Privacy Policy
- This policy meets the requirements of the General Data Protection Regulation (GDPR)
ACTTnow is committed to protecting your privacy and the security of the information which you share with us.
Personal data is managed in accordance with applicable data protection legislation, including the EU General Data Protection Regulation and the corresponding Personal Data Protection Policy in ACTTnow, if applicable.
- What kind of data and personal information do we collect, and for what purpose?
First and foremost, data and personal information is collected so that we can manage our business and our relationships with yourselves as customers, employees, suppliers etc. Information may also be collected to comply with certain laws, improve products or services as well as resolve any legal and/or commercial matters or disputes.
In general, personal information which may be asked for and collected includes your contact information (name, address, e-mail, phone number) and identification details. If we ask for special categories of personal information such as medical and health information, we will ask for your explicit consent and inform you of the purpose of the processing, if required.
Due to the varying nature of ACTTnow’s services, different data and personal information may be collected. However, all data collected is deemed necessary for ACTTnow to carry out its specific business purpose, and each service area has its own privacy notice relevant to the data and personal information being collected.
Data is generally collected directly from you as an individual via electronic means such as use of websites, forms, and emails, or during phone calls with yourselves, or other correspondence methods.
We may also ask you to supply information to us from time to time, including when you report a problem with our services and when we ask you to complete surveys, questionnaires, and feedback forms that we use for quality monitoring and research purposes.
It is your right to choose to provide us with personal information and to identify yourself to us; however, if you choose not to provide the personal information we request, we may not be able to provide you with the services you require.
- What do we do with your data and personal information?
We are committed to ensuring your data and personal information is secure, preventing unauthorized access or disclosure, and have in place physical, electronic, and managerial procedures to safeguard the information.
All data provided is held in a secure and relevant business system or archive appropriate to the purpose of the business and processing needs. This may be in electronic or paper format, where safeguards have been put into place to protect your data and personal information from loss, misuse, and unauthorized access.
Some of your data may be transferred and processed by certain suppliers, e.g. IT suppliers, who process the information on behalf of ACTTnow. ACTTnow has carefully selected and agreed data processing agreements with our suppliers to ensure an adequate level of data protection is adhered to.
We may transfer some of your data to recipients in countries outside EU/EEA as we may use external suppliers to host/store some of our data and personal information. When transferring to recipients outside EU/EEA adequate safeguards will be provided such as in accordance with the US privacy shield scheme or on the basis of EU’s “Standard Contractual Clauses”.
- Data Usage and Cookies
Disclosure to 3rd parties may be carried out in some business areas where there is a specific and legitimate purpose and in compliance with applicable legislation and where all reasonable steps will be taken to ensure the 3rd parties are bound by confidentiality and privacy obligations in respect to the protection of personal information.
ACTTnow, in some specific cases, may use your data for direct marketing use in accordance with the applicable consent regulations in each business area and country. Please see the local consent and privacy notice for further details.
Cookies will be used when you visit our websites, which can provide ACTTnow with trends and data to help improve our services. You have the choice to consent to the use of cookies, and once used, cookies can be deleted from your computer or device if required. Further information regarding cookies can be found in each business area and specific website. Where links and information are provided to other service providers and partners, we take no responsibility for the use of their cookies.
- How do we retain, amend, and delete your data and personal information?
We retain your data and personal information for as long as necessary to fulfil the stated purpose, and/or be in compliance with legislative requirements. Personal information comes under periodic review to ensure it is still necessary to retain. Each of ACTTnow’s business and services has specific legislation and retention guidelines to adhere to.
We endeavour to hold information which is accurate, up to date and relevant. You should contact us via the relevant business or service if you think your personal information is incorrect, so that we can take the appropriate steps to correct it.
- What are your rights regarding your data and personal information?
It is your right to choose what information to provide us, however, if you choose not to provide the personal information we request, we may not be able to provide you with the services or information you require.
You have the right to access your personal data, to rectify incorrect information, to have your data deleted, to limit its processing, and to data portability. You may also object to the processing of your personal data including automated and individual decisions.
