Privacy statement & Legal Notices
- Privacy notice and consent
- Internet email and communications policy
- GDPR information security policy
- GDPR data protection policy
- GDPR access request policy
- Fair Processing Notice
Privacy Notice and Consent
Naigai Nitto Logistics (Europe) Ltd (the ‘Company’) will be the data controller and can be contacted as follows:
By post: Data Protection Manager, Naigai Nitto Logistics (Europe) Ltd., Office 21 Leslie Square, Paper Mill End Industrial Estate, Great Barr, Birmingham B44 8NH, United Kingdom
By e-mail: keigo.kato.uk@naigainitto.com
By phone: +44 121 356 4777
The information we gather
In this notice, references to ‘we’ or ‘us’ means the Company and our group companies.
Information that we gather about you may include, without limitation, your name, contact details, financial details, nationality, medical history and information, and identity-related information. The provision of information by you is entirely voluntary.
We may also obtain information about you from third parties, such as our group companies, service providers and agents, and credit reference agencies.
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
The legal basis for processing
If you are our client personally, the processing will usually take place as it is necessary for the performance of the contract between us, or when we are taking steps to enter into a contract.
We may sometimes process your data based on your clear and informed consent. Where you have given consent to any data processing, you have the right to withdraw that consent at any time.
Information about third parties
Systems used to process data
• computer networks and connections
• communications systems
• email and instant messaging systems
• intranet and Internet facilities
• telephones, voicemail, mobile phone records
Cookies
Reasons for processing
• to provide our services
• compliance with legal, regulatory and corporate governance obligations and good practice
• gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
• ensuring business policies are adhered to
• operational reasons, such as recording transactions, training and quality control
• ensuring the confidentiality of commercially sensitive information
• security vetting, credit scoring and checking, investigating claims, complaints and allegations of criminal offences
• statistical analysis
• preventing unauthorised access and modifications to systems
• marketing our business and those of our group
• analysing purchasing preferences and improving services
• providing customer services
Disclosures and exchange of information and transfers outside the EEA
Information may be held at our offices and those of our group companies, and third party credit reference agencies, service providers, representatives and agents as described above. Information may be transferred internationally to Japan and other countries around the world, including those without data protection laws equivalent to those in the UK, for the reasons described above. We have security measures in place to seek to ensure that there is appropriate security for information we hold including those measures detailed in our information security and data protection policies, which are available on request. International data transfers outside the European Economic Area are protected by Standard Contractual Clauses, as per GDPR Article 46(2).
If you would like further information please contact our Data Protection Manager (see above). We will not otherwise transfer your personal data outside of the EEA or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
Retention periods
Further enquiries
Your rights
• access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
• require us to correct any mistakes in your information which we hold
• require the erasure of personal information concerning you in certain situations
• receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
• object at any time to processing of personal information concerning you for direct marketing
• object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
• object in certain other situations to our continued processing of your personal information
• otherwise restrict our processing of your personal information in certain circumstances.
Where you have given consent to any data processing, you have the right to withdraw that consent at any time. We will not do anything with your data not outlined in this notice.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of these rights, please contact our Data Protection Manager in writing (see above), providing enough information to identify you and letting us know the information to which your request relates.
If you are not satisfied with how we have handled any complaint you have made to us, you also have the right to make a complaint to the Information Commissioner’s Office, which is the supervisory authority in the UK in relation to data processing. You can contact the Information Commissioner at https://ico.org.uk/concerns/ or by telephone on 0303 123 1113 for further information about your rights and how to make a formal complaint.
We may change this privacy notice from time to time; when we do, we will inform you by e-mail.
Internet email and communications policy
1 Introduction
1.2 The Company expects all of its electronic and computer facilities to be used in an effective and professional manner and encourages all staff to develop the skills necessary to do so. These facilities are provided by the Company for its own business purposes to assist its staff in carrying out their duties effectively. It is the responsibility of all staff to ensure that this technology is used for proper business purposes and in a manner that does not compromise the Company or its workforce in any way.
1.3 Professional integrity is central to the Company and it must characterise all our dealings. All staff should think about how their own image or that of the Company may be affected by how they use the internet and other electronic communication systems. The same professional ethical obligations apply to conduct in online and offline environments.
1.4 This policy applies to the use of Company technology while at work and also when using Company technology from outside work e.g. when accessing our systems remotely, using a Company laptop or tablet when travelling and when using smartphones or personal digital assistants (PDAs).
1.5 Misuse of the internet, email and/or other communication systems can expose both individuals and the Company to legal or financial liability. For example, an individual may enter into unintended contracts, breach copyright or licensing arrangements, incur liability for defamation or harassment or introduce viruses into the system. This policy is designed to safeguard both individuals and the Company from such liabilities. It is important that all staff read the policy carefully and ensure that all use of the internet, email and other communication systems is in accordance with its terms.
1.6 This policy applies to all employees of the Company, agency workers, volunteers, workers, consultants and other contractors who have access to Company computer and other communications systems. It also applies to personal use of the Company’s equipment and technology in any way that reasonably allows others to identify any individual as associated with the Company.
1.7 This policy does not form part of any employee’s contract of employment and the Company may amend it at any time.
1.8 The individual responsible for data protection compliance is Keigo Kato, the Data Protection Manager. The Data Protection Manager is responsible for the monitoring and implementation of this policy. Any questions about the content or application of this policy or other comments should be referred to the Data Protection Manager.
2 Use of the Company’s computer systems
2.2 Use of the Company’s systems for commercial purposes other than the business of the Company is strictly prohibited.
2.3 Any individual with access to the Company's network must adhere to strict access controls, to reduce the risk of virus infections, hacking and other unauthorised access attempts:
2.3.1 only authorised equipment is allowed to connect to the Company's network from any office location;
2.3.2 remote access (via broadband, dial up, etc) is also restricted to authorised equipment and access must only be via secure means, e.g. VPN software.
2.4 The Company licenses software from a number of sources. The Company does not own that software and must comply with any restrictions or limitations on use, in accordance with its licence agreements. All staff must adhere to the provisions of any software licence agreements to which the Company is party.
2.5 Staff must not use any software for any purpose outside the business of the Company without express permission of the IT manager or as otherwise permitted by the terms of this policy.
2.6 Staff must not copy, download or install any software without first obtaining permission from the IT manager.
3 Confidentiality
3.2 Email and internet messages should be treated as non-confidential. Anything sent through the internet passes through a number of different computer systems, all with different levels of security. The confidentiality of messages may be compromised at any point along the way unless the messages are properly encrypted.
3.3 Staff should refer to the Staff Handbook and the Company’s data protection policies for details of the types of information that the Company regards as confidential and which should be treated with particular care.
