Personal Data Protection Policy

Introduction – our commitment

We are committed to ensuring that all personal data is collected, stored, processed and used (together “processed”) responsibly, fairly and in compliance with all applicable personal data protection laws, including the General Data Protection Regulation (“GDPR”) (“Data Protection Laws”).

Why is this policy important?

This policy sets out the processes, policies and procedures that we adhere to in order to meet our commitment. Together these measures enable us to:

  • Comply with Data Protection Laws
  • Ensure that personal data will only be processed in accordance with the Data Protection Laws
  • Be reasonable and fair to all individuals

Scope

This policy applies to all of our personal data processing functions. It applies to our personnel (employees and in-house contractors), and to our subcontractors and suppliers.

Responsibilities and roles: our personnel

Helyx Management Team is responsible for developing and encouraging robust information handling practices within our organisation. The Management Team is responsible for compliance with Data Protection Laws. Any breach of this Policy by our personnel will be dealt with under our internal disciplinary policy.

Responsibilities: our subcontractors and suppliers

We expect our subcontractors and suppliers to comply with all Data Protection Laws and, where applicable, to comply with this policy together with any other related policies, measures or instructions that we provide. As our subcontractor or supplier, you must protect all personal data, and must ensure that it is only used for the purpose for which it was provided in accordance with our instructions. Your obligations to us include:

  • Implementing and maintaining appropriate technical and organisational measures so that the processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
  • Obtaining our prior written authorisation if you intend to engage another processor, and to notify us of any changes relating to additional or replacement processors.
  • Obtaining our prior written authorisation if you need to transfer the personal data to a third country or international organisation. Such written authorisation will be subject to the third country /international organisation benefiting from an adequacy decision by the EU Commission or the presence of approved appropriate safeguards.
  • Processing the personal data in accordance with the contractual terms between us. These will include:
    • Details such as: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and our respective obligations and rights.
    • Obligations that you will: process the personal data only on our documented instructions; ensure that any person processing the personal data is subject to obligations of confidentiality; implement all appropriate technical and organisational measures; assist us in responding to requests relating to the exercise of data subject’s rights; delete or return all the personal data to us after the end of the provision of services relating to the processing, and delete existing copies unless EU or UK law requires storage of the personal data; and provide all information necessary to demonstrate your compliance with the contractual terms, including allowing for and contributing to audits or inspections conducted by us or our appointed auditor.
  • Notifying us immediately of any suspected or actual data breaches, or loss of personal data, and assisting us in investigating and resolving them.

GDPR Data Protection Principles

The policy is based on the following principles:

  • We will only process personal data for the purpose for which it was provided
  • We will not pass personal data to third parties without the legal right to do so
  • We will implement appropriate procedures, processes and controls to protect personal data

Our processing of personal data will be conducted in accordance with the data protection principles:

  • Personal data must be processed lawfully, fairly and transparently
  • Personal data can only be collected for specific, explicit and legitimate purposes
  • Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
  • Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
  • Personal data must be processed in a manner that ensures the appropriate security
  • The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)

Personal Data Procedures and Work Instructions

We will demonstrate compliance with the data protection principles by implementing data protection policies, technical and organisational measures, as well as adopting techniques such as data protection by design, breach notification procedures and incident response plans. A list of our related relevant policies, procedures and work instructions is provided below.

The relevant policies, procedures and work instructions for each personal data protection principle are as follows:

Personal data must be processed lawfully, fairly and transparently
  • DPIA Assessment Procedure
  • DPIA Inventory
  • Privacy Notice
  • Consent Procedure
  • Consent Withdrawal Procedure
  • Data Transfers Procedure
  • Data Processing Sub-Contractor Procedure
  • External Parties – Information Security Procedure

Personal data can only be collected for specific, explicit and legitimate purposes
  • Data Protection Policy

Personal data must be adequate, relevant and limited to what is necessary for processing
  • DPIA Assessment Procedure
  • DPIA Inventory
  • DPIA Review
  • Privacy Notice

Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
  • DPIA Assessment Procedure
  • DPIA Inventory
  • Subject Access Request
  • Rectification Procedure
  • Data Retention Policy
  • Data Retention Review
  • Data Deletion

Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
  • Data Retention Policy
  • Data Retention Review
  • Data Deletion

Personal data must be processed in a manner that ensures the appropriate security
  • Relevant sections of ISO 27001
  • Data Breach Notification Procedure
  • Data Breach Communication Procedure

The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)
  • GDPR Compliance internal audits