GENERAL DATA PROTECTION REGULATION POLICY
Introduction and Aim
FusionFSM is a privately owned Sales & Marketing business operating in the foodservice market place based in office premises in Henley, Oxfordshire and Rochester, Kent. Our business activity is providing our clients with Sales, Marketing, Research and Consultancy services in the foodservice market place.
This General Data Protection Regulation (GDPR) policy applies to all of the company’s operations. The Directors are responsible to the Board of Directors for ensuring that the policy is implemented. However, all employees have a responsibility in their area to ensure that the requirements of the policy are met. In order to comply with all relevant and current legislation with regard to data protection, the Company and all its employees will adhere to the following:
Duties and Obligations as a Data Controller:
When collecting personal data from individuals in order to carry out the legitimate business of the Company, we will:
1. Maintain a written record, in electronic format, of the following:
1.1 where we have acquired the data from
1.2 what we intend to use it for
1.3 where it will be kept and how long we intend to keep the data
1.4 who will have access to the data
1.5 whether the data will be shared with any third parties
2. An annual audit will take place to document data flows within the company.
3. Ensure the data is kept safe and secured, password protected if in electronic format and locked safely away when not in use if in a printed format.
4. Avoid printing, where possible, copies of any personal data.
5. Keep the data only for as long as is necessary, which will be reviewed annually.
6. Remove data when requested by a customer.
7. Annual audits will take place in order to ascertain the data’s necessity to the company. Data will be removed at this time if the data is not deemed to be essential for the Company’s business needs.
8. Documentation is kept on the processes to identify and report Data Breaches to the relevant persons within FusionFSM.
9. Ensure that any data shared with third parties will be used within the guideline of GDPR.
10. Data Protection Awareness and Compliance training will be given to all employees.
Duties and Obligations as a Data Processor:
1. When processing personal data, the processor will do so in a controlled environment that will prevent the data being seen by an unauthorised third party.
2. When processing personal data on behalf of a Client, the employee managing the project will obtain from the Client explicit written instructions concerning the specific way in which they wish FusionFSM to use the data.
3. If any data is obtained from a client for a sales or research campaign, any data that was not already known to FusionFSM will be returned to the client on completion of the campaign. FusionFSM will not keep a copy of this data.
Legitimate Interest Assessment (LIA):
1. Much of the data held by FusionFSM is covered by the Legitimate Interest Basis (Article 6(100)) due to the business to business nature of the majority of FusionFSM’s communication.
2. Written consent will be obtained where this is not the case (individual employees, associates and sole traders).
3. This is covered in more detail in the FusionFSM LIA document (available on request).
Processing of Staff’s Personal Data:
1. The Company will process employees’ personal data in order to comply with all its legal obligations under current employment and social security law.
2. The Company will also process employees’ personal data for the purposes of recruitment, performance of the contract of employment, management, planning and organisation of work, equality and diversity in the workplace and health and safety at work.
3. The Company may, from time to time, share some of its employees’ personal data with a Third Party, in order for the employee to carry out duties under his / her contract of employment. Prior to sharing the data, the Company will obtain the employee’s consent in writing. The employee will have the right to withdraw this consent at any given time by giving the Company notice in writing.
4. After an employee has left the company, their data will be archived in case of future legitimate requirements to access the data. An audit will be held every year to ascertain whether or not this data is still required to be held. If not, it will be removed from the archive.
Monitoring and auditing:
Progress against the Company’s GDPR compliance will be monitored at Company Board Meetings.
This GDPR Policy is available on request. If you wish to obtain a copy or would like to discuss our Policy and Legitimate Interest Assessment Analysis, please telephone our Head Office on 01491 845 320.