4 General rules regarding communications and email
4.1.1 keep messages brief and to the point;
4.1.2 ensure the spelling and grammar are carefully checked before sending;
4.1.3 ensure that all emails sent from the Company include the current disclaimer wording;
4.1.4 ensure that an appropriate heading is inserted in the subject field; and
4.1.5 double check the recipient(s) before pressing the send button—not only can it be embarrassing if a message is sent to the wrong person, it can also result in the unintentional disclosure of confidential information about the Company or a client/customer.
4.2 Staff must not send messages from another person’s email address (unless authorised in the proper performance of their duties) or under an assumed name.
4.3 Staff must not send offensive, demeaning, disruptive or defamatory messages or images by any method. This includes, but is not limited to, messages or images inconsistent with the Company's Equal Opportunities Policy and Harassment and Bullying Policy and any sexist or racist material or any material which could be offensive on the grounds of a person’s disability, age, sexual orientation, gender or religion or belief.
4.4 Staff must not place on the system or send any message or image which could be regarded as personal, potentially offensive or frivolous to any recipient or to any other person (even if not sent to them).
4.5 If any individual receives any communication containing material that is offensive or inappropriate to the office environment, the individual must delete it immediately. Under no circumstances should such communication be forwarded either internally or externally, other than internally to the HR department and/or the IT department in order to report a breach of this policy.
4.6 Staff should not transmit anything in an email or other communication that they would not be comfortable writing (or someone else reading) in a letter. Emails leave a retrievable record and, even when deleted, can remain on both the individual’s computer and on the Company's back-up system. Emails can be recovered and used as evidence in court proceedings and/or reviewed by regulators. Electronic messages are admissible as evidence in legal proceedings and have been used successfully in libel and discrimination cases.
4.7 Staff must not create congestion on the Company’s systems by sending trivial messages or by unnecessary copying or forwarding of messages to recipients who do not need to receive them, or by sending or forwarding chain mail, junk mail, cartoons, jokes or gossip.
4.8 Staff must use a Company email address for sending and receiving work-related emails and must not use their own personal email accounts to send or receive emails for the purposes of the Company’s business. Staff must not send (inside or outside work) any message in the Company's name unless it is for an authorised, work-related purpose.
4.9 Staff must not send unsolicited commercial emails to persons with whom the individual does not have a prior relationship without the express permission of the relevant manager.
5 Passwords and security
5.2 Each individual must use passwords on all IT equipment allocated to them and must keep any password allocated to them confidential and must change their password regularly.
5.3 No individual may use another person’s username and/or password to access the Company’s systems, nor may any individual allow any other person to use their password(s). If it is anticipated that someone may need access to an individual’s confidential files in their absence, that individual should arrange for the files to be copied to a network location that is properly secure where the other person can access them or give the person temporary access to the relevant personal folders.
5.4 All staff must log out of the Company’s system or lock their computer when leaving their desk for any period of time. All staff must log out and shut down their computer at the end of the working day.
6 Contact lists
7 Systems and data security
7.2 If any individual suspects that an email may contain a virus, they should not reply to it, open any attachments to it or click on any links in it and must contact the IT department immediately for advice.
7.3 No individual may download or install software from external sources without prior authorisation from the IT manager. Any files or software downloaded from the internet or brought from home must be virus checked before use. Staff should not rely on their own computer to virus check any such programs but should refer direct to the IT department.
7.4 No personal computer, mobile phone, tablet computer, USB storage device or other device is permitted to be connected to the Company’s systems or network without express prior permission from the IT manager. Any permitted equipment must have up-to-date anti-virus software installed on it and the Company may inspect such equipment in order to verify this.
7.5 Staff must not run any '.exe' files, particularly those received via email, unless authorised to do so in advance by the IT department. Unauthorised files should be deleted immediately upon receipt without being opened.
7.6 Staff must not access or attempt to access any password-protected or restricted parts of the Company's systems for which they are not an authorised user.
7.7 All staff must inform the IT manager immediately if they suspect their computer may have a virus and must not use the computer again until informed it is safe to do so.
7.8 All laptop, tablet, smartphone and mobile phone users should be aware of the additional security risks associated with these items of equipment. All such equipment must be locked away in a secure location if left unattended overnight.
8 The internet
8.2 Any unauthorised use of the internet is strictly prohibited. Unauthorised use includes (but is not limited to):
8.2.1 creating, viewing, accessing any webpage or posting, transmitting or downloading any image, file or other information unrelated to your employment and, in particular, which could be regarded as pornographic, illegal, criminal, offensive, obscene, in bad taste or immoral and/or which is liable to cause embarrassment to the Company or to our clients/customers;
8.2.2 engaging in computer hacking and/or other related activities; and
8.2.3 attempting to disable or compromise security of information contained on the Company's systems or those of a third party.
8.3 Staff are reminded that such activity may also constitute a criminal offence.
8.4 Postings placed on the internet may display the Company's address. For this reason staff should make certain before posting information that the information reflects the standards and policies of the Company. Under no circumstances should information of a confidential or sensitive nature be placed on the internet. Staff must not use the Company's name in any internet posting (inside or outside work) unless it is for a work-related purpose.
8.5 Information posted or viewed on the internet may constitute published material. Therefore, reproduction of information posted or otherwise available over the internet may be done only by express permission from the copyright holder. Staff must not act in such a way as to breach copyright or the licensing conditions of any internet site or computer program.
8.6 Staff must not commit the Company to any form of contract through the internet without the express permission of their manager.
8.7 Subscriptions to news groups, mailing lists and social networking websites are permitted only when the subscription is for a work-related purpose. Any other subscriptions are prohibited.
8.8 The Company may block or restrict access to any website at its discretion.
9 Monitoring
9.2 The Company reserves the right to monitor, intercept, retrieve and read the contents of any internal or external email or other communication or to check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the Company’s business, including for these purposes (the list is not exhaustive):
9.2.1 monitoring and record keeping to establish facts;
9.2.2 to establish compliance with regulatory or self-regulatory procedures;
9.2.3 to prevent, detect or investigate alleged crime or wrongdoing;
9.2.4 to investigate or detect the unauthorised use of the Company's systems or to ascertain compliance with the Company's policies, practices or procedures (including this policy);
9.2.5 to locate and retrieve lost messages or files;
9.2.6 to check whether communications are relevant to the business (for example when an individual is absent due to sickness or holiday); and/or
9.2.7 to comply with any legal obligation.
9.3 The Company reserves the right to read any employee’s emails in order to check for business emails while they are absent or out of the office. The Company may also access any employee’s voicemail to check for business calls while they are absent or out of the office. It may therefore be unavoidable that some personal messages will be read or heard.
