Privacy Policy
Effective date: May 22, 2018
Antrica (Division of Zilica Ltd) (“us”, “we”, or “our”) operates the https://antrica.com website (the “Service”).
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from https://antrica.com
Definitions
Service
Service is the https://antrica.com website operated by Antrica (Division of Zilica Ltd)
Personal Data
Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
Usage Data
Usage Data is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Cookies
Cookies are small pieces of data stored on your device (computer or mobile device).
Data Controller
Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal information is, or is to be, processed.
For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.
Data Processors (or Service Providers)
Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller.
We may use the services of various Service Providers in order to process your data more effectively.
Data Subject (or User)
Data Subject is any living individual who is using our Service and is the subject of Personal Data.
Information Collection And Use
We collect several different types of information for various purposes to provide and improve our Service to you.
Types of Data Collected
Personal Data
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
- Cookies and Usage Data
We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.
Usage Data
We may also collect information about how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol (IP) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Tracking Cookies Data
We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.
Cookies are files containing a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. We also use other tracking technologies, such as beacons, tags, and scripts, to collect and track information and to improve and analyze our Service.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Examples of Cookies we use:
- Session Cookies. We use Session Cookies to operate our Service.
- Preference Cookies. We use Preference Cookies to remember your preferences and various settings.
- Security Cookies. We use Security Cookies for security purposes.
Use of Data
Antrica (Division of Zilica Ltd) uses the collected data for various purposes:
- To provide and maintain our Service
- To notify you about changes to our Service
- To allow you to participate in interactive features of our Service when you choose to do so
- To provide customer support
- To gather analysis or valuable information so that we can improve our Service
- To monitor the usage of our Service
- To detect, prevent and address technical issues
- To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information
Legal Basis for Processing Personal Data Under General Data Protection Regulation (GDPR)
If you are from the European Economic Area (EEA), the legal basis on which Antrica (Division of Zilica Ltd) collects and uses the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.
Antrica (Division of Zilica Ltd) may process your Personal Data because:
- We need to perform a contract with you
- You have given us permission to do so
- The processing is in our legitimate interests and it’s not overridden by your rights
- For payment processing purposes
- To comply with the law
Retention of Data
Antrica (Division of Zilica Ltd) will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
Antrica (Division of Zilica Ltd) will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Transfer Of Data
Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of your jurisdiction.
If you are located outside the United Kingdom and choose to provide information to us, please note that we transfer the data, including Personal Data, to the United Kingdom and process it there.
Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
Antrica (Division of Zilica Ltd) will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
Disclosure Of Data
Disclosure for Law Enforcement
Under certain circumstances, Antrica (Division of Zilica Ltd) may be required to disclose your Personal Data where required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Legal Requirements
Antrica (Division of Zilica Ltd) may disclose your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of Antrica (Division of Zilica Ltd)
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
Security Of Data
The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
Your Data Protection Rights Under General Data Protection Regulation (GDPR)
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. Antrica (Division of Zilica Ltd) aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.
In certain circumstances, you have the following data protection rights:
- The right to access, update or to delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where Antrica (Division of Zilica Ltd) relied on your consent to process your personal information.
Please note that we may ask you to verify your identity before responding to such requests.
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).
Service Providers
We may employ third party companies and individuals to facilitate our Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Payments
We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g. payment processors).
We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
The payment processors we work with are:
- Sage Pay. Their policies can be viewed at https://www.sagepay.co.uk/policies
Links To Other Sites
Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Children’s Privacy
Our Service does not address anyone under the age of 18 (“Children”).
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
Changes To This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
Contact Us
If you have any questions about this Privacy Policy, please contact us:
- By email: les@antrica.com
- By visiting this page on our website: https://antrica.com/contact
Cookie Policy
Cookies Policy
Last updated: May 22, 2018
Antrica (Division of Zilica Ltd) (“us”, “we”, or “our”) uses cookies on the https://antrica.com website (the “Service”). By using the Service, you consent to the use of cookies.
