UK GDPR and EU GDPR Statement
This statement sets out FCS (UK) Limited and the FCS group of companies’ (the “Group”) approach to Data Protection, in line with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”) and where applicable the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”).
Together the “Applicable Data Protection Laws”.
How will the Group comply with the Applicable Data Protection Laws?
We have reviewed (and updated where necessary) all our internal processes, procedures, data systems and documentation to ensure that we are compliant with the Applicable Data Protection Laws.
Our Data Protection Principles are:
Data is processed fairly, lawfully and in a transparent manner
We will only collect, process and share personal data fairly and lawfully and for specified purposes. The Applicable Data Protection Laws restrict our actions regarding personal data to specified lawful purposes ensuring that we process personal data fairly and without adversely affecting the individual whose personal data is being processed, being a data subject.
Data is processed only for specified and lawful purposes
We will process personal data only based on one or more of the lawful bases set out in the Applicable Data Protection Laws, which includes consent. Where consent is the lawful bases then individuals will be asked for their consent either by way of a statement or a positive action. We will ensure that individuals are able to withdraw their consent as easily as they have given it. We will keep records of all consents captured to ensure compliance with the requirements of the Applicable Data Protection Laws.
We will review our consents from time to time to ensure that they are still relevant to the original purpose for which they were sought. We will not rely on consent unless it relates to the specific purpose the individual provided consent for.
Where we transfer personal data outside of either the UK or the EEA, we will inform the relevant individuals and set out the reasons for this and provide them with the documentation to show adequacy of security.
If the personal data includes any special category data then we will process this in accordance with the Applicable Data Protection Laws and where necessary obtain explicit consent.
Processed data is adequate, relevant and not excessive
We will only hold personal data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. We will therefore only collect, hold and process personal data that we need to provide our products and services to you. Furthermore, any personal data which is no longer needed will be deleted in accordance with company guidelines.
Processed data is accurate and, where necessary, kept up to date
We aim in all circumstances to only hold personal data which is accurate and kept up to date. Where inaccuracies are identified, they will be corrected without delay. We have procedures in place to ensure that personal data held and processed by us is reviewed on a regular basis to ensure it is accurate and up to date.
Data is not kept longer than necessary
We will only keep personal data for as long as it is required in accordance with the original purpose for which it was provided to us by the individual.
We will maintain retention policies and procedures to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. We will delete all records of personal data which is no longer required in accordance with company procedures.
Data is processed in accordance with an individual’s consent and rights
We acknowledge that individuals have rights when it comes to how we handle their personal data. These include rights to:
- Withdraw consent to processing at any time;
- Receive certain information about our processing activities;
- Request access to the personal data that we hold on them;
- Prevent our use of their personal data for direct marketing purposes;
- Ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
- Restrict processing in specific circumstances;
- Challenge processing which has been justified based on our legitimate interests or in the public interest;
- Request a copy of an agreement under which personal data is transferred outside of the EEA;
- Object to decisions based solely on automated processing, including profiling;
- Prevent processing that is likely to cause damage or distress to the individual or anyone else;
- Be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
- Make a complaint to the supervisory authority; and
- In limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
In each of the above cases, we will verify the identity of an individual requesting data under any of the rights listed above and will reply within the timescales required in the Applicable Data Protection Laws.
Data is kept secure
We will protect personal data by using appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks (including use of encryption and pseudonymising where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
Data is not transferred to countries outside the UK or the EEA without adequate protection
The UK GDPR and the EU GDPR restrict data transfers outside (1) the UK and (2) the EEA to ensure that the level of data protection afforded to individuals is not undermined.
We will only transfer personal data outside of the UK (in the case of FCS (UK) Limited) or the EEA (in the case of Forensic & Compliance Systems Limited) where the appropriate safeguards are in place, such as by having international data transfer agreements (approved by the Information Commissioners Office) or standard contractual clauses (approved by the European Commission) in place with third parties where personal data is transferred outside either the UK or the EEA. We will inform our clients and suppliers that the individuals’ personal data is being transferred outside the UK or the EEA and seek their explicit consent for this transfer.
For more info
FCS (UK) Limited has many years’ experience of advising and installing the Cryoserver software solutions to customers.
FCS (UK) Limited is a company registered in England and Wales, with company number 5940018.
FCS (UK) Limited is a BMTRADA ISO/IEC 27001:2013 accredited company, Certificate No: 170 ensures we adhere to stringent processes for keeping our personal data and our customers’ personal data secure.
FCS (UK) Limited is registered with the Information Commissioner’s Office under Registration Number ZA123425.Blog