10 Prohibited use and breach of this policy
10.2 Examples of matters that will usually be treated as gross misconduct include (this list is not exhaustive):
10.2.1 unauthorised use of the internet as outlined in paragraph 8.2 above;
10.2.2 creating, transmitting or otherwise publishing any false and defamatory statement about any person or organisation;
10.2.3 creating, viewing, accessing, transmitting or downloading any material which is discriminatory or may cause embarrassment to other individuals, including material which breaches the principles set out in the Company’s Equal Opportunities Policy and our Harassment and Bullying Policy;
10.2.4 accessing, transmitting or downloading any confidential information about the Company and/or any of our staff and/or client or customers, except where authorised in the proper performance of your duties;
10.2.5 accessing, transmitting or downloading unauthorised software; and
10.2.6 viewing, accessing, transmitting or downloading any material in breach of copyright.
11 Review and training
11.2 The Company regularly monitors the effectiveness of this policy to ensure it is working in practice and will review and update this policy as and when necessary. The Company will provide information and/or training on any changes made.
11.3 All staff will receive appropriate training on this policy, including training on any updates made to it.
GDPR information security policy
1 Introduction
1.2 The purpose of this policy is to:
1.2.1 protect against potential breaches of confidentiality;
1.2.2 ensure all our information assets and IT facilities are protected against damage, loss or misuse;
1.2.3 support our Data Protection Policy in ensuring all staff are aware of and comply with UK law and our own procedures applying to the processing of data; and
1.2.4 increase awareness and understanding in the Company of the requirements of information security and the responsibility of staff to protect the confidentiality and integrity of the information that they themselves handle.
1.3 The Data Protection Manager is Keigo Kato and is responsible for all data protection matters.
1.4 The Data Protection Manager is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments you should contact the Data Protection Manager.
2 Scope
2.2 This policy applies to all staff, which for these purposes includes employees, temporary and agency workers, other contractors, interns and volunteers.
2.3 All staff must be familiar with this policy and comply with its terms.
2.4 This policy supplements the Company’s other policies relating to data protection, internet, email and communications, and document retention.
2.5 This policy does not form part of any employee’s contract of employment and the Company may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
3 General principles
3.2 Staff should discuss with their line managers the security arrangements which are appropriate and in place for the type of information they access in the course of their work.
3.3 Staff should ensure they attend any information security training they are invited to unless otherwise agreed by line managers.
3.4 Information is owned by the Company and not by any individual or team.
3.5 Company information must only be used in connection with work being carried out for the Company and not for other commercial or personal purposes.
4 Information management
4.2 Information will be kept for no longer than is necessary in accordance with the Company’s data retention guidelines. All confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as the need for its retention has passed.
5 Human resources information
5.2 Any staff member in a management or supervisory role must keep personnel information confidential.
5.3 Staff may ask to see their personnel files in accordance with the relevant provisions of the GDPR. For further details please see the Company’s Data Subject Access Request Policy and privacy notice.
6 Access to offices and information
6.2 Documents containing confidential information and equipment displaying confidential information should be positioned in a way to avoid them being viewed by people passing by, e.g. through office windows.
6.3 Visitors should be required to sign in at reception, accompanied at all times and never be left alone in areas where they could have access to confidential information.
6.4 Wherever possible, visitors should be seen in meeting rooms. If it is necessary for a member of staff to meet with visitors in an office or other room which contains Company information, then steps should be taken to ensure that no confidential information is visible.
6.5 At the end of each day, or when desks are unoccupied, all paper documents, backup systems and devices containing confidential information must be securely locked away.
7 Computers and IT
7.2 Computers and other electronic devices must be password protected and those passwords must be changed on a regular basis. Passwords should not be written down or given to others.
7.3 Computers and other electronic devices should be locked when not in use to minimise the risk of accidental loss or disclosure.
7.4 Confidential information must not be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the Data Protection Manager and even then, it must be encrypted. Data copied onto any of these devices should be deleted as soon as possible and stored on the Company’s computer network in order for it to be backed up.
7.5 All electronic data must be securely backed up at the end of each working day.
7.6 Staff should ensure they do not introduce viruses or malicious code on to Company systems. Software should not be installed or downloaded from the internet without it first being virus checked. Staff should contact the IT department for guidance on the appropriate steps to be taken to ensure compliance.
8 Communications and transfer
8.2 Confidential information should be marked ‘confidential’ and circulated only to those who need to know the information in the course of their work for the Company.
8.3 Confidential information must not be removed from the Company’s offices without permission from the Data Protection Manager except where that removal is temporary and necessary.
8.4 In the limited circumstances when confidential information is permitted to be removed from the Company’s offices, all reasonable steps must be taken to ensure that the integrity of the information and confidentiality are maintained. Staff must ensure that confidential information is:
8.4.1 not transported in see-through or other un-secured bags or cases;
8.4.2 not read in public places (e.g. waiting rooms, cafes, trains); and
8.4.3 not left unattended or in any place where it is at risk (e.g. in conference rooms, car boots, cafes).
8.5 Postal, document exchange (DX), fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
8.6 All sensitive or particularly confidential information should be encrypted before being sent by email or be sent by tracked DX or recorded delivery.
8.7 Sensitive or particularly confidential information should not be sent by fax unless you can be sure that it will not be inappropriately intercepted at the recipient fax machine.
9 Home working
9.2 In the limited circumstances in which staff are permitted to take Company information home, staff must ensure that:
9.2.1 confidential information must be kept in a secure and locked environment where it cannot be accessed by family members or visitors; and
9.2.2 all confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as any need for its retention has passed.
9.3 Staff should not store confidential information on home computers (PCs, laptops or tablets).
10 Transfer to third parties
10.2 Staff involved in setting up new arrangements with third parties or altering existing arrangements should consult the Data Protection Manager for more information.
11 Overseas transfer
12 Data breaches
12.1.1 loss or theft of data or equipment on which personal information is stored;
12.1.2 unauthorised access to or use of personal information either by a member of staff or third party;
12.1.3 loss of data resulting from an equipment or systems (including hardware and software) failure;
12.1.4 human error, such as accidental deletion or alteration of data;
12.1.5 unforeseen circumstances, such as a fire or flood;
12.1.6 deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
12.1.7 ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.
12.2 The Company will:
12.2.1 make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and
12.2.2 notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
12.3 To allow the Company to comply with its obligations under clause 12.2, if you become aware of any actual or potential data protection breach, you must notify your line manager and the Data Protection Manager immediately.
13 Consequences of failing to comply
13.2 Staff with any questions or concerns about anything in this policy should not hesitate to contact the Data Protection Manager.
GDPR data protection policy
You must read this policy because it gives important information about:
• the data protection principles with which the Company must comply;
• what is meant by personal information (or data) and sensitive personal information (or data);
• how we gather, use and (ultimately) delete personal information and sensitive personal information in accordance with the data protection principles;
• where more detailed privacy information can be found, e.g. about the personal information we gather and use about you, how it is used, stored and transferred, for what purposes, the steps taken to keep that information secure and for how long it is kept;
• your rights and obligations in relation to data protection; and
• the consequences of failure to comply with this policy.
The Company’s Data Protection Manager is Keigo Kato.
