At AL Batavon we are committed to maintaining your privacy and respecting the privacy of any data we hold on file for you or your company.
At AL Batavon we are committed to maintaining your privacy and respecting the privacy of any data we hold on file for you or your company. As such, personal data is processed in accordance with the EU Regulation 2016/679 or the ‘General Data Protection Regulations’ (GDPR).
Definitions – for the purposes of this policy:
- “Personal data” refers to information that relates to an identifiable person who can be either directly or indirectly identified from such information. For example, a person’s name, identification number, location information, or online identifiers. This can also relate to pseudonymised information. (A.4 GDPR)
- “Personal data breach” refers to a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of/access to personal data which is transmitted, stored or otherwise processed by AL Batavon Ltd. (A.4 GDPR)
- “Special Categories of Personal Data” are types of personal data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and sexual orientation data (A.9 GDPR). The scope of this definition will also include data pertaining to criminal convictions and offences (A.10 GDPR).
- “Processing” refers to any operation or sets of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, alignment or combination, erasure and destruction (A.4 GDPR).
Data Protection Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. We will ensure that:
- Processing will be fair, lawful and transparent
- Data be collected for specific, explicit, and legitimate purposes
- Data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
- Data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- Data is not kept for longer than is necessary for its given purpose
- Data will be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- We will comply with the relevant GDPR procedures for international transferring of personal data
If you are unhappy with our data protection policies or how your data has been processed you are entitled to lodge a complaint with a supervisory authority.
Categories of Data Processed:
Employees, workers and subcontractors:
We keep several categories of personal data on our employees and related groups in order to carry out effective and efficient processes, business and working relationships. We keep this data in a secure personnel file relating to each employee and we also hold some data within our computer systems, for example, our holiday booking system.
Specifically, we process the following types of data (as appropriate to your status):
- Personal details such as name, address, phone numbers
- Name and contact details of your next of kin
- Gender, marital status, information of any disability you have or other relevant medical information
- Right to work documentation
- Information on your race and religion for equality monitoring purposes
- Information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter
- References from former employers
- Details on your education and employment history etc
- National Insurance numbers
- Bank account details
- Tax codes
- Driving licence
- Criminal conviction information
Moreover, we also process information relating to your employment with us, including:
- Job title and job descriptions
- Wider terms and conditions of employment
- Details of formal and informal proceedings involving you such as letters of concern, disciplinary and grievance proceedings, your annual leave records, appraisal and performance information
- Internal and external training modules undertaken
- Information on time off from work including sickness absence, family related leave etc
- CCTV footage
- Building access card records
- IT equipment use including telephones and internet access.
The company will process special categories of personal data in accordance with the new GDPR guidelines and this data will only be processed where a suitable lawful basis applies. The lawful bases for processing of employee data are contained within the privacy notice for employees, which is available on request from management.
Customers and Suppliers
AL Batavon Ltd collects and processes personal data in relation to individuals who are, or are working with, our suppliers and customers. This processing includes:
- Contact details:
- Name, title, position, work identification numbers, department, business unit; and
- E-mail address, telephone numbers, delivery address, work location and tax information such as VAT or tax numbers.
Lawful bases for processing
AL Batavon understands processing may only be carried out where a lawful basis exists under GDPR. We have assigned a lawful basis against each processing activity. For guidance on the lawful bases below please see the ICO (regulator) website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/)
Where our use of customer data relates to delivery purposes or customer queries, we rely on legitimate interests as our lawful basis. Processing in this way is necessary and proportionate to allow for effective delivery of goods and practical customer service and this usage is likely to be expected by prospective customers. We’ve concluded the benefits from this kind of processing outweigh potential impact on the rights and freedoms of the customer; unjustified harm is also unlikely to result from breaches relating to this data. We will also continue marketing to existing, recent customers under the justification of legitimate interests, as they would reasonably expect to continue hearing from us. We will also rely on legitimate interests to cover telesales marketing to existing customers and prospective merchant branches of existing customer organisations. We offer an opt-out procedure and do not contact TPS/CTPS registered individuals or organisations in compliance with GDPR. On ‘legitimate interests assessment’, we have concluded that similar corporations would expect contact in this way; the potential nuisance factor to merchant stockists is also low and these businesses do not generally involve vulnerable individuals who may experience serious detriment from this communication. If you do not wish to be contacted in this way, please contact firstname.lastname@example.org with an objection.
Where direct marketing to individuals with no previous purchase history and no contractual basis we may rely on consent as our lawful basis. We recognise the high standard attached to consent under GDPR and understand valid consent must be freely given, specific, informed and unambiguous. Where consent is sought, we do so on a specific and individual basis and attain separate consents for separate processing activities. Consenters will be given clear explanations of processing, informed of the consequences of their consent and informed of their right to withdraw consent or opt-out of such marketing. Where no other lawful basis applies, we may also seek consent.
This consent may be withdrawn retroactively at any time (without detriment). Please e-mail email@example.com with details of the relevant consent in place and your desire to be withdrawn from our consent registry document.
Where processing is necessary either to fulfil obligations of an existing contract or to carry-out a request prior to entry to a contract (e.g. a quote) we may rely on a contractual or pre-contractual lawful basis. This will only be done where processing is a necessary, targeted and proportionate way of achieving the service in relation to the contract (not maintaining our general business model). If processing is not necessary for the contract we will consider either legitimate interests or direct consent as listed above.
We rely on contractual obligations as our lawful basis for weekly logistical e-mail updates to account customers. These e-mails are compiled to include pertinent, useful information for site managers and we have updated this correspondence to include an opt-out and this updated privacy notice. Where this information is sent to personal e-mail addresses contractual obligations does not apply, so we have
Finally, in a limited range of circumstances we may rely on a legal obligation as our lawful basis for processing, such as in relation to salary details for HMRC. This basis will only be relied upon where processing is absolutely necessary to fulfil such legal obligation.
Individual rights under data protection law
Right to be informed (A.12-14 GDPR)
We update individuals of our policies and compliance with data protection law through our privacy statement. Where data is collected from the subject they will be informed upon collection. Alternatively, where data is collected from a third-party, privacy information will be provided within one calendar month latest when communicating with the data subject.
Right to access personal data (A.15 GDPR)
You can request a ‘subject access request’ containing a summary and copy of all personal data held on file or processed. These requests can be made verbally or in writing and will be returned in a commonly used electronic format within one calendar month. AL Batavon reserves the right to extend this response time to two months where the request is particularly complex or your organisation has made multiple requests in short succession.
Right to rectification (A.16 GDPR)
You can request we complete or rectify incomplete or incorrect data held on file. These requests can be made verbally or in writing and we will respond within one calendar month. These requests will not be refused unless they are deemed to be ‘manifestly unfounded or excessive’.
Right to erasure (A.17 GDPR)
You can request we wipe your personal data from our systems or third-party processor systems we may have shared your data with. Requests will only be refused where the request is ‘manifestly unfounded or excessive’ and must be completed within one month. This right will not apply where a legal obligation has been relied upon as our lawful basis for processing, or where information may need to be retained for the defence or establishment of legal claims.
Right to restriction (A.18 GDPR)
You can request to restrict our processing of your personal data either verbally or in writing. Upon restriction we will continue to store, but not process, your data and subsequently we will only process restricted data with consent or for the establishment, exercise or defence of legal claims.
Data Portability (A.20 GDPR)
Where processing is based on an active consent you have the right to request a copy of all data held on file to be transferred to a new data controller. This will be delivered in a structured, commonly used and machine-readable form within one month.
Right to Object (A.21 GDPR)
Where processing is based on legitimate interests as a lawful basis you have the right to object to the use of your information. Where you are an individual you have an absolute right to stop your information being used for direct marketing. Following an objection, processing will not continue unless an extremely compelling reason exists to do so, of which you would be informed. Processing will be halted on objection within a month and without undue delay.
Automated Individual Decision Making
We do not currently use automated processing or profiling to make decisions using customer, employee or supplier data. Where this may be performed in future this would only be carried-out in compliance with GDPR, ensuring that this is necessary for a contractual or pre-contractual basis or is based on explicit consent. (A.22 GDPR)
Third Party Processing
Where we engage third parties to process data on our behalf, such as courier firms for delivery, we will ensure via a data processing agreement with the third party that the third party takes suitable measures to maintain our commitment to protecting data in compliance with GDPR.
The company may also disclose information where under a legal obligation. This includes exchanging information with other companies and organisations to prevent fraud.
International Data Transfers
The Company does not transfer personal data to any recipients outside of the EEA.
Data Breach Notification Procedure
All data breaches will be recorded on our Data Breach Register. Where legally required, we will report a breach to the Information Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach. More information on breach notification is available in our Breach Notification policy.
Records and retention
AL Batavon keeps records of its processing activities including the purpose for the processing and retention periods in its Data Record, in accordance for the GDPR requirements for companies with under 250 employees. These records will be kept up to date so that they reflect current processing activities.
The company keeps personal data only for as long as retention is deemed necessary for the specific purposes for which that personal data is processed. Data is retained in accordance with relevant laws and internal company guidelines.
Our appointed compliance officer is Ann Chidzey. You can contact our compliance officer with related queries at firstname.lastname@example.org.