O&A DESIGN LTD.
DATED 25 MAY 2018
This Privacy Standard sets out how O&A DESIGN LTD. (”we”, “our”, “us”, “the Company”) handle the Personal Data of our clients, employees, workers and other third parties.
This Privacy Standard applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, website users or any other Data Subject.
We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the Company and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the GDPR.
This Privacy Standard applies to all Personnel (”you”, “your”). You must read, understand and comply with this Privacy Standard when Processing Personal Data on our behalf and attend training on its requirements. This Privacy Standard sets out what we expect from you in order for the Company to comply with applicable law. Your compliance with this Privacy Standard is mandatory. Any breach of this Privacy Standard may result in disciplinary action.
This Privacy Standard and any other privacy-related documents and templates referred to in it are for internal use only and cannot be shared with third parties, clients or regulators without prior authorisation from the DPL.
In this Privacy Standard the following terms have the following meanings:
Business Contact: any individual, whether acting in their own capacity or representing a business, you come into interaction with in the course of your working for the Company and participating in work-related events, whether at the Company’s request or of your own accord.
Client: an individual, whether acting in their own capacity or representing a business, who has engaged the Company for the provision of services or sale of goods, or has taken steps toward such engagement.
Personnel: all employees, workers (contractors, agency workers, consultants), directors, members and others.
Consent: agreement which must be freely and given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to them.
Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Personnel and Personal Data used in our business for our own commercial purposes.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
Data Protection Leader (DPL): data protection manager or other voluntarily appointed data protection leader of the Company.
EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679).
IAR: information assets register, a database that records the information assets in the Company’s possession that contain Personal Data and their respective locations, access restrictions and other parameters including retention period.
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
1. PERSONAL DATA PROTECTION PRINCIPLES
We adhere to the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
1.1. Lawfulness, Fairness and Transparency. Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject. The GDPR allows Processing for specific purposes, of which are relevant to the business of the Company are:
- a) the Data Subject has given their Consent (Consent);
- b) the Processing is necessary for the performance of a contract with the Data Subject (Contract);
- c) to meet our legal compliance obligations (Compliance);
- d) to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices (Legitimate Interests).
You must identify and document the lawful basis being relied on for each Processing activity. If you are not sure which basis applies, consult the DPL prior to commencing the Processing.
1.2. Purpose Limitation. Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes. You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.
1.3. Data Minimisation. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties. You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes. You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with this Privacy Standard.
1.4. Accuracy. Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
1.5. Storage Limitation. Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is Processed. You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.
The Company will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Company’s applicable records retention schedules. This includes requiring third parties to delete such data where applicable.
1.6. Security, Integrity and Confidentiality. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage. We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- a) Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it.
- b) Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
- c) Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.
You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR and relevant standards to protect Personal Data.
1.7. Accountability. We are responsible for and must be able to demonstrate compliance with the data protection principles listed above. The Company ensures the compliance with the GDPR by:
- a) appointing a suitably qualified DPL. The post of DPL is currently held by the director of the Company Irina Schatton, email@example.com;
- b) implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
- c) integrating data protection into internal documents including this Privacy Standard;
- d) regularly training Personnel on the GDPR, this Privacy Standard, and data protection matters including, for example, Data Subject’s rights. The Company must maintain a record of training attendance by Personnel; and
- e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
2. PERSONAL DATA OF PERSONNEL, CLIENTS AND BUSINESS CONTACTS
We have explained below our approach to the treatment of three main categories of Personal Data processed by the Company: the Personal Data of Personnel, Clients and Business Contacts. If you are not sure how to categorise the Personal Data you are handling you should seek DPL’s assistance immediately.
2.1. Personal Data of Personnel
We collect Personal Data about Personnel either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
2.1.1. Categories of Personal Data, purpose and legal grounds for processing
We will only use your Personal Data when the law allows us to. Most commonly, we will rely on Contract, Compliance or Legitimate Interests as lawful bases for the processing of your data. We may need your Consent in limited circumstances, e.g. to process some categories of Sensitive Personal Data.
Some of the above bases will overlap with respect to the same categories of your Personal Data, and there may be several bases which justify our use of your Personal Data. We have summarised the categories of your Personal Data we may process along with the intended purposes and legal bases for the processing in Table 1 attached to this Privacy Standard.