Our Cookies Policy explains what cookies are, how we use cookies, how third-parties we may partner with may use cookies on the Service, your choices regarding cookies and further information about cookies.
What are cookies
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you and make your next visit easier and the Service more useful to you.
Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.
How Antrica (Division of Zilica Ltd) uses cookies
When you use and access the Service, we may place a number of cookie files in your web browser.
We use cookies for the following purposes:
- To enable certain functions of the Service
- To provide analytics
We use both session and persistent cookies on the Service and we use different types of cookies to run the Service:
- Essential cookies. We may use cookies to remember information that changes the way the Service behaves or looks, such as a user’s language preference on the Service.
- Analytics cookies. We may use analytics cookies to track information about how the Service is used so that we can make improvements. We may also use analytics cookies to test new advertisements, pages, features or new functionality of the Service to see how our users react to them.
Third-party cookies
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, deliver advertisements on and through the Service, and so on.
What are your choices regarding cookies
If you’d like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser.
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
For the Chrome web browser, please visit this page from Google:
https://support.google.com/accounts/answer/32050
For the Internet Explorer web browser, please visit this page from Microsoft: http://support.microsoft.com/kb/278835
For the Firefox web browser, please visit this page from Mozilla: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored
For the Safari web browser, please visit this page from Apple: https://support.apple.com/kb/PH21411?locale=en_US
For any other web browser, please visit your web browser’s official web pages.
Where can you find more information about cookies
You can learn more about cookies at the following third-party websites:
- AllAboutCookies: http://www.allaboutcookies.org/
- Network Advertising Initiative: http://www.networkadvertising.org/
Disclaimer
Last updated: May 22, 2018
The information contained on https://antrica.com website (the “Service”) is for general information purposes only.
Antrica (Division of Zilica Ltd) assumes no responsibility for errors or omissions in the contents on the Service.
In no event shall Antrica (Division of Zilica Ltd) be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. Antrica (Division of Zilica Ltd) reserves the right to make additions, deletions, or modifications to the contents on the Service at any time without prior notice.
Antrica (Division of Zilica Ltd) does not warrant that the Service is free of viruses or other harmful components.
Terms & Conditions of use
Terms and Conditions of use (antrica.com)
Last updated: May 22, 2018
Please read these Terms and Conditions (“Terms”, “Terms and Conditions”) carefully before using the https://antrica.com website (the “Service”) operated by Antrica (Division of Zilica Ltd) (“us”, “we”, or “our”).
Your access to and use of the Service is conditioned on your acceptance of and compliance with these Terms. These Terms apply to all visitors, users and others who access or use the Service.
By accessing or using the Service you agree to be bound by these Terms. If you disagree with any part of the terms then you may not access the Service.
Intellectual Property
The Service and its original content, features and functionality are and will remain the exclusive property of Antrica (Division of Zilica Ltd) and its licensors. The Service is protected by copyright, trademark, and other laws of both the United Kingdom and foreign countries. Our trademarks and trade dress may not be used in connection with any product or service without the prior written consent of Antrica (Division of Zilica Ltd).
Links To Other Web Sites
Our Service may contain links to third-party web sites or services that are not owned or controlled by Antrica (Division of Zilica Ltd).
Antrica (Division of Zilica Ltd) has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that Antrica (Division of Zilica Ltd) shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods or services available on or through any such web sites or services.
We strongly advise you to read the terms and conditions and privacy policies of any third-party web sites or services that you visit.
Termination
We may terminate or suspend your access immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the Terms.
Upon termination, your right to use the Service will immediately cease.
All provisions of the Terms which by their nature should survive termination shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.
Indemnification
You agree to defend, indemnify and hold harmless Antrica (Division of Zilica Ltd) and its licensee and licensors, and their employees, contractors, agents, officers and directors, from and against any and all claims, damages, obligations, losses, liabilities, costs or debt, and expenses (including but not limited to attorney’s fees), resulting from or arising out of a) your use and access of the Service, or b) a breach of these Terms.
