General Data Protection Policy – UK ENERGY SOLUTION LTD
This data protection policy adheres to the requirements of the General Data Protection Regulations (GDPR) 2018 and applies to customer data, suppliers, business contracts, self-employed (sub)contractors and employees (data subjects).
The General Data Protection Regulations 2018
UK Energy Solution Limited acts both as a Data Controller and Processor.
Personal data includes any information relating to an identified or identifiable natural person. It includes data such as a name, contact details and location data, and can also include factors specific to the physical, economic, cultural or social identity of that person.
These rules apply regardless of whether data is stored electronically, on paper, or on other materials.
In compliance with the law, personal information must be processed lawfully, fairly and transparently, namely on one of the following bases:
- The data subject has given consent freely, by a clear, unambiguous, affirmative action, for one or more specific purposes.
- Processing is necessary to meet contractual obligations entered into by the data subject.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller.
- Processing is necessary to comply with the legal obligations of the controller.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary for tasks in the public interest or the exercise of authority vested in the controller.
- The data must be stored safely and not disclosed unlawfully.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- Used fairly and lawfully.
- Used for limited, specifically stated purposes.
- Used in a way that is adequate, relevant and not excessive.
- Kept for no longer than is absolutely necessary.
- Handled according to people’s data protection rights.
- Kept safe and secure.
- Not transferred outside the European Economic Area without adequate protection.
There is stronger legal protection for more sensitive information, such as:
- Ethnic background
- Political opinions
- Religious beliefs
- Sexual orientation
- Criminal records
The policy applies to all data that the Company holds relating to identifiable individuals, including:
- Postal address
- Email address
- Telephone numbers
- Financial information
- Any other information relating to individuals.
Risks to UK Energy Solution LTD
- Breaches of confidentiality
- Reputational damage
- Exposure to potential fines of up to £20,000,000
Everyone who works for or on behalf of UK Energy Solution LTD has a responsibility for ensuring data is collected, stored and handled appropriately.
General staff guidelines
- Personal data should not be shared with unauthorised individuals without the consent of the data subject.
- Data protection training is to be provided periodically to all staff by Directors / Senior Managers or other approved providers.
- Employees and self-employed individuals working on behalf of UK Energy Solution Limited must keep all relevant data secure.
- Strong passwords must be used on all IT equipment.
- Data should be regularly reviewed and updated and if no longer required it should be deleted or professionally disposed of.
- Data stored on paper must be stored securely to prevent unauthorised access.
- When files are not required, they should be kept in a secure place.
- Data that is no longer required needs to be shredded and disposed of securely.
- Data stored on removable media should be locked away and secure when not in use.
- Data should only be stored on designated drives and servers.
- Data should be backed up frequently.
- Data should never be saved directly to laptops or other mobile devices.
- All servers and computers containing data should be protected by approved security software and a firewall.
- When working with personal data, employees and self-employed agents should ensure the screens of their computers are always locked when unattended.
- Personal data should not be shared informally.
- Data must be encrypted before being transferred electronically.
- Employees should not save copies of personal data on their own personal computer.
- Data is to be held in as few places as necessary to reduce the risk of unauthorised access.
- Staff are to ensure all data is kept up to date.
- In some circumstances where we cannot service your enquiry directly, we may pass your enquiry to SolarPanelQuoter, who will contact you by telephone and email.
The GDPR provides the following rights for individuals:
- The right to be informed:
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
- The right of access:
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
- The right to rectification:
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure:
The right to erasure is also known as ‘the right to be forgotten’.
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- The right to restrict processing:
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another, in a safe and secure way, without hindrance to usability.
- The right to object:
Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and to direct marketing (including profiling).
The application of the above individual rights will be as directed by the Information Commissioner's Office (ICO) guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights
In the event of a data security breach we will implement our Breach Management Plan Protocol (BMPP), which covers:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach, if merited
- Evaluation and response
The application of the BMPP will be as directed by the Information Commissioner's Office guidance at https://ico.org.uk/media/fororganisations/documents/1562/guidance_on_data_security_breach_management.pdf.
In the event that a customer wishes to have their personal data removed, they should email email@example.com