Privacy Policy
Fair and lawful processing
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
The Company's responsibilities:
· To keep up to date about data protection responsibilities, risks and issues
· To review all data protection procedures and policies on a regular basis (annually).
· To arrange data protection training and advice, as appropriate, for all staff members and those included in this policy
· To answer questions on data protection from staff, customers and suppliers.
· To respond to individuals such as clients and employees who wish to know which data is being held on them by Battlefield Beers.
· To check and approve any contracts or agreements regarding data processing with third parties that handle the company’s data, e.g. accountants, pensions providers etc.
· To ensure all members of staff are aware of their obligation to report actual or potential data protection compliance failures, in order for an investigation to take place.
The processing of all data must be:
· Necessary to deliver our services
· In our legitimate interests and not unduly prejudicial to the individual's privacy
This provision will apply to routine business data processing activities.
Privacy Notice
Our Terms & Conditions of Business contain a Privacy Notice to customers on data protection.
The notice:
· Sets out the purposes for which we hold personal data on customers and employees
· Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
· Provides that customers have a right of access to the personal data that we hold about them
Sensitive personal data
In all cases if the company is to process sensitive personal data, we would require the data subject's explicit consent to do this, unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Accuracy and relevance
The company will ensure that any personal data it processes is accurate, adequate, relevant and not excessive, and the purpose for which it was obtained is clearly stated as necessary. The company will not process personal data obtained for one purpose for any unconnected purpose, unless the individual concerned has agreed to this, or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them.
Personal Data
All staff must take reasonable steps to ensure that personal data the company holds about them is accurate and updated as required.
The company understands that the accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
Data security
The company must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, e.g. accountants for payroll, the company will ensure that data security arrangements are in place.
Storing data securely
· In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it, namely in the office areas of the unit within a folder.
· Printed data should be shredded when it is no longer needed
· Data stored on a computer should be protected by strong passwords known only to relevant staff.
· Data stored on CDs or memory sticks must be stored securely when they are not being used
· Servers containing personal data must be kept in a secure location, away from general office space
· Data should be regularly backed up in line with the company’s backup procedures. Data is backed up daily.
· Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
· All servers containing sensitive data must be approved and protected by security software and a strong firewall.
Data retention
· The company must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines. Employee records are kept for six years after termination of their contract. Customer records are kept until the company no longer trades with the customer.
Transferring data internationally
· Under normal circumstances, the company does not transfer data outside the UK.
Under the Data Protection Act 1998, individuals are entitled, subject to certain exceptions, to request access to information held about them.