In order to serve our clients effectively, Matthews Environmental Solutions UK Limited (MES) may have to collect and use information about its customers and the suppliers with whom we work.
The lawful and appropriate treatment of information is important to MES’ successful operation and to maintaining confidence between us and those with whom we undertake business. How MES manages client and supplier data complies with the principles of the General Data Protection Regulation (GDPR).
This policy applies to client and supplier data kept by MES, in manual and electronic form, and includes how MES will respond to any data breach and other rights under the GDPR.
|Company||Matthews Environmental Solutions|
|Controller||A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.|
|Data||Information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include
|Any operation or set of operations which is performed on client data or on sets of client data, supplier data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Processor||A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.|
3. DATA PROTECTION PRINCIPLES
Under GDPR, all data obtained and held by MES must be processed according to a set of core principles. In accordance with these principles, MES will ensure that:
a) Processing will be fair, lawful and transparent.
b) Data will be collected for specific, explicit, and legitimate purposes.
c) Data collected will be adequate, relevant and limited to what is necessary for the purposes of processing.
d) Data is not kept for longer than is necessary for its given purpose.
e) Data will be processed in a manner that ensures appropriate security of client data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.
f) We comply with the relevant GDPR procedures for the international transfer of client data.
4. TYPES OF DATA HELD
The types of data we hold include:
b) Client details such as name, address, phone numbers, email addresses and correspondence.
c) Information about client sites, their equipment, and operational information such as the types and volume of waste to be incinerated.
d) Supplier details such as name, address, phone numbers, email addresses and correspondence.
All of the above information is required for our processing activities.
5. INDIVIDUAL RIGHTS
You have the following rights in relation to the client data we hold on you:
a) The right to be informed about the data we hold on you and what we do with it.
b) The right of access to the data we hold on you. More information on this can be found in the section headed ‘Access to Data’ in Section 8.
c) The right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’.
d) The right to have data deleted in certain circumstances. This is also known as ‘erasure’.
e) The right to restrict the processing of the data.
f) The right to transfer the data we hold on you to another party. This is also known as ‘portability’.
g) The right to object to the inclusion of any information.
In order to protect the data of relevant individuals, those within our business who must process data as part of their role have been made aware of our policy on data protection.
7. LAWFUL BASIS OF PROCESSING
MES acknowledge that processing may only be carried out where a lawful basis for that processing exists.
8. ACCESS TO DATA
MES’ clients and suppliers have a right to access the data that the Company maintains about them. To exercise this right, they should make a subject access request. MES will comply with the request without delay, and within one month unless, in accordance with legislation, we decide that an extension is required. Those who make a request will be kept fully informed of any decision to extend the time limit.
9. DATA DISCLOSURES
The Company will only disclose or allow access to client or supplier data to our employees or third parties who:
• Have had relevant training in data protection and security, integrity and confidentiality of personal data.
• Only use that data for the purpose of their job function.
• Will only process the data on strict instructions from the controller.
10. DATA SECURITY
Where data is computerised, it will be encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
11. THIRD PARTY PROCESSING
Where MES engage third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes such measures in order to maintain the Company’s commitment to protecting data.
12. REQUIREMENT TO NOTIFY BREACHES
Where legally required, we will report a breach to the Information Commissioner’s Office within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach.
New employees who will have access to Company data are required to read and understand the policies on data protection as part of their induction.
Employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
The nominated data compliance officers for MES are trained appropriately in their roles under the GDPR.
All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of MES’ policies and procedures.
14. DATA PROTECTION COMPLIANCE
Any queries with regard to the compliance of data protection activities shall be forwarded to: SHEQ@matw.com
Director of Engineered Systems