disposed of.
Within one month of the disposal date, electronic data will be deleted, paper files will be shredded (with the exception of any records that legally need to be kept for accounting purposes) and customer accounts on Sage and abillity will be archived (not possible to delete).
Unless otherwise advised by the supplier, RHM will retain supplier data during their contract term and for two years after RHM has ceased using the supplier.
Upon cessation of the contract, the Data Protection Officer will be informed that the contract has ceased. The Data Protection Officer will add the details to the ‘Disposal of Supplier Data Record’ and enter the date that the data needs to be disposed of.
Within one month of the disposal date, electronic data will be deleted, paper files will be shredded (with the exception of any records that legally need to be kept for accounting purposes) and customer accounts on Sage and abillity will be archived (not possible to delete).
Personnel records will be kept for six years after the employee has left RHM.
Once the employee has left RHM, the Data Controller will add the details to the ‘Disposal of Personnel Record’.
Within one month of the disposal date, the employee’s personnel file will be destroyed and any electronic files will be deleted.
There are two levels of fines.
The lower level of fine is up to 2% of RHM’s annual turnover.
This includes infringements relating to:
The higher level of fine is up to 4% of RHM’s annual turnover.
This includes infringements relating to:
When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:
If RHM makes several infringements, the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations.
Member States will also have the ability to apply penalties for infringements to the GDPR. The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.
Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.
All requests and enquiries relating to GDPR should be emailed to gdpr@rhmtelecom.com. This mailbox will be monitored by the Data Protection Officer, IT Manager and Managing Director.
Requests and enquiries could be received over the phone, to individual email addresses or by post.
Requests to individual email addresses should be forwarded to gdpr@rhmtelecom.com.
If a request is received over the phone, the customer or supplier should be asked to put their request in writing and send it to gdpr@rhmtelecom.com.
All requests will be responded to within 14 days of receipt.
If you wish to complain to RHM about how your personal information has been processed; your
(GDPR) complaint has been handled, or appeal against any decision made following a complaint, you can do so using our GDPR complaint form and send/address this directly to the RHM Data Protection Officer.
Further details and a copy of the GDPR complaint form can be found on the RHM website (https://www.rhmtelecom.com under the contact us section.)
The complaints procedure for handling and escalation of these complaints is as follows:
If you are dissatisfied with the way in which your complaint has been handled then you may forward your complaint to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
If you have any questions about the above outlined policy, please contact us at the below:
Telephone: 0345 136 6060
Email: enquiries@rhmtelecom.com
© rhm telecommunications 2023