You also have a right to lodge a complaint with the relevant supervisory authority.
- Who should I contact for further information?
If you have any questions or comments with respect to the processing of your personal data or you wish to exercise your rights under applicable legislation, please contact the relevant business area contact or email info@acttnow.com.
ACTTnow
3 Eco Business Park
Eco Way
Hatfield
DONCASTER
DN7 4JJ
TMS International Ltd trading as ACTTnow. Registered in England and Wales 07465106
- ACTTnow Cookie Policy
Here, you will find information about cookies and how to delete them.
General information
ACTTnow uses cookies to improve the users’ online experience. The information stored in cookies enables us to run related programs and to perform other operational activities at relyonnutec.com. We also use cookies to collect and process data on how our visitors use our website.
Personal data stored in our cookies are encrypted and only contain information which is strictly necessary for providing the services to you.
Below, you will find detailed information about cookies and how we use them. You will also find information about what data we collect and who has access to them.
Find out more about how we protect personal data in our privacy policy.
What is a cookie?
A cookie is a small data file which is stored on your computer when you visit a website. If you return to the website, the website will recognise the data file. Data files are therefore typically used for preparing statistics or for behaviour-based marketing purposes. Cookies make it easier for us to provide our services to you on our website, and they are sometimes necessary for website functionality purposes.
Third Party Cookies
- We collect and process the information for the following purposes:
- To retrieve the website from the server so that the website can be displayed in your browser
- To optimise the website and your user experience
- To prepare statistics on the use of the website by you and others
- To prepare statistics and analyses with the objective of improving products, services and technologies
- Marketing purposes, including profiling and behaviour-based marketing initiatives to make our product information and offers as relevant to you as possible
- To comply with applicable legislation (e.g. the EU General Data Protection Regulation (the GDPR) and e-privacy rules), including documentation requirements:
- Compliance with basic principles for processing of personal data and legal basis for processing (e.g. obtaining consent)
- Implementation and maintenance of technical and organisational security measures
- Investigation of suspected or known security breaches and reporting to data subjects and authorities
- Processing of requests and complaints from data subjects and third parties
- Handling of inspections and requests from supervisory authorities
- Management of disputes with data subjects and third parties
- Statistics concerning use of the website
Duration of cookies
How long a cookie is stored on your computer depends on the individual cookie.
Technically speaking there are two types of cookies:
- Session cookies: For example, session cookies keep track of items in your shopping cart while you are navigating a website. Session cookies are not stored on your PC and disappear when you close your browser.
- Persistent cookies: Persistent cookies are stored as text files on your PC. Persistent cookies enable our server to recognise your PC the next time you log into our website.
How do I avoid cookies?
When you visit our website, one or more cookies will automatically be stored on your PC. If you want to avoid cookies, we suggest that you use the following links (depending on your browser) to change your browser settings to block cookies from being stored on your computer going forward.
- How to delete cookies in Google Chrome
- How to delete cookies in Mozilla Firefox
- How to delete flash cookies
- How to avoid cookies in Microsoft Internet
- How to delete cookies in Opera
- How to delete cookies in Safari
If your browser is not listed above, we suggest that you check your browser’s help menu or search the Internet for “cookies” together with the name of your browser.
Why do we provide information about cookies?
We inform about our use of cookies in accordance with the Danish Executive Order on information and consent required in case of storing or accessing information in end-user terminal equipment (the “Executive Order on Cookies”).
The legal basis for collection of your personal data by means of cookies, including for profiling purposes, is your consent, see section 3 of the Executive Order on Cookies.
- Who should I contact for further information?
If you have any questions or comments with respect to the cookie policy or you wish to exercise your rights under applicable legislation, please contact the relevant business area contact or email info@acttnow.com.
ACTTnow Ltd
3 Eco Business Park
Eco Way
Hatfield
DONCASTER
DN7 4JJ
TMS International Ltd trading as ACTTnow. Registered in England and Wales 07465106
- ACTTnow: Privacy policy for customers and website visitors
This privacy policy explains how ACTTnow processes and protects your personal data.
