Privacy Notice – Dorset Electrical and Fire Alarms Ltd
This policy is intended to provide information about how Dorset Electrical and Fire Alarms (DEFA) will use (or “process”) personal data about individuals, including its staff, its customers, and the employees of its customers.
This Privacy Notice applies alongside any other information that DEFA may provide about its use of personal data, for example when collecting data via an online or paper form.
This Privacy Notice also applies in addition to DEFA’s other relevant terms and conditions and policies, including:
- DEFA Terms of Trading;
- any contract between DEFA and its staff or customers;
- DEFA’s retention of records policy;
- as to how concerns or incidents are recorded;
- DEFA’s IT policies; and
- DEFA’s health and safety policies.
Anyone who works for, or acts on behalf of, DEFA (including staff, work experience and service providers) should also be aware of and comply with this Privacy Notice and the DEFA Data Protection Policy for staff, which also provides further information about how personal data about those individuals will be used.
This privacy notice aims to explain:
- Why we need to process personal data;
- The types of personal data that we collect and process;
- How we collect data;
- The legal basis of our use of your personal data;
- Where we disclose your information to other parties;
- How long we will keep your information for;
- Your rights in regard to your personal data;
- Our use of data collected from IT systems and assets;
- How to contact us.
Why DEFA needs to process personal data
To carry out its ordinary duties to staff and customers, DEFA needs to process a range of personal data about individuals as part of its daily operations.
Some of this activity DEFA will need to carry out to fulfil its legal rights, duties or obligations – including those under a contract with its staff, or customers.
Other uses of personal data will be made in accordance with DEFA’s legitimate interests, provided that these are not outweighed by the impact on individuals and provided it does not involve special category or sensitive types of data.
The types of personal data we collect and process
This may include the following categories, by way of example:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- bank details and other financial information, e.g. about customers who purchase directly from DEFA;
- personnel files;
- where appropriate, information about individuals’ health and welfare, and contact details for their next of kin;
- references given or received by DEFA about prospective employees, current employees, and relevant information provided by previous employers and/or other professionals or organisations working with employees;
- correspondence with and concerning staff and customers; and
- images captured by the DEFA CCTV system (in accordance with the DEFA CCTV policy).
How DEFA collects data
Generally, DEFA receives personal data from the individual directly. This may be via a sales order, an application form, correspondence, submission of a CV or simply in the ordinary course of interaction or communication.
However, in some cases personal data will be supplied by third parties (for example via a business customer providing personal data of an employee to fulfil an order, or from an agency with whom an individual has provided data for the purposes of seeking employment).
The legal basis of our use of your personal data
DEFA identifies that personal data is used under the following legal bases:
On the basis of fulfilling our contractual obligations:
- To enable us to run the business and manage our relationship with employees effectively, lawfully and appropriately, during the recruitment process, and whilst within DEFA employment.
- To safeguard employees’ welfare and meet our duty of care.
- To give and receive information and references about past, current and prospective employment.
- For managing our relationships with our suppliers, including assessing a supplier’s qualification or conducting supply-chain assurance activity on our suppliers.
- To fulfil customer orders where a business customer has provided delivery information such as names, addresses and contact details to enable delivery of goods to one of their employees or contractors.
On the basis of its legitimate interests:
- To conduct day-to-day business operations such as the recording of personal data in Management Review records, the formatting of personal data for storage within the business’s CRM, and the exchange of data with agencies to facilitate the placement of temporary staff;
- To monitor (as appropriate) use of DEFA’s IT and communications systems in accordance with DEFA’s IT acceptable use policy;
- For security purposes;
- To carry out or cooperate with any DEFA or external complaints, disciplinary or investigation process; and
- Where otherwise reasonably necessary for DEFA’s purposes, including to obtain appropriate professional advice and insurance for DEFA.
- To provide training and educational services to support employees in meeting their roles and responsibilities.
On the basis of meeting our legal or regulatory obligations:
- For the purposes of research and statistical analysis, including that imposed or provided for by law (such as tax, diversity or gender pay gap analysis);
- To enable relevant authorities to monitor DEFA’s performance and to intervene or assist with incidents as appropriate.
On the basis of consent:
- To receive speculative submissions of job search letters and CVs.
- To distribute newsletters and marketing material to our customer base such as when a customer or prospective customer signs up to receive marketing emails via our website.
Where DEFA is relying on consent as a means to process personal data, any person may withdraw this consent at any time.
In addition, DEFA will on occasion need to process special category personal data (e.g. concerning health, ethnicity, religion, biometrics or gender) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, or from time to time by explicit consent where required. These reasons will include:
- As part of any DEFA or external complaints, disciplinary or investigation process that involves such data; or
- For legal and regulatory purposes (for example diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
On the basis of vital interests:
- To safeguard employees’ welfare and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition or other relevant information where it is in the individual’s interests to do so: for example, for medical advice and cooperation with police, for insurance purposes, or so that caterers or organisers of functions can be made aware of dietary or medical needs.
Disclosure of your details to others
Occasionally, DEFA will need to share personal information relating to its operations with third parties, such as:
- professional advisers (e.g. lawyers and accountants);
- government authorities (e.g. HMRC, DfE, police or the local authority); and
- appropriate regulatory bodies
For the most part, personal data collected by DEFA will remain within the business and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of medical records held and accessed only by the HR Manager or otherwise only with the express consent of the individual.
Finally, in accordance with Data Protection Law, some of DEFA’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with DEFA’s specific directions.
How long we will keep your information for
DEFA will retain personal data securely and only for as long as it is necessary to keep it for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff personnel files is up to 7 years following departure from the business. However, incident reports or medical related data may need to be kept much longer, in accordance with specific legal requirements.
We have defined retention periods for different categories of personnel data according to these principles and this information is held in the DEFA Retention Policy.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by DEFA, and in some cases ask for it to be erased or amended or have it transferred to others, or for DEFA to stop processing it – but subject to certain exemptions and limitations.
Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing to the Data Protection Manager.
DEFA will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits (one month in the case of requests for access to information).
DEFA will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or similar to previous requests, DEFA may ask you to reconsider, or require a proportionate fee (where Data Protection Law allows it).
The right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals, or information which is subject to legal privilege (for example legal advice given to or sought by DEFA, or documents prepared in connection with a legal action).
The rights under Data Protection Law belong to the individual to whom the data relates.
When someone visits our website, we collect standard internet log information and details of visitor behaviour patterns. This is to allow us to monitor user behaviour and visit rates. This information is anonymous. Where we gather personal information, this will be made clear.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Where we link to third party websites, they will have their own privacy and cookies policies and it is your responsibility to review these. We cannot accept any responsibility or liability for the policies of third party websites.
Responsibility for Data Protection
The designated Data Protection Manager in DEFA is Vanessa Damen, Director.
The Data Protection Manager is responsible for all issues relating to Data Protection and any queries should be directed to her on firstname.lastname@example.org or 01202 670003.
If you have any questions about this privacy notice or our treatment of your personal data, please write to us by email or by letter to this address:
Unit 1a, 8 Cowley Road
Nuffield Industrial Estate