GGR Group is fully committed to ensuring compliance with the requirements of data protection legislation, including the General Data Protection Regulation. The company has procedures in place with the aim of ensuring that all personnel employed within the group who have access to, control or process personal data collected and/or held by or on behalf of the GGR Group are fully aware of, and abide by, their duties in accordance with all relevant applicable legislation.
Statement of Policy
The company needs to collect and use information about people with whom it works in order to operate and carry out its lawful business functions. These may include members of the public, current, past and prospective employees, clients, customers and suppliers.
Additionally, the group may be required by law to collect and use information in order to comply with wider legal requirements. This personal information must be handled and dealt with properly however it is collected, recorded and used; this applies to all types of media, including paper/hard copy, electronic computer records or recorded by other means.
GGR Group regards the lawful and appropriate treatment of personal information as an integral and important source of data, to assist us in completing successful business operations. It is therefore essential to protect data received and to provide assurance, to all parties with whom GGR Group carries out its business, that the data we hold or use is properly protected. GGR Group fully endorses and will endeavour to adhere to all the Principles of the General Data Protection Regulation.
Handling Personal Data
Personal data is defined as any information relating to an identified or identifiable natural person.
Special category data is defined as personal data consisting of information as to:
- Racial or ethnic origin
- Political opinion
- Religious/philosophical beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life or sexual orientation
- Biometric data
GGR Group will, through management and use of appropriate controls, monitoring and review:
- Use personal data in the most efficient and effective way to deliver the best possible service to our clients
- Strive to collect and process only the data or information which is needed in accordance with the lawful basis principles set out in GDPR
- Use personal data for such purposes which will be made clear at the point of collection, or for purposes which are legally permitted
- Strive to ensure information is accurate
- Not keep information for longer than is necessary
- Securely destroy data which is no longer needed
- Take appropriate technical and organisational security measures to safeguard information (including against unauthorised or unlawful processing and accidental loss or damage of data)
- Ensure that information is not transferred abroad without suitable safeguards
- Ensure that there is general information made available to the public of their rights to access information
- Ensure that the rights of people about whom information is held can be fully exercised under the General Data Protection Regulation
These rights include:
- The right to be informed
- The right of access to personal information
- The right to request rectification
- The right to request erasure
- The right to restrict processing in certain circumstances
- The right to data portability
- The right to object to processing
The Principles of Data Protection
Anyone processing personal data must comply with 6 principles of good practice. These principles are legally enforceable.
Summarised, the principles require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures in accordance with the rights of data subjects under the Act.
The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and ‘special category’ data.
How We Process Your Personal Data
GGR complies with its obligations under the General Data Protection Regulation by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes:
- To undertake and deliver the training and testing services that individuals have requested.
- To process registration applications on behalf of third parties that we work in partnership with.
- To store customer information relevant to our business requirements, for example marketing and research, customer support and account handling.
Our legal basis for holding or processing personal information is based on one or more of the following criteria:
- We have gained the consent of the data subject;
- We need the data to aid in the successful performance of a contract with the data subject or to take steps to enter into a contract;
- We need the data for the purposes of compliance with a legal obligation;
- Processing is necessary for the legitimate interests of either GGR or any third party partners we work with, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Sharing Your Personal Data
Your personal data will be shared with third parties only once the data subject has authorised us to do so.
How Long We Keep Your Personal Data
We keep any personal data for no longer than reasonably necessary for us to meet our business needs and obligations and for the purposes that we acquired the data in the first instance.
Right to Withdraw Consent
We offer you the right to withdraw consent for the use of your personal data via a withdraw consent form notice.
This policy will be reviewed annually as a minimum, in line with the company management system review policy. The policy will also be reviewed following any change in legislation or following a breach or loss of personal data.
Chief Executive Officer Date: 20 April 2018