Privacy Policy
General Data Protection Policy
Purpose
C J Lang & Son Limited recognises that the General Data Protection Regulation (GDPR) and the current Data Protection Act (DPA) regulate electronic data, CCTV and the images they capture, as well as manual data/records. The purpose of this policy is to put measures in place to ensure that legislative compliance is maintained and that individuals’ data is kept safe, with no data breaches, and that their privacy is treated with respect.
Policy
C J Lang policy is to ensure legislative compliance in its obtaining, collecting, storing, sharing, updating, analysing, handling, retaining and deleting of personal data through following the eight enforceable principles of GDPR/DPA. The principles are as follows:
Personal Data shall be:
* processed lawfully, fairly and in a transparent manner in relation to individuals;
* collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
* adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
* accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
* kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
* processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
For the purposes of GDPR/DPA the principal “Data Controller” is C J Lang & Son Limited and they will decide the purpose and manner in which data is processed.
The Company will also, on many occasions, be the “Data Processor”, since it decides how the data is processed, e.g. payroll. However, there will be occasions where the “Data Processor” is a third party, e.g. a pension provider.
This policy will be the General Data Protection Policy for C J Lang and Son Limited but it will be further supported by the following:
* Data Protection Policy Addendum - CCTV and Images: due to the specialist nature of this type of data and the sensitivities and legal requirements set by the Information Commissioner’s Office (ICO) and the respective Code of Practice, the Company sets out its treatment of such data in that policy.
* Privacy Statement - Our People: given that we employ around 2000 employees, there is a need to expand on the Company’s responsible handling of their data.
* Privacy Statement - Customers, Retailers and Suppliers: business-to-business customers and suppliers who may supply personal identifying information need to understand how we handle their data. Consumers who may take up our complaints process, or who have signed up to a loyalty scheme, need a deeper understanding.
Scope
GDPR and the current Data Protection Act are concerned with personal identifying data: name, address, date of birth, telephone numbers, e-mail address, facts, comments and opinions about an individual, etc. The legislation goes further and specifies “special category data”, such as race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (if used for ID purposes); health; sex life; or sexual orientation, since these are more sensitive data which need a higher level of protection. The Company also includes images taken from its CCTV cameras and photographic images taken for marketing purposes. Additionally, the Company will process data about criminal convictions, as permitted by the Rehabilitation of Offenders Act, in order to satisfy alcohol licensing law requirements and to protect other employees, its customers and its assets.
Data Protection Officer
A “Data Protection Officer” (DPO) is appointed by the Company. This role is held by the Company Secretary with the important remit to protect “personal identifying information” and lead the Company to ongoing GDPR/DPA legal compliance.
Implementation
Standards are set and procedures put in place by the Data Protection Officer who acts as the Company’s representative on all matters relating to GDPR/DPA.
In terms of the specialist area of CCTV and Images there is delegated responsibility to the Company’s Security Manager for achieving high standards of CCTV management. The Data Protection Officer will work closely with the Security Manager to ensure legislative compliance in this area.
Lawful basis for processing data
Before the Company begins any data processing activity it will establish the lawful basis or bases for doing so, as set out in GDPR/DPA, and will document the reason for that decision. The lawful bases are as follows:
* Legitimate interest - the processing is necessary for C J Lang’s legitimate interest, e.g. payroll processing, or for the interests of a third party, e.g. a pension provider, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests;
* Consent - permission has been freely given by an individual and is explicit (it states clearly and in detail, leaving no room for confusion or doubt), usually for a specific purpose, e.g. a medical access report request;
* Contract - the processing is necessary to meet a contract the Company has with an individual, or the individual has asked the Company to take specific steps before entering a contract;
* Legal obligation - the processing is necessary for the Company to comply with the law (not including contractual obligations);
* Vital interests - the processing is necessary to protect someone’s life;
* Public interest - the processing is necessary because it is in the public interest and the processing task has a clear basis in law.
C J Lang will explain its lawful reason for general processing of data in the Privacy Statements. However, from time to time there will be specific data requiring processing of a different nature, e.g. an employee medical report request, customer complaints, and trade customers. These consents will be logged/documented separately.
Individual rights
GDPR/DPA sets out the following rights for individuals and their data. Individuals have:
* the right to be informed - providing fair processing information through a privacy notice or statement;
* the right of access - individuals can access their personal data;
* the right to rectification - if data is inaccurate or incomplete, it can be rectified;
* the right to erasure - an individual can request deletion or removal of data where there is no compelling reason for its continued processing;
* the right to restrict processing - the individual can “block” or suppress/restrict processing of data;
* the right to data portability - allows individuals to obtain and reuse their personal data for their own purposes across different services;
* the right to object - if processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority; direct marketing; or processing for the purposes of scientific/historical research and statistics;
* the right not to be subject to automated decision-making, including profiling - this can only be carried out if it is necessary for the performance of the contract; authorised by European or UK state law; or based on an individual’s explicit consent.
In the course of your work you may come into contact with and use confidential information about people, such as names and addresses or even information about a customer’s circumstances, family, health and other private matters. Strict rules set by the GDPR/DPA are in place to protect that information from being used in the wrong way. Similarly, the Company holds personal data about you. You can help by ensuring that this is kept up to date, e.g. on a change of address. In addition, you have two further rights under GDPR/DPA. Firstly, you can request that the Company prevents processing of data likely to cause substantial and unwarranted damage or distress to you and, secondly, you can request that the Company prevents any automatic decision-taking in relation to you.
How does C J Lang keep data secure?
The Company protects personal data with appropriate technical, organisational and procedural measures:
* The IT department maintains a suite of data and cyber security controls to prevent outside hacking/intrusion and theft of personal data;
* The risk assessment of potential data leaks is regularly reviewed;
* Internal security measures, ranging from physical to electronic controls, are in place to prevent unauthorised access to personal identifying information;
* A data security awareness information and training course is available for each line manager and their staff to make them aware of their responsibilities.
Data Retention
C J Lang will follow legislative retention periods and, where applicable, best practice retention periods set for the various types of data containing personal identifying information. For example, HR records will be kept for 6 years after the employment ceases. In the case of CCTV, please refer to the Data Protection Policy Addendum - CCTV and Images for more information on the retention period.
Data Subject Access Request Procedure
GDPR/DPA gives an individual the right to find out what information is held about them by C J Lang. The individual can also verify the lawfulness of the processing. This process of data access is described as a Data Subject Access Request. The applicable procedure is as follows:
Any request must be submitted by the individual either electronically or in writing and should be accompanied by information that confirms the individual’s identity to the Company before we take action to comply with the request. You can do this by providing a copy of your passport or photo card driving licence. The request and accompanying detail should be sent to:
Data Protection Officer
C J Lang & Son Limited
Head Office
78 Longtown Road
Dundee
DD4 8JU
or by e-mail to dpo@cjlang.co.uk
The Company will provide the requested information within one month of receipt of the original request. There is no charge for a reasonable request. However, where the request is complex or numerous, the Company will extend the period of compliance by a further two months. If this is the case, C J Lang will inform you within one month of receipt of the original request and explain why the extension is necessary.
For requests that are manifestly unfounded or excessive, the Company will either charge a reasonable fee, taking into account the administrative costs incurred, or refuse to respond; in the latter case it will explain why to you within one month at the latest and inform you of your right to complain to a supervisory authority, such as the Information Commissioner’s Office (ICO), and to seek a judicial remedy without undue delay.
Where C J Lang processes a large quantity of information about an individual and the request is for a large amount of personal data, GDPR/DPA permits the Company to ask the individual to specify the information that the request relates to.
Before any Data Subject Access request is processed the Company must verify the identity of the person making the request. If the ID of the requester cannot be verified, the Company will not comply with the request.
If the request is made in writing, the Company will provide the information on portable media in a commonly used electronic format and send it by mail to the address given in the request.
Upon receipt of the data you may request to have the personal data rectified, particularly if it is inaccurate or incomplete. Where there is no compelling reason for the data’s continued processing, you can request deletion or removal. You also have the right to request the “blocking or suppressing” of processing of personal data.
