
GDPR Policy for CUB (UK) Ltd

Policy Information

Organisation
CUB (UK) Ltd
6 Melbourne Avenue, 
March, 
Cambridgeshire, 
PE15 0EN
Company Reg. 3759889

Scope of Policy
This policy applies to:
• The head office of CUB (UK) Ltd
• All branches of CUB (UK) Ltd
• All staff and volunteers of CUB (UK) Ltd

It applies to all data that the company holds relating to individuals, even if that information technically falls outside of the General Data Protection Regulation (GDPR) (EU) 2016/679. This can include:
• Names of individuals
• Postal Addresses
• Email Addresses
• Telephone Numbers
• Bank Details

Policy operational date: 25th May 2018

Policy prepared by: James Smy & Justin Healey

Date approved by directors: 17/05/2018

Policy Review Date
This policy will be updated at a minimum of every three years to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and the Data Protection Act 1998. The next scheduled review will be on 25/05/2021.

Introduction

Purpose of Policy

This GDPR policy ensures CUB (UK) Ltd:

• Complies with data protection law and follows good practice
• Protects the rights of staff, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Types of Data

• Information processed, or intended to be processed wholly or partly by automatic means
• Information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’
• Information that forms part of an ‘accessible record’

Policy Statement

CUB (UK) Ltd needs to gather and use certain information about individuals.

These people can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the General Data Protection Regulation.

The GDPR regulates the processing of personal data, and protects the rights and privacy of all living individuals (including children), for example by giving all individuals who are the subject of personal data a general right of access to the personal data which relates to them.

Individuals can exercise the right to gain access to their information by means of a ‘subject access request’. Personal data is information relating to an individual and may be in hard or soft copy (paper/manual files; electronic records; photographs; CCTV images), and may include facts or opinions about a person.

The legislation places a responsibility on every data controller to process any personal data in accordance with the eight principles. In order to comply with its obligations, CUB (UK) Ltd undertakes to adhere to the eight principles:
• Process personal data fairly and lawfully
• Process the data for the specific and lawful purpose for which it collected that data and not further process the data in a manner incompatible with this purpose
• Ensure that the data is adequate, relevant, and not excessive in relation to the purposes for which it is processed
• Keep personal data accurate and, where necessary, up to date
• Only keep personal data for as long as it is necessary
• Process personal data in accordance with the rights of the data subject under the legislation
• Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data
• Ensure that no personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

This policy is CUB (UK) Ltd’s commitment to:
• Comply with both the law and good practice
• Respect individual rights
• Be open and honest with individuals whose data is held
• Provide training and support for staff who handle personal data, so that they can act confidently and consistently
• Notify the Information Commissioner voluntarily, even if this is not required

Key Risks

This policy helps to protect CUB (UK) Ltd from some very real data security risks, including:

• Breaches of confidentiality
• Failing to offer choice
• Reputational damage

Responsibilities
The Board / Company Directors
Louis Fairfax – Managing Director
Jaqui Fairfax – Chairman
Mike Fairfax – R&D Director

Data Protection Officers
James Smy – Financial Controller
Justin Healey – Business Support

Employees & Volunteers
All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Security
Scope
CUB (UK) Ltd will have in place appropriate security measures as below:
• Ensuring that hard copy personal data is kept in lockable filing cabinets/cupboards with controlled access
• Password protecting personal data held electronically.
• Archiving personal data which are then kept securely.
• Placing any PCs or terminals that show personal data so that they are not visible except to authorised staff.
• Ensuring that PC screens are not left unattended without a password protected screen-saver being used.

Setting Security Levels
CUB (UK) Ltd will assess the level of security required based on the consequences of a breach of confidentiality and will employ appropriate security measures as needed.

Business Continuity
CUB (UK) Ltd ensures business continuity through a variety of measures:
• The organisation will take daily backups of the server which are kept off property
• The organisation has business continuity insurance within their building policy

Data Recording and Storage

Accuracy 

The law requires CUB (UK) Ltd to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort CUB (UK) Ltd should put into ensuring its accuracy.

It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

• Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
• Staff should take every opportunity to ensure data is updated.
• CUB (UK) Ltd will make it easy for data subjects to update the information CUB (UK) Ltd holds about them.
• Data should be updated as inaccuracies are discovered.