2.1.2. Data sharing.
We may have to share your Personal Data with third parties, including third-party service providers and other entities in the Company’s group. All our third-party service providers and other entities in the Company’s group are required to take appropriate security measures to protect your Personal Data in line with our policies. We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
The following third-party service providers process your Personal Data for the following purposes:
|CIS London & Partners LLP||Legal services|
|Primality LLP||Recruiting services|
|ZGRP Limited||Paying employees’ wages and deducting tax and National Insurance contributions (NICs), as well as providing accounting and auditing services to the Company|
We may share your personal information with other third parties, for example with a regulator or to otherwise comply with the law.
If we need to transfer your personal information outside the EU, you can expect a similar degree of protection in respect of your personal information. Please refer to SHARING PERSONAL DATA AND TRANSFER LIMITATIONS section of this Privacy Standard for details.
2.2. Clients’ Personal Data
2.2.1. Lawful basis for Processing
Whenever we Process Personal Data in connection with our contract with a client, we rely on Contract as the lawful basis for our Processing activity. However, this only applies to the extent that the Client’s Personal Data is used sparingly, in accordance with the Data Protection principles, in particular Data Minimisation, and Purpose Limitation, and Storage Limitation Principles.
If you intend to use the Client’s Personal Data in a way, for a purpose or to the extent that is not strictly necessary for the performance of our contract with the Client, consult DPL to see if any other lawful basis for Processing is available.
Occasionally you will come into possession of Personal Data of third parties during the course of your work: for example, a Client may furnish its family members’ Personal Data to you. It is likely that we will need relevant Data Subject’s Consent in order to Process such data.
Consult the DPL whenever you come into possession of Personal Data relating to third parties before you make any use of the data. If the DPL advises that Consent is the appropriate lawful basis, you must pass the evidence of every Consent obtained by you to the DPL so that the Company can demonstrate compliance with Consent requirements.
2.2.2. Privacy notices
If Personal Data is collected by you indirectly (from a source other than the Data Subject), you must check that the Personal Data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed Processing of that Personal Data, and in certain cases provide the Data Subject with the Privacy Information as soon as possible after collecting/receiving the data.
Sometimes we must present the Data Subject with more than one privacy notice with respect to the same set of Personal Data – for instance, when we rely on more than one legal basis for Processing (see GROUNDS FOR PROCESSING above). When in doubt over which privacy notice to use, or over the timing of the notice, consult the DPL prior to commencing the Processing.
2.2.3. Data minimisation, e-mail policy and Storage Limitation
A. Active projects
In line with the Data Minimisation Principle, we must make sure that we do not duplicate Client Personal Data.
To help us comply with our Data Minimisation and Storage Limitation obligations, you should save all correspondence relating to an active project exclusively to its designated MS Outlook folder. This applies to both incoming and outgoing e-mails.
You must avoid sharing the Client Personal Data with anyone via e-mail.
Unless the terms of our contract imply sharing a document containing the Client’s Personal Data with third parties, and such third parties’ names have been communicated to the Client as part of a privacy notice, you must anonymise any documents containing Personal Data before sharing them with anyone outside the Company, including external advisers.
B. Completed projects
Once a project is completed:
- 1. Its inbox folder must be archived.
- 2. If you intend to re-use documents drafted over the course of the engagement as templates, you must anonymise required texts first.
2.3. Business Contacts
Data Subject’s prior Consent is required before we can send them marketing e-mails. You may obtain a GDPR-compliant form of such Consent from the DPL.
You must not create any databases or mailing lists containing Personal Data of Business Contacts without the DPL’s prior approval.
Ad hoc mailing lists must only be retained in electronic form until the purposes for which they were compiled are fulfilled.
You are allowed to keep any loose business cards a new Business Contacts has given you as long as you do not intend to input the details into a computer system. You must always consult the DPL before you first contact a Business Contact by e-mail or otherwise, except in response to their communication to you, as you may need to attach a privacy notice or request for Consent to your communication.
If you receive an opt-out request with respect to the Company’s marketing communications, regardless of the form of such request, their details should be suppressed from marketing lists as soon as possible by retaining just enough information to ensure that their preferences are respected in the future. It is important not to simply delete the details entirely: otherwise there is no way of ensuring that we do not contact them again.
Any newly created marketing list or Business Contact’s Personal Data must be screened against the Company’s suppression list, available from the DPL.
3. GENERAL PROVISIONS
This section GENERAL PROVISIONS relates to any and all Personal Data the Company processes, including your own.
