Clients Privacy Notice for Enterprise Plants
Our management team are aware of how personal data is defined within our country’s data protection legislation and we have identified that we need to comply with the new General Data Protection Regulation.
Our managing director has overall responsibility for security and data protection within our organisation. Within regular appraisals, management considers information security and data protection when reviewing performance.
We carry out an annual data privacy risk assessment and have procedures in place to mitigate risks. Our managing director regularly checks procedures are being followed to monitor compliance. The Atlas platform by our Health and Safety consultancy company Citation is used to train our employees on personal data and information security requirements. Our managing director is responsible for ensuring compliance is maintained and for data security.
We have completed a data analysis and a data flow audit and have processes in place for all of the data that requires protection. We have documented where the personal data we hold has been obtained from. When assets are no longer required, we ensure data is securely wiped or destroyed.
Nature of work – Commercial Landscape Business
Point of Contact – Customer enquiry contact details:
Matthew Monckton, Managing Director
Enterprise Plants Limited
Church Lane, North Ockendon, Upminster RM14 3QH
Email address: email@example.com
Description of processing
The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
Reasons/purposes for processing information
We process personal information to enable us to promote our goods and services, to maintain our accounts and records and to support and manage our staff.
Type/classes of information processed
We process information relevant to the above reasons/purposes that may include:
personal details, family, lifestyle and social circumstances, financial details, employment and education details, goods or services provided.
We also process sensitive classes of information that may include:
Physical or mental health details, racial or ethnic origin, religious or other beliefs of a similar nature, trade union membership
We process personal information about our:
Employees, customers and clients, suppliers and services providers, advisers, consultants and other professional experts, complainants and enquirers
Who the information may be shared with
We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
Family, associates and representatives of the person whose personal data we are processing; employment and recruitment agencies; current, past and prospective employers; educators and examining bodies; central government; credit reference agencies; suppliers and service providers; debt collection and tracing agencies; financial organisations.
CCTV for crime prevention
CCTV is used for maintaining the security of our property and premises and for preventing and investigating crime; it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, service providers, police forces, security organisations and persons making an enquiry.
It may sometimes be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.
Our sub-processors adhere fully to the GDPR and we are aiming to have contracts in place with them all. Our sub-processors consist of subcontractors, suppliers and companies we engage for marketing activities, and we ensure these third parties adhere to the GDPR. Our off-site backup and data recovery data is encrypted with 256-bit encryption before leaving our offices, is transmitted via SSL, and is securely stored in encrypted locations within the EU.
We conduct risk assessments for data privacy. We ensure data is encrypted before being stored or accessed by our public cloud provider. We ensure our public cloud provider securely stores the data we share and hold. Consent is obtained before personal data is stored outside of the European Economic Area (EEA).
Privacy Impact Assessment:
We carry out a Data Protection Impact Assessment (DPIA) when required. We consider data privacy when starting new projects to ensure that data is considered and protected as part of the initial design.
Data Protection is referenced within our employee contracts.
Our policies and procedures clearly explain responsibilities for handling personal data. We collect personal data in a fair, lawful and transparent manner. We ensure data notices can be easily accessed by data subjects. This has not been relevant to our operations; however, if data subjects are under 16 years of age we would obtain parental consent. We are able to respond to Subject Access Requests (SARs) within appropriate time-scales. We ensure data is accurate and kept up-to-date. We can delete a data subject’s personal data when required.
We can stop processing personal information when required. We can provide electronic copies of an individual’s personal data when required. We have a complaints and appeals procedure.
Legal Basis for Processing:
We document the legalities surrounding the reasons why we obtain personal information. We record the ways in which we obtain consent for the purpose of demonstrating compliance.
Personal information is handled in a way that is appropriate to its sensitivity and confidentiality.
We ensure the level of data access granted to employees is appropriate to their position.
We assess and document security breaches involving personal data and report them, where appropriate, through our incident report system and, where appropriate, to the ICO.
We ensure personal data is relevant and adequate for the organisation’s purposes. Our Data Privacy Statement includes a point of contact for issues concerning data protection. Data subjects are able to revoke consent for data obtained. We record the reasons why personal data was obtained. Our contracts state whether we are acting as the data controller or data processor. Our security policy is detailed within the relevant contracts. Privacy impact assessments are carried out on new systems and projects where personal data is used.
We record which processes, policies and technologies need to be monitored. Senior management reviews the output of monitoring activities.
We identify nonconformities through our incident report system to help us continue improving our Privacy Management System.