IOS Care GDPR POLICY
This GDPR POLICY sets out how IOS Care (“the Company” or “We”) handle the personal data of our employees, workers, suppliers, customers and other third parties under the General Data Protection Regulation (“GDPR”). This policy outlines what is required for the Company to comply with the GDPR in terms of obtaining, handling, processing, storing, transporting and the destruction of personal data.
This policy applies to all personal data that is processed by the Company regardless of the way in which it is stored or whether it relates to past or present employees, workers, customers, or supplier contacts.
Employees who use personal data in their day to day roles must comply with this policy when processing data. Any breach of this policy may result in disciplinary action being taken.
Personal Data Protection Principles
The Company complies with the GDPR, which clearly sets out principles on the processing of personal data. All personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
Every processing activity must rest on a lawful basis. The Company may process personal data where the data subject has given consent, where processing is necessary for the performance of a contract with the data subject, to meet a legal obligation, to protect the data subject's vital interests, or to pursue the Company's legitimate business interests where these are not overridden by the interests and rights of the data subject.
- Collected for specified, explicit and legitimate purposes (purpose limitation)
Personal Data cannot be used for different or incompatible purposes which were not disclosed when the data was obtained. The Data Subject should be informed of any new usage of their Personal Data and consent may be required before processing.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation)
The Company may only collect and process Personal Data that is required for business purposes or for purposes linked to an individual’s employment. Excessive or irrelevant Personal Data must not be processed.
- Accurate and where necessary kept up to date (Accuracy)
Every reasonable step must be taken to ensure that Personal Data is accurate. Personal Data must be checked at the point of collection and at regular intervals thereafter. Personal Data that is inaccurate must be rectified or securely erased without delay.
Employees have a responsibility to notify the Company of any changes to their Personal Data.
- Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation)
Personal Data that is no longer required, must be securely destroyed or erased from Company systems. This includes requiring third parties to delete such data where applicable. The different retention periods are detailed in the Retention and Breach Policy.
- Processed in a manner that ensures its security (Security, Integrity and Confidentiality)
Personal Data must be secured using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Not transferred to another country without appropriate safeguards being in place (Transfer Limitation)
Transfers of Personal Data to countries outside the EEA are restricted unless appropriate safeguards are in place. Personal Data is transferred across borders whenever you transmit, send, view or otherwise access it in, or send it to, a different country.
- Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests)
The rights and requests of Data Subjects are noted below:
The Rights of Data Subjects
The GDPR sets out the rights for Data Subjects in terms of how the Company handles Personal Data. These rights are:
- The right to withdraw consent at any time
- The right to be informed i.e. understand how and why data is processed
- The right to request access to Personal Data
- The right to erasure (the right to be forgotten)
- The right to restrict processing
- The right of rectification
- The right of data portability
- Rights with respect to automated decision-making (ADM) and profiling
If you wish to access copies of your data, you must complete a Subject Access Request form. This allows you to make a formal request in writing; the Company will normally respond within one month of receiving the request.
How Personal Data will be used
As part of our day to day business, we will collect and process personal data. We only use personal data for the purpose for which the Company initially collected it. For this reason, we must:
- be clear about why we are collecting personal data and its intended use.
- communicate this to you in advance of using/disclosing it for any new/different reason.
- be clear about how personal data is being stored, accessed and the retention period.
Our Obligations as an Employer
We will use your particularly sensitive personal information in the following ways:
- We will use information relating to leaves of absence, which may include sickness absence or family related leave, to comply with employment and other laws.
- We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence, to take legal advice on our obligations to you and to administer benefits.
- We will use trade union membership information to pay trade union premiums, register the status of a protected employee and to comply with employment law obligations.
Your obligations to us
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Do we need your consent?
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.
In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data.
If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
Disclosure and Sharing of Personal Data
If there is a requirement to disclose or share personal data, we must ensure that it is done in line with GDPR requirements and that it is shared only with the people who need to know the information. If this involves a third party, e.g. an HR services provider, an appropriate data processing agreement between the two parties must be in place before any data is shared.
Transferring of Personal Data
The Company will process your personal data for all purposes associated with your employment including administrative, financial, regulatory, payroll, pensions, holiday entitlement, sickness monitoring/management and overall performance.
Your personal data (including sensitive data) may be processed in another country within the European Economic Area where required by third parties such as pension providers as is necessary for carrying out all purposes and obligations relating to your employment with the Company.
The Company will not transfer your personal data to any countries outside of the EEA.
