GDPR & Privacy Policy

Purpose
The aim of this Policy is to lay out clearly how Impact Sign Solutions Ltd. controls, holds and processes data in line with the requirements of the General Data Protection Regulations and the Data Protection Act 2018.

Impact Sign Solutions Ltd. will ensure that it follows the principles contained within the GDPR when dealing with personal and sensitive data:

• Data will be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Data will be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Data held and processed will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Data will be accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that is inaccurate is erased or rectified without delay.
• Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and in line with legislative and government recommended requirements for data retention.
• Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Responsibility for Data Privacy
Impact Sign Solutions Ltd. does not require the appointment of a Data Protection Officer for the following reasons:
• The Company is not a “public authority”.
• The “core or primary activities” of the company do not require regular and systematic monitoring of data subjects on a large scale.
Responsibility for Data Privacy within the business is held by:
Andy Borrow – MD Impact Sign Solutions Ltd. – andy@impactsignsolutions.co.uk

On a quarterly basis, Andy will advise on current policy and the results of internal auditing, and implement any changes required.

Data Definitions
Personal Data: This is data that can “identify” a person. Examples include name, photo, email address (personal or business), bank details, medical information etc.

Sensitive Data: This is information relating to medical records, religion, sexual orientation etc. and now also includes genetic and biometric data.

Employee Data
How Employee Data will be used:

As an employer, Impact Sign Solutions Ltd. needs to keep and process information about its employees for normal employment purposes. The information held and processed will be used for management and administrative purposes only and in order to enable the Company to run the business and manage its relationships with its employees effectively, lawfully and appropriately, during the recruitment process, whilst employed, at the time when employment ends and after leaving. This includes using information to enable the Company to comply with its employment contract, to comply with any legal requirements and pursue its legitimate interests.

It may sometimes be necessary to process employee data to pursue legitimate business interests, for example to prevent fraud, for administrative purposes or in reporting potential crimes. The Company will never process employee data where these interests are overridden by your own interests.

Much of the information we hold will have been provided by employees, but some may come from other internal sources, such as Line Managers, or in some cases, external sources, such as referees.

The type of information held includes (but is not limited to):

• Curriculum Vitae
• References
• Date of Birth
• Passport and Right to Work Information
• Contact and location information (Home address, telephone numbers and email addresses – work and personal).
• Contract of employment and any amendments to it
• Correspondence with or about the employee
• Information needed for payroll, benefits and expenses purposes
• Emergency contact details
• Records of holiday, sickness and other absence
• Records relating to employee career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records.
• Computer and Company Mobile Phone use
Employees will, of course, inevitably be referred to in many company documents and records that are produced by the employee and/or their colleagues in the course of carrying out their duties and the business of the company.
Where necessary, the Company may keep information relating to employees’ health, which could include reasons for absence and GP/Occupational Health reports and notes. This information will be used in order to comply with the Company’s health and safety and occupational health obligations – to consider how employee health affects their ability to do their job and whether any adjustments to that job might be appropriate. The company also needs this data to administer and manage statutory and company sick pay.

Data Based on Consent

There are two types of employee data that the Company holds/processes that will rely on obtaining consent from Employees:
• Employee Photos
• Occupational Health Referrals and GP Medical Report Requests
Where we are processing data based on consent, Employees have the right to withdraw that consent at any time.

Sharing Data with Third Parties

The Company will only disclose information about employees to third parties if legally obliged to do so or if it needs to comply with its contractual duties to its employees, for instance, if it is required to pass on certain information to an external payroll provider, pension provider or health insurance schemes.

Employee personal data will be stored for a period of 6 years following employment end, after which it will be securely shredded.

If the Company intends to process employee personal or sensitive data for a purpose other than that for which it was collected, the employee will be provided with information on that purpose and any other relevant information.

Customer Data
How Customer Data will be used:

The Company needs to keep and process information about its customers for business and contact purposes. The information held and processed will be used for service provision and administrative purposes only and in order to enable the Company to run the business and manage its relationships with its customers effectively, lawfully and appropriately.
The type of information held includes (but is not limited to):
• Customer Name and Company Name
• Contact details (telephone numbers, address and email addresses).
• Records and notes of customer meetings/discussions held.

Sharing Data with Third Parties

The Company may be required to share customer data (limited to contact and location details) with third party processors (such as courier companies).

The Company will not share customer data with any third-party processor for any purpose other than for legitimate business interests and provided these are not overridden by the interests of the Customer.

The Rights of the Individual

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) all individuals have a number of rights with regard to their personal data. All individuals have the right to request from the Company access to and rectification or erasure of personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.

Data Subject Access Requests (DSAR)

Individuals are allowed access to their personal data. The Company will provide a copy of this information free of charge; however, if requests are considered to be manifestly unfounded, excessive or repetitive, the Company will consider charging the individual a reasonable fee.

