Scope: All applicants, employees, work experience and former employees.
C&C Metal Trading Limited values the personal information you provide and would not want to use your personal data in a way that you wouldn’t expect. Data is an important part of the employment relationship. This policy ensures that all data is collected, stored, retrieved and disposed of at C&C Metal Trading Limited in line with the General Data Protection Regulation (GDPR). The company is registered as a user of recorded personal details. Only relevant and authorised staff as designated by the Managing Director can access data stored and processed by the company.
Personal Data, under the GDPR, is defined as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
The list below is a non-exhaustive list of examples of personal data that C&C Metal Trading Limited may store:
Personal Data will be processed and safe guarded by staff within the HR Department and senior management as necessary. All personal data held by the company is:
Management shall ensure that we only obtain, store, use and disclose data in accordance with the policy and must assist in the monitoring of the policy and answering individuals’ concerns.
The term ‘processing’ relates to the handling, storing and use of data as described above. C&C Metal Trading Limited process personal data for applicants, current employees and former
employees in line with employment and other legislation, the company keep personnel files for no longer than is necessary. Common practice in the UK is 6 years after the employee has left, or 3
months if an application was made but unsuccessful.
The company holds personal data (as specified above) on current employees for the following reasons:
The company holds personal data (as specified above) on applicants for the following reasons:
These reasons are referred to as “legitimate interests” and are in place to ensure safe and lawful employment, and are not held longer than is legally necessary. When destroyed, personal data is
shredded and disposed of securely.
Under GDPR all current and former employees have the following rights:
All individuals have the right to know what information is held on them and how it is processed.
At application to join the company, all personal data such as CV’s, application forms, interview and assessments will be held by the HR department for a maximum of three months.
All employees complete an induction with C&C Metal Trading Limited which provides the company with the information needed to legally employ them. This includes contact details, occupational
health details, equal opportunities details and right to work and drive in the UK details. The information will need to be updated regularly to ensure accuracy, and outdated information will be
disposed of by shredding.
The information will be collected by managers/trainers and sent to HR for processing. No copies or scans will be kept by the site. The HR staff will then enter it onto the HR system for reasons stated in the Personal Data section of this policy. The essential and relevant details will be shared securely with the Payroll department to ensure all employees are added and paid correctly.
There may be occasions where, if a fine is received for an employee occurring a fine whilst driving a company vehicle, where selected personal information will be shared with the insurance
department to process the fine. There may also be times in an emergency where contact details are given to carefully selected third parties, such as a manager who is concerned about an
employee; emergency services in case of an accident; references for former employees; or a lawyer for any legal cases involving the relevant employees. This will have minimal to no impact on
employees, however any concerns should be raised to the HR or Health and Safety Department.
For specifics on their own data, the individual should contact the HR Department.
All individuals are entitled to access information the company holds on them; this includes physical files, electronic files, OpenHR records, payroll records and emails. All current and former
employees also have the right to confirm their data is being/has been processed.
To gain access, a “Subject Access Request” form must be submitted and sent to HR. All requests will be acknowledged without unreasonable delay, and information given to the employee within
one calendar month. However, where a large quantity of data has been processed, it may not be reasonable to process it within one month. Where this happens the employee will be written to with
an extension of no more than two calendar months.
Where an access request is made, the company reserve the right to identify the employee requesting the information. If a request is made via email, then the information will be returned to
the employee via the same method of communication unless specified otherwise, in a universal format.
Access is free of charge, however if an employee requests information that is (1) unfounded and/or (2) excessive and/or repetitive of a previous request, a reasonable fee may be charged to cover
cost of administrative resources used providing the information.
All individuals have the right to correct or amend any information on them if inaccurate or incomplete. If, for a reason as stated in the “Right to be Informed” section, employee personal data
has been shared with a third party, the data given will be rectified and the relevant employee informed.
All rectification requests should be addressed to the HR Department, who will complete the request in no more than 1 calendar month. If no action is taken, the HR Department will write to the
individual with a justification and explanation for next steps.