Limitation Of Liability
In no event shall Antrica (Division of Zilica Ltd), nor its directors, employees, partners, agents, suppliers, or affiliates, be liable for any indirect, incidental, special, consequential or punitive damages, including without limitation, loss of profits, data, use, goodwill, or other intangible losses, resulting from (i) your access to or use of or inability to access or use the Service; (ii) any conduct or content of any third party on the Service; (iii) any content obtained from the Service; and (iv) unauthorized access, use or alteration of your transmissions or content, whether based on warranty, contract, tort (including negligence) or any other legal theory, whether or not we have been informed of the possibility of such damage, and even if a remedy set forth herein is found to have failed of its essential purpose.
Disclaimer
Your use of the Service is at your sole risk. The Service is provided on an “AS IS” and “AS AVAILABLE” basis. The Service is provided without warranties of any kind, whether express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, non-infringement or course of performance.
Antrica (Division of Zilica Ltd), its subsidiaries, affiliates, and its licensors do not warrant that a) the Service will function uninterrupted, secure or available at any particular time or location; b) any errors or defects will be corrected; c) the Service is free of viruses or other harmful components; or d) the results of using the Service will meet your requirements.
Exclusions
Without limiting the generality of the foregoing and notwithstanding any other provision of these terms, under no circumstances will Antrica (Division of Zilica Ltd) ever be liable to you or any other person for any indirect, incidental, consequential, special, punitive or exemplary loss or damage arising from, connected with, or relating to your use of the Service, these Terms, the subject matter of these Terms, the termination of these Terms or otherwise, including but not limited to personal injury, loss of data, business, markets, savings, income, profits, use, production, reputation or goodwill, anticipated or otherwise, or economic loss, under any theory of liability (whether in contract, tort, strict liability or any other theory or law or equity), regardless of any negligence or other fault or wrongdoing (including without limitation gross negligence and fundamental breach) by Antrica (Division of Zilica Ltd) or any person for whom Antrica (Division of Zilica Ltd) is responsible, and even if Antrica (Division of Zilica Ltd) has been advised of the possibility of such loss or damage being incurred.
Governing Law
These Terms shall be governed and construed in accordance with the laws of England and Wales, without regard to its conflict of law provisions.
Our failure to enforce any right or provision of these Terms will not be considered a waiver of those rights. If any provision of these Terms is held to be invalid or unenforceable by a court, the remaining provisions of these Terms will remain in effect. These Terms constitute the entire agreement between us regarding our Service, and supersede and replace any prior agreements we might have between us regarding the Service.
Changes
We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material we will try to provide at least 30 days’ notice prior to any new terms taking effect. What constitutes a material change will be determined at our sole discretion.
By continuing to access or use our Service after those revisions become effective, you agree to be bound by the revised terms. If you do not agree to the new terms, you must stop using the Service.
Privacy Policy and Cookie Policy
Please refer to our Privacy Policy and Cookies Policy. You agree that they constitute part of these terms. You must read our Privacy Policy and Cookies Policy before you use the Service.
Contact Us
If you have any questions about these Terms, please contact us:
- By email: sales@antrica.com
- By phone: +44(0)1628626098
Data Retention Policy
Zilica Limited (Antrica) Data Retention Policy, 24th May 2018
- Introduction
This Policy sets out the obligations of Zilica Ltd, a company registered in the UK under number 888888, whose registered office is at 8 Hasting Close, Bray (“the Company”), regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.
Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
- Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
- When the data subject withdraws their consent;
- When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
- When the personal data is processed unlawfully (i.e. in breach of the GDPR);
- When the personal data has to be erased to comply with a legal obligation; or
- Where the personal data is processed for the provision of information society services to a child.
This Policy sets out the type(s) of personal data held by the Company for buying and selling products and by the personnel department, the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.
- Aims and Objectives
- The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.
- In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by the Company, this Policy also aims to improve the speed and efficiency of managing data.
- Scope
- This Policy applies to all personal data held by Zilica Ltd or the Human Resources department of the Company for buying and selling, and by third-party data processors processing personal data on the Company’s behalf, such as Rice Associates for payroll and our outsourced HR agent New Forest HR Ltd.
