The principle behind our GDPR Policy is that we shall only hold personal data where we have a contractual or legitimate reason to do so; we shall only retain it for as long as it is necessary and we continue to have a contractual or legitimate reason to do so; and we shall only permit those individuals in our organisation, or those of our suppliers, to see the personal data where there is a contractual or legitimate reason to do so.
The nature of the personal data which Sematron holds depends on the relationship of the stakeholder (or data subject) to Sematron's business, and may be categorised into three groups:
Full details of the type of data we hold for each group, and how we protect this data, are described later in this Policy. However, it will be shown that, with the exception of our own employees, the personal data that we hold for our other stakeholders is not of a highly sensitive nature. Nonetheless, we protect it securely.
Sematron has never sold, and will never sell, personal data to third parties.
This Policy is in place to ensure that all staff and the relevant suppliers are aware of their responsibilities and outlines how Sematron complies with the core principles of the GDPR.
For the purpose of this Policy, personal data refers to information that relates to an identifiable, living individual. The GDPR applies to both automated personal data and to manual filing systems.
Data that the Company will process for customers may include:
Data that the Company will process for suppliers may include:
Employees' personal information
Relevant personal data throughout recruitment and employment and for as long as is legally necessary (currently 6 years) after the termination of employment. Full details are available to employees in the Employee Privacy Notice.
Management of information
Information is held for the following reasons:
Information may be stored in hard copy, soft copy or both.
The following third parties have access to personal information Sematron holds: Company Accountant, IT Support provider, Business Management System provider, and Sematron suppliers. These companies have confirmed their compliance with the GDPR.
Accountability
Data Protection Officer
The Data Protection Officer (DPO) is responsible for ensuring the education of the Company and its employees relating to compliance requirements, training employees involved in data processing, and conducting regular security audits. The DPO also serves as the point of contact between the Company and any Supervisory Authorities that oversee activities related to personal data.
The DPO's responsibilities include, but are not limited to, the following:
Under the GDPR, data will be lawfully processed only under the following conditions:
In the case of sensitive data, processing will only take place under the following conditions:
Sensitive paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access. Sensitive paper records will not be left unattended or in clear view anywhere with general access. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site. Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use. Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted.
All mobile phones and laptops are password-protected to protect the information on the device in case of theft. Where possible, Sematron configures electronic devices to allow the remote blocking or deletion of data in case of theft. Employees will not use their personal laptops or computers for Sematron purposes. All employees who need one are provided with their own secure login and password, and every computer regularly prompts users to change their password. Emails containing sensitive or confidential information are password-protected if there are insecure servers between the sender and the recipient.
Where circular emails are sent, they are sent blind carbon copy (bcc), so email addresses are not disclosed to other recipients. When sending confidential information by fax, staff will always check that the recipient is correct before sending.
Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same security procedures, e.g. keeping devices under lock and key. The person taking the information from Sematron premises accepts full responsibility for the security of the data. Before sharing data, all employees will ensure:
Sematron will not publish any personal information, including photos, on its website without the permission of the affected individual. When uploading information to the Sematron website or social media, staff are considerate of any metadata or deletions which could be accessed in documents and images on the site.
The Data Protection Officer is responsible for ensuring that continuity and recovery measures are in place to maintain the security of protected data.
In the event of a personal data breach, we have procedures in place to ensure that the effects of the breach are minimised, and we shall liaise with the ICO and with you as appropriate. All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of Sematron becoming aware of them.
Sematron understands that recording images of identifiable individuals constitutes processing personal information, so it is done in line with data protection principles. Sematron notifies all employees and visitors of the purpose for collecting CCTV images via signs around the building, in line with the CCTV policy. Cameras are only placed where they do not intrude on anyone's privacy and are necessary to fulfil their purpose. All CCTV footage will be kept for six months for security purposes; the Data Protection Officer is responsible for keeping the records secure and for controlling access to them.
The policy for retaining data will be regularly reviewed by the DPO.
Sematron may retain personal information indefinitely for the following purposes:
Requests under individuals’ rights will be recorded and audited regularly.
Personal data subject to removal will be de-identified and archived from use within the appropriate application, to ensure it is no longer used for the purposes for which it was obtained.
Some records relating to former employees may be kept for an extended period for legal and HMRC reasons.