This policy explains how Osmond Group Limited (The Company) collects, uses, stores and disposes of personal data in line with the General Data Protection Regulation (EU) 2016/679 requirements. This is generally referred to as GDPR. It is EU legislation effective from May 25th, 2018 and setting guidelines for the way personal data is handled and processed and the responsibilities of the data controller and data processors handling the data.
As defined by ICO (the Information Commissioner’s Office), a data controller determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a controller.
What do we mean by personal data?
Personal data means details which can identify an individual or could be used to identify an individual, such as a name, contact details or address.
What personal data does The Company hold?
The Company holds the following types of data:
- Personal information of customers, suppliers and third parties who work with us or handle services or products to / from us. This includes contact numbers and email addresses.
- Names and contact details, including email addresses, for individuals who have registered to receive marketing material, such as our monthly eBulletin (email newsletter).
- Brief special category data, such as individuals’ anthropometric (body measurement) data, disabilities and / or medical and postural conditions. This data may include an individual’s name, telephone number and / or email address for the purpose of visiting a client and carrying out services such as workstation and disability needs assessments.
How does the Company receive and collect data?
- Data controllers, third parties and people who work with us: Provided to us either at the time of opening an account with The Company, or to update us about relevant changes and additions, as well as orders and instructions to supply products and services.
- Marketing: Collated through events, exhibitions, meetings, online newsletters and social media where each individual’s consent has been received. Also allowing individuals to opt out, deregister or be anonymised or made invisible at any point.
- Individuals (general public): Provided directly by the individual or via an employer, legal entity, therapist or other healthcare professional with the data subject’s consent.
- Manufacturers: Directly from the manufacturer.
What lawful basis does the Company use to process data?
The Company processes data where the data subject or relevant company / body has given consent, or where processing is required for the performance of a contract or transaction. An example of this would be assessment visits for individuals who require guidance and advice about our products and / or services.
Who does the Company share data with?
The Company sometimes needs to share personal data with other organisations / persons and, or the individual themselves. Examples could be family members, manufacturers, couriers, professional or government bodies and external assessors.
Subject Access Request
The Company recognises that all data subjects have the right to know about what data The Company holds, stores, shares and processes about them, as set out in Article 15 (Right of access by the data subject) of GDPR. Data subjects are entitled only to information about themselves and not about others. A request can be made verbally or in writing. The Company will identify and act on the request within one month of receipt, as set out in the GDPR guidelines. However, if The Company feels that the individual’s request is uncorroborated The Company reserves the right to refuse or to charge accordingly. If a request is refused, The Company will explain to the individual why and inform them that they have the right to appeal to the Managing Director.
The Company understands that the individual has the following rights with regards to any personal data that is stored about them:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The right not to be subject to automated decision-making including profiling.
Data Security and Retention
The Company systems and devices are monitored and backed up continuously. All emails are encrypted (TLS) and any sensitive attachments have been replaced with a secure storage system providing individual document access via secure hyperlink. All employees receive training to reduce the possible risks involved in handling personal data and to ensure all data is handled in a secure environment.
The Company holds personal data for seven years, unless there is a requirement to do otherwise. For example if the transaction / contract involves a warranty which exceeds this period. Also if the personal data is requested to be disposed of The Company will act upon the request accordingly.
The Company understands the importance of, and need to identify, assess and respond to a breach (within 72 hours). The Company has a separate Data Breach Policy which provides an in depth explanation of procedures. A copy can be provided upon request.
Cookies / Website
The Company has a complaints procedure in place to ensure that all complaints are addressed and resolved effectively in an adequate timescale. Complaints can be received verbally in person or by phone, or in writing by email or post. The complaint will then be passed to the relevant Department Manager and / or Managing Director to action accordingly.
Policies and Procedures
Copies of the Company policies and procedures can be requested at any point by phone, email or in writing.
Registration with ICO
The Company is registered with the Information Comissioner’s Office (ICO) and you can view our registration here: https://ico.org.uk/ESDWebPages/Entry/Z8680716 or by visiting the ICO website at ico.org.uk and entering the following reference number: Z8680716.
Data Protection Officer
The Company has appointed a Data Protection Officer (DPO). The DPO can be contacted at email@example.com or by calling 0345 345 0898. It is also acceptable to write to:
The Data Protection Officer
Osmond Group Limited
21 Johnson Road
Ferndown Industrial Estate