Data Breaches
A personal data breach means a breach of data security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Any such leakage is unacceptable to C J Lang and will be investigated immediately. The following procedure will be invoked should individuals and/or employees discover such an event:
Notification of breach - details of any breach should be reported immediately to the Data Protection Officer by writing to the mail or e-mail address given above.
Acknowledgement - the DPO will promptly acknowledge receipt of the breach notification.
Investigation - the DPO will initiate an investigation into the raised complaint/concern.
Notifying the Information Commissioner’s Office (ICO) - the Company is obliged to notify the ICO where a breach is likely to result in a risk to the rights and freedoms of individuals. This is a notifiable breach. For example, a loss of customer details where the breach may leave individuals open to identity theft must be reported to the ICO. On the other hand, the loss of, or inappropriate alteration of, a staff telephone list would not normally need reporting to the ICO.
A notifiable breach will be reported by the DPO to the ICO within 72 hours of C J Lang becoming aware of the breach. The notification will include the categories and approximate number of individuals affected and the categories and approximate number of personal data records concerned. A description of the likely consequences of the data breach will also be given, together with a description of the control measures taken or to be taken to mitigate any possible adverse effects.
High risk to the rights and freedoms of individuals - if the breach presents a high risk to the rights and freedoms of individuals, the Company must directly notify all affected individuals.
Breach resolution - once the data breach has been established, the DPO will resolve the breach and close any gaps in our data security management.
Feedback - the Company will inform the individual(s) in writing that the matter has been investigated, what the findings of the investigation were and what remedies have been applied to resolve the data breach.
Appeal - if employees are unhappy with the feedback from the DPO, they can appeal and take the matter further by writing to the Director of their respective division. The grounds of appeal should be outlined and, once received, will be considered by the responsible Director. The appeal will be acknowledged. The appeal may or may not be upheld. Any decision made by the Director will be final.
Non-employees can write to the Chief Executive Officer. The grounds of appeal should be outlined and, once received, will be considered by the CEO or their nominated senior deputy. The appeal will be acknowledged. The appeal may or may not be upheld. Any decision made by the Chief Executive or their senior deputy will be final.
Evaluation and review - C J Lang will evaluate any data breach, whether notifiable to the ICO or not, to enable continuous improvement of its data security management. Where a review highlights improvement(s), these will be put into effect.
Line Management Obligations
Line management should ensure that any information gathered, held or processed about employees, customers or suppliers at local level:
* is treated as confidential and held securely, with access strictly controlled;
* is kept up to date;
* is not disclosed irresponsibly;
* is accurate;
* has a genuine and relevant business purpose;
* is destroyed in an appropriate manner when no longer relevant.
They should also pay particular attention to the risks of transmitting confidential employee information by e-mail, and encrypt any such documents.
Marketing and GDPR
The Privacy and Electronic Communications Regulations (PECR) are self-standing legislation separate from GDPR/DPA. GDPR/DPA broadly governs the processing of any personal data for any purpose, whereas PECR applies specifically to electronic mail, text messages, telephone calls and fax messages used for direct marketing and business/commercial communications.
The GDPR overlap is where “consent” for a legal basis to process data is required. The valid consent should be freely given, specific and informed. It should be given without any ambiguity and by a statement of clear affirmative action. The individual should be able to withdraw their consent at any time and request to be forgotten should they so wish. This may refer to direct or e-marketing activity towards retailers, customer loyalty type schemes, etc.
Photography and GDPR - where a photograph is taken in connection with issuing a security pass, the legal basis for processing will be legitimate interest, possibly contractual obligation, or legal purposes (e.g. applying for a personal licence). Where a photograph is to be used for external marketing purposes, “consent” is required from the individual(s). For children under 18 there must always be parental consent. For adults, consent should be obtained before the photos are taken, unless the individuals appear only incidentally, having been inadvertently captured in the photograph.
Review
The policies and the associated Privacy Statements will be reviewed annually to ensure they remain up to date, reflect best practice and maintain legislative compliance.