ACTTnow processes your personal data when you are a customer, receive our newsletters and other electronic communication and/or use our website at www.acttnow.com and associated sub websites. In this privacy policy, we describe how we process your personal data.
We fully respect your right to privacy when using our services.
If you only visit the website, you should read sections 1 and 4 below.
If you are a customer of ACTTnow, create or cancel bookings on the booking portal website or cancel a purchase without becoming a customer, you should read sections 1, 2 and 4 below.
If you subscribe to a newsletter or other electronic mail or fill out a contact form on the website, you should read sections 1, 3 and 4 below.
10.1 Ordinary visitors on the website www.acttnow.com.
When you visit and navigate www.acttnow.com and associated sites, we process personal information about you.
Types of information and purpose:
- We collect and process the following types of personal information:
- IP address, operating system, language settings, browser type, type of equipment, MAC number (depending on equipment), etc.
- Your navigation on the website and immediately before and after your visit on www.acttnow.com, time and duration of visits to pages and sub-pages, etc.
- Interests and preferences.
- ACTTnow collects this information by means of cookies on www.acttnow.com and associated sites. You can read about this in our Cookie Policy.
We collect and process the information for the following purposes:
- To retrieve the website from the server so that the website can be displayed in your browser
- To optimise the website and your user experience
- To prepare statistics on the use of the website by you and others
- To prepare statistics and analyses with the objective of improving products, services and technologies
- Marketing purposes, including profiling and behaviour-based marketing initiatives to make our product information and offers as relevant to you as possible
- To comply with applicable legislation (e.g. the EU General Data Protection Regulation (the GDPR) and e-privacy rules), including documentation requirements:
- Compliance with basic principles for processing of personal data and legal basis for processing (e.g. obtaining consent)
- Implementation and maintenance of technical and organisational security measures
- Investigation of suspected or known security breaches and reporting to data subjects and authorities
- Processing of requests and complaints from data subjects and others
- Handling of inspections and requests from supervisory authorities
- Management of disputes with data subjects and third parties
- Statistics concerning use of the website
- Sources
We collect information about your behaviour by means of cookies on the website. You can read more about this in our Cookie Policy. Information may also be collected from you directly, from our IT systems or from third parties.
- Legal basis for collection and processing of personal data
The legal basis for collection of your personal data by means of cookies, including for profiling purposes, is your consent, see relevant national legislation.
Your personal data may be processed for other purposes and based on another legal basis, including documentation of compliance with legislation, see article 6(1)(c) of the GDPR, and pursuing legal claims in accordance with ACTTnow’s legitimate interests in safeguarding its legal position, see article 6(1)(f) of the GDPR.
You have the right to withdraw your consent; however, this will not affect any processing or disclosure prior to the withdrawal of your consent, i.e. withdrawal of your consent will only apply prospectively.
- Disclosure of your personal data
Personal data will be disclosed and shared with the following recipients as described in the consent to cookies:
- Digital media partners
- Collection on a voluntary or mandatory basis
The provision of personal data is voluntary. If you choose not to provide the information, you may not be able to access the website or use certain features on the website, etc.
- Customers of ACTTnow
When you make a purchase from us, e.g. on our booking portal, by telephone or another channel, ACTTnow processes the following personal information (in addition to the information stated in section 1 above):
- Identification information: Name, invoice address, delivery address, e-mail address, telephone number
- Proof of identification information e.g. passport
- Gender
- Employment details including employing company, work location and your job title.
- Medical declaration and/or medical information (where applicable).
- CCTV images
- Payment details
- Login information: username and password
- Purchase information: individual services/courses
- Your use of ACTTnow’s website: time of visits, sub-page visits and purchases made
- Contact history between you and ACTTnow
- Recording of services and sales calls
- Customer satisfaction information
We collect and process the information for the following purposes:
- To provide customer service and support regarding your purchases
- To identify you in case of a dispute over a purchase
- The collection of personal and medical (sensitive) data is required to ensure ACTTnow have the necessary information to provide training courses and services.
