Updated April 2022
Introduction
This document sets out the obligations of JSL Services Group Ltd (“the Company”) with regard to data protection and the rights of people with whom it works in respect of their personal data under the Data Protection Act 2018 (“the Act”) and in compliance with the General Data Protection Regulation (25th May, 2018).
This Privacy Statement describes the data we hold, where it is held and how it is protected. The procedures set out herein must be followed by the Company, its employees, contractors, agents, consultants, partners or other parties working on behalf of the Company. Written contractual consent of compliance will be sought from all parties mentioned above.
The Company views the correct and lawful handling of personal data as key to its success and dealings with third parties. The Company shall ensure that it handles all personal data correctly and lawfully.
Personal and Sensitive Data
All data within our control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.
The principles of the GDPR shall be applied to all data processed:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Rights of Data Subjects
Under the GDPR, data subjects have the following rights, which JSL Services Group Limited adheres to:
- The right to be informed that their personal data is being processed.
- The right to access any of their personal data held by the Company within 30 days of making a request.
- The right to prevent the processing of their personal data (right to erasure).
- The right to rectify, block, erase or destroy incorrect personal data.
- The right to lodge a complaint with a supervisory authority.
Data we hold
Personal data is defined as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
GDPR also defines “special category data” as personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
The Company only holds personal data which is directly relevant to its dealings with a given data subject by contractual obligations to provide support services. That data will be held and processed in accordance with the data protection principles and with this Policy. The following data may be collected, held and processed by the Company from time to time:
- Full names of users
- Temporary passwords
- Dates of birth
- Home address details
- Private and work based telephone details
- Private and work based email addresses
- Previous employment information
- Working hours
Please note we do NOT hold personal passwords in any of our systems for individual users.
Sub-Processors
JSL may use the following sub-processors with regards to processing client data in order to provide our support services. We will ensure we have suitable GDPR compliant contracts in place with these sub-processors by the 25th May 2018 to continue using their services. The sub-processors are listed below; if you have any objections to the use of any of these sub-processors, please contact us at help at jslgroup.co.uk and include a reasonable explanation of the objection:
- Autotask (UK) Limited (our internal helpdesk system and PSA)
- Redstor Limited (Data backups)
- Veeam Software (UK) Limited (Data backups and / or disaster recovery)
- Microsoft Corporation Limited
- Intuit Limited (financial data / records)
- Docusign Incorporated (online electronic signature service)
Processing Personal Data
Any and all personal data collected by the Company is collected in order to ensure that the Company can facilitate efficient transactions with third parties including, but not limited to, its customers, partners, associates and affiliates and efficiently manage its employees, contractors, agents and consultants. Personal data shall also be used by the Company in meeting any and all relevant obligations imposed by law.
Personal data may be disclosed within the Company. Personal data may be passed from one department to another in accordance with the data protection principles and this Policy. Under no circumstances will personal data be passed to any department or any individual within the Company that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.
The Company shall ensure that:
- All personal data collected and processed for and on behalf of the Company by any party is collected and processed fairly and lawfully;
- Data subjects are made fully aware of the reasons for the collection of personal data and are given details of the purpose for which the data will be used;
- Personal data is only collected to the extent that is necessary to fulfil the stated purpose(s);
- All personal data is accurate at the time of collection and kept accurate and up-to-date while it is being held and / or processed;
- No personal data is held for any longer than necessary in light of the stated purpose(s) and will be recorded on our retention policy;
- All personal data is held in a safe and secure manner, taking all appropriate technical and organisational measures to protect the data;
- All personal data is transferred using secure means, electronically or otherwise;
- No personal data is transferred outside of the UK or EEA (as appropriate) without first ensuring that appropriate safeguards are in place in the destination country or territory; and
- All data subjects can exercise their rights set out in the “Rights of Data Subjects” section above.
Data Protection Procedures
See our Data Protection Policy for more detailed information.
The Company shall ensure that all of its employees, contractors, agents, consultants, partners or other parties working on behalf of the Company comply with the following when processing and / or transmitting personal data:
- All emails containing personal data must be encrypted;
- Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
- Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
- Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
- Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient. Using an intermediary is not permitted;
- All hardcopies of personal data should be stored securely in a locked box, drawer, cabinet or similar;
- All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and
- All passwords used to protect personal data should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised in line with our company password policy.
- Secure disposal of redundant data is an integral element of compliance with legal requirements and an area of increased risk. JSL will NOT remove any hardware containing data from any site for disposal unless written consent is received from a nominated contact. Any employee of JSL that does so is in breach of this policy.
- All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services and certificates of destruction will be supplied.
- All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.
Organisational Measures
The Company shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:
- A designated officer (“the Designated Officer”) within the Company shall be appointed with the specific responsibility of overseeing data protection and ensuring compliance with the GDPR.
- All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company are made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and shall be furnished with a copy of this Policy.
- All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be appropriately trained to do so.
- All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be appropriately supervised.
- Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
- The performance of those employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed.
- All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract. Failure by any employee to comply with the principles or this Policy shall constitute a disciplinary offence. Failure by any contractor, agent, consultant, partner or other party to comply with the principles or this Policy shall constitute a breach of contract. In all cases, failure to comply with the principles or this Policy may also constitute a criminal offence under the GDPR, depending on the severity.
- All contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR.
Access by Data Subjects
A data subject may make a subject access request (“SAR”) at any time to see the information which the Company holds about them. Requests should be made in writing to:
The Director(s)
JSL Services Group Limited
The Old Post Office
Wycombe Road
Studley Green
Bucks. HP14 3XA
Upon receipt of a SAR the Company shall have a maximum period of 30 days within which to respond. The following information will be provided to the data subject:
- Whether or not the Company holds any personal data on the data subject;
- A description of any personal data held on the data subject;
- Details of what that personal data is used for;
- Details of any third-party organisations that personal data is passed to and why; and
- Details of any technical terminology or codes.
Notification to the Information Commissioner’s Office
As a data controller, the Company is required to notify the Information Commissioner’s Office that it is processing personal data. The Company is registered in the register of data controllers.
Data controllers must renew their notification with the Information Commissioner’s Office on an annual basis. Failure to notify constitutes a criminal offence.
Any changes to the register must be notified to the Information Commissioner’s Office within 28 days of taking place.
The Designated Officer shall be responsible for notifying and updating the Information Commissioner’s Office.
Implementation of Policy
This Policy shall be deemed effective as of 01/04/2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved & authorised by:
Name: Mr Jai Lablans
Position: Managing Director