Data Protection Policy
June 2024
Preamble
The purpose of this Data Protection Policy is to ensure the confidentiality, integrity, availability and authenticity of data on behalf of data subjects, as well as the Company in each phase of data processing.
To achieve this goal, legal provisions governing the protection of personal data need to be complied with and suitable technical and organisational measures have to be implemented as well.
All employees must be aware of the risks associated with technical systems and communications technologies and take utmost care when processing personal data.
1. Significance, Aim, Accessibility
These guidelines:
- are the binding basis for a sustained and legally compliant protection of personal data in the Company;
- aim to guarantee and protect the privacy rights of data subjects; and
- shall be easily accessible to employees at all times.
2. Scope
- These guidelines apply to all people working at the Company. This includes all employees, contract staff and trainees.
- The obligations and prohibitions contained in these guidelines apply to all dealings with personal data, in both electronic and paper form. They also refer to all categories of data subjects (employees, customers, interested third parties, suppliers, service providers, etc.).
3. Definitions
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘special categories of personal data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- ‘data subject’ means an identified or identifiable person whose personal data are processed by the C
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4. Responsible Person
The contact details for the person responsible for data protection within our organisation are as follows:
- Responsible person: Dave Davies
- Email: David.Davies@dvs.co.uk
- By Post: DVS Ltd. Unit 3, Vanguard Way, Neptune Point, Cardiff. CF24 5PG
5. Principles for Processing Personal Data
- Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
6. Special Categories of Personal Data
In principle, special categories of personal data may only be processed where the data subject has consented to such processing, or based on explicit, legal permission. Moreover, additional technical and organizational measures (e.g. encryption during transmission, minimal assignment of rights) are to be taken to protect special personal data.
7. Accountability
- In order to document the lawfulness of the data processing, and especially compliance with the principles of Sections 5 and 6 of this policy, all documents relevant to data protection should be stored in such a manner that they can be retrieved in full without delay.
- A record of all processing activities for which the Company is responsible is to be kept. This record contains all the details required under Article 30 of the UK
- Where a type of processing (particularly if using new technologies, and taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk to the rights and freedoms of natural persons, then prior to the processing, a Data Protection Impact Assessment (DPIA) of the envisaged processing operations upon the protection of personal data shall be carried out. The DPIA is to be compiled in compliance with Article 35 of the UK
- The Responsible Person shall review these guidelines at least annually or as the need arises, and shall inform the Board of both their effectiveness and of any changes required.
8. Processor
- Service providers and suppliers with possible access to personal data should be carefully selected prior to placing the mandate. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the relevant Data Protection Laws and ensure the protection of the rights of the data subject.
- The selection of service providers and suppliers is to be documented and should take account of the following aspects:
  - the contractor’s specialist suitability for the specific dealings with data;
  - technical-organisational measures;
  - experience on the market; and
  - other aspects relating to the reliability of the provider (data protection documentation, readiness to cooperate, reaction times, etc.).
- Prior to mandating a provider, the Responsible Person is to be informed to enable them to check whether the mandatory contract pursuant to Article 28 of the UK GDPR has been concluded.
- Agreements with service providers and suppliers are to be stored in order to verify that agreements have been concluded pursuant to Article 28 of the UK GDPR and enabling the contents of agreements to be inspected.
- Processors are to be checked at regular intervals in terms of the contractually agreed technical and organisational measures. Results are to be documented.
9. Data Transfer
- Personal data may only be transferred to third parties given legal permission or the consent of the data subject.
- If the recipient of personal data is located outside of the UK, the European Union or the European Economic Area, special measures shall be taken to protect the rights and interests of data subjects. The parties shall refrain from transferring data if the third country in which the recipient is located does not provide an adequate level of data protection or there are no other suitable guarantees. Such a guarantee must be included in standard data protection clauses concluded with the recipient.
10. Personal Data Breach
- In the event of personal data breaches, such as the loss of data following an IT breach, a report has to be submitted to the relevant data protection supervisory authority within 72 hours. Provided that the conditions of Article 34 of the UK GDPR have been met, data subjects affected by the breach also have to be informed.
- The department responsible for the personal data breach within the Company shall propose measures to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. If measures cannot be deferred, they are to be instigated immediately. All measures are to be documented.
- If a report can be waived, the reasons for this are to be documented pursuant to Article 34(3) of the UK
11. Rights of Data Subjects
- Data subjects, especially employees, customers and contact persons at service providers and suppliers, have rights with regard to the transparency of processing (in particular, to information pursuant to Articles 13 and 14 of the UK GDPR, and access pursuant to Article 15 of the UK GDPR), to the accuracy of the processing (in particular the right to rectification pursuant to Article 16 of the UK GDPR, to erasure pursuant to Article 17 of the UK GDPR and to restricting processing pursuant to Article 18 of the UK GDPR) and to restrictions of processing (in particular the right to object pursuant to Article 21 of the UK GDPR).
- The Company shall support data subjects in exercising their rights.
- When processing requests, the data subject’s identity is to be determined beyond doubt.
- The Company shall take appropriate measures to provide any information referred to in Articles 13 and 14 of the UK GDPR and any communication under Articles 15 to 22 and 34 of the UK GDPR relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language within legal deadlines.
- The Company shall take appropriate measures to prevent any further processing if a data subject exercises their right to object (Article 21 of the UK GDPR).
- Any supply of information shall be documented.
12. Complaints
- Data subjects can complain about the processing of their personal data should they feel that the processing has infringed their rights. Employees can register breaches of these guidelines at any time.
- Complaints are dealt with in a reasonable time and justified complaints are redressed.
- Employees can contact the Responsible Person at any time (contact details can be found in Section 4). If necessary, an escalation process shall be set up for complaints from other data subjects. As part of this process, the Responsible Person shall handle complaints that are upheld following the Company’s initial response.
13. Requests for Information from Third Parties concerning Data Subjects
Should third parties, in particular public authorities, request information about data subjects, for example about customers or the Company’s employees, the information may only be forwarded if:
- a legal norm obliges the company to provide information, or
- the company has a legitimate interest in forwarding the information, and
- the identity of the enquiring third party is clear beyond doubt.
14. Awareness and Training
- Employees involved in processing procedures are to be made aware of data protection in a suitable manner.
- Appropriate training courses will be undertaken and employee participation documented.
15. Confidentiality
Employees are not permitted to process personal data in an unauthorised manner, and are obliged in writing to maintain confidentiality prior to taking up their tasks. This obligation, imposed by corporate management, shall refer in particular to the criminal provisions of data protection law.
- If employees are subject to particular obligations of confidentiality – especially telecommunications secrecy – the corporate management shall impose further obligations.
16. Security of Processing
Considering the state of technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Among other things, these measures include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of data processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Technical and organizational measures are to be continuously documented.
17. Breaches of the Policy
- Breaches of this Policy shall be handled in accordance with the Company’s Disciplinary Policy and Procedures.
18. Changes to this Policy
- We reserve the right to update this policy at any time, and We will provide You with a new privacy notice when We make any substantial updates. We may also notify You in other ways from time to time about the processing of Your personal information.
- Taking account of the continuing development of data protection law and of technological and organisational changes, these guidelines are regularly checked for any adaptations or supplements that may be required.
- Informal amendments to these guidelines are effective. Employees and executives are to be informed immediately and appropriately of any changes made.