General Data Protection Regulations (GDPR) & UK Global Road Safety Ltd
Personal information, regardless of the format it may take, is a valuable resource that UK Global Road Safety Ltd (UKGRS) takes measures to protect from loss or corruption, unauthorised access and modification. In addition, such information and the way it may be processed is subject to UK law, specifically the General Data Protection Regulations 2018 (GDPR).
This document defines how UKGRS secures and handles data in line with the GDPR.
This policy will be reviewed and updated annually.
- Upon receipt of an enquiry
- In reply to a communication from UKGRS
- From a customer agreeing to engage in the products and services of UKGRS. This may include contact details, date of birth, payment details
- From interacting with delegates attending training which may include contact details, date of birth, driving license information
- Information you provide to us when raising a ticket support enquiry
- Information that you provide when you communicate with us by any means.
Use of data
UKGRS recognises that the data it holds must be protected in line with the GDPR.
UKGRS will use the data that is held to provide our services and any certification. In addition, UKGRS may use the information for one or more of the following purposes:
- To provide information that has been requested from UKGRS relating to the products and services available or to address ticket support enquiries
- To provide information relating to other products that may be of interest to clients. Such additional information will only be provided where consent has been given for UKGRS to do so
Information from third parties.
UKGRS may collect delegates' personal information or data from third parties (e.g. employers). The third party will hold the appropriate permission for this. This information will only be used to facilitate the delivery of the agreed training or assessment programmes and for no other purpose.
Disclosing data to third parties
UKGRS will only disclose data to third parties for a limited number of reasons:
- Information may be shared with providers of services to UKGRS in order to deliver agreed products and services to clients and for certification purposes
- Information as required or permitted by law, or when it is believed that disclosure is necessary to protect our rights, protect an individual’s safety or the safety of others, and/or to comply with a judicial proceeding, court order, or other legal process served upon UKGRS
- To protect against the risk of fraud
UKGRS will not sell or pass on information for commercial purposes.
UKGRS will retain data securely, ensuring the IT infrastructure is covered by appropriate hardware and software maintenance and support.
Personal data will not be retained for any longer than is necessary for its defined purpose. In this respect, a full data retention schedule is held and reviewed in accordance with the principles of the GDPR.
The rights of individuals
Individuals have rights within the GDPR and UKGRS is committed to complying with those rights:
- The right to be informed
UKGRS only processes information that it collects directly from its customers in order to deliver its products and services in a fair and lawful manner. The data may be collected through our website, enquiries that we receive or from an individual, employer or agent.
The type of information that we usually collect may include:
- Email address
- Company name
- Company address
- Language preference
- Driving license number
- Employee ID
- Date of birth
- Home address
- Home, work and/or mobile telephone numbers
- The right of access
Individuals have the right to access the personal information and any supplementary information UKGRS holds on them. Individuals are allowed to be aware of and verify the lawfulness of the processing.
Individuals have the right to obtain the following information by making a request via reasonable means:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information that UKGRS may hold on the individual
UKGRS will verify the identity of the person making the request.
No charge will be made for providing the information. The information will be provided within one month of the date of the request and, if the request is made electronically, the response will be made in a commonly used secure format.
Manifestly unfounded or excessive requests
In the event that a request for information is found to be manifestly unfounded or excessive, a “reasonable fee” will be charged, particularly if the request is repetitive. A further fee will also be charged for further copies of the same information but not for subsequent access requests. In the event that the request is of a complex or numerous nature, the period of response will be extended to two months, but the individual will be informed within the first month as to why the extension is necessary.
In the event that UKGRS refuses to respond to the request for information, UKGRS will provide a full explanation as to why and inform the individual of the right to complain to the supervisory authority and to a judicial remedy without undue delay and at the least within one month.
In the event that a large quantity of information is requested, UKGRS has the right to ask for specific information to facilitate the request.
- The right to rectification
Individuals have the right to have any data that UKGRS holds, rectified. Personal data can be rectified if it is inaccurate or incomplete.
