The EU General Data Protection Regulation (EU) 2016/679 (GDPR) is a significant piece of European legislation which comes into force on 25 May 2018. It builds on existing data protection laws, strengthening the rights that EU individuals have over their personal data, and creating a single data protection approach across Europe.
How will FCS (UK) comply with the GDPR?
Our GDPR preparation started in June 2016 and as part of this process we are reviewing (and updating where necessary) all our internal processes, procedures, data systems and documentation to ensure that we are ready when GDPR comes into force in May 2018.
Our GDPR Principles are:
Data is processed fairly, lawfully and in a transparent manner
We will only collect, process and share personal data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding personal data to specified lawful purposes, ensuring that we process personal data fairly and without adversely affecting the individual whose personal data is being processed (the data subject).
Data is processed only for specified and lawful purposes
We will process personal data only based on one or more of the lawful bases set out in the GDPR, which include consent. Where consent is the lawful basis, individuals will be asked for their consent either by way of a statement or a positive action. We will ensure that individuals are able to withdraw their consent as easily as they have given it. We will keep records of all consents captured to ensure compliance with the requirements of the GDPR.
We will review our consents from time to time to ensure that they are still relevant to the original purpose for which they were sought. We will not rely on consent unless it relates to the specific purpose the individual provided consent for.
Where we transfer personal data outside of the EEA, we will inform the relevant individuals, set out the reasons for this and provide them with the documentation to show adequacy of security.
If the personal data includes any special category data then we will process this in accordance with the GDPR and where necessary obtain explicit consent.
Processed data is adequate, relevant and not excessive
We will only hold personal data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. We will therefore only collect, hold and process personal data that we need to provide our products and services to you. Furthermore, any personal data which is no longer needed will be deleted in accordance with company guidelines.
Processed data is accurate and, where necessary, kept up to date
We aim in all circumstances to only hold personal data which is accurate and kept up to date. Where inaccuracies are identified, they will be corrected without delay. We have procedures in place to ensure that personal data held and processed by us is reviewed on a regular basis to ensure it is accurate and up to date.
Data is not kept longer than necessary
We will only keep personal data for as long as it is required in accordance with the original purpose for which it was provided to us by the individual.
We will maintain retention policies and procedures to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. We will delete all records of personal data which is no longer required in accordance with company procedures.
Data is processed in accordance with an individual’s consent and rights
We acknowledge that individuals have rights when it comes to how we handle their personal data. These include rights to:
- Withdraw consent to processing at any time;
- Receive certain information about our processing activities;
- Request access to the personal data that we hold on them;
- Prevent our use of their personal data for direct marketing purposes;
- Ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
- Restrict processing in specific circumstances;
- Challenge processing which has been justified based on our legitimate interests or in the public interest;
- Request a copy of an agreement under which personal data is transferred outside of the EEA;
- Object to decisions based solely on automated processing, including profiling;
- Prevent processing that is likely to cause damage or distress to the individual or anyone else;
- Be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
- Make a complaint to the supervisory authority; and
- In limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
In each of the above cases, we will verify the identity of the individual making the request and will reply within the timescales required by the GDPR.
Data is kept secure
We will protect personal data by using appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymising where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
Data is not transferred to countries outside of the European Economic Area (‘EEA’) without adequate protection
The GDPR restricts data transfers to countries outside the EEA to ensure that the level of data protection afforded to individuals by the GDPR is not undermined.
We will only transfer personal data outside the EEA where the appropriate safeguards are in place, such as by having standard contractual clauses (approved by the European Commission) in place with third parties where personal data is transferred outside the EEA (not to the USA). We will inform our clients and suppliers that the individuals’ personal data is being transferred outside the EEA and seek their explicit consent for this transfer.
For more info
FCS (UK) Limited has many years’ experience of advising on and installing Cryoserver software solutions for customers.
FCS (UK) Limited is a company registered in England and Wales, with company number 5940018.
FCS (UK) Limited is a BMTRADA ISO/IEC 27001:2013 accredited company (Certificate No: 170), which ensures we adhere to stringent processes for keeping our personal data and our customers’ personal data secure.
FCS (UK) Limited is registered with the Information Commissioner’s Office under Registration Number ZA123425.