- Personal data, as held by Zilica Ltd is stored in the following ways and in the following locations:
- The Company’s servers, located in Westacott Business Centre SL6 3RT;
- Third-party servers, operated by Rice Associates and located in Wokingham;
- Computers permanently located in the Company’s premises at Westacott Business Centre SL6 3RT;
- Laptop computers and other mobile devices provided by the Company to its employees;
- Computers and mobile devices owned by employees, agents, and sub-contractors;
- Physical records stored in Westacott Business Centre A6 SL6 3RT;
- Additional archives held at 8 Hasting Close, SL6 2DA.
- Data Subject Rights and Data Integrity
All personal data held by the Company is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the Company’s Data Protection Policy.
- Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used [as set out in Parts 12 and 13 of the Company’s Data Protection Policy], and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
- Data subjects are given control over their personal data held by the Company including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict the Company’s use of their personal data, [the right to data portability,] and further rights relating to automated decision-making and profiling [, as set out in Parts 14 to 20 of the Company’s Data Protection Policy].
- Technical and Organisational Data Security Measures
- The following technical measures are in place within the Company to protect the security of personal data. Please refer to Parts 22 to 26 of the Company’s Data Protection Policy for further details:
- All emails containing personal data must be encrypted. Any attachments containing personal data must be ZIP’d and protected with a user name and password. If personal information is contained in the body of the email, then the email itself must be encrypted;
- All emails containing personal data must be marked “confidential”;
- Personal data may only be transmitted over secure networks. Email is considered a secure network if a) and b) above are met, and so is the Company’s internal LAN;
- Personal data may not be transmitted over a wireless network if there is a reasonable wired alternative, unless it is impractical to use a wired network;
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself and associated temporary files should be deleted;
- Where personal data is to be sent by facsimile transmission the recipient should be informed in advance and should be waiting to receive it;
- Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient or sent using DHL Document Courier Services;
- All personal data transferred physically should be transferred in a suitable container marked “confidential”;
- No personal data may be shared informally and if access is required to any personal data, such access should be formally requested from Les Litwin;
- All hardcopies of personal data, along with any electronic copies stored on physical media should be stored securely;
- No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without authorisation;
- Personal data must be handled with care at all times and should not be left unattended or on view;
- Computers used to view personal data must always be locked before being left unattended;
- No personal data should be stored on any mobile device, whether such device belongs to the Company or otherwise without the formal written approval of Les Litwin and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
- No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the Company’s Data Protection Policy and the GDPR;
- All personal data stored electronically should be backed up daily, with backups stored in secure encrypted Dropbox folders;
- All electronic copies of personal data should be stored securely using passwords and encryption;
- All passwords used to protect personal data should be changed regularly and must be secure;
- Under no circumstances should any passwords be written down or shared. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
- All software should be kept up-to-date. Security-related updates should be installed as soon as reasonably possible after becoming available;
- No software may be installed on any Company-owned computer or device without the approval of Les Litwin;
- Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Carly Litwin to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the chat service, Freshdesk.
- The following organisational measures are in place within the Company to protect the security of personal data. Please refer to Part 27 of the Company’s Data Protection Policy for further details:
- All employees and other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under the Company’s Data Protection Policy;
- Only employees and other parties working on behalf of the Company that need access to, and use of, personal data in order to perform their work shall have access to personal data held by the Company;
- All employees and other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
- All employees and other parties working on behalf of the Company handling personal data will be appropriately supervised;
- All employees and other parties working on behalf of the Company handling personal data should exercise care and caution when discussing any work relating to personal data at all times;
- Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
- The performance of those employees and other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
- All employees and other parties working on behalf of the Company handling personal data will be bound by contract to comply with the GDPR and the Company’s Data Protection Policy;
- All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of the Company arising out of the GDPR and the Company’s Data Protection Policy;
- Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under the GDPR and/or the Company’s Data Protection Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
- Data Disposal
Upon the expiry of the data retention periods set out below in Part 7 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
- Personal data stored electronically (including any and all backups thereof) shall be deleted securely by deleting the files and then emptying the waste basket;
- Special category personal data stored electronically (including any and all backups thereof) shall be deleted by deleting the files and then emptying the waste basket;
- Personal data stored in hardcopy form shall be shredded using the Company’s cross-cut shredder;
- Special category personal data stored in hardcopy form shall be shredded using the Company’s cross-cut shredder.
