McLEAR needs to collect and use certain types of information about people with whom it deals in order to conduct its operations. These include current, past and prospective employees, suppliers, developers, business partners, customers and others with whom we have dealings. For example, we may occasionally be required to collect and use certain types of personal information to comply with government requirements and/or other legal obligations as well as other statutory and/or administrative functions.
Regardless of how we collect, record and/or use personal data, we are required to ensure that certain data protection standards are adhered to in all of our data processing operations. To that end, we have created a Data Protection Team which is coordinated by the Data Protection Officer (DPO). The DPO is responsible for informing and advising the Company and its staff on its data protection obligations, the privacy laws (DPA/GDPR 2018) and for monitoring compliance with those obligations and with the Company’s policies.
The DPO is also responsible for:
- The maintaining and annual review of this policy internally and with PayrNet.
- Ensuring that McLEAR have systems and controls in place to ensure on-going compliance and to evidence such compliance.
- Monitoring changes to McLEAR’s commercial activities and systems, in order to ensure that any data protection compliance implications are identified and addressed.
- Monitoring the relevant regulators’ websites and publications to identify and take appropriate actions to comply with any changes which may affect McLEAR’s compliance arrangements.
- Ensuring, amongst other things, all customer-facing documentation; marketing materials; employment contracts; terms and conditions; and Third Party contracts, to ensure compliance with Applicable Privacy Law.
- Reviewing the necessary standards of staff awareness of their responsibilities and those of McLEAR, under Applicable Privacy Law.
- Monitoring the effectiveness of staff training and the level of staff awareness of their responsibilities by preparing and carrying out a programme of periodic compliance monitoring, audits and relevant functions throughout McLEAR.
- Promptly dealing with requests from Individuals.
- Ensuring full co-operation with data protection authorities and other competent regulators.
- The Data Protection Officer report on matters related to this Policy.
Data Protection Statement
We take the issue of data protection very seriously and consider the lawful and correct treatment of personal information by McLEAR as very important to the successful operation of the company and in maintaining the confidence of those with whom we deal.
To this end we fully endorse and strive to adhere to the Data Protection Principles enumerated in the Data Protection Act 1998 (the “DPA”) as well as the European General Data Protection Regulation (GDPR).
This means that the data we hold is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
The DPA can be viewed at; http://www.legislation.gov.uk/ukpga/1998/29/contents
Status of the Policy
This policy does not form part of the formal contract of employment of our staff but it is a condition of employment that employees will abide by the rules and policies made by McLEAR. Any failures to follow the policy can therefore result in disciplinary proceedings which may result in dismissal for gross misconduct and in some circumstances, amount to a criminal offence by the individual.
The McLEAR Data Protection Team
McLEAR has a Data Protection Team comprising representatives from Legal, Compliance, Human Resources and IT Departments. The McLEAR Data Protection Team is responsible for writing, co-ordinating and implementing the McLEAR Data Protection policies and procedures which includes:
- implementing a Data Protection Impact Assessment (DPIA) process
- reviewing our contractual arrangements with sub-processors, to make sure that they also protect personal data through robust technical and organizational measures
- delivering GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design our products and business plans with privacy in mind
The McLEAR Data Protection Team is supported by and report to the Executive Management Board of McLEAR Ltd.
Responsibilities of Staff
To help uphold this Data Protection Policy, McLEAR personnel will abide by the IT and Communication Systems Policy (Schedule 26 of the McLEAR Handbook) which covers:
- Equipment security and passwords
- Systems and data security
- Use of E-mail
- Using the internet
- Personal use of our systems
- Use of Social Media
Breach of this policy may result in disciplinary action up to and including dismissal, at the discretion of the CEO. Any member of staff suspected of committing a breach of this policy will be required to co-operate with our investigation, which may involve handing over relevant passwords and login details.
We follow the GDPR 2018 at all times when asking for or handling your information including:
- Personal data shall be processed fairly and lawfully.
- Data is processed only for the purpose(s) for which it was collected.
- Data is adequate, relevant and not excessive.
This means that we will only collect the minimum data we have a legitimate interest in, to allow us to perform the service you have asked for and consented to. We will then only keep that data for as long as our legitimate interest persist. In addition to this, we will provide you with the mechanism to request information on which data we hold about you and to ask us to remove it. We will also provide you with the details of our governing bodies so as you may raise a complaint, should you feel we have not fulfilled our duty of care regarding your details.
We will ensure that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Rights to Access Information
All requests for access to Personal Data (Subject Access Requests) processed by McLEAR should be directed to the Data Protection Officer, McLEAR Ltd, Steel House, 13-17 Princes Road, Richmond, Surrey, TW10 6DQ, United Kingdom or via firstname.lastname@example.org
Any electronic data we hold about you will be stored securely behind appropriate security measures for no longer than is necessary to fulfil the purposes for which it was obtained. However, we will maintain certain elements of your Order Information for as long as the HMRC rules require, which are currently 6 years from the end of the financial year of the transaction.
Data Type: Financial
Retention Period: 6 years + 1
Data Type: Customer (Personal)
Retention Period: Retained while subject remains a customer plus 2 years or until deletion requested
Reason: Support and Marketing
Data Type: Customer (Transactional)
Retention Period: Up to 5 years
Reason: Regulatory requirements
Data Type: Non-customer
Retention Period: 2 years unless deletion requested
When the scheduled time for data deletion arrives, that data will be anonymised or securely removed from our systems and be overseen by our Head of IT.
Destruction of Paper Records
Documents that contain confidential information such as parties’ names and addresses, or which could be used by third parties to commit fraud shall be disposed of as confidential waste, requiring cross-cut shredding and incinerating.