You have the right of access and the right to rectify your data. At the expiry of your employment with the company, your data will be retained for the legislated time limit and its deletion will be in line with the Company’s published retention schedule.
The correct and lawful processing of Personal Data is essential for the successful operation of the business. The Company takes its responsibility of protecting data very seriously and all other parties who operate in/with the Company are required to comply with the standards set out in this policy.
Failure to comply with the provisions set out in the GDPR may expose the Company to fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
All departments, Directors, Management and staff are responsible for ensuring that all Employees comply with this policy and need to follow the appropriate practices, processes, controls and training to ensure compliance.
Reporting of Breaches
The Data Controller is required to report a personal data breach to the applicable regulator without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Prompt internal reporting is therefore essential, because the 72-hour clock starts as soon as the Company becomes aware of the breach.
If you know or suspect that a data breach has taken place, you must contact the DPO immediately.
You may also contact the DPO with any questions about the operation of this policy, other related policies, or the GDPR or if you have any concerns that this policy is not being followed. You must always contact us if:
- You are unsure of the lawful basis which you are relying on to process Personal Data.
- You need to rely on consent and/or need to capture Explicit Consent.
- You are unsure about the retention period for the Personal Data being processed.
- You are unsure about security of Personal Data.
- There has been a Personal Data Breach.
- You need help dealing with any rights invoked by a Data Subject.
- You are involved in new or changes in processing activity.
- You are likely to use social media, which might involve using Personal Data.
- You need assistance with any contracts or other business areas in relation to sharing Personal Data with third parties.
All third-party service providers who process Personal Data on behalf of the Company must also comply with the above.
Retention of Personal Data
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and paper based personal data.
Examples of potential Personal Data Breaches are:
- Unauthorised disclosure of Personal Data to a third party without any justification, consent or authorisation.
- Failure to contact the DPO when required.
- Unauthorised disclosure of Personal Data about a client, third party or colleague in an inappropriate forum, including but not limited to social media posts, email correspondence or telephone conversations.
- Unauthorised disclosure of Personal Data to a colleague, where that colleague has no access to that Personal Data and no work-related need or justification to access it.
- Loss of Personal Data.
This list is not exhaustive.
The GDPR, together with the ePrivacy rules on electronic marketing, requires the Company to follow certain rules when marketing to customers. A Data Subject's prior consent is required for electronic direct marketing, i.e. by email or text. The exception for existing customers (the "soft opt-in") allows the Company to send marketing emails or texts if we obtained the contact details during a sale to that person, we are marketing similar products or services, and we gave the Data Subject an opportunity to opt out of marketing when first collecting the details.
A Data Subject must be offered the right to opt out of direct marketing, which should be offered in a clear and unambiguous manner. Any objection should be promptly actioned, and their details removed.
All Employees are responsible for the security of all personal data or sensitive data held by the Company about Data Subjects.
Personal data should only be processed by Employees when it is required to complete their job, e.g. payroll may have access to bank details.
All personal data must be stored securely regardless of format, i.e. electronic, paper etc. The Company's clear desk and screen policy must be adhered to at all times. Electronic documents, databases etc. must be password protected and access restricted to those with a work-related need, to maintain confidentiality.
Security measures to keep data secure include:
- Restricted office entry controls.
- Lockable desks and cupboards.
- Password protection for individual access.
- Virus protection.
- Secure methods of disposing of paperwork.
Glossary of Data Protection Terms
Data is information that is held regardless of how it is stored.
Data Subject relates to a living individual about whom we hold personal data.
Personal Data means data relating to a living individual who can be identified from that data e.g. name, address, or date of birth, which is factual. Also, it can be more subjective e.g. action or behaviour. Personal data may not necessarily contain the name of an individual to be classed as personal data. The use of a unique number or location data may be sufficient to identify an individual.
Data Controller: IOS Care (the Company).
Sensitive Personal Data (the GDPR's "special categories" of personal data) includes data about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic data, biometric data, physical or mental health, sex life or sexual orientation, together with personal data relating to criminal offences or convictions. Sensitive personal data can only be processed under strict conditions and will usually require the explicit consent of the person concerned, unless another condition permitted under the GDPR applies (for example, processing necessary to carry out obligations under employment law, as described above).
Processing is any activity that involves collection, use or destruction of any personal data. It includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes the transfer of personal data to third parties.
Consent: freely given, specific, informed and unambiguous agreement by the Data Subject.
Automated Decision Making (ADM): when a decision is made, which is based solely