Once you have read and understood this policy, please confirm that you have done so by signing and returning the attached copy to the Data Protection Manager.
1 Introduction
1.2 This policy sets out how we comply with our data protection obligations and seek to protect personal information relating to our workforce. Its purpose is also to ensure that staff understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.
1.3 We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal information relating to our workforce, and how (and when) we delete that information once it is no longer required.
1.4 The Company’s Data Protection Manager is responsible for informing and advising the Company and its staff on its data protection obligations, and for monitoring compliance with those obligations and with the Company’s policies. If you have any questions or comments about the content of this policy or if you need further information, you should contact the Data Protection Manager; email: keigo.kato.uk@naigainitto.com, tel: +44 121 356 4777, or by post.
2 Scope
2.2 Staff should refer to the Company’s data protection privacy notice and, where appropriate, to its other relevant policies including in relation to internet, email and communications, monitoring, social media, information security, data retention, bring your own device (BYOD) and criminal record information, which contain further information regarding the protection of personal information in those contexts.
2.3 We will review and update this policy regularly in accordance with our data protection obligations. It does not form part of any employee’s contract of employment and we may amend, update or supplement it from time to time. We will circulate any new or modified policy to staff when it is adopted.
3 Definitions
criminal records information | means personal information relating to criminal convictions and offences, allegations, proceedings, and related security measures;
data breach | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information;
data subject | means the individual to whom the personal information relates;
personal information | (sometimes known as personal data) means information relating to an individual who can be identified (directly or indirectly) from that information;
processing information | means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it;
pseudonymised | means the process by which personal information is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual;
sensitive personal information | (sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’) means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.
4 Data protection principles
4.1.1 we will process personal information lawfully, fairly and in a transparent manner;
4.1.2 we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
4.1.3 we will only process the personal information that is adequate, relevant and necessary for the relevant purposes;
4.1.4 we will keep accurate and up to date personal information, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected without delay;
4.1.5 we will keep personal information in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and
4.1.6 we will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
5 Basis for processing personal information
5.1.1 review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing, i.e.:
(a) that the data subject has consented to the processing;
(b) that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) that the processing is necessary for compliance with a legal obligation to which the Company is subject;
(d) that the processing is necessary for the protection of the vital interests of the data subject or another natural person;
(e) that the processing is necessary for the purposes of legitimate interests of the Company or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the data subject—see clause 5.2 below.
5.1.2 except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e. that there is no other reasonable way to achieve that purpose);
5.1.3 document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;
5.1.4 include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);
5.1.5 where sensitive personal information is processed, also identify a lawful special condition for processing that information (see paragraph 6.2.2 below), and document it; and
5.1.6 where criminal offence information is processed, also identify a lawful condition for processing that information, and document it.
5.2 When determining whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will:
5.2.1 conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that we can justify our decision;
5.2.2 if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);
5.2.3 keep the LIA under review, and repeat it if circumstances change; and
5.2.4 include information about our legitimate interests in our relevant privacy notice(s).
6 Sensitive personal information
6.2 The Company may from time to time need to process sensitive personal information. We will only process sensitive personal information if:
6.2.1 we have a lawful basis for doing so as set out in paragraph 5.1.1 above, e.g. it is necessary for the performance of the employment contract, to comply with the Company’s legal obligations or for the purposes of the Company’s legitimate interests; and
6.2.2 one of the special conditions for processing sensitive personal information applies, e.g.:
(a) the data subject has given explicit consent;
(b) the processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject;
(c) the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent;
(d) processing relates to personal data which are manifestly made public by the data subject;
(e) the processing is necessary for the establishment, exercise or defence of legal claims; or
(f) the processing is necessary for reasons of substantial public interest.
6.3 Before processing any sensitive personal information, staff must notify the Data Protection Manager of the proposed processing, in order that the Data Protection Manager may assess whether the processing complies with the criteria noted above.
6.4 Sensitive personal information will not be processed until:
6.4.1 the assessment referred to in paragraph 6.3 has taken place; and
6.4.2 the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
6.5 The Company’s data protection privacy notice sets out the types of sensitive personal information that the Company processes, what it is used for and the lawful basis for the processing.
6.6 In relation to sensitive personal information, the Company will comply with the procedures set out in paragraphs 6.7 and 6.8 below to make sure that it complies with the data protection principles set out in paragraph 4 above.
6.7 During the recruitment process: the HR department, with guidance from the Data Protection Manager, will ensure that (except where the law permits otherwise):
6.7.1 during the short-listing, interview and decision-making stages, no questions are asked relating to sensitive personal information, e.g. race or ethnic origin, trade union membership or health;
6.7.2 if sensitive personal information is received, e.g. the applicant provides it without being asked for it within his or her CV or during the interview, no record is kept of it and any reference to it is immediately deleted or redacted;
6.7.3 any completed equal opportunities monitoring form is kept separate from the individual’s application form, and is not seen by the person shortlisting, interviewing or making the recruitment decision;
6.7.4 ‘right to work’ checks are carried out before an offer of employment is made unconditional, and not during the earlier short-listing, interview or decision-making stages;
6.7.5 we will not ask health questions in connection with recruitment.
6.8 During employment: the HR department, with guidance from the data protection manager, will process:
6.8.1 health information for the purposes of administering sick pay, keeping sickness absence records, monitoring staff attendance and facilitating employment-related health and sickness benefits;
6.8.2 sensitive personal information for the purposes of equal opportunities monitoring and pay equality reporting. Where possible, this information will be anonymised; and
6.8.3 trade union membership information for the purposes of staff administration and administering ‘check off’.
7 Criminal records information
8 Data protection impact assessments (DPIAs)
8.1.1 whether the processing is necessary and proportionate in relation to its purpose;
8.1.2 the risks to individuals; and
8.1.3 what measures can be put in place to address those risks and protect personal information.
8.2 Before any new form of technology is introduced, the manager responsible should therefore contact the Data Protection Manager in order that a DPIA can be carried out.
8.3 During the course of any DPIA, the employer will seek the advice of the Data Protection Manager and the views of employees and any other relevant stakeholders.
9 Documentation and records
9.1.1 the name and details of the employer’s organisation (and where applicable, of other controllers, the employer's representative and DPO);
9.1.2 the purposes of the processing;
9.1.3 a description of the categories of individuals and categories of personal data;
9.1.4 categories of recipients of personal data;
9.1.5 where relevant, details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
9.1.6 where possible, retention schedules; and
9.1.7 where possible, a description of technical and organisational security measures.
9.2 As part of our record of processing activities we document, or link to documentation, on:
9.2.1 information required for privacy notices;
9.2.2 records of consent;
9.2.3 controller-processor contracts;
9.2.4 the location of personal information;
9.2.5 DPIAs; and
9.2.6 records of data breaches.
