Introduction – our commitment
We are committed to ensuring that all personal data is collected, stored, processed and used (together “processed”) responsibly, fairly and in compliance with all applicable personal data protection laws, including the General Data Protection Regulation (“GDPR”) (“Data Protection Laws”).
Why is this policy important?
This policy sets out the processes, policies and procedures that we adhere to in order to meet our commitment. Together these measures enable us to:
- Comply with Data Protection Laws
- Ensure that personal data will only be processed in accordance with the Data Protection Laws
- Be reasonable and fair to all individuals
This policy applies to all of our personal data processing functions. It applies to our personnel (employees and in-house contractors), and to our subcontractors and suppliers.
Responsibilities and roles: our personnel
Helyx Management Team is responsible for developing and encouraging robust information handling practices within our organisation. The Management Team is responsible for compliance with Data Protection Laws. Any breach of this Policy by our personnel will be dealt with under our internal disciplinary policy.
Responsibilities: our subcontractors and suppliers
We expect our subcontractors and suppliers to comply with all Data Protection Laws and, where applicable, to comply with this policy together with any other related policies, measures or instructions that we provide. As our subcontractor or supplier, you must protect all personal data, and must ensure that it is only used for the purpose for which it was provided in accordance with our instructions. Your obligations to us include:
- Implementing and maintaining appropriate technical and organisational measures so that the processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
- Obtaining our prior written authorisation if you intend to engage another processor, and to notify us of any changes relating to additional or replacement processors.
- Obtaining our prior written authorisation if you need to transfer the personal data to a third country or international organisation. Such written authorisation will be subject to the third country/international organisation benefiting from an adequacy decision by the EU Commission or the presence of approved appropriate safeguards.
- Processing the personal data in accordance with the contractual terms between us. These will include:
- Details such as: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and our respective obligations and rights.
- Obligations that you will: process the personal data only on our documented instructions; ensure that any person processing the personal data is subject to obligations of confidentiality; implement all appropriate technical and organisational measures; assist us in responding to requests relating to the exercise of data subject’s rights; delete or return all the personal data to us after the end of the provision of services relating to the processing, and delete existing copies unless EU or UK law requires storage of the personal data; and provide all information necessary to demonstrate your compliance with the contractual terms, including allowing for and contributing to audits or inspections conducted by us or our appointed auditor.
- Notifying us immediately of any suspected or actual data breaches, or loss of personal data; and assisting us in investigating and resolving them.
GDPR Data Protection Principles
The policy is based on the following principles:
- We will only process personal data for the purpose for which it was provided
- We will not pass personal data to third parties without the legal right to do so
- We will implement appropriate procedures, processes and controls to protect personal data
Our processing of personal data will be conducted in accordance with the data protection principles:
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specific, explicit and legitimate purposes
- Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal data must be processed in a manner that ensures the appropriate security
- The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)
Personal Data Procedures and Work Instructions
We will demonstrate compliance with the data protection principles by implementing data protection policies, technical and organisational measures, as well as adopting techniques such as data protection by design, breach notification procedures and incident response plans. A list of our related relevant policies, procedures and work instructions is provided below.
| Personal Data Protection Principle | Relevant Policies, Procedures and Work Instructions |
|---|---|
| Personal data must be processed lawfully, fairly and transparently | DPIA Assessment Procedure; Consent Withdrawal Procedure; Data Transfers Procedure; Data Processing Sub-Contractor Procedure; External Parties – Information Security Procedure |
| Personal data can only be collected for specific, explicit and legitimate purposes | Data Protection Policy |
| Personal data must be adequate, relevant and limited to what is necessary for processing | DPIA Assessment Procedure |
| Personal data must be accurate and kept up to date with every effort to erase or rectify without delay | DPIA Assessment Procedure; Subject Access Request; Data Retention Policy; Data Retention Review |
| Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing | Data Retention Policy; Data Retention Review |
| Personal data must be processed in a manner that ensures the appropriate security | Relevant sections of ISO 27001; Data Breach Notification Procedure; Data Breach Communication Procedure |
| The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability) | GDPR Compliance internal audits |