This is also known as the right to be forgotten, and applies to all individuals who wish to have their personal data removed or processing stopped. Where this is the case, the employee/former
employee must put their request in writing to the HR department and specify the reasons. Under the GDPR act, the following reasons are acceptable for data to be erased or processing stopped:
The company has the right to refuse a request for any of the following reasons:
Processing personal data is the action of, or intention to, use data held on an individual. All individuals of whom the company hold personal data for have the right to restrict or bock the
processing of their data. If this is the case, the company may still store the data but it will not be used.
Personal data can be restricted when:
In some cases, the data may be able to continue to be stored but not used for processing, and in which case there will be enough data stored to ensure the restriction is respected. The restriction
will also apply to any data shared with a third party organisation. If an individual wishes to restrict data, a request must be made to the HR department in writing.
All individuals have the right to access their own information, which they provided to the company, in order to use their data elsewhere. Where this is the case the individual should make their
request to the HR department in writing. The request should specify:
The HR department will complete the request without unreasonable delay and within 1 calendar month of receipt. Where the quantity of data is large or complex, this may be extended by the HR
department by explaining, in writing, the reason and duration of extension as long as it is for no longer than two further months. The output from the request will be structured and produced in a
common and easy to access format. Where the data requested will identify a second individual, the company will assess whether the processing of the request will impact on them before complying.
All individuals have the right to object to:
Where this is the case the individual must put their objection in writing to the HR department. The company will stop any processing of the individuals’ data unless:
All individuals have a right to object to the processing of their personal information from the first point of interaction, and must be presented clearly and separately from other information.
Rights in Relation to Automated Decision Making and Profiling
The company do not use automated decision making or profiling for prospective, current or former employees, nor do we engage with third party suppliers to provide these services on our behalf.
Any young person who engages with C&C Metal Trading Limited who are under the age of 16 will be presented with the same information and data forms as a regular employee. However, a parent/guardian must sign to agree to the storing of their personal data.
Due to the nature of the business, and the licences surrounding the operation of vehicles, it is likely the only individuals that will engage with C&C Metal Trading Limited in an employment relationship will be those undertaking work experience. Where this is the case any personal data held on the individual, such as emergency contact details and dates of work experience, will be archived three months after their work experience ends. All details during this three month period will be stored securely by HR so that no other persons will have access to their personal information. All information regarding this will also be explained to their parent/guardian and school to ensure transparency in our processes.
It is the responsibility of every individual to comply with the GDPR. Personal data should only be shared if it (1) belongs to you and (2) no one else can be identified from your personal data or (3)
you have the authorisation from the person whom the data is regarding.
Data can be in paper or electronic format, and access to this will only be available to senior management and individuals who have special functions, such as Human Resources, Health and
Safety, and Accounts.
All computerised data is password protected, therefore only allowing access to the authorised personnel. Electronic systems available for company use, which is used to store or process
personal data are:-
All paper-based personnel files containing data are stored in locked cupboards in Head Office, with restricted access to the keys and files. All archived personal data are stored in the same way.
Other recording devices which may be introduced or are currently in existence are:-
A personal data breach is identified as any personal data that has had a breach of security leading to destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. All cases will be assessed on their individual merits to determine the severity of the breach before any action is taken. Where there is a serious data breach that will likely cause risk to the rights and freedoms of individuals, the company will report it to the Information Commissions Office. The company have their own extensive security systems, procedures, assessments and audits in
place to ensure that a data breach does not occur. Any data breach of personal data relating to an individual will be thoroughly investigated by the senior management of the company.
It is expected that all individuals employed or undertaking work experience will comply with data protection regulations. Individuals must obey this policy and not store or disclose personal data
without the permission of the Company Secretary and the individual concerned. Where an individual is found to have breached the policy or GDPR act, a full and thorough investigation will be held. Breaches of this policy may constitute gross misconduct and be dealt with in accordance with the disciplinary policy and procedure.
The policy will be reviewed on an ongoing basis. It will be necessary to meet the demands of new technology and systems in general and staff will be informed if there are any changes which affect
C&C Metal Trading Ltd