- Data Retention
- As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
- Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.
- When establishing and/or reviewing retention periods, the following shall be taken into account:
- The objectives and requirements of the Company;
- The type of personal data in question;
- The purpose(s) for which the data in question is collected, held, and processed;
- The Company’s legal basis for collecting, holding, and processing that data;
- The category or categories of data subject to whom the data relates;
- If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
- Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).
- In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.
| Data Ref. | Type of Data | Purpose of Data | Review Period | Retention Period or Criteria | Comments (DP = Data Processor) |
| --- | --- | --- | --- | --- | --- |
| PD-SAGE | Sage contact names | Names, email and tel. numbers of accounts and purchasing contacts within companies we trade with | Annually | 7 years | Company contacts will be reviewed more frequently as and when we trade with the company, to ensure contact details are still correct. DP = Becky Litwin |
| PD-DEMO | Demo loans contact names | Names, email and tel. numbers of persons who have borrowed demo equipment | Annually | 1 year | Contacts are deleted as soon as equipment is returned, but import/export documents containing their names must be kept for 7 years in line with company records. DP = David Mason |
| PD-RMA | RMA contact names | Names, email and tel. numbers of contacts who are requesting return of defective equipment for repair | Annually | 1 year | Contacts are kept for the period during which equipment is repaired and up to 1 year afterwards, in case of further questions regarding the repair and as proof of repair and return. Import/export documents are kept for up to 7 years for legal reasons relating to company records retention. DP = David Mason |
| PD-News | Newsletter contact data | Names and email addresses of contacts who have positively subscribed to newsletters | Annually | 5 years, or until the individual unsubscribes or the email bounces | Subscription, whether via the website or by earlier request via email prior to 25th May 2018, is by positive subscription, and all individuals can unsubscribe easily at any time via links in each email. DP = Carly Litwin |
| PD-Employee | Employee details | Employee information provided at employment, including CVs, next of kin, review minutes, questionnaires and other data voluntarily supplied. | Annually | On departure or retirement from employment, and up to 7 years after, as required by law. | HR records for current employees will be kept during employment and disposed of 7 years after leaving employment, or as required by law at the time. DP = Becky Litwin |
| PD-FRESH | Freshdesk support data | Customer email, name and company, supplied by the customer in order to receive technical support or make a sales enquiry. | Annually | 1 year after closed ticket date | Tickets are retained for 1 year in case the customer has similar issues and we can refer to the history. DP = David M |
| PD-CHAT | Website chat service | Customer email, name and company, supplied by the customer in order to chat live or leave an out-of-hours message to discuss products. | Annually | 1 year after closed chat date | Chats are retained for 1 year in case the customer has similar issues and we can refer to the history. DP = Carly Les |
| PD-QUOTES | Quotes to customers | Customer name, email and company | Annually | 2 years after quote date | Customer quotes are referred to in order to see what prices were quoted; 2-year retention is required for business purposes. DP = Les Becky Carly |
- Roles and Responsibilities
- The Company’s Data Protection Officer is Les Litwin, les@zilica.com.
- The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the GDPR and other applicable data protection legislation.
- The Data Protection Officer shall be directly responsible for ensuring compliance with the above data retention periods.
- Any questions regarding this Policy, the retention of personal data, or any other aspect of GDPR compliance should be referred to the Data Protection Officer.
