Data Protection Policy
Updated: February 2024
Date of next review: February 2025
Introduction
In order to run our business, we collect information about the people with whom we work. These are known as ‘data subjects’ and may include shareholders, directors, employees, customers or suppliers, current, past and prospective.
This personal information is handled according to the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Privacy and Electronic Communications Regulations (“PECR”) and all related UK regulations (collectively known as “DP Laws”) in the course of complying with our obligations as an employer and/or dealing with issues arising from the provision of goods and services to the public. The Act gives certain rights to people whose ‘personal data’ we may hold. We consider that the secure and ethical treatment of personal data is integral to our successful operations and to maintaining the trust of the persons we deal with.
WCF Ltd is registered to process personal data and is named as the Data Controller under the register kept by the Information Commissioner.
WCF Ltd has privacy policies for all its data subjects, which are published online and provided to data subjects in the appropriate manner. We also have detailed policies for each category of subject, intended to help our employees process this personal data in accordance with the requirements of the DP Laws, and we provide periodic training to help them fulfil their roles in respect of personal data.
Information covered by DP Laws
The Act uses the term ‘personal data’, which essentially means any recorded information held by us from which a living individual can be identified. It covers a variety of information, including names, billing and delivery addresses, telephone numbers, e-mail addresses and other personal details, as well as digital information such as social media metadata and IP addresses.
Data Protection Obligations
WCF is committed to processing personal data in compliance with the principles below and to demonstrating such compliance. The fundamental “Principles” relating to the processing of personal data are that it should be:
- Processed fairly and lawfully and in a transparent manner;
- Obtained only for specified, explicit and legitimate purposes and not used for other purposes;
- Adequate, relevant and limited to what is necessary for the purpose for which it is processed;
- Accurate, kept up to date and, where it is inaccurate, erased or rectified without delay;
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which that personal data is being processed;
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- Processed in accordance with the rights of data subjects under the GDPR; and
- Not transferred outside of the European Economic Area except where specific conditions are met.
Lawful Basis
WCF relies on one of the following as the legal basis on which it processes personal data:
- Where it is necessary for the performance of our contract;
- Where it is necessary for compliance with our legal obligations;
- Where it is necessary for the purposes of WCF’s legitimate business interests; and, in some cases,
- Where the data subject has given their consent for the processing of their personal data.
WCF may also rely on the following legal bases for processing personal data (although this is likely to be rare):
- Where we need to protect the data subject’s vital interests (or someone else’s vital interests); or
- Where it is needed in the public interest.
Individuals’ Rights
Data subjects have other rights under DP Laws in relation to their personal data. These include:
- The right to request that we rectify or erase information held about them without undue delay (“right to be forgotten”);
- The right to ask us to limit the processing of this information;
- The right (if we are processing information based on consent, such as for marketing purposes) to withdraw such consent;
- The right to object to certain processing of personal information (including the right to object to processing of personal data for direct marketing purposes at any time); and
- The right to obtain and re-use their data (i.e. ask us to move, copy or transfer it to another organisation).
Subject Access Requests
All data subjects have the right at any time to request to see personal information held about them either digitally or on file. All such requests must be in writing and should be forwarded immediately to our Company Secretary Pam Murray at Crawhall, Brampton, Cumbria, CA8 1TN or pam.murray@wcf.co.uk. We have 30 working days to respond to the request and provide data subjects with a copy of all the relevant personal information we hold about them. Where we are unable to provide the data this will be clearly communicated.
Our Commitment
We are committed to taking all reasonable steps and measures to ensure that:
- We comply with DP Laws and follow good practice;
- We protect the rights of the data subjects whose personal data we hold;
- We are open about how we capture, process and retain personal data;
- We only hold personal data that is accurate and up to date and promptly rectify or delete any inaccurate data;
- We only utilise personal data for the purposes for which it was obtained;
- We do not hold personal data for any longer than is necessary for the purposes for which it was obtained;
- We put in place appropriate security measures against unauthorised or unlawful processing of personal data held and against accidental loss or destruction of, or damage to, such data;
- We do not disclose personal information to any third party except as set out in our Privacy Policies;
- We carry out due diligence on our third-party data processors to verify that they have appropriate technical and organisational measures to protect our personal data;
- We do not transfer any personal data outside the European Economic Area (“EEA”) without the appropriate safeguards;
- We deal with any subject access requests promptly and courteously;
- We report any unlawful access to the ICO in accordance with DP Laws;
- We will carry out regular reviews of our data policies and ensure that our Privacy Policies are updated; and
- We ensure that our employees are appropriately trained to understand the contents of our data policies and their contribution to compliance with the requirements of the DP Laws.