A Data Subject Access Request must be made to the MD (Andy Borrow). The Company will respond within one month of receiving this DSAR. Should a request be complex or numerous, the Company will reserve the right to extend this period to a further two months.

Individuals have the right to lodge a complaint with the Information Commissioner’s Office if they believe that the Company has not complied with the requirements of the GDPR or the Data Protection Act 2018 with regard to their data.

The Right of Erasure

The right of erasure does not provide the individual with a “right to be forgotten”. Individuals can request for personal data to be erased or to prevent processing in the following circumstances:

• Where data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When the individual withdraws consent (applies only to data where consent is required for processing).
• Where there is no legitimate interest for continuing the processing.
• If the data was unlawfully processed.
• To comply with a legal obligation.

There are some circumstances where the Company can refuse to comply with a request for erasure; this will be dependent on the type of data and the processing need.

Data Security

Impact Sign Solutions Ltd. takes the security of its data seriously. All processing and storage of data is subject to suitable security precautions relevant to the type and use of that data.

We protect the privacy of your information using highly secure, password-protected servers. The online and offline security measures we adopt protect information we have against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of or damage to personal data.

Any credit card or personally identifying information divulged to Impact Sign Solutions Ltd. via our website will be stored on secure servers and not released to any other party without your explicit written authorisation.

Pages on our website that request payment information are protected using SSL (Secure Socket Layer – see below) security, which encrypts any data transmitted. Once you enter a credit/charge card number, we will never display the entire card number if the page is recalled after you have submitted it. This also covers the use of the “Back” button on your browser. The inner digits will always be displayed as asterisks, protecting your card number from other users of your computer or anyone who happens to see the screen.

Data Breaches

The investigation and reporting of Data Breaches are the responsibility of the Data Privacy Committee and will be reported to the Information Commissioner’s Office in accordance with the reporting requirements of GDPR and the Data Protection Act 2018.

Impact Signs Privacy Policy

Who is collecting and using your personal data?
Impact Sign Solutions Ltd. will act as a “data controller” for any personal data that you provide to us.  As such, we will ensure that the data given to us is processed in line with your rights under the EU General Data Protection Regulations and associated data protection laws currently applicable in the UK.

Please note that failure to provide your personal data will not enable Impact Sign Solutions Ltd. to provide quotations or purchase orders, or to enter into a contract for the supply or purchase of goods and services.

Why are we collecting your personal data?
We are collecting your personal data for the following purposes:
Impact Sign Solutions Ltd. needs to keep and process information about its customers & suppliers for business and contact purposes. The information held and processed will be used for service provision and administrative purposes only and in order to enable the Company to run the business and manage its relationships with its customers effectively, lawfully and appropriately.
The type of information held includes (but is not limited to):
• Customer Name and Company Name
• Contact details (telephone numbers, address and email addresses).
• Records and notes of customer meetings/discussions held.

We rely upon the following laws to process your personal data:
Contract & Data Protection Act 2018 to fulfil Impact Sign Solutions Ltd.’s contractual obligations and for any preliminary work that is asked for before entering into a contract:

  • Provide a quotation
  • Create artwork
  • Provide an enquiry

Who will we share your personal data with?
Impact Sign Solutions Ltd. may be required to share customer data (limited to contact and location details) with third party processors (such as courier companies).
Impact Sign Solutions Ltd. will not share customer data with any third-party processor for any purpose other than for legitimate business interests and provided these are not overridden by the interests of the Customer.

How long will we hold your personal data?
Impact Sign Solutions Ltd. regularly reviews its information and erases personal data when it is no longer needed. Our reasons for keeping data are honouring our guarantees and retrieving technical details relating to a job, where repair, maintenance or a repeat may be required. For example, if a letter is broken, we would record the specific colour, font, material, thickness, size, fixing method, location etc. To do this we would need to retrieve the information by the company name or, if applicable, the individual.

Exercising your rights
Under the Data Protection Act 2018, the Freedom of Information Act 2000 and the EU General Data Protection Regulations you have the following rights:

  • The right of access to your own personal data
  • The right to request rectification or deletion of your personal data
  • The right to object to the processing of your personal data
  • The right to request a copy of the information you provide us in machine readable format
  • The right to withdraw your consent to any processing that is solely reliant upon your consent

Should you wish to exercise any of your rights, you should contact us here: info@impactsignsolutions.co.uk. Please note these rights are not absolute and each request will be treated individually in accordance with the applicable laws.

Your right to complain
If you wish to complain about the way that your personal data has been handled by Impact Sign Solutions Ltd. you should contact us here: info@impactsignsolutions.co.uk. Your complaint will then be investigated in accordance with our Customer Feedback/Complaints Procedure.

If you remain dissatisfied with the way your personal data has been handled, you may refer the matter to the Information Commissioner’s Office whose contact details are below.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email: casework@ico.org.uk