IMPORTANT: This policy is of critical importance. A breach or non-compliance may lead to disciplinary action including, in serious cases, dismissal.
PCI-PAL (UK) Limited needs to collect and use personal data about people. This includes information for internal use such as past, present and prospective employees as well as customer information in order to carry on its business and meet its customers' requirements effectively.
We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining our customers' confidence in us.
Any personal data which we collect, record or use in any way, whether it is held on paper, on computer or on other media, will have appropriate safeguards applied to it to ensure that we comply with the General Data Protection Regulation 2016 (GDPR), the Data Protection Act 2018 (DPA 2018), and any subsequent applicable legislation. We fully endorse and adhere to the six principles of Data Protection as set out in the GDPR. These principles state that personal data must be:
- Processed in a Lawful, Fair and Transparent manner
- Processed for specified, explicit and limited purposes and not in any other way which would be incompatible with those purposes
- Adequate, relevant and limited to what is necessary for the purposes of processing
- Accurate and kept up to date
- Kept in a form which allows identification of individuals for no longer than is necessary
- Processed in a manner that ensures appropriate security of the personal data
To meet the requirements of the principles, we will:
- Observe the conditions regarding the fair collection and use of personal data
- Meet our obligations to specify the purposes for which personal data is used
- Collect and process appropriate personal data only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- Ensure the quality of personal data used
- Apply strict checks to determine the length of time personal data is held for
- Ensure that the rights of individuals, about whom the personal data is held, can be fully exercised under the GDPR
- Take appropriate security measures to safeguard personal data
- Ensure that personal data is not transferred abroad without suitable safeguards
Our purpose for holding personal data and a general description of the categories of people and organisations to whom we may disclose it are listed in the Data Protection register. You may view this online (http://www.ico.org.uk) or obtain a copy from the Information Commissioner's Office.
We have a responsible marketing policy and do not give details of our customers or related individuals to any other company. We may contact customers by mail or telephone with details of products and services offered by other companies within the PCI-PAL PLC group. If they do not wish to be marketed in this way they can email the Data Protection Officer at dataprotection@pcipal.com or write to the Data Protection Officer, PCI-PAL (UK) Ltd, 7 Gamma Terrace, Ransomes Europark, Ipswich IP3 9FF.
Personal information we collect as a business on behalf of third parties will be treated in the same responsible way as any other personal information we hold. This information will be held securely within our systems and passed to the relevant third parties in a secure manner.
When we collect any personal data from an employee, we will inform them why we are collecting their data and what we intend to use it for. Where we collect any sensitive data, we will take appropriate steps to ensure that we have explicit consent to hold, use and retain the information. Sensitive data is personal data about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life, sexual orientation, or genetic or biometric data. Details of the commission or alleged commission of any offence and any court proceedings relating to the commission of an offence are also sensitive data.
Under the General Data Protection Regulation and the Data Protection Act, any individual may write to the Data Protection Officer at the above address and request a copy of the information which we hold about them. Individuals also have other Rights, including the Rights to restrict data processing, rectify inaccurate data, or erase their data. Any such Rights request by any individual, including vaguely-worded queries or inaccurate demands, must be relayed to the Data Protection Officer promptly, as PCI Pal has a legal duty to respond to all such queries within a short timeframe. Failure to do so may lead to disciplinary action including, in serious cases, dismissal.