Retention Periods
CUB (UK) Ltd has strict retention periods which are outlined in CUB (UK) Ltd’s Information Asset Register which is reviewed on an annual basis for the purpose of making sure the company remains compliant with its own standards and the law.

Right of Access

Responsibility

CUB (UK) Ltd’s Data Protection Officers are responsible for ensuring that right of access requests are handled within the legal time limit which is one month:

• James Smy – Financial Controller
• Justin Healey – Business Support

Procedure for Making Request
Under the GDPR, an individual (Data Subject) has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed. Where that is the case, the Data Subject is entitled to access to that personal data and certain information as follows:

• The purposes of the processing
• Categories of personal data concerned
• The recipients or categories of recipients to whom the personal data have been or will be disclosed
• Where possible the period for which the personal data may be stored or, if that is not possible, the criteria used to decide that period
• The existence of the right to request, from the Data Controller, rectification of the data or erasure of the data or restriction on processing of the data or to object to the processing
• The right to lodge a complaint with the ICO
• Where the personal data has not been collected from the Data Subject, any available information as to the source of that data
• The existence of any automated decision making and information about that decision making

Right of access requests must be in writing. A standard request form is available on request. You are not obliged to complete this form to make a request, but doing so will make it easier for us to process your request quickly.

Provision for Verifying Identity
To ensure we are releasing data to the right person, we require you to provide us with proof of your identity and proof of your address. Please supply us with a photocopy or scanned image (do not send the originals) of one or both of the following:
• Proof of Identity (passport, photo driving licence, national identity card, birth certificate)
• Proof of Address (utility bill, bank statement, credit card statement (no more than 3 months old); current driving licence; current TV licence; local authority tax bill, HMRC tax document (no more than 1 year old))

If we are not satisfied you are who you claim to be, we reserve the right to refuse to grant your request.

Charging
While in most cases we will be happy to provide you with copies of the information you request, we nevertheless reserve the right, in accordance with Article 12 of the GDPR, to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”.

However, we will make every effort to provide you with a satisfactory form of access or summary of information if suitable.

Disclosing Data for Other Reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, CUB (UK) Ltd will disclose requested data. However, the data controller will ensure the request is legitimate by any means possible.


Transparency

Commitment
CUB (UK) Ltd is committed to ensuring that Data Subjects are aware that:

• Their data is being processed
• For what purpose it is being processed
• What types of disclosure are likely
• How to exercise their rights in relation to the data

Procedure
Data subjects are informed as per below:
• Employees will be informed in their new employee handbooks.
• Clients, suppliers or other individuals or organisations that CUB (UK) Ltd has a relationship with can contact the Data Protection Officers with any requests.
• CUB (UK) Ltd’s GDPR policy will be available on its website

Responsibility
All employees at CUB (UK) Ltd are responsible for transparency in relation to data subjects.

Lawful Basis

Underlying Principles

The legislation places a responsibility on every data controller to process any personal data in accordance with the eight principles. In order to comply with its obligations, CUB (UK) Ltd undertakes to adhere to the eight principles:

• Process personal data fairly and lawfully
• Process the data for the specific and lawful purpose for which it collected that data and not further process the data in a manner incompatible with this purpose
• Ensure that the data is adequate, relevant, and not excessive in relation to the purposes for which it is processed
• Keep personal data accurate and, where necessary, up to date
• Only keep personal data for as long as it is necessary
• Process personal data in accordance with the rights of the data subject under the legislation
• Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data
• Ensure that no personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Opting Out
CUB (UK) Ltd has provisions in place to accommodate a data subject’s request to opt out of having their data used in particular ways. Where this is a concern, the data subject should contact the organisation’s Data Protection Officers.

Withdrawing Consent
CUB (UK) Ltd recognises that once given, consent can be withdrawn, but not retrospectively. However, there may be occasions where the organisation has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

Employee Training

Induction
All employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures from the implementation of GDPR on 25th May 2018 going forwards.

Continuing Training
The organisation’s Data Protection Officers will undergo continued training and are in charge of organising any further training that CUB (UK) Ltd employees will need to undergo. Opportunities for training will be reviewed on a quarterly basis.

Policy Review

Responsibility
James Smy – Financial Controller
Justin Healey – Business Support

Timing
Review to begin 14/05/2021, to be completed by 15/05/2021.