Spearhead Machinery Ltd – Data Policy
1.0 Introduction and background
The purpose of this policy is to outline how Spearhead Machinery Limited has established measures to maintain compliance with the EU General Data Protection Regulation.
The policy contains two components:
Section 2.0 – measures to re-enforce accountability and governance measures
Section 3.0 – measures to demonstrate the protection of information rights of the data subject.
This policy is reviewed and updated annually by the Spearhead Machinery Data Compliance Officer who can be contacted via firstname.lastname@example.org.
Article 5 of the GDPR requires that personal data shall be:
- “a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
In addition, there is a requirement that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
2.0 Accountability and governance
This policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with the General Data Protection Regulation. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.
This section on accountability and governance considers:
- Roles and responsibilities – the responsibilities of the Chief Executive, Data Compliance Officers, information owners and general employees.
- Documentation – Spearhead Machinery Limited’s requirements in respect of documenting processing.
- Data protection by design and default – Spearhead Machinery Limited’s requirements for Data Protection Impact Assessments.
- Lawful basis for processing – Spearhead Machinery Limited’s policy on determining the basis for processing.
- Security – security policy measures designed to protect information confidentiality, integrity and availability.
- Contracts – the measures that should be in place to ensure contractual relationships maintain GDPR compliance.
- International transfer – oversight measures for international transfer of data.
- Data breaches – principles for detecting and responding to data breaches.
2.1 Roles and responsibilities
- Spearhead Machinery Ltd has a ‘Data Compliance Officer’ (DCO).
- The DCO’s responsibilities include:
  - Informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  - Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  - Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
- The DCO reports to the Chief Executive on a quarterly basis.
- The Chief Executive reports to Alamo Inc annually.
- All employees of Alamo Group Europe Ltd and its subsidiaries are responsible for adhering to this policy.
2.2 Documentation
- Where Spearhead Machinery Ltd is a controller for personal data, Spearhead Machinery Ltd maintains documentation in a manner consistent with Article 30(1) of the GDPR.
- Where Spearhead Machinery Ltd is a processor for personal data, Spearhead Machinery Ltd maintains documentation in a manner consistent with Article 30(2) of the GDPR.
- If Spearhead Machinery Ltd processes special category or criminal conviction and offence data, Spearhead Machinery Ltd documents:
  - the condition for processing under the Data Protection Bill;
  - the lawful basis for processing; and
  - whether the personal data is erased and retained in accordance with Spearhead Machinery Ltd policy.
- Spearhead Machinery Ltd conducts regular reviews of the personal data processed and updates documentation accordingly.
2.3 Data protection by design and default
- Spearhead Machinery Ltd carries out a Data Protection Impact Assessment (‘DPIA’) when:
  - using new technologies; and
  - the processing is likely to result in a high risk to the rights and freedoms of individuals.
- The decision of whether to conduct a DPIA is supported by a documented risk assessment and is endorsed by the Data Compliance Officer.
2.4 Lawful basis for processing
- The lawful basis for processing must be considered and documented in line with the ‘Documentation’ section of this policy.
- With new systems or processes, Spearhead Machinery Ltd must determine the lawful basis and purpose of processing before beginning processing (usually as a part of the DPIA).
- The Spearhead Machinery Ltd public privacy notice includes the lawful basis for processing as well as the purposes of the processing.
2.5 Security
- Spearhead Machinery Ltd has defined and implemented an Information Security Procedure and supporting management system to maintain effective and proportionate security.
2.6 Contracts
- Whenever Spearhead Machinery Ltd acts as a controller, a written contract must be in place with the processors. Standards to be applied to the contracts have been defined by the Information Commissioner’s Office.
- Whenever Spearhead Machinery Ltd acts as a processor, Spearhead Machinery Ltd must only act on the documented instructions of a controller (as specified in a valid written contract). Standards to be applied to the contracts have been defined and are documented by the Information Commissioner’s Office.
- On an annual basis, the DCO will review third party relationships to determine the risk posed by processing. This will be documented as a part of a DPIA.
- Based on this assessment, the DCO will determine the most appropriate means to validate that contractual obligations in relation to data processing are being adhered to.
- The DCO will present this assessment, and the results of compliance visits, to the Chief Executive at least annually.
2.7 International transfers
- Requests for international transfer of data must be submitted to the DCO.
- The DCO must record requests for international transfer received.
- The DCO will consider the DPIA in relation to this transfer and the appropriate means of adopting safeguards.
2.8 Data breaches
- The DCO must be notified of all breaches to this policy as soon as possible.
- The DCO must record breaches and work with the information owner to consider the likely impact of the breach.
- Where a breach is considered notifiable to the Information Commissioner, the DCO must immediately inform the Chief Executive.