3.1. Retention policy
We only retain Personal Data for as long as necessary to fulfil the purposes we collected it for. Details of retention periods for different categories of Personal Data are indicated in Table 1 attached to this Privacy Standard. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
3.2. Sharing Personal Data and transfer limitations
Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the Personal Data we hold with another member of Personnel if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
You may only share the Personal Data we hold with third parties, such as our service providers if:
- a) they have a need to know the information for the purposes of providing the contracted services;
- b) the Privacy Notice provided to the Data Subject named the intended third party recipient, and if required, the Data Subject’s Consent has been obtained;
- c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- d) the transfer complies with any applicable cross border transfer restrictions; and
- e) a GDPR-compliant contract is in place with the intended recipient.
The DPL keeps track of our arrangements with third parties whom we occasionally engage and who process data on our behalf. Even if you have shared Personal Data with the same third party before, the terms of our agreement with them may have changed.
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
Regardless of the terms of our agreement with the third party recipient, we may only transfer Personal Data outside the EEA if one of the following conditions applies:
- a) the country to which we transfer the Personal Data is included in the list of countries with adequate level of protection for the Data Subjects’ rights and freedoms, as determined by a European Commission decision;
- b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPL;
- c) the Data Subject has provided an Explicit Consent to the proposed transfer after being informed of any potential risks; or
- d) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.
You must always obtain the DPL’s approval prior to disclosing Personal Data to any third party.
3.3. Data Subject’s rights and requests
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
3.3.1. Right to be informed, i.e. to have up-to-date information regarding the purposes for the processing of their Personal Data, applicable retention periods, and who it will be shared with.
3.3.2. Right of access, i.e. to obtain a confirmation of whether we are processing their Personal Data, the purposes for such processing, whether we share it with third parties, and applicable retention periods; and a copy of the Personal Data we hold about them.
3.3.3. Right to data portability, i.e. to receive a copy of the Personal Data they have provided to us in a structured, commonly used, machine-readable format, and/or to request the transfer of their personal data to another person. This right is only available in respect of the personal data that we collect and process on the basis of Consent or Contract.
3.3.4. Right to rectification, i.e. a limited right to have inaccurate Personal Data in our possession rectified, and incomplete personal data completed.
3.3.5. Right to erasure, also known as the right to be forgotten, i.e. to require us to erase their Personal Data if:
- a) the personal data is no longer necessary for the purpose which we originally collected or processed it for;
- b) we are relying on Consent for holding the data, and the Data Subject withdraws their consent;
- c) we are relying on Legitimate Interests as our basis for processing, and the Data Subject objects to the processing of the data, and there is no overriding legitimate interest to continue this processing;
- d) we are processing the Personal Data for direct marketing purposes and the Data Subject objects to that processing;
- e) we have processed the Personal Data unlawfully;
- f) we have to do it to comply with a legal obligation; or
- g) we have processed the personal data to offer information society services to a child.
3.3.6. Right to restrict processing, i.e. to require us to limit the purposes for which we process their Personal Data if:
- a) they contest the accuracy of their Personal Data and we are verifying the accuracy of the data;
- b) the data has been unlawfully processed and they oppose erasure and request restriction instead;
- c) we no longer need the Personal Data but the Data Subject needs us to keep it in order to establish, exercise or defend a legal claim; or
- d) the Data Subject has exercised their right to object (see below), and we are considering whether our legitimate grounds override theirs.
3.3.7. Right to object, i.e. to ask us to stop processing the data. This right is available to the Data Subject if we process their Personal Data for direct marketing purposes only. If we process the data relying on Legitimate Interests, this right is also available, but it is subject to our being able to demonstrate compelling legitimate grounds for the processing, which override the Data Subject’s interests, rights and freedoms. This right is also not available if the processing is for the establishment, exercise or defence of legal claims.
You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation). You must immediately forward any Data Subject request you receive to the DPL.
If you want to review, verify, correct or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact the DPL in writing.
Normally, you will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
3.4. Reporting a Personal Data Breach
The GDPR requires us to notify Personal Data Breaches to the applicable regulator and, in certain instances, the Data Subject.
We have put in place a Data Breach Policy, attached to this Privacy Standard, to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so. The policy must be followed strictly.
If you have committed a Personal Data Breach (e.g. sent an e-mail containing Personal Data to an unintended recipient), or you become aware of or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the DPL following the instructions contained in the Data Breach Policy. You should preserve all evidence relating to the potential Personal Data Breach.