9.3 If we process sensitive personal information or criminal records information, we will keep written records of:
9.3.1 the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;
9.3.2 the lawful basis for our processing; and
9.3.3 whether we retain and erase the personal information in accordance with our policy document and, if not, the reasons for not following our policy.
9.4 We will conduct regular reviews of the personal information we process and update our documentation accordingly. This may include:
9.4.1 carrying out information audits to find out what personal information the Company holds;
9.4.2 distributing questionnaires and talking to staff across the Company to get a more complete picture of our processing activities; and
9.4.3 reviewing our policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.
9.5 We document our processing activities in electronic form so we can add, remove and amend information easily.
10 Privacy notice
10.2 We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
11 Individual rights
11.1.1 to be informed about how, why and on what basis that information is processed—see the Company’s data protection privacy notice;
11.1.2 to obtain confirmation that your information is being processed and to obtain access to it and certain other information, by making a subject access request—see the Company’s subject access request policy;
11.1.3 to have data corrected if it is inaccurate or incomplete;
11.1.4 to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’);
11.1.5 to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but you do not want the data to be erased), or where the employer no longer needs the personal information but you require the data to establish, exercise or defend a legal claim; and
11.1.6 to restrict the processing of personal information temporarily where you do not think it is accurate (and the employer is verifying whether it is accurate), or where you have objected to the processing (and the employer is considering whether the organisation’s legitimate grounds override your interests).
11.2 If you wish to exercise any of the rights in paragraphs 11.1.3 to 11.1.6, please contact the Data Protection Manager.
12 Individual obligations
12.2 You may have access to the personal information of other members of staff, suppliers and clients of the Company in the course of your employment or engagement. If so, the Company expects you to help meet its data protection obligations to those individuals. For example, you should be aware that they may also enjoy the rights set out in paragraph 11.1 above.
12.3 If you have access to personal information, you must:
12.3.1 only access the personal information that you have authority to access, and only for authorised purposes;
12.3.2 only allow other Company staff to access personal information if they have appropriate authorisation;
12.3.3 only allow individuals who are not Company staff to access personal information if you have specific authority to do so from the Data Protection Manager;
12.3.4 keep personal information secure (e.g. by complying with rules on access to premises, computer access, password protection and secure file storage and destruction and other precautions set out in the Company’s information security policy);
12.3.5 not remove personal information, or devices containing personal information (or which can be used to access it), from the Company’s premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the information and the device; and
12.3.6 not store personal information on local drives or on personal devices that are used for work purposes.
12.4 You should contact the Data Protection Manager if you are concerned or suspect that one of the following has taken place (or is taking place or likely to take place):
12.4.1 processing of personal data without a lawful basis for its processing or, in the case of sensitive personal information, without one of the conditions in paragraph 6.2.2 being met;
12.4.2 any data breach as set out in paragraph 15.1 below;
12.4.3 access to personal information without the proper authorisation;
12.4.4 personal information not kept or deleted securely;
12.4.5 removal of personal information, or devices containing personal information (or which can be used to access it), from the Company’s premises without appropriate security measures being in place;
12.4.6 any other breach of this policy or of any of the data protection principles set out in paragraph 4.1 above.
13 Information security
13.1.1 making sure that, where possible, personal information is pseudonymised or encrypted;
13.1.2 ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
13.1.3 ensuring that, in the event of a physical or technical incident, availability and access to personal information can be restored in a timely manner; and
13.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
13.2 Where the Company uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information. In particular, contracts with external organisations must provide that:
13.2.1 the organisation may act only on the written instructions of the Company;
13.2.2 those processing the data are subject to a duty of confidence;
13.2.3 appropriate measures are taken to ensure the security of processing;
13.2.4 sub-contractors are only engaged with the prior consent of the Company and under a written contract;
13.2.5 the organisation will assist the Company in providing subject access and allowing individuals to exercise their rights in relation to data protection;
13.2.6 the organisation will assist the Company in meeting its obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;
13.2.7 the organisation will delete or return all personal information to the Company as requested at the end of the contract; and
13.2.8 the organisation will submit to audits and inspections, provide the Company with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Company immediately if it is asked to do something infringing data protection law.
13.3 Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval of its terms by the Data Protection Manager.
14 Storage and retention of personal information
14.2 Personal information (and sensitive personal information) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. Staff should follow the Company’s records retention policy which sets out the relevant retention period, or the criteria that should be used to determine the retention period. The records retention policy can be seen at Schedule 1. Where there is any uncertainty, staff should consult the Data Protection Manager.
14.3 Personal information (and sensitive personal information) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.
15 Data breaches
15.1.1 loss or theft of data or equipment on which personal information is stored;
15.1.2 unauthorised access to or use of personal information either by a member of staff or third party;
15.1.3 loss of data resulting from an equipment or systems (including hardware and software) failure;
15.1.4 human error, such as accidental deletion or alteration of data;
15.1.5 unforeseen circumstances, such as a fire or flood;
15.1.6 deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
15.1.7 ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.
15.2 The Company will:
15.2.1 make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and
15.2.2 notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
15.3 To allow the Company to comply with its obligations under clause 15.2, if you become aware of any actual or potential data protection breach, you must notify your line manager and the Data Protection Manager immediately.
16 International transfers
17 Training
18 Consequences of failing to comply
18.1.1 puts at risk the individuals whose personal information is being processed; and
18.1.2 carries the risk of significant civil and criminal sanctions for the individual and the Company; and
18.1.3 may, in some circumstances, amount to a criminal offence by the individual.
18.2 Because of the importance of this policy, an employee’s failure to comply with any requirement of it may lead to disciplinary action under our procedures, and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.
18.3 If you have any questions or concerns about anything in this policy, do not hesitate to contact the Data Protection Manager.
I have read and understood this policy and agree to abide by its terms.
Signed...............................
Schedule 1 – records retention
This record retention schedule accompanies and is incorporated into the Company’s data protection policy. It sets out the time periods that different types of documents must be retained for business and legal purposes. This is a lengthy document listing the many types of records used by the company and the applicable retention periods for each record type.
The retention periods are based on business needs and legal requirements. If you maintain any types of records that are not listed in this schedule, and it is not clear from the existing record types in this Schedule what retention period should apply, please contact the Data Protection Manager for guidance.
Any deviations from the retention periods in this schedule must be approved in advance by the Data Protection Manager.
Personal data should not be retained for longer than necessary in relation to the purposes for it was collected. Any personal data which has been collected which is not expressly mentioned below should be carefully considered, and securely disposed of if it is no longer required, for example when an employee leaves.
Sections 1 to 3 cover employee-related data. Section 4 relates to clients.
