Sematron UK Limited (Sematron) is a Business to Business (B2B) supplier of products and services.  Sematron is committed to the protection of the necessary personal information which we hold relating to our stakeholders.  This Privacy Policy outlines Sematron’s management of personal data in compliance with the General Data Protection Regulation 2018 (GDPR).

The principle behind our GDPR Policy is that we shall only hold personal data where we have a contractual or legitimate reason to do so; we shall only retain it for as long as it is necessary and we retain a contractual or legitimate reason to do so and we shall only permit those individuals in our organisation, or those of our suppliers, to see the personal data where there is a contractual or legitimate reason to do so.

The nature of the personal data which Sematron holds is dependent on the relationship of the stakeholder, or data subject to Sematron’s business and may be categorised into three groups

• Customers
• Suppliers
• Employees

Full details of what type of data we hold for each group and how we protect this data is described later in this Policy.  However, it will be shown that, with the exception of our own employees, the personal data that we hold for our other stakeholders is not of a highly sensitive nature.  Nonetheless, we protect it securely.

Sematron have never, and will, never sell personal data to third parties.

This Policy is in place to ensure that all staff and the relevant suppliers are aware of their responsibilities and outlines how Sematron complies with the core principles of the GDPR.

Applicable Data

For the purpose of this Policy, personal data refers to information that relates to an identifiable, living individual.  The GDPR applies to both automated personal data and to manual filing systems.

Customer information

Data that the Company will process for customers may include

• name (first name, surname)
• salutation (Mr, Mrs, Miss, Ms)
• job title
• email address
• telephone number
• location and/or place of work
• interest (product)

Suppliers' information

Data that the Company will process for suppliers may include

• name (first name, surname)
• salutation (Mr, Mrs, Miss, Ms)
• job title
• email address
• telephone number
• location and/or place of work

Employees' personal information

Relevant personal data throughout recruitment and employment and for as long as is legally necessary (currently 6 years) after the termination of employment.  Full details are available to employees in the Employee Privacy Notice.

Management of information

Information is held for the following reasons

• customers: provision of quotations, the fulfilment of a contract, after sales support contracts and e-marketing
• suppliers: purchasing, fulfilment of a contract, provision of services and employee benefits
• employees: legal requirement of employment, provision of employee benefits and HMRC

Information may be stored in hard copy, soft copy or both.

The following Third Parties have access to personal information Sematron holds: Company Accountant, IT Support provider, Business Management System provider, Sematron suppliers.  These companies have confirmed compliance to GDPR.

Accountability Data Protection Officer

The Data Protection Officer (DPO) is responsible for ensuring the education of the Company and its employees relating to compliance requirements, training employees involved in data processing, and conducting regular security audits.  The DPO also serves as the point of contact between the Company and any Supervisory Authorities that oversee activities related to personal data.

The DPO’s responsibilities include, but are not limited to, the following

• educating the Company and employees on important compliance requirements
• ensuring compliance of third party suppliers
• training employees  involved in data processing
• conducting audits to ensure compliance and address potential issues proactively
• serving as the point of contact between the Company and GDPR Supervisory Authorities
• monitoring performance and providing advice on the impact of data protection efforts
• informing data subjects about how their data is being used, their rights to have their personal data erased, and what measures the Company has put in place to protect their personal information
• maintaining comprehensive records of all communications received from data subjects and actions taken
• assessing requests and instructions for processing data for validity and lawfulness and advising data subjects accordingly

Lawful Processing

Under the GDPR, data will be lawfully processed under the following conditions

• for the purposes of legitimate interests, except where such interests are overridden by the interests, rights or freedoms of the data subject
• for the performance of a contract with the data subject or to take steps to enter into a contract
• compliance with legal and regulatory obligations
• protecting the vital interests of a data subject or another person

In the case of sensitive data processing will only take place under the following conditions

• explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
• processing relates to personal data manifestly made public by the data subject

Data Security

Sensitive paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access.  Sensitive paper records will not be left unattended or in clear view anywhere with general access.  Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.  Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use.  Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted.

All mobiles and laptops are password-protected to protect the information on the device in case of theft.  Where possible, Sematron enables electronic devices to allow the remote blocking or deletion of data in case of theft.  Employee’s will not use their personal laptops or computers for Sematron purposes.  All necessary employees  are provided with their own secure login and password, and every computer regularly prompts users to change their password.  Emails containing sensitive or confidential information are password-protected if there are unsecure servers between the sender and the recipient.

Where circular emails are sent, they are sent blind carbon copy (bcc), so email addresses are not disclosed to other recipients.  When sending confidential information by fax, staff will always check that the recipient is correct before sending.

Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security, eg, keeping devices under lock and key.  The person taking the information from Sematron premises accepts full responsibility for the security of the data.  Before sharing data, all employees will ensure:

• they are allowed to share it
• that adequate security is in place to protect it
• who will receive the data has been outlined in a Privacy Notice.  Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of Sematron containing sensitive information are supervised at all times.  The physical security of Sematron’s buildings and storage systems, and access to them, is reviewed on a termly basis.  If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.  Sematron takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action in accordance with the Company handbook

Sematron will not publish any personal information, including photos, on its website without the permission of the affected individual.  When uploading information to the Sematron website or social media, staff are considerate of any metadata or deletions which could be accessed in documents and images on the site.

The Data Protection Officer is responsible for continuity and recovery measures are in place to ensure the security of protected data.

In the event of a personal data breach we have in place procedures to ensure that the effects of such breach are minimised and shall liaise with the ICO and with you as appropriate.  All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of Sematron becoming aware of it.

CCTV

Sematron understands that recording images of identifiable individuals constitutes as processing personal information, so it is done in line with data protection principles.  Sematron notifies all employees and visitors of the purpose for collecting CCTV images via signs around the building in line with the CCTV policy.  Cameras are only placed where they do not intrude on anyone’s privacy and are necessary to fulfil their purpose.  All CCTV footage will be kept for six months for security purposes; the Data Protection Officer is responsible for keeping the records secure and allowing access.

Data Retention

The policy for retaining data will be regularly reviewed by the DPO.

Sematron may retain personal information indefinitely for the following purposes

• if it is subject to a contract either previously or in the future
• potential e-marketing opportunities
• ensuring data subjects preferences and request under individuals rights are maintained

Requests under individuals’ rights will be recorded and audited regularly.

Personal data subject to removal will be de-identified and archived from use within the appropriate application to ensure it is no longer used for the purposes obtained.

Some records relating to former employees may be kept for an extended period for legal and HMRC reasons.