The GDPR requires us to keep full and accurate records of all our data Processing activities. We have developed the IAR to keep track of our processing activities and respond to Data Subjects’ requests more efficiently. The DPL is responsible for the population and maintenance of the IAR.
We must keep and maintain accurate corporate records reflecting our Processing. For every piece of Personal Data that you obtain, you must save the data to the relevant project folder and create a Data Map in the form attached to this Privacy Standard, save it to the project folder and notify the DPL without delay.
The DPL must introduce every piece of new Personal Data to the IAR promptly upon being presented with such data.
3.6. Information security, privacy by design and DPIA
We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles. Our Information Security Policy is attached to this Privacy Standard, and must be followed strictly.
You must assess (and discuss your findings with the DPL) what Privacy by Design measures can be implemented on all programs/systems/processes that Process Personal Data by taking into account the following:
- a) the state of the art;
- b) the cost of implementation;
- c) the nature, scope, context and purposes of Processing; and
- d) the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
You should conduct a DPIA (and discuss your findings with the DPL) when implementing major system or business change programs involving the Processing of Personal Data including:
- a) use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- b) automated processing of Persona Data including profiling and automated decision-making; and
- c) large scale Processing of Sensitive Personal Data.
A DPIA must include:
- a) a description of the Processing, its purposes and our legitimate interests if appropriate;
- b) an assessment of the necessity and proportionality of the Processing in relation to its purpose;
- c) an assessment of the risk to individuals; and
- d) the risk mitigation measures in place and demonstration of compliance.
4. TRAINING AND AUDIT
We are required to ensure all Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.
You must undergo all mandatory data privacy related training and ensure your team undergo similar mandatory training.
You must regularly review all the systems and processes under your control to ensure they comply with this Privacy Standard and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
5. CHANGES TO THIS PRIVACY STANDARD
We reserve the right to change this Privacy Standard at any time without notice to you so please check back regularly to obtain the latest copy of this Privacy Standard.
This Privacy Standard does not override any applicable national data privacy laws and regulations in countries where the Company operates.
6. ACKNOWLEDGEMENT OF RECEIPT AND REVIEW
I, [EMPLOYEE NAME], acknowledge that I received and read a copy of the O&A DESIGN LTD.’s Privacy Standard dated 25 May 2018 and understand that I am responsible for knowing and abiding by its terms. I understand that the information in this Privacy Standard is intended to help Personnel work together effectively on assigned job responsibilities and assist in the use and protection of Personal Data. This Privacy Standard does not set terms or conditions of employment or form part of an employment contract.
Printed Name ……………………………………………….
|Information Asset Name||Categories of Personal Data||Lawful Basis||Lawful Basis Explained||Retention Period|
|Employee right to work checklist||Name||Compliance||Ss15-25 Immigration, Asylum and Nationality Act 2006 and ss24 and 24B Immigration Act 1971||Two years after termination of employment|
|Employee passport copy||Name
Date of birth
Place of birth Nationality
Passport number and date of issue
|Employee UK visa copy||Name
Date of birth
Place of birth
Visa number and expiry date
|Confirmation of term and vacation dates for Tier 4 student employees||Name
|Employee biometric residence permit copy||Name
Date of birth
Place of birth
Permit number and expiry date
|HMRC letter re employee’s NIN||Name
||Six years after termination of employment|
Date of birth
Passport number and expiry date
Visa number and expiry date
||One year after sponsorship ends|
|Copy of employee’s degree certificate and transcript||Name
Date of birth
|Compliance||Part 4(c) Appendix D: guidance for sponsors on keeping documents||One year after sponsorship ends|
Details of pay
||Six tax years after the end of the tax year in which payments were made|
|Company’s bank statements||Name
Details of pay
|Compliance||Part 3(a) Appendix D: guidance for sponsors on keeping documents||One year after sponsorship ends|
|Contract with the employee||Name
Job title Address
Details of pay
|Compliance||Part 3(c) Appendix D: guidance for sponsors on keeping documents||Six years after termination of employment|
|Legitimate Interest||Company needs to retain a copy of the employment contract as proof of the employee’s agreement with the terms of their employment, and as proof of the employee’s details such as bank details and address that the Company uses to make payments and serve notices|
|Compliance||Part 4(a) Appendix D: guidance for sponsors on keeping documents||Six years after termination of employment|
|Legitimate Interest||In case an employment dispute arises the Company needs to retain a copy of the job description as proof of the employee’s scope of engagement and responsibilities undertaken|
