14 GDPR 

14.1 Employee Data Protection Policy (GDPR Compatible) 

During your employment, the Company will keep certain details relating to your employment on file. These details may be held centrally, electronically or locally within personal files. Your acceptance of the terms of this contract gives the Company explicit authority and permission to hold such data in accordance with the principles of GDPR Guidelines. 

From time to time, the information kept may be used for various purposes in the normal course of your employment. However, information will not be disclosed to third parties unless the disclosure is authorized by you or is required in order to meet a statutory requirement or where the disclosure has been instructed. The purpose of this policy is to; 

• comply with the law 

• following good practice 

• protecting clients, staff and other individuals 

• protecting the organisation 

Types of data 

• Employee information 

• Customer information 

• Policy statement 

14.2 The right to be informed 

Every employee of this company has the right to know how the company is processing their information and where it is stored. The details of the information will be provided at their induction, General information that we will provide include what craft Locals will be using the information for, and who you’ll share it with. 

14.3 The right of access 

• We will seek to maintain accurate information and require employees to inform the Human Resources department of any changes to their information as soon as possible. 

• Information about Data Subjects will not be disclosed to other organisations or to individuals who are not members of our organisation, staff or trustees except in circumstances where this is a legal requirement, where there is explicit or implied consent or where information is publicly available elsewhere. 

• Data Subjects will be entitled to have access to information held about them by us and for what purpose within 30 days or submitting a request, this request can be taken by your Manager, company director or the HR and compliance Manager. 

• You may at any time request to see the contents of any files, documents or electronic data that relates to you. This information will normally be provided within 30 days of your request at no charge. 

14.4 The right to rectification 

The individual is entitled to request that their data rectified – if it’s inaccurate, out of date or incomplete. In order to make a request for rectification, you should ask either the date Controllers or parties acting on behalf of the data controller: 

The data controller should; 

• Inform the individual about third parties you have sent their data to where appropriate 

• Inform those third parties that the data is being rectified, where possible 

• Comply with a request for rectification within one month. This can be extended by two months if a request is complex. 

14.5 The right to erasure 

An employee has the right to request to have their data removed when there’s no reason to continue processing it, the individual’s right to be forgotten is only under specific circumstances. This includes: 

• Where processing data is no longer necessary for the purpose it was first collected 

• When an individual has objected to having their data processed or has withdrawn consent 

• data was unlawfully processed, so is in breach of GDPR 

It’s important to know that: 

• In certain circumstances, you can refuse a request to erase an individual’s data. This includes if it’s being processed to comply with a legal obligation for performing a task that’s been carried out in the public’s interest. Other examples include refusal for public health purposes, or the exercise of legal claims. 

• The right also is not limited to processing that causes the individual damage or distress, as current per Data Protection Act guidelines. However, any damage or distress caused is likely to make an individual’s case for erasing their data stronger. 

14.6 The right to restrict processing 

Employees have the right to block or suppress the processing of their data for the following reasons, including: 

• If the company no longer needs the data, but the individual needs it to establish or defend a legal claim. 

• When processing is restricted, the company is allowed to store that data but not process it any further and retain enough information to ensure a restriction is respected. 

14.7 The right to data portability 

The right to data portability only applies where the individual in question has provided the data, if processing is based on the individual’s consent or to perform a contract and when processing is done by automated means. 

14.8 The right to object 

The employee has the right to object to their data being processed. If it is concerned with processing being based on three areas: 

• Legitimate interest, or performing a task in the public interest or an exercise of official authority, including profiling 

• Direct marketing 

• For purposes of scientific/historical research and statistics 

• This must be carried out free of charge and within one month. 

When an Employee objects to processing that’s based on legitimate interest or research, they should have “grounds relating to their particular situation” for their request to be accepted. When processing concerns research, the company is not required to comply with an objection where the processing is necessary for the performance of a public interest task 

Rights in relation to automated decision making and profiling 

An employee has the right not to be subject to a business’s automatic decision making in certain circumstances. Craft Locals will provide safeguards for an individual against the risk that it might make a potentially damaging decision, without human intervention. 

The right “not to be subject to a decision” applies when it’s: 

• Based on automated processing 

• Produces a legal effect or a similarly significant effect on an individual 

For an Employee to have this right, the company will ensure that they can obtain human intervention and express their point of view and will also ensure they’re able to receive an explanation about an automated decision and challenge it. 

Profiling according to GDPR is as follows; 

• The GDPR states that profiling is any form of automated processing which is used to analyse or evaluate an individual’s personal details. This includes their health, behaviour, personal preferences, performance at work, economic situation, and where they live. When processing data for profiling, Craft Locals will ensure: 

• It’s fair and transparent by providing meaningful information, including the significance and expected consequences 

• They will implement measures, so you can correct inaccuracies and minimise the risk of errors • That personal data is secure in a manner that is proportionate to the risk to the rights and freedoms of individuals and to prevent discriminatory effects. 

© 2017 Craft Locals LTD