Street Scene

Bellway Homes Ltd, Oakwood Grange

Latest Project

McCarthy & Stone (Developments) Limited
Butt Road Development

View other ongoing projects »

Trades Person?

Sign up to our database and we will contact you if opportunity arrises.
Sign Up »

Rose Builders Ltd - Parsonage House, Marks Tey, Colchester Countryside Properties - Brooklands Phase 1, Milton Keynes Taylor Woodrow Ltd - Abbortsford Park, Bury St Edmunds, Suffolk Aldi Store, Colchester Hutton Construction - Essex FM, Chelmsford

Latest News from Roberge

Data Protection Policy Item 10-16 of 26

Posted: 23/05/18 09:24

Data Protection Policy Item 10-16 of 26

10.             Accountability and Record-Keeping

10.1           The Company’s Data Protection Officer is Ben Himsworth.

10.2           The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

10.3           The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

10.3.1      The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;

10.3.2      The purposes for which the Company collects, holds, and processes personal data;

10.3.3      Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;

10.3.4      Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;

10.3.5      Details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy); and

10.3.6      Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

 

11.             Data Protection Impact Assessments

11.1           The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data [which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR].

11.2           Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:

11.2.1      The type(s) of personal data that will be collected, held, and processed;

11.2.2      The purpose(s) for which personal data is to be used;

11.2.3      The Company’s objectives;

11.2.4      How personal data is to be used;

11.2.5      The parties (internal and/or external) who are to be consulted;

11.2.6      The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

11.2.7      Risks posed to data subjects;

11.2.8      Risks posed both within and to the Company; and

11.2.9      Proposed measures to minimise and handle identified risks.

 

12.             Keeping Data Subjects Informed

12.1           The Company shall provide the information set out in Part 12.2 to every data subject:

12.1.1      Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and

12.1.2      Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:

a)             if the personal data is used to communicate with the data subject, when the first communication is made; or

b)             if the personal data is to be transferred to another party, before that transfer is made; or

c)             as soon as reasonably possible and in any event not more than one month after the personal data is obtained.

12.2           The following information shall be provided:

12.2.1      Details of the Company including, but not limited to, the identity of its Data Protection Officer;

12.2.2      The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;

12.2.3      Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;

12.2.4      Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;

12.2.5      Where the personal data is to be transferred to one or more third parties, details of those parties;

13.2.6      Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details);

12.2.7      Details of data retention;

12.2.8      Details of the data subject’s rights under the GDPR;

13.2.9      Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;

12.2.10   Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);

12.2.11   Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and

12.2.12   Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.

 

13.             Data Subject Access

13.1           Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

13.2           Employees wishing to make a SAR should do using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer at Clay House, Deans Hall Business Park, Oak Road, Little Maplestead, Halstead, Essex, CO9 2RT.

13.3           Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

13.4           All SARs received shall be handled by the Company’s Data Protection Officer.

4.5           The Company does charge a £500 fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

 

14.             Rectification of Personal Data

14.1           Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.

14.2           The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

14.3           In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

 

15.             Erasure of Personal Data

15.1           Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

15.1.1      It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

15.1.2      The data subject wishes to withdraw their consent to the Company holding and processing their personal data;

15.1.3      The data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);

15.1.4      The personal data has been processed unlawfully;

15.1.5      The personal data needs to be erased in order for the Company to comply with a particular legal obligation[;] OR [.]

15.1.6      [The personal data is being held and processed for the purpose of providing information society services to a child.]

15.2           Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

15.3           In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

 

16.             Restriction of Personal Data Processing

16.1           Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

16.2           In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

Next