- We record CCTV images to monitor the security of our premises and the safety of course participants during training.
- To make a self-service solution available to you that allows you to manage, change or terminate your agreements with ACTTnow in accordance with the relevant terms and conditions
- Marketing: The information collected about you may be used for marketing purposes
- To comply with applicable legislation (e.g. the EU General Data Protection Regulation (the GDPR)), including documentation requirements:
- Compliance with basic principles for processing of personal data and legal basis for processing
- Implementation and maintenance of technical and organisational security measures
- Investigation of suspected or known security breaches and reporting to individuals and authorities
- Processing of requests and complaints from data subjects and others
- Handling of inspections and requests from supervisory authorities
- Management of disputes with data subjects and third parties
- Statistics concerning use of the website
Your personal and sensitive information will not be shared, sold, or disclosed other than as described in this privacy policy.
- Sources
The personal information is collected from you when you make purchases or updates in the ACTTnow booking portal. Information about your use of our services is in some cases registered by ACTTnow’s employees, e.g. in connection with general customer service. In addition, information may also be collected from other sources that are publicly available, e.g. social media, telephone registers and geodemographic classifications.
- Legal basis for collection and processing of personal data
The legal basis for collection and processing of your identification information is the following:
- Processing is necessary for the conclusion and performance of a subscription agreement, service agreement, purchase agreement or other agreements with you, see article 6(1)(b) of the GDPR.
- The legal basis for collection of information about your use of the website, enrichment of your data, collection and processing of customer satisfaction information and recording of sales calls is the following:
- Processing is necessary for pursuing a legitimate interest, see article 6(1)(f) of the GDPR
- The legitimate interests we pursue in enriching your personal data are to be able to identify you in relation to purchases, e.g. in case of a dispute over a purchase
- The legitimate interests we pursue in enriching your personal data are to target our marketing based on profiling (article 6(1)(f) of the GDPR)
- The legitimate interests we pursue in conducting customer satisfaction surveys are to improve our products and services, undertake follow-up and thereby ensure the overall satisfaction for you as customer
- The legitimate interests we pursue in recording service and sales calls are to improve our customer management and training of our employees and thereby the overall customer experience
- The legitimate interests in pursuing legal claims, ACTTnow’s legitimate interests in safeguarding its legal position, see article 6(1)(f) of the GDPR.
The legal basis for collection and processing of personal data is:
The personal data may be processed for documentation of compliance with legislation, see article 6(1)(c) of the GDPR.
You have the right to withdraw your consent; however, this will not affect any processing or disclosure prior to the withdrawal of your consent, i.e. withdrawal of your consent will only apply prospectively.
- Voluntary basis
We collect necessary and relevant data to deliver training courses and services. You are not obligated to provide the personal and sensitive information to us; however, the consequence of not providing the information described above is that you may be unable to fully participate on training courses.
- Disclosure of your personal data
Based on the legal basis mentioned above, personal data may be disclosed to the following recipients:
- 3rd party contractors working on our behalf;
- Course awarding bodies
- Your employing company or company who made your booking;
- The ACTTnow Group’s parent company;
- ACTTnow internal and external audit processes;
- Insurance companies;
- Government bodies such as Health and Safety Executive;
We will not share your medical (sensitive) data with anyone unless we receive your written consent. The requirement to share this information may be as follows:
- We may need to discuss your medical circumstances with a medical professional in support of your fitness to participate on a training course.
- We may need to inform your employer about your medical circumstances/outcome in relation to your fitness to participate on a training course.
- Types of information and purpose
Email subscribers, filled out forms, etc.
When you register to receive e-mail from ACTTnow or fill out a form, e.g. a contact form, ACTTnow processes such personal information (in addition to the information stated in section 1 above):
We collect and process the following types of personal information about you:
- Identification information: Name, company name and occupation, if relevant, e-mail address, telephone number, IP address
- E-mail logging: number of clicks, number of openings, reading time, returning of newsletters (bounces), withdrawal of consent.
We collect and process the information for the following purposes:
- Marketing purposes, including to target our communication with you based on your interests and behaviour (digital behaviour on our websites and newsletters as well as any purchase history) in order to send you relevant marketing.
- To comply with applicable legislation (e.g. the EU General Data Protection Regulation (the GDPR), marketing legislation, e-privacy legislation), including documentation requirements:
- Compliance with basic principles for processing of personal data and legal basis for processing
- Implementation and maintenance of technical and organisational security measures
- Investigation of suspected or known security breaches and reporting to individuals and authorities
- Processing of requests and complaints from data subjects and others
- Handling of inspections and requests from supervisory authorities
- Management of disputes with data subjects and third parties
- Statistics concerning use of direct marketing
- Sources
The personal information is collected from you when you make updates in the ACTTnow booking portal or through tracking in e-mails.
From other sources that are publicly available, e.g. telephone registers and geodemographic classifications.
- Legal basis for collection and processing of personal data
The legal basis for collection and processing of personal data is:
When you have given your consent to receive direct marketing under the applicable national legislation, ACTTnow’s legal basis is its legitimate interests in being able to send you the direct marketing to which you have provided your consent, see article 6(1)(f) of the GDPR.
The legitimate interests we pursue in enriching your personal data are to target our marketing based on profiling, see article 6(1)(f) of the GDPR. The legitimate interests in pursuing legal claims, cf. ACTTnow’s legitimate interests in safeguarding its legal position, see article 6(1)(f) of the GDPR.
The legal basis for collection of your personal data by means of cookies is your consent, see relevant national legislation.
The personal data may be processed for documentation of compliance with legislation, see article 6(1)(c) of the GDPR.
You have the right to withdraw your consent; however, this will not affect any processing or disclosure prior to the withdrawal of your consent, i.e. withdrawal of your consent will only apply prospectively.
- Voluntary basis
When we collect personal data directly from you for the purpose of sending you newsletters, providing us with the information is voluntary. If you choose not to provide the information, we cannot send you newsletters.
- Transfer of personal information to data processors
We transfer your personal data to certain suppliers, e.g. IT suppliers, who process the information on behalf of ACTTnow.
- Transfer of personal data to recipients in countries outside EU/EEA
The basis for the international transfer is EU’s “Standard Contractual Clauses” for transfers from data controllers to data processors in countries without an adequate level of protection outside EU/EEA. The standard agreement is available in different languages via this link.
- Storage period
We keep your personal data for as long as necessary to meet the above-mentioned purposes and any subsequent, lawful purposes. Furthermore, we keep your personal data for as long as necessary for our documentation of compliance with applicable legislation based on the rules on time limitation.
We also keep the information for as long as necessary for defending against or pursuing civil law claims, including on the basis of the rules on time limitation. If a claim is raised, however, we will keep the information for a longer period in order to handle the claim.
For other purposes, including statutory documentation and implementation of security measures, we keep the personal data for as long as necessary based on the statutory rules on time limitation for incurring criminal liability.
- Your rights
Subject to the limitations that follow from legislation, your rights include the following: right of access to your personal data, right to rectification of incorrect information, right to erasure of information, right to restriction of processing, right to data portability and right to object to the processing of personal data, including automated individual decision-making.
You also have the right to lodge a complaint with the national Data Protection Agency.
- Security and contact
ACTTnow, as a data controller, has a duty to protect the personal and sensitive data we process about our delegates.
The information we collect about you and your organisation is stored on an electronic database on a secure server.
If you have any questions about the processing of your personal data or your privacy rights, you are welcome to contact us by e-mailing www.acttnow.com
ACTTnow Ltd
3 Eco Business Park
Eco Way
Hatfield
DONCASTER
DN7 4JJ
TMS International Ltd trading as ACTTnow. Registered in England and Wales 07465106
The organisation is committed to being transparent about how it collects and uses the personal data of its workforce, and to meeting its data protection obligations. This policy sets out the organisation’s commitment to data protection, and individual rights and obligations in relation to personal data.
This policy applies to the personal data of job applicants, employees, workers, contractors, interns, apprentices, and former employees, referred to as HR-related personal data. This policy does not apply to the personal data of customers or suppliers processed for business purposes.
The organisation has appointed Alex Elliott, Finance Manager, as the person with responsibility for data protection compliance within the organisation. He can be contacted at DPO@pjdltd.com. Questions about this policy, or requests for further information, should be directed to him.
- Definitions
- “Personal data” is any information that relates to an individual who can be identified from that information.
- “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
- “Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
- “Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
- Data protection principles
The organisation processes HR-related personal data in accordance with the following data protection principles:
- The organisation processes personal data lawfully, fairly and in a transparent manner.
- The organisation collects personal data only for specified, explicit and legitimate purposes.
- The organisation processes personal data only where it is adequate, relevant, and limited to what is necessary for the purposes of processing.
- The organisation keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- The organisation keeps personal data only for the period necessary for processing.
The organisation adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction, or damage.
The organisation tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.
Where the organisation processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.
The organisation will update HR-related personal data promptly if an individual advises that his/her information has changed or is inaccurate.
Personal data gathered during the employment, worker, or contractor relationship, or apprenticeship or internship is held in the individual’s personnel file (in hard copy or electronic format, or both), and on HR systems. The periods for which the organisation holds HR-related personal data are contained in its privacy notices to individuals.
The organisation keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
- Individual rights
As a data subject, individuals have a number of rights in relation to their personal data.
Subject access requests
Individuals have the right to make a subject access request. If an individual makes a subject access request, the organisation will tell him/her:
- whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
- to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long his/her personal data is stored (or how that period is decided);
- his/her rights to rectification or erasure of data, or to restrict or object to processing;
- his/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and
- whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.
The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically unless he/she agrees otherwise. If the individual wants additional copies, the organisation will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.
To make a subject access request, the individual should send the request to Alex Elliott, Finance Manager, email DPO@pjdltd.com. In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify his/her identity and the documents it requires.
The organisation will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the organisation processes large amounts of the individual’s data, it may respond within three months of the date the request is received. The organisation will write to the individual within one month of receiving the original request to tell him/her if this is the case.
If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. Alternatively, the organisation can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it.
- Other rights
Individuals have a number of other rights in relation to their personal data. They can require the organisation to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if the individual’s interests override the organisation’s legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data);
- stop processing or erase data if processing is unlawful; and
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the organisation’s legitimate grounds for processing data.
To ask the organisation to take any of these steps, the individual should send the request to Alex Elliott, Finance Manager, email DPO@pjdltd.com.
- Data security
The organisation takes the security of HR-related personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
- Impact assessments
Where processing would result in a high risk to individuals’ rights and freedoms, the organisation will carry out a data protection impact assessment to determine the necessity and proportionality of processing.
This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
- Data breaches
If the organisation discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The organisation will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
- International data transfers
The organisation will not transfer HR-related personal data to countries outside the EEA.
- Individual responsibilities
Individuals are responsible for helping the organisation keep their personal data up to date. Individuals should let the organisation know if data provided to the organisation changes, for example if an individual moves to a new house or changes his/her bank details.
Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their employment, contract, internship, or apprenticeship. Where this is the case, the organisation relies on individuals to help meet its data protection obligations to staff and to customers and clients.
Individuals who have access to personal data are required:
- to access only data that they have authority to access and only for authorised purposes;
- not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
- to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
- not to remove personal data, or devices containing or that can be used to access personal data, from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
- not to store personal data on local drives or on personal devices that are used for work purposes.
Further details about the organisation’s security procedures can be found in its IT security policy.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure.
Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
- Training
The organisation will provide training to all individuals about their data protection responsibilities as part of the induction process.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.