- A notifiable breach has to be reported by the DCO to the relevant supervisory authority within 72 hours of Alamo Group Europe and its subsidiaries becoming aware of it. The notification must contain:
  - The nature of the personal data breach including, where possible:
    - the categories and approximate number of individuals concerned; and
    - the categories and approximate number of personal data records concerned.
  - The name and contact details of the data protection or other contact point for more information.
  - A description of the likely consequences of the personal data breach.
  - A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
- Where a breach is likely to result in a high risk to the rights and freedoms of individuals, Alamo Group Europe Ltd and its subsidiaries will notify those concerned directly.
- The DCO must present an analysis of breaches and near misses to the Chief Executive at least annually.
- All employees must be trained to recognise and escalate breaches.
2.9 Compliance and reporting
- The DCO is responsible for developing a compliance monitoring plan for this policy.
- The compliance monitoring plan should be submitted to the Chief Executive for approval at least annually.
- Progress in delivering the plan, exceptions noted, breaches and near misses, and updates on progress to address material deviations from compliance with the policy must be reported by the DCO to the Chief Executive at least quarterly.
2.10 Training and awareness
- Employees must be trained on the requirements of this policy at least annually.
3.0 Individual rights
- The GDPR provides the following rights for individuals:
  - The right to be informed
  - The right of access
  - The right to rectification
  - The right to erasure
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - Rights in relation to automated decision making and profiling
3.1 Right to be informed
- Spearhead Machinery Ltd maintains a privacy notice and publishes it publicly.
3.2 Right of access
- All requests from subjects for access to their data should be submitted immediately to the Data Compliance Officer (DCO). The DCO must log the request and will:
  - Consider whether the request is manifestly unfounded or excessive;
  - Request copies of information held from information owners within Spearhead Machinery Ltd, and review the information to ensure it does not impair the privacy of another data subject;
  - Consider whether the request warrants a fee (if it requires a significant amount of data); and
  - Respond to the original request.
- A response to the request must be provided without delay and at the latest within 30 days of receipt. In the event the request is particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DCO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
- Performance against the response target of one month must be reported to the Chief Executive at least annually.
3.3 Right to rectification
- Requests for rectification must be treated in the same way as requests for access. The following additional measures will apply:
  - If Spearhead Machinery Ltd has disclosed the personal data in question to third parties, the DCO must inform them of the rectification where possible.
  - The DCO must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
  - The information owner will be responsible for ensuring that requests for rectification are actioned on the information they are responsible for.
  - The DCO will be responsible for validating whether requests for rectification have been properly addressed.
3.4 Right to erasure
- Spearhead Machinery Ltd can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
  - to exercise the right of freedom of expression and information;
  - to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
  - for public health purposes in the public interest;
  - for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  - for the exercise or defence of legal claims.
- Requests for erasure of data should be submitted immediately to the DCO and will follow the same principles as for right to access and right to rectification.
- If Spearhead Machinery Ltd has disclosed the personal data in question to third parties, the DCO must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
3.5 Right to restrict processing
- Requests to restrict processing will be submitted to the DCO and will follow the same principles as for the right of access and the right to rectification, with the following additional requirement:
  - The DCO must inform individuals when Spearhead Machinery Ltd decides to lift a restriction on processing.
3.6 Right to data portability
- Requests for data under the right to data portability must be submitted to the DCO.
- The DCO is responsible for recording these and requesting the information from the information owner(s).
- The DCO will also review the data to ensure the privacy of other data subjects is not adversely impacted.
- The DCO will provide the personal data in a structured, commonly used and machine readable form, submitted using a secure transfer mechanism.
- The information will be provided within one month of the original request.
- Performance against this timescale must be reported by the DCO to the Chief Executive at least annually.
3.7 Right to object
- Requests that object to processing must be submitted to the DCO.
- The DCO is responsible for recording and assessing these.
- Where instructed by the DCO, Spearhead Machinery Ltd must immediately stop processing the personal data unless:
  - There are demonstrable and compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  - The processing is for the establishment, exercise or defence of legal claims.
- Spearhead Machinery Ltd must inform individuals of their right to object “at the point of first communication” and in its privacy notice.
3.8 Rights relating to automated decision making including profiling
- Spearhead Machinery Ltd ensures it has a lawful basis to carry out profiling and/or automated decision-making and documents this.
- Spearhead Machinery Ltd sends individuals a link to its privacy statement when it has obtained their personal data indirectly. In this communication, Spearhead Machinery Ltd explains how people can access details of the information used to create their profile.
- Spearhead Machinery Ltd informs people who provide their personal data how they can object to profiling, including profiling for marketing purposes.
- Spearhead Machinery Ltd has procedures for customers to access the personal data input into the profiles so they can review and edit it for any accuracy issues.
- Spearhead Machinery Ltd only collects the minimum amount of data needed and has a clear retention policy for the profiles it creates.
- The DCO regularly checks Spearhead Machinery Ltd systems for accuracy and bias and feeds changes back into the design process.