|Employee resume (CV)||Name
Date of birth
|Compliance||Part 2(k) Appendix D: guidance for sponsors on keeping documents||Until the end of employment|
|Employee cover letter||Name
|Compliance||Part 2(k) Appendix D: guidance for sponsors on keeping documents||One year after sponsorship ends|
|Candidate checklist||Name||Compliance||Para 28 Tiers 2 and 5: guidance for sponsors (as proof that no suitable settled worker is available to fill the job)||One year after sponsorship ends|
|Employee self-certification form||Name
Date of birth
Details of sickness
|Compliance AND Article 9(2)(b) GDPR||S34 Taxes Management Act 1970 (as ground for sick leave and, if eligible, sick pay)||Six tax years after the end of the tax year in which payments (sick pay or tax) were made|
|Employee absences form||Name
Details of absence
|Compliance||Parts 1(h) / 6(c) Appendix D: guidance for sponsors on keeping documents||One year after sponsorship ends|
|Legitimate Interest||It is the Company’s legitimate interest to protect itself from possible action against it. This information asset is crucial for the Company’s defence in case a former employee brings a claim for payment in lieu of annual leave accrued but not taken||Three months after employment ends|
|Holiday Rota||Name||Legitimate Interest||The consolidated table indicating planned absences of employees is necessary for the planning of annual leaves||Until the end of employment|
|Self-employed HMRC Self-Assessment Statement||Name
Details of taxable income
|Compliance||S34 Taxes Management Act 1970 (as grounds the calculation of the Company’s tax liability)||Six tax years after the end of the tax year in which last payments were made|
|Employee starter checklist||
|Compliance||HMRC Guide (https://www.gov.uk/new-employee/employee-information)||Three tax years after the end of the tax year in which the employment started|
|Consents for PD processing||Name
|Legitimate Interest||It is the Company’s legitimate interest to protect itself from possible action against it. This information asset is crucial for proving the Company processed data lawfully when it relied on consent||Six years after data last processed (deleted)|
|Client contact and employment information||Address
Location of employer
|Contract||The Company uses this information to provide services and sell goods to the client in accordance with the terms of our contract and communicate with the client in connection with the contract||Six years after relationship with the client ended or after last transaction, whichever is later|
|Legitimate Interests||To prevent fraud and assist the Company in case of a dispute with the client, the Company retains communications from the client that inevitably bear the client’s contact information|
|Payment and transaction information relating to the client||Bank account details
Bank card details
Date, time, amount and other transaction details
|Contract||The Company uses this information to provide services and sell goods to the client in accordance with the terms of our contract and facilitate the transactions envisaged by it||Six years after relationship with the client ended or after last transaction, whichever is later|
|Legitimate Interests||To prevent fraud, to ensure compliance with its professional obligations, and assist the Company in case of a dispute with the Client|
|Business contacts information||E-mail address
|Consent||If the data subject has consented to receiving our marketing communications, we use this information to send them our newsletters, invitations, news and promotion offers||Until the data subject unsubscribes from our communications|
Location of employer
Areas of professional interest
|Legitimate Interests||To tailor the marketing communications to the business contact’s interests|
|E-mail address as included in the Company’s suppression list||Compliance||The Privacy and Electronic Communications (EC Directive) Regulations 2003||Indefinitely|
DATA MAP FORM
Please use a separate Data Map for each document containing Personal Data you are reporting
|3.||Category of personal data contained in the document|
|5.||Received from Data Subject?|
|6.||If received from a person other than the Data Subject, specify the source|
|7.||Purpose for processing|
|8.||Whom we will share (or have shared) this Personal Data with|
O&A DESIGN LTD. INFORMATION SECURITY POLICY
This policy sets out the organisational and technical measures implemented by the Company for ensuring the security of processing of the Personal Data of our clients, employees, workers and other third parties.
This policy has been developed based on the Company’s assessment of the state of the art and the costs of implementation of security measures, as well as the nature, scope, context and purposes of the Company’s processing activities, and the risks for the rights and freedoms of Data Subjects from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
1. TECHNICAL MEASURES
1.1. Access restrictions
User accounts on desktop and portable devices supplied by the Company are password-protected.
Access to the project folders on the Company’s internal server is by default restricted.
1.2. Storage restrictions
Personnel is not allowed to store Personal Data on their own devices without the prior written approval of the DPL.
The Company observes the data minimisation principle and does not store duplicates of the same set of Personal Data, except for backup purposes as explained below. All of the Personal Data processed and stored by the Company is stored in a designated location on the Company’s internal server hosted in a secured location. Personnel are not allowed to save information containing Personal Data outside relevant project folders on the Company’s server.
If a member of Personnel accesses their corporate e-mail account from their own device, they are required to have the device protected by password.
To ensure the resilience of the Company’s systems, and be able to restore availability and access to data in a timely manner in the event of a physical or technical incident, the Company regularly conducts the back-up of its [●], and the back-up files are stored securely on [●].
2. ORGANISATIONAL MEASURES
To ensure effective access controls protecting Personal Data from unauthorised access / disclosure, the Company organises regular training of employees privy to such personal data. The Company’s consultants and workers based outside London shall be required to join the training via video conference or familiarise themselves with the training materials independently and complete a test to evaluate the result.
The Company conducts regular testing of employees on data protection to check their understanding of the Privacy Standard and this policy.
2.2. Access restriction
In determining access rights of Personnel the Company adopts a conservative approach. Exact access rights are determined on a case-by-case basis for each Personnel member, and never confer more access rights than necessary for the performance of the Personnel member’s duties.
Neither member of the Personnel, except the DPL, can erase or modify the Personal Data once it has been recorded in the IAR.
2.3. Monitoring and testing
The Company conducts regular monitoring for security issues and testing of business continuity / disaster recovery plans on a regular basis.
O&A DESIGN LTD. DATA BREACH POLICY
This policy sets out the procedure to be followed in case of a Personal Data Breach with respect to the Personal Data in the Company’s custody, regardless of format in which the data is stored.
This policy applies to both confirmed and suspected Personal Data Breaches.
1. Forms of Personal Data Breach
The most common forms of Personal Data Breach are as follows:
- a) loss or theft of a carrier on which Personal Data is stored;
- b) technical failure affecting the carrier on which Personal Data is stored or the Company’s information system;
- c) unauthorised access to or processing of Personal Data;
- d) unauthorised disclosure of Personal Data;
- e) fishing or hacking attack; and
- f) human error, i.e. unintended disclosure or damage to Personal Data.
2. Reporting a Personal Data Breach
2.1. Every member of Personnel is responsible for reporting Personal Data Breaches immediately to the acting DPL.
2.2. The report must include the following information:
- a) when the Personal Data Breach occurred;
- b) brief description of the breach and Personal Data compromised; and
- c) name of the Data Subject affected.
2.3. If reporting on a weekend, bank holiday in England, before 10am or after 5pm London time, the report must be followed up with a call to the acting DPL’s personal phone number, to be communicated to each member of the Personnel separately.
2.4. Upon receiving the report, the DPL must determine if the Personal Data Breach has in fact occurred and whether it is continuing.
2.5. The DPL must establish the severity of the breach and determine immediate action to minimise the damage of the breach without delay, having regard to the following:
- a) the identity and personal circumstances of the Data Subject affected;
- b) the nature of the compromised Personal Data, and whether any special category data, as defined in the GDPR, has been compromised;
- c) whether the compromised Personal Data relates to vulnerable categories of Data Subject, e.g. children;
- d) whether the compromised Personal Data could be used to commit identity fraud;
- e) in case a carrier has been lost or stolen, whether it be tracked/disabled/recovered remotely using technical means; and
- f) risk of distress or other damage to the Data Subject in case the compromised Personal Data is disclosed.
2.6. The DPL must establish who needs to be notified of the breach and carry out the notification, having regard to:
- a) legal and contractual notification requirements;
- b) the likelihood of the breach adversely affecting the Data Subject’s rights; and
- c) whether the notification of the Data Subject proper will assist in the protection of the Data Subject’s rights and interests, e.g. by making it possible for the Data Subject to mitigate the damage.
2.7. If the Information Commissioner’s Office needs to be notified of the breach, the notification must be done within 72 hours of the DPL’s becoming aware of the breach.
2.8. If the Data Subject needs to be notified of the breach, the notification should be made promptly, contain full details of the breach and action taken to address it, and be accompanied with suggestions as to the action to be taken by the Data Subject.
2.9. The DPL must retain a record of the breach and any notifications made in the IAR.
3. Response to Personal Data Breach
Following each Personal Data Breach, the DPL shall conduct an investigation into the causes of the breach. Based on the results of the investigation, the DPL may organise an extraordinary training session on Personal Data Breach prevention for the Personnel and/or suggest changes to the Company’s internal policies, systems or procedures.