Fair Processing Policy
All processing of information about data subjects within or by Strategic Maintenance Planning Ltd. is within the scope of this procedure.
The GDPR Owner is responsible for ensuring that the Fair Processing Notice is correct and that mechanisms exist for making all data subjects aware of the contents of this notice prior to Strategic Maintenance Planning Ltd. commencing collection of the their data. All staff that may need to collect personal data are required to follow this procedure.
3.1. Authorisation – Those responsible for processing personal data may only do so where this activity has been authorised by the GDPR Owner.
3.2. Informed – In particular, data subjects must be informed, prior to the collection of data, of the following information:
3.2.1. the identity of Strategic Maintenance Planning Ltd. (name contact details);
3.2.2. the purposes for which personal information will be processed;
3.2.3. how long the personal data will be stored, or the criteria under which it is stored;
3.2.4. a description of how (if at all) this information will be disclosed to third parties;
3.2.5. information about the individual’s rights relating to their personal data, including the right of access to personal information, right to withdraw consent, right to rectify personal data, right to have personal data erased, right to strict processing, the right to lodge a complaint with the Information Commissioner’s Office (ICO) https://ico.org.uk/
3.2.6. whether personal information is transferred outside the European Union, and whether the destination has been the subject of an adequacy decision or a reference to the safeguards in place;
3.2.7. details of any automated processing, such as profiling, that will be performed on the personal data supplied;
3.2.8. whether the personal data must be supplied to fulfil or enter into a contract, as well as whether there are any possible consequences of failing to provide personal data;
3.2.9. any other information that would make the processing fair.
3.3. Clarity – All such information provided to data subjects is in clear, plain language.
3.4. Inclusion – This information is contained in the Fair Processing Notice issued to all data subjects before Strategic Maintenance Planning Ltd. processes their data.
3.5. Marketing – Where personal information is collected for marketing purposes or might be used in the future for marketing purposes, the Fair Processing Notice shall include the following statement:
‘Marketing use: your personal information may be used for marketing purpose. You do not have to agree to this. If you object to the use of your personal data for this purpose, please email firstname.lastname@example.org and ask for removal of your details. All our electronic marketing material carries an unsubscribe option, so you can also unsubscribe at any time.’
3.6. Marketing Statement – Where Strategic Maintenance Planning Ltd. is collecting personal data for marketing purposes and has sought the specific consent of the data subject to this purpose, the Fair Processing Notice must carry the following clause:
‘Explicit consent to marketing use: you have given the Organisation explicit consent to use your personal information for [purpose]. You may withdraw this consent at any time, simply by emailing email@example.com. We will promptly withdraw your details from our marketing lists.’
3.7. Consent Withdrawal – The GDPR Owner shall incorporate procedures that indicate, where processing has been based upon consent and the consent is withdrawn, that consent has been withdrawn and that processing based on that consent will cease.
3.8. Deletion/Removal – The GDPR Owner is responsible for monitoring all requests for removal of withdrawals of consent and maintains a register of all such requests and ensures that all removals are completed within 30 days.
3.9. Consent Collection – The GDPR Owner is responsible for ensuring that, where other sectorial requirements or legislation require explicit consent for marketing, the Fair Processing Notice shall contain procedures for collecting this consent.
3.10. Sensitive Personal Information – Where sensitive personal information is being collected for a particular purpose(s), the GDPR Owner shall ensure that the Fair Processing Notice explicitly states the purpose(s) for which sensitive personal information is or might be used.
3.11. New Data Collection Methods – The GDPR Owner is responsible for ensuring that all new data collection methods are reviewed and signed off to ensure that such methods can be demonstrated as compliant with data protection legislation and good practice.
3.12. Fair Processing Notices
3.12.1. The GDPR Owner is responsible for maintaining a register of Fair Processing Notices which identifies for each Fair Processing Notice (FPN) the version number, the issue and withdrawal dates, the locations used and, by reference to the data collection purposes, the purposes for which personal data is collected. Any additional issues, such as simplified expressions, foreign language, other formats, designed to ensure that the target group can actually access and understand the FPN, are also described here.
3.13. Changes to the Use of Personal Data
3.13.1. Personal data may only be processed for the purpose for which it was originally corrected. All requests for changes to the use of personal data must be put in writing using plain language that is clear and concise which sets out the original purpose, the proposed new or additional purpose and the reason for the change.
3.13.2. The request must be approved by the GDPR Owner, who is also responsible for determining if additional consent must be sought from the data subject. Where additional consent is required, the GDPR Owner will determine the form that this consent must take and the process to be followed by Strategic Maintenance Planning Ltd. in informing the data subject about the new purpose and obtaining the data subject’s consequent consent. Where a relevant exemption applies, the GDPR Owner will identify this exemption in the authorisation to process.
In all cases, the GDPR Owner is responsible for amending the Data Inventory Record with details of the new purpose, cross-referenced to the Authorisation to Process.
3.14. Data Sharing
3.14.1. The GDPR Owner is responsible for ensuring that, where personal data is to be shared with a third party organisation, this sharing is compatible with Strategic Maintenance Planning Ltd.’s notification to the ICO and with the terms contained in its Fair Processing Notice.
3.14.2. The GDPR Owner is responsible for ensuring, where information is to be shared with a third party, that this sharing is compatible with the Fair Processing Notice previously made available to the data subject and any consent given by the data subject, and that a written agreement is drafted by Strategic Maintenance Planning Ltd.’s legal advisers and entered into by the third party, and that this agreement:
3.14.3. Describes both the purposes for which the information may be used and any limitations or restriction on the further use of the personal information for other purposes.
3.14.4. Includes an undertaking from the third party or other evidence of its commitment to processing the information in a manner which will not contravene the DPA.
3.14.5. Where the law allows data to be shared without the data subject’s consent, the agreement contains specific safeguards/controls to protect the personal information in the context of the GDPR.
3.14.6. The GDPR Owner is responsible for ensuring, where data collected by Strategic Maintenance Planning Ltd. is matched with other data to create data profiles that these profiles are only used within the context of its notification to the ICO and with what the data subject has consented to.
The GDPR Owner is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the GDPR.
A current version of this document is available to directors of Strategic Maintenance Planning Ltd. and is published on SharePoint.
This procedure was approved by the Managing Director on 13th March 2018 and is issued on a version controlled basis under his signature.