General Data Protection Regulation Policy
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018.
GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that individuals' data is not processed without their knowledge and is only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Grax Limited is committed to protecting the rights and freedoms of individuals with respect to the processing of personal data.
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
Grax Limited is registered with the ICO (Information Commissioner's Office) under registration reference ZA336739 and has been registered since 4th April 2018.
GDPR includes the following rights for individuals:
- The right to be informed
- The right of access
At any point an individual can make a request relating to their data, and Grax Limited will need to provide a response (within 1 month). Grax Limited can refuse a request if we have a lawful obligation to retain data, i.e. from HMRC, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
- The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. Staff records must be kept for 6 years after the member leaves employment, before they can be erased. This data is archived securely.
- The right to restrict processing
Customers and staff can object to Grax Limited processing their data. This means that records can be stored but must not be used in any way.