Employment records
1. Personnel records
Record | Recommended retention period | Storage format | Reference
Rejected job applicant records, including: | 6 months after applicant is notified of rejection | Paper/electronic | ICO Employment Practices Code para 1.7
Application records of successful candidates, including: | 6 years after employment ceases | Paper/electronic | Limitation Act 1980 (LA 1980), s 5
Criminal records information: | Criminal records requirement assessments for a particular post—12 months after the assessment was last used | Paper or electronic | DBS guidance for employers: Duration of criminal record check validity
Employment contracts, including: | 6 years after employment ceases | Paper/electronic | LA 1980, s 5
Copies of identification documents (e.g. passports) | 6 years after employment ceases | Paper/electronic | LA 1980, s 5
Identification documents of foreign nationals (including right to work) | 2 years from the date of termination of employment | Paper/electronic | Immigration (Restrictions on Employment) Order SI 2007/3290, Art 6(1)(b)
Records concerning a temporary worker | 6 years after employment ceases | Paper/electronic | LA 1980, s 5
Employee performance records, including: | 6 years after employment ceases | Paper/electronic | LA 1980, s 5
Records relating to and/or showing compliance with Working Time Regulations 1998 including: | 2 years from the date on which the record was made | Paper/electronic | Working Time Regulations 1998, SI 1998/1833, reg 9
Redundancy records | 6 years from date of redundancy | Paper/electronic | LA 1980, s 5
Annual leave records | 6 years after the end of each tax year | Paper/electronic | LA 1980, s 5
Parental leave records | 6 years after the end of each tax year | Paper/electronic | LA 1980, s 5
Sickness records | 6 years after the end of each tax year | Paper/electronic | LA 1980, s 5
Records of return to work meetings following sickness, maternity etc | 6 years after the end of each tax year | Paper/electronic | LA 1980, s 5
2. Payroll and salary records
Record | Recommended retention period | Storage format | Reference
Records for the purposes of tax returns including wage/salary records, records of overtime, bonuses and expenses | 6 years | Paper/electronic | Taxes Management Act 1970, s 12B
PAYE records, including: | 3 years | Paper/electronic | Income Tax (Pay As You Earn) Regulations 2003, SI 2003/2682, reg 97
Income tax and NI returns, income tax records and correspondence with HMRC | 3 years after the end of the financial year to which they relate | Paper/electronic | Income Tax (Employments) Regulations 1993, SI 1993/744, reg 55
Records demonstrating compliance with national minimum wage requirements | 3 years beginning with the day upon which the pay reference period immediately following that to which they relate ends | Paper/electronic | National Minimum Wage Regulations 2015, SI 2015/621, reg 59
Details of benefits in kind, income tax records (P45, P60, P58, P48 etc), annual return of taxable pay and tax paid | 4 years | Paper/electronic | Taxes Management Act 1970
Employee income tax and national insurance returns and associated HMRC correspondence | 3 years from end of tax year to which they relate | Paper/electronic | Income Tax (Pay as You Earn) Regulations 2003, SI 2003/2682, reg 97
Statutory sick pay (SSP) records | 3 years after the end of the tax year to which they relate | Paper/electronic | The requirement to maintain SSP records for three years after the end of the tax year to which they relate was revoked in 2014, but an employer may still be required by HMRC to produce such records as are in his possession or power which contain, or may contain, information relevant to satisfy HMRC that statutory sick pay has been and is being paid.
Wage/salary records (including overtime, bonuses and expenses) | 6 years | Paper/electronic | Taxes Management Act 1970, s 43
Records relating to hours worked and payments made to workers | 3 years | Paper/electronic | National Wage Act 1998, s 9
Statutory maternity pay records, calculations, certificates or other medical evidence | 3 years after the end of the tax year in which the maternity period ends | Paper/electronic | Statutory Maternity Pay (General) Regulations 1986, SI 1986/1960, reg 26
3. Health and safety records
Record | Recommended retention period | Storage format | Reference
Records of reportable injuries, diseases or dangerous occurrences | 3 years from date of the entry | Paper/electronic | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR 2013), SI 2013/1471, reg 12
Records of tests and examinations of control systems and protective equipment under COSHH | 5 years from the date on which the record was made | Paper/electronic | COSHH 2002, reg 9
4. Client records
Record | Recommended retention period | Storage format | Reference
Client details | 6 years after relationship ceases | Paper/electronic | LA 1980, s 5
GDPR access request policy
1 Introduction
1.2 Under the General Data Protection Regulation (‘GDPR’), individuals (known as ‘data subjects’) have a general right to request confirmation that we process their data, access to personal information or data that we hold or process about them and certain other information contained in our privacy notice, subject to certain exceptions. These requests are known as ‘subject access requests’.
1.3 The Data Protection Manager is Keigo Kato and is responsible for all data protection matters.
1.4 The Data Protection Manager is responsible for ensuring:
1.4.1 that all subject access requests are dealt with in accordance with the GDPR; and
1.4.2 that all staff have an understanding of the GDPR in relation to subject access requests and their personal responsibilities in complying with the relevant aspects of the GDPR.
1.5 This policy provides guidance for staff members on how subject access requests should be handled and is intended for internal use. It is not a privacy policy or statement and is not to be made routinely available to third parties.
1.6 This policy is aimed primarily at those members of staff who are authorised to handle subject access requests. For other staff members, it provides guidance on:
1.6.1 what to do if you receive a subject access request (see paragraph 2 below); and
1.6.2 how to decide whether a request for information is a subject access request (see paragraph 3 below).
1.7 Failure to comply with the GDPR puts both staff and the Company at risk, and so the Company takes compliance with this policy very seriously. Failure to comply with any requirement of the policy may lead to disciplinary action, which may result in dismissal.
1.8 If you have any questions regarding this policy, please contact the Data Protection Manager.
2 Receiving a subject access request (non-authorised staff)
2.2 For information on what amounts to a subject access request, see paragraph 3 below. If you are in any way unsure as to whether a request for information is a subject access request, please contact the Data Protection Manager.
2.3 If you receive a subject access request by e-mail, you must immediately forward the request to the Data Protection Manager at this e-mail address: keigo.kato.uk@naigainitto.com.
2.4 If you receive a subject access request by letter you must:
2.4.1 scan the letter;
2.4.2 send the original to the Data Protection Manager; and
2.4.3 send a scanned copy of the letter by e-mail.
2.5 If you receive a subject access request by telephone or in person you must:
2.5.1 make a detailed note of the request (including the data subject’s contact details) and if possible confirm the detail of the request with the data subject;
2.5.2 send the note of the request by e-mail to the Data Protection Manager.
2.6 You will receive confirmation when the request has been received by the Data Protection Manager. If you do not receive such confirmation, you should contact the Data Protection Manager to confirm safe receipt.
2.7 You must not take any other action in relation to the data access request unless the Data Protection Manager has authorised you to do so.
3 What is a subject access request?
3.2 All subject access requests should be immediately directed to the Data Protection Manager in accordance with paragraph 2 above.