In the event that personal data has been shared with a third party in order to facilitate the services of UKGRS, the third party will be contacted and informed of the rectification – unless this proves impossible or involves disproportionate effort. Should UKGRS be asked, individuals will be informed about these recipients.
All requests for rectification will be responded to within one month. This can be extended by two months where the request for rectification is complex.
In the event that UKGRS does not take action in response to a request for rectification, an explanation will be provided to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
- The right to erasure
Individuals have the right to erasure of the personal data that UKGRS holds.
This enables an individual to request that UKGRS delete or remove personal data where there is no compelling reason for its continued processing.
The right to erasure does not provide an absolute right to be forgotten but gives individuals a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
UKGRS can refuse the right to comply with a request for erasure in the event that the data is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims
UKGRS has no reason to process children’s data and will never knowingly do so.
In the event that personal data has been shared with a third party in order to facilitate the services of UKGRS, the third party will be contacted and informed of the erasure request – unless this proves impossible or involves disproportionate effort. Should UKGRS be asked, individuals will be informed about these recipients.
UKGRS does not make personal data public.
- The right to restricted processing
Individuals have a right to ‘block’ or suppress processing of personal data that UKGRS holds.
Upon receipt of a request to restrict processing UKGRS will store the personal data but not further process it.
Sufficient information about the individual will be held to ensure that the restriction is respected in the future.
UKGRS will restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data, UKGRS will restrict the processing until the accuracy of the personal data has been verified.
- Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and UKGRS is considering whether its legitimate grounds override those of the individual.
- When processing is unlawful and the individual opposes erasure and requests restriction instead.
- If UKGRS no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
In the event that personal data has been shared with a third party in order to facilitate the services of UKGRS, the third party will be contacted and informed of the restriction on the processing of the personal data – unless this proves impossible or involves disproportionate effort. Should UKGRS be asked, individuals will be informed of these recipients.
UKGRS will inform individuals should it decide to lift a restriction on processing.
- The right to data portability
Individuals have the right to data portability, allowing them to obtain and reuse their personal data for their own purposes across different services. Personal data can move, be copied or transferred easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
In the unlikely event that UKGRS is subject to a data portability request, personal data will be provided in a structured and commonly used and machine-readable format. This information will be provided free of charge.
Upon receipt of a request from an individual, UKGRS will transmit the data directly to another organisation, where this is technically feasible. However, UKGRS will not necessarily adopt or maintain processing systems that are technically compatible with other organisations.
If the personal data request concerns more than one individual, UKGRS will consider whether providing the information would prejudice the rights of any other individual.
Any requests to port personal data will be addressed without undue delay, and within one month. In the event that the request is complex or where a number of requests are received, this will be extended to two months. The individual will be advised within one month of receipt of the request and an explanation given as to why the extension is necessary.
In the event that no action is being taken with regard to a portability request, an explanation will be provided to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
- The right to object
Individuals have the right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- Direct marketing (including profiling); and
- Processing for purposes of scientific/historical research and statistics.
The individual’s right to object will be based on “grounds relating to his or her particular situation”.
UKGRS will stop processing the personal data unless:
- It can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
UKGRS will inform individuals of their right to object “at the point of first communication” and in its privacy notice.
This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
UKGRS will stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse.
UKGRS will deal with an objection to processing for direct marketing at any time and free of charge.
UKGRS will offer a way for individuals to object online.
- Rights in relation to automated decision-making and profiling
The products and services of UKGRS do not fall in line with Article 22 as referred to under the GDPR.
UKGRS will still comply with the GDPR principles as outlined in this document.
In the event of a breach of personal data, UKGRS will comply with the duties set down in the GDPR, informing the Information Commissioner’s Office if necessary. Where feasible, UKGRS will honour its obligations within 72 hours of becoming aware of the breach.
Should the breach be likely to result in a high risk of adversely affecting individuals’ rights and freedoms, UKGRS will also inform those individuals without undue delay.
Date of Policy:
25th May 2018. Next review date May 2019.