Data Protection (GDPR) Policy
General Statement of Gama Electronics’s Duties and Scope
Gama Electronics (Gama) is required to process relevant personal data regarding members of staff, volunteers, applicants and customers as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.
Data Protection Controller
The appointed Data Protection Controller (DPC) will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998. The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy.
This will be the responsibility of the Managing Director of Gama Electronics.
Gama recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) .
Gama shall, so far as is reasonably practicable, comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data:-
- Be obtained fairly and lawfully to be processed
- Processed for a lawful purpose only
- Be adequate, relevant and not excessive
- Be accurate and up to date
- Will not be kept for longer than necessary
- Shall be processed in accordance with the data subject’s rights
- Kept secure
- Not transferred to other countries without adequate protection
- Data: any information held by Gama for the purposes Gama business.
- Data Subject: an individual who is the subject of the personal data.
- Sensitive Data: information that would identify a specific individual who is the subject of the personal data.
- Personal Data: any information held about a living person.
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary. Personal data may also include sensitive personal data as defined in the Act.
Processing of Personal Data
Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data, and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.
Processing covers almost anything which is done with or to the data, including:
- Obtaining data
- Recording or entering data onto the files
- Holding data, or keeping it on file without doing anything to it or with it
- Organising, altering or adapting data in any way
- Retrieving, consulting or otherwise using the data
- Disclosing data either verbally, giving it out or by sending it on email, or simply by making it available
- Combining data with other information
- Erasing or destroying data
Sensitive Personal Data
Gama may be required to process sensitive personal data. Sensitive personal data includes data relating to financial information, Taxation information, medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.
Rights of Access to Information
Data subjects have the right of access to information held by Gama, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the DPC. Gama will endeavour to respond to any such written requests as soon as is reasonably practicable.
The information will be imparted to the data subject as soon as is reasonably possible after it has come to Gama’s attention and in compliance with the relevant Acts.
Certain data is exempted from the provisions of the Data Protection Act which includes the following:-
- National security and the prevention or detection of crime
- The assessment of any tax or duty
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Gama, including Safeguarding and prevention of terrorism and radicalisation
The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPC.
Gama will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.
If an individual believes that Gama has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should utilise the Gama grievance procedure.
Gama will take appropriate technical and organisational steps to ensure the security of personal data.
All Gama staff are responsible for ensuring that:
- Any personal data, which they process, is kept securely.;
- Personal information is not disclosed accidentally or otherwise to any unauthorised third party.
All staff will be made aware of this policy and their duties under the Act.
Gama, and therefore all staff, are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems.
Should the need arise, Gama must ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
Retention of Data
Gama may retain data for differing periods of time for different purposes as required by statute or best practices. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data. Normal Data will be destroyed after 10 years
Gama will keep central personnel records indefinitely. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references.
Compliance with the Act is the responsibility of all staff of Gama. Any deliberate breach of the data protection policy may lead to disciplinary action being taken or even a criminal prosecution.
Gama owns and operates a CCTV Security System for the purposes of crime prevention and detection, and Safeguarding.
Where a data subject can be identified, images will be processed as personal data.
Download as a PDF: Gama Electronics – Data Protection (GDPR) Policy