3.3 A request can be for:
3.3.1 confirmation that their data is being processed;
3.3.2 access to the subject’s personal data; and
3.3.3 other supplementary information that is contained in the Company’s privacy notice.
4 Requirements for a valid request
4.1.1 we must be able to identify the individual making the subject access request and then verify that identity using reasonable means. Typically, we will request a copy of the individual's driving licence or passport to enable us to establish his or her identity and signature (which should be compared to the signature on the subject access request and any signature we already hold for the individual). We also ask for a recent utility bill (or equivalent) to verify the individual's identity and address. In the case of current employees, it may not be necessary to follow these requirements exactly, and reasonable means should be used to verify the identity of the person making the request. If the request is made orally, the identity of the data subject must still be proven by other reasonable means. If there is doubt about the identity of the data subject, we can request further information necessary to confirm the data subject’s identity;
4.1.2 we must be able to identify the information being requested. For example, if a subject access request is made by an individual who is both an employee and a customer, we can ask the individual to specify whether he or she is seeking access to human resources information, customer records or both. If the request relates to CCTV images, it may be necessary to ask the individual to supply a photograph of him or herself or provide a description of the clothing the individual was wearing at the time his or her image is believed to have been recorded on CCTV. We should also ask for details of the date, time and location to help narrow the search further (if such information is available).
4.2 If the individual makes a request that does not satisfy the above requirements the Data Protection Manager will write to him or her setting out in what respect the requirements are not satisfied.
4.3 In most cases, the request will be provided free of charge. The Data Protection Manager can charge reasonable administrative charges if the request is manifestly unfounded, excessive or repetitive. Alternatively, the Data Protection Manager can refuse to act on the request (in which case, see paragraph 5.3.)
4.4 In providing data to the data subject, the rights and freedoms of other data subjects must not be adversely affected. This includes trade secrets, intellectual property and copyright protecting any relevant software.
5 Time limit for responding to a request
5.2 The Data Protection Manager can extend the deadline for a response to up to three months where absolutely necessary, although a response will still be given to the subject within one month to explain why the longer deadline is necessary.
5.3 If we do not respond to a request without delay or within one month, then we will inform the data subject of the reason why, and of their rights to make a complaint to the Information Commissioner's Office (‘ICO’) and/or to seek a judicial remedy.
6 Information to be provided in response to a request
6.1.1 confirmation that we process data about him or her;
6.1.2 access to the personal data we process about him or her;
6.1.3 the purposes for which we process the data;
6.1.4 the categories of personal data concerned;
6.1.5 the recipients to whom we have disclosed or may disclose the data (particularly any recipients in third countries or international organisations, and where this is the case the appropriate safeguards used to protect the data);
6.1.6 the retention period for which the data will be stored (or the criteria used to determine that period);
6.1.7 the existence of their right to:
(a) request rectification or erasure of their personal data;
(b) request restriction of processing of their personal data;
(c) object to processing of their personal data; and
(d) lodge a complaint with the ICO;
6.1.8 the existence, logic and consequences behind any automated decision we have taken about him or her; and
6.1.9 where the personal data was not collected directly from the data subject, information about the source of the personal data.
6.2 The information referred to in paragraph 6.1 must be provided in the form requested by the data subject. This can be orally, physically or electronically. For any further copies beyond the initial response, the Data Protection Manager can charge a reasonable administrative fee.
6.3 If the request is made electronically, the information should be provided in a commonly used electronic format. Where possible, the information will be provided by remote access to a secure self-service system.
6.4 Any technical terms, abbreviations or codes contained in the personal data must be explained to the individual.
6.5 Where we process a large amount of data about the data subject, the Data Protection Manager may ask the data subject to specify the information the request relates to.
7 How to locate information
7.2 Depending on the type of information requested, you may need to search all or some of the following:
7.2.1 electronic systems, e.g. databases, networked and non-networked computers, servers, customer records, human resources system, email data, back up data, CCTV;
7.2.2 manual filing systems, e.g. the HR filing system, but only where the manual filing system falls within the definition of a ‘filing system’;
7.2.3 data systems held externally by our data processors, e.g. external payroll service providers;
7.2.4 occupational health records.
7.3 You should search these systems using the individual's name, employee number, customer account number or other personal identifier as a search determinant.
8 A relevant filing system
8.2 Personal data that has been pseudonymised can still fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
9 Information to be supplied in response to a request
9.2 The type of information that will be classified as personal data is any information which identifies the individual (either directly from the data or from those data and other information which is in our possession or likely to come into our possession, such as information held by other companies, offices and branches).
9.3 Information about companies or other legal entities is not personal data. However, information about sole traders or partnerships will be, as it relates to the identifiable individuals who make them up. Personal data relating to deceased persons is not covered.
9.4 The right of access is subject to a number of conditions and exemptions, particularly where the personal data reveal information about another individual—this is covered in paragraph 10 below.
10 Disclosing personal data relating to third parties
10.1 Does the information relate to and identify the third party? In deciding this point, you should take into account:
10.1.1 the information you are disclosing; and
10.1.2 any information you reasonably believe the requester may have, or may get hold of, that would identify the third party.
10.2 If so, is it possible to comply with the request without revealing the third party’s information, e.g. by redacting (blanking out) names or editing documents?
10.3 If it is impossible to separate the third party’s information from that requested and still comply with the request, then you should consider whether the third party has consented to the disclosure of his or her information. It is good practice to ask relevant third parties for consent to the disclosure of their personal data in response to a subject access request. However, it may not always be appropriate to ask for consent, e.g. if to do so would inevitably involve disclosing personal data about the requester to the third party.
10.4 If the third party has not given consent, is it otherwise reasonable in all the circumstances to disclose without the third party’s consent? You should take into account the following (non-exhaustive) list of factors:
10.4.1 any duty of confidentiality that we owe to the third party;
10.4.2 any steps we have taken to obtain the consent of the third party;
10.4.3 whether the third party is capable of giving consent; and
10.4.4 any express refusal of consent by the third party.
10.5 The following additional factors should also be considered:
10.5.1 whether the third party is a recipient or one of a class of recipients who might act on the data to the requester’s disadvantage;
10.5.2 whether the third party is the source of the information;
10.5.3 whether the information is generally known by the requester; and
10.5.4 the importance of the information to the requester.
10.6 Ultimately, whether or not it is reasonable to disclose the third party’s information will depend upon all the circumstances and each request must be considered on a case-by-case basis.
10.7 Always keep a record of what you have decided to do and your reasons for doing it.
11 Requests made by third parties on behalf of the individual
12 Exemptions to the right of subject access:
12.1 Crime detection and prevention: We may not have to disclose any personal data which we are processing for the purposes of preventing or detecting crime; apprehending or prosecuting offenders; or assessing or collecting any tax or duty. This is not an absolute exemption. It only applies to the extent to which the giving of subject access would be likely to prejudice any of these purposes. We are still required to provide as much of the personal data as we are able to. For example, if the disclosure of the personal data could alert the individual to the fact that he or she is being investigated for an illegal activity (i.e. by us or by the police) then we do not have to disclose the data since the disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
12.2 Confidential references: We may not have to disclose any confidential references that we have given to third parties for the purpose of actual or prospective:
12.2.1 education, training or employment of the individual;
12.2.2 appointment of the individual to any office; or
12.2.3 provision by the individual of any service.