- Implementation of Policy
This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Leslie Litwin
Position: Managing Director
Date: 24th May 2018
Due for Review by: 24th May 2019
Signature:
Data Protection Policy
Antrica (Division of Zilica Ltd) Data Protection Policy, 24th May 2018
- Introduction
This Policy sets out the obligations of Zilica Ltd (Antrica), a company registered in England under number 4888553, whose registered office is at 8 Hasting Close Bray SL6 2DA UK (“the Company”) regarding data protection and the rights of Customers, Suppliers and Employees (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
- The Data Protection Principles
This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- The Rights of Data Subjects
The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):
- The right to be informed (Part 12);
- The right of access (Part 13);
- The right to rectification (Part 14);
- The right to erasure (also known as the ‘right to be forgotten’) (Part 15);
- The right to restrict processing (Part 16);
- The right to data portability (Part 17);
- The right to object (Part 18); and
- Rights with respect to automated decision-making and profiling (Parts 19 and 20).
- Lawful, Fair, and Transparent Data Processing
- The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
- The data subject has given consent to the processing of their personal data for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;
- The processing is necessary for compliance with a legal obligation to which the data controller is subject;
- The processing is necessary to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
- The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:
- The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);
- The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);
- The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
- The processing relates to personal data which is clearly made public by the data subject;
- The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
- The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
- The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
- The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- Specified, Explicit, and Legitimate Purposes
- The Company collects and processes the personal data set out in Part 21 of this Policy. This includes:
- Personal data collected directly from data subjects;
- The Company does not obtain personal data from third parties.
- The Company only collects, processes, and holds personal data for the specific purposes set out in Part 21 of this Policy (or for other purposes expressly permitted by the GDPR).
- Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 12 for more information on keeping data subjects informed.
- Adequate, Relevant, and Limited Data Processing
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Part 21, below.
- Accuracy of Data and Keeping Data Up-to-Date
- The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Part 14, below.
- The accuracy of personal data shall be checked when it is collected and at 12-monthly intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
- Data Retention
- The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
- When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
- For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.
- Secure Processing
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 22 to 27 of this Policy.
- Accountability and Record-Keeping
- The Company’s Data Protection Officer is Leslie Litwin, les@zilica.com.
- Terms: Data Protection Policy (DPP); Data Retention Policy (DRP).
- The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.
- The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
- The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors (see DPP & DRP);
- The purposes for which the Company collects, holds, and processes personal data (see DPP & DRP);
- Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates (see DPP & DRP);
- Details of any transfers of personal data to non-EEA countries, including all mechanisms and security safeguards (see DPP & DRP);
- Details of how long personal data will be retained by the Company (see DPP & DRP);
- Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data (see DPP & DRP).
- Data Protection Impact Assessments
- The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.
- Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:
- The type(s) of personal data that will be collected, held, and processed;
- The purpose(s) for which personal data is to be used;
- The Company’s objectives;
- How personal data is to be used;
- The parties (internal and/or external) who are to be consulted;
- The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
- Risks posed to data subjects;
- Risks posed both within and to the Company; and
- Proposed measures to minimise and handle identified risks.
- Keeping Data Subjects Informed
- The Company shall provide the information set out in Part 12.2 to every data subject:
- Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and
- Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:
- if the personal data is used to communicate with the data subject, when the first communication is made; or
- if the personal data is to be transferred to another party, before that transfer is made; or
- as soon as reasonably possible and in any event not more than one month after the personal data is obtained.
- The following information shall be provided:
- Details of the Company including, but not limited to, the identity of its Data Protection Officer;
- The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;
- Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;
- Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
- Where the personal data is to be transferred to one or more third parties, details of those parties;
- Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details);
- Details of data retention;
- Details of the data subject’s rights under the GDPR;
- Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;
- Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);
- Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and
- Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.
- Data Subject Access
- Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
- Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer at 8 Hasting Close, Bray SL6 2DA.
- Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
- All SARs received shall be handled by the Company’s Data Protection Officer.
- The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
- Rectification of Personal Data
- Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.
- The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
- In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
- Data Portability
- The Company processes personal data using automated means: email, Sage Accounting Software, and Excel spreadsheets.
- Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).
- To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following format:
- Word, Excel, or PDF;
- Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.
- All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.
- Objections to Personal Data Processing
- Data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
- Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
- Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.
- Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.
- Automated Decision-Making
- The Company does not make automated decisions on any personal data held. Exceptions include payroll, which could be considered automated.
- Profiling
- The Company does not use personal data for profiling.
- Personal Data Collected, Held, and Processed
The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):
| Data Ref. | Type of Data | Purpose of Data |
| --- | --- | --- |
| PD-Sage | Sage contact names | Names, email and tel. number used to contact accounts or purchasing officers when trading with a company |
| PD-Demo | Demo loans contact names | Names, email and tel. number of people who have borrowed equipment to test |
| PD-RMA | RMA contact names | Names and email/tel. number of people who have asked to return products that have failed under warranty |
| PD-News | Newsletter opt-in contact names | Names and email addresses of people who have opted in to the newsletters from Antrica |
| PD-Employee | Employee details | Data supplied to us by employees in the form of CVs, review minutes, references from past employees, home address and in-case-of-emergency contact information; records of salaries paid |
| PD-FRESH | Freshdesk support | Data supplied by customers who contact support@, including email and name plus their technical enquiry |
| PD-CHAT | Chat line data | Some chat customers leave email, name and company details to request a call back; others leave these during a live chat |
| PD-QUOTE | Quotes to customers | Name and email plus company records for quotations given |
| PD-WEBSHIP | Shipping address data | Names, tel. number and/or email address held for fast booking of repeated shipments to the same location and contact |
- Data Security – Transferring Personal Data and Communications
The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
- All emails containing personal data must be encrypted using Zip file compression protected with a user name and password. This applies when the personal data is transferred “within” an email (as an attachment or in the body of the email), as opposed to merely addressing an email to a person’s email address; for example, when sending a spreadsheet by email that contains the list of people who have subscribed to the company’s newsletter;
- All emails containing personal data must be marked “confidential”;
- Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances. Email is considered a secure network if the files are protected as in 22.1;
- Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted (using the computer’s delete function and then emptying the waste basket; any paper copy should be shredded);
- Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
- Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using DHL in a sealed envelope inside a plastic bag; and
- All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.
- Data Security – Storage
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
- All electronic copies of personal data should be stored securely using passwords and “secure folders” within Dropbox; Boxcryptor will be used to secure the Dropbox folders containing personal data;
- All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;
- All personal data stored electronically should be backed up daily, with backups stored in Dropbox secure folders (Boxcryptor). All backups should be encrypted using Boxcryptor encryption;
- No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of Les Litwin and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and
- No personal data should be transferred to any device personally belonging to an employee, and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).
- Data Security – Disposal
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.
- Data Security – Use of Personal Data
The Company shall ensure that the following measures are taken with respect to the use of personal data:
- No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Les Litwin;
- No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Les Litwin;
- Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
- If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and
- Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Carly Litwin to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
- Data Security – IT Security
The Company shall ensure that the following measures are taken with respect to IT and information security:
- All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols;
- Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
- All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and
- No software may be installed on any Company-owned computer or device without the prior approval of Les Litwin.
- Organisational Measures
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;
- Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
- All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
- All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
- All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
- Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
- All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy;
- The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
- All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
- All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and
- Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
- Transferring Personal Data to a Country Outside the EEA
- The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.
- The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
- The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
- The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
- The transfer is made with the informed consent of the relevant data subject(s);
- The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
- The transfer is necessary for important public interest reasons;
- The transfer is necessary for the conduct of legal claims;
- The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
- The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.
- Data Breach Notification
- All personal data breaches must be reported immediately to the Company’s Data Protection Officer.
- If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
- In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
- Data breach notifications shall include the following information:
- The categories and approximate number of data subjects concerned;
- The categories and approximate number of personal data records concerned;
- The name and contact details of the Company’s Data Protection Officer (or other contact point where more information can be obtained);
- The likely consequences of the breach;
- Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
- Implementation of Policy
This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Leslie Litwin
Position: Managing Director
Date: 24th May 2018
Due for Review by: 24th May 2019
Signature: