COMPANY GDPR / DATA PROTECTION POLICY

  1. Introduction

This document sets out the obligations of IMS Building Solutions Ltd with regard to data protection and the rights of people with whom it works in respect of their personal data under the Data Protection Act 1998 (“the Act”) and in compliance with the GDPR 2021 Act.

This Policy shall set out procedures which are to be followed when dealing with personal data. The procedures set out herein must be followed by the Company, its employees, contractors, agents, consultants, partners, or other parties working on behalf of the Company.

The Company views the correct and lawful handling of personal data as key to its success and dealings with third parties. The Company shall ensure that it handles all personal data correctly and lawfully.

  2. The Data Protection Principles

This Policy aims to ensure compliance with the Act. The Act sets out eight principles with which any party handling personal data must comply. All personal data:

  • Must be processed fairly and lawfully (and shall not be processed unless certain conditions are met);
  • Must be obtained only for specified and lawful purposes and shall not be processed in any manner which is incompatible with those purposes;
  • Must be adequate, relevant, and not excessive with respect to the purposes for which it is processed;
  • Must be accurate and, where appropriate, kept up-to-date;
  • Must be kept for no longer than is necessary in light of the purpose(s) for which it is processed;
  • Must be processed in accordance with the rights of data subjects under the Act;
  • Must be protected against unauthorized or unlawful processing, accidental loss, destruction, or damage through appropriate technical and organizational measures; and
  • Must not be transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  3. Rights of Data Subjects

Under the Act, data subjects have the following rights:

  • The right to be informed that their personal data is being processed;
  • The right to access any of their personal data held by the Company within 40 days of making a request;
  • The right to prevent the processing of their personal data in limited circumstances; and
  • The right to rectify, block, erase, or destroy incorrect personal data.

  4. Personal Data

Personal data is defined by the Act as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Data Retention

The Company ensures that all personal data is kept for no longer than is necessary in light of the purpose(s) for which it is processed. This means that:

  • Personal data is only collected to the extent that is necessary to fulfill the stated purpose(s).
  • All personal data is accurate at the time of collection and kept accurate and up-to-date while it is being held and/or processed.
  • No personal data is held for any longer than necessary in light of the stated purpose(s).
  • All personal data is held in a safe and secure manner, taking all appropriate technical and organizational measures to protect the data.
  • All personal data is transferred using secure means, electronically or otherwise.
  • No personal data is transferred outside of the UK or EEA without first ensuring that appropriate safeguards are in place in the destination country or territory.

Secure Data Transfer Methods

From The Company:

  • Email Encryption: All emails containing personal data must be encrypted to ensure secure transfer [1].
  • Secure Networks: Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted [1].
  • Hardcopy Transfer: Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient without using an intermediary [1].
  • Secure Storage: All electronic copies of personal data should be stored securely using passwords and suitable data encryption [1].

From the Web:

  • File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP): FTP is a standard network protocol that copies a file online from one host to another. SFTP is one of the safest ways to transfer data online, requiring a username and password for access [2].
  • Website Encryption: Using Secure Sockets Layer (SSL) for encryption allows secure transfer of data over websites, especially for businesses collecting sensitive customer data [2].
  • Data Encryption: Encrypting the data you’re sending is one of the easiest yet most efficient ways to protect your transfer. This involves using public and private key pairs for the sender and receiver [3].