This exemption does not apply to confidential references that we receive from third parties. However, in this situation, granting access to the reference may disclose the personal data of another individual (i.e. the person giving the reference), which means you must consider the rules regarding disclosure of third-party data set out in paragraph 10 before disclosing the reference.
12.3 Legal professional privilege: We may not have to disclose any personal data which is subject to legal professional privilege. There are two types of legal professional privilege:
12.3.1 ‘Advice privilege’ covers confidential communications between the Company and our lawyers where the dominant purpose of the communication is the seeking or giving of legal advice;
12.3.2 ‘Litigation privilege’ covers any document which was created with the dominant purpose of being used in actual or anticipated litigation (e.g. legal proceedings before a court or tribunal). Once a bona fide claim to litigation privilege ends, the documents in the file which were subject to litigation privilege become available if a subject access request is received.
If you think the legal professional privilege exemption could apply to the personal data that have been requested, you should refer the matter to the Data Protection Manager for further advice.
12.4 Management forecasting: We do not have to disclose any personal data which we process for the purposes of management forecasting or management planning to assist us in the conduct of any business or any other activity. Examples of management forecasting and planning activities include staff relocations, redundancies, succession planning, promotions and demotions. This exemption must be considered on a case-by-case basis and must only be applied to the extent to which disclosing the personal data would be likely to prejudice the conduct of that business or activity.
12.5 Negotiations: We do not have to disclose any personal data consisting of records of our intentions in relation to any negotiations with the individual where doing so would be likely to prejudice those negotiations. For example, if HR is negotiating with an employee in order to agree the terms of a redundancy package and the employee makes a subject access request, HR can legitimately withhold giving access to information which would prejudice those redundancy negotiations. The HR department must, however, disclose all other personal data relating to the individual unless that other personal data is also exempt from disclosure.
13 Consequences of failing to comply with a request
13.1 the individual may complain to the Information Commissioner and this may lead the Commissioner to investigate the complaint. If we are found to be in breach, enforcement action could follow (which could include monetary penalties);
13.2 if an individual has suffered damage, or damage and distress, as a result of our breach of GDPR, he or she may take us to court and claim damages from us; and/or
13.3 a court may order us to comply with the subject access request if we are found not to have complied with our obligations under the GDPR.
13.4 As set out above, if we fail to respond to a request within the time period, we must inform the data subject of the existence of the data subject’s rights to make a complaint.
14 Contacts and responsibilities
14.2 Any questions regarding this Policy should be addressed to the Data Protection Manager.
Fair Processing Notice
Naigai Nitto Logistics (Europe) Ltd (the ‘Company’) will be the data controller and can be contacted as follows:
By post: Data Protection Manager, Naigai Nitto Logistics (Europe) Ltd., 21 Leslie Square, Paper Mill End Industrial Estate, Great Barr, Birmingham B44 8NH, United Kingdom
By e-mail: keigo.kato.uk@naigainitto.com
By phone: +44 121 356 4777
The information we gather
In this notice, references to ‘we’ or ‘us’ mean the Company and our group companies.
Information that we gather about you may include your name, contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality and other information contained in your passport, National Insurance number, date of birth, job title, photograph, personal mobile phone number, date of joining, and CV.
We may also obtain information about you from third parties, such as our group companies, service providers and agents (such as your recruitment consultant).
The provision of your personal data is a contractual requirement. If you do not wish to provide the requested data, it may not be possible for the Company to employ you or provide certain employment benefits.
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
The legal basis for processing
Information about third parties
Systems used to process data
• computer networks and connections
• access control systems
• communications systems
• remote access systems
• email and instant messaging systems
• intranet and Internet facilities
• telephones, voicemail, mobile phone records
Some limited personal data may be collected from monitoring devices and systems such as door entry and the building’s CCTV systems.
Purposes for processing
• the employee/employer relationship
• administering and maintaining personnel records
• paying salary and other remuneration and providing and administering benefits
• compliance with legal, regulatory and corporate governance obligations and good practice
• gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
• ensuring business policies are adhered to (such as policies covering security and Internet use)
• operational reasons, such as training and quality control
• ensuring the confidentiality of commercially sensitive information
• investigating complaints and allegations of criminal offences
• statistical analysis
• preventing unauthorised access and modifications to systems
• checking and providing references
• ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences
• staff administration and assessments, monitoring staff conduct, disciplinary matters, maintaining sickness and absence records and taking decisions as to your fitness for work
Disclosures and exchange of information and transfers outside the EEA
Information may be held at our offices and those of our group companies, and service providers, representatives and agents as described above. Information may be transferred internationally to Japan and other countries around the world, including those without data protection laws equivalent to those in the UK, for the reasons described above. We have security measures in place to seek to ensure that there is appropriate security for information we hold, including those measures detailed in our data protection policies, which can be located at http://www.nnt.co.jp/privacy-policy/. For transfers to Naigai Nitto Co. Ltd, the Company has established Standard Contractual Clauses to protect this data, as per GDPR Article 46(2). This document can be located at http://www.nnt.co.jp/privacy-policy/.
If you would like further information please contact our Data Protection Manager (see above). We will not otherwise transfer your personal data outside of the EEA or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
Sensitive personal data
We will usually only collect and record sensitive personal data with your prior consent. However, occasionally we may do so without consent where required or permitted to do so by applicable law (e.g. to comply with diversity reporting requirements). We may disclose your sensitive personal data to our group companies or service providers, representatives and agents.
Retention periods
Your rights
• access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
• require us to correct any mistakes in your information which we hold
• require the erasure of personal information concerning you in certain situations
• receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
• object at any time to processing of personal information concerning you for direct marketing
• object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
• object in certain other situations to our continued processing of your personal information
• otherwise restrict our processing of your personal information in certain circumstances.
Where you have given consent to any data processing, you have the right to withdraw that consent at any time. We will not do anything with your data not outlined in this notice.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of these rights, please contact our Data Protection Manager in writing (see above), providing enough information to identify you and letting us know which information your request relates to.
If you are not satisfied with how we have handled any complaint you have made to us, you also have the right to make a complaint to the Information Commissioner's Office, which is the supervising authority in the UK in relation to data processing. You can contact the Information Commissioner at https://ico.org.uk/ or by telephone on 0303 123 1113 for further information about your rights and how to make a formal complaint.
We may change this privacy notice from time to time; when we do, we will inform you via e-mail.
Further enquiries
Signature:
Name:
Position:
Date: