1.1 We are committed to ensuring the secure and safe management of data we hold on you. We have a responsibility to comply with the terms of this policy, and to manage your data in accordance with this policy and any documentation referred to.
1.2 We gather and use certain information about you, as well as managing some data from a variety of other sources.
1.3 This Policy sets out our duties in processing that data, and the procedures for the management of such data.
2.1 It is our legal requirement that we process your data correctly and that we collect, handle and store personal information in accordance with the relevant legislation.
2.2 The relevant legislation in relation to the processing of data is:
(a) The General Data Protection Regulation (EU) 2016/679 (“the GDPR”).
(b) The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications).
(c) Any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union.
3.1 We hold a variety of Data relating to you, which is known as Personal Data. Your Personal Data held and processed by us is detailed within the “How we Use your Personal Information” (or Fair Processing Notice – FPN) which is found here.
4.0 Processing of Personal Data
4.1 We process your Personal Data on one of the following grounds (we never process Special Category Personal Information or Sensitive Personal Information):
So that we can deliver our service to you
To manage and improve our service that we provide for you
To help investigate any complaints you may have about our service
To check the quality of our service
To send you out information about our services
If we need to comply with a legal obligation
When processing is necessary for the purposes of legitimate interests
4.2 How we Use Your Personal Information – (Fair Processing Notice – FPN) sets out the Personal Data that we process and the basis for that Processing. To view this click here.
By being an R3 Direct Member, you have agreed to accept membership benefits and regular newsletters which contain information on services that you might find useful. That means that we don’t need your consent to let you know about our services as this forms part of the membership.
You can cancel your membership and its benefits at any time or edit your personal details by logging onto your online account https://www.r3direct.co.uk/auth/login. However, you can sign up to R3 Direct membership again at any time in the future.
If you have used R3 Direct but are not a member, we will not send you any further information on R3 Direct Services unless you ask us to do so.
6.0 Data Sharing
6.1 We may share your data with various third parties in order to help deliver our services to you. We monitor these third parties' compliance with the Data Protection Laws by entering into an agreement with them which governs the processing of data, the security measures to be implemented and responsibility for breaches.
6.2 Personal Data Sharing
6.2.1 Your Personal data may very occasionally be shared with third parties who require to process this data as well. Both we and the third party will process that data in our individual capacities as data controllers.
6.2.2 Where we share in the processing of your personal data with a third party organisation, we shall require the third party organisation to enter into a Data Sharing Agreement with us.
6.3 Data Processors
6.3.1 A data processor is a third party entity that processes your personal data on our behalf, and is frequently engaged in some of our outsourced work.
6.3.2 A data processor must comply with Data Protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a data breach has happened.
6.3.3 If a data processor wishes to sub-contract their processing, prior written consent from us must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
6.3.4 Where we contract with a third party to process your personal data, we shall require the third party to enter into a Data Protection Addendum Agreement with us.
7.0 Data Storage, Retention and Security
7.1 There's often a legal or a contractual reason for keeping your personal information for a set period of time. We will keep your information for the duration of providing a service to you and/or as long as you are an R3 Direct Member. When the service we have provided comes to an end, or if you end your R3 Direct membership, we will keep your personal data for a set time for auditing and reporting purposes and for legitimate interest purposes. After that time we will either anonymise or destroy your information.
You can ask for a copy of our Data Retention Schedule by e-mail to firstname.lastname@example.org
7.2 Paper Storage
7.2.1 If your Personal Data is stored on paper we will keep it in a secure place where unauthorised personnel cannot access it. We will ensure that none of your Personal Data is left where unauthorised personnel can access it. When your Personal Data is no longer required it will be disposed of.
7.3 Electronic Storage
7.3.1 Your Personal Data stored electronically will be protected from unauthorised use and access. Examples of our security include:
Password protection of documents if appropriate
Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
Training our staff to allow us to make them aware of how to handle information and how and when to report when something goes wrong
Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches)
8.1 A data breach can occur at any point when handling your Personal Data and we have reporting duties in the event of a data breach or potential breach occurring.
If you suspect your personal information or that of others may have been at risk of a data protection breach please tell us by using this link: click here (email@example.com)
8.2 Internal Reporting
8.2.1 We take the security of your data very seriously and in the unlikely event of a breach will take the following steps:
As soon as the breach or potential breach has occurred, and in any event on the same working day that it has occurred, the Data Protection Officer (DPO) will be notified of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s)
We will seek to contain the breach by whatever means available
Our DPO will consider whether the breach is one which requires to be reported to the Information Commissioner's Office (ICO) and all data subjects affected.
We will notify third parties in accordance with the terms of any applicable Data Sharing Agreements
8.3 Reporting to the ICO
8.3.1 Our DPO will require to report any breaches which pose a risk to your rights and freedoms, to the ICO within 72 hours of the breach occurring.
9.0 Data Protection Officer (“DPO”)
We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact our Data Protection Officer on 03000 999 247 or e-mail here (mailbox@R3repairs.co.uk)
10.0 Your Rights
10.1 You have certain rights under GDPR. You have the right to view your personal data held by us, and can request this by letter or e-mail.
10.2 You have a right to request a restriction of processing your data, a right to be forgotten and a right to object to our processing of your data.
10.3 Subject Access Requests
10.3.1 You have a right to view your data held by us upon making a request by letter or e-mail (a Subject Access Request).
In order to make a subject access request you may need to provide the following information:
Enough information to identify your records
If we have doubts about your identity or we are finding it difficult to locate your personal information we may ask you to provide us with proof of identity such as a copy of your passport or driving licence with signature.
We will respond to your Subject Access Request within one month of the date of receipt of the request:
We will provide you with an electronic or hard copy of the personal data that you have requested, unless any exemption to the provision of that data applies in law
Where the personal data requested comprises data relating to other data subjects, we will take reasonable steps to obtain consent from those other data subjects before releasing the requested information.
If we do not hold the information you have requested, we will tell you as soon as practicably possible, and in any event, not later than one month from the date on which the request was made
10.4 The Right to be Forgotten
10.4.1 You have the right to be forgotten by submitting a request in writing to ask that we erase your Personal Data in its entirety.
10.4.2 Your request will be considered on its own merits and legal advice may be required in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing your request and will respond in writing.
10.4.3 Where your personal information has been shared with others, we will do what we can to make sure those using your personal information comply with your request for erasure.
10.5 The Right to Restrict or Object to Processing
10.5.1 You may request that we restrict the processing of your Personal Data, or object to the processing of that data if:
You have identified inaccurate personal information, and have told us of it
We have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether
10.5.2 In the event that any direct marketing is undertaken from time to time by us, you have an absolute right to object to processing of this by us, and if we receive a written request to cease processing for this purpose, then we will do so immediately.
10.5.3 Your request will be considered on its own merits and legal advice may be required in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing your request.
11.0 Policy Review