Privacy Policy

SECTION ‘A’ THE POLICY 

Layout of this document

This document comprises two sections and a number of supporting Protocols:

Section ‘A’: The Policy, which is supported by

Section ‘B’: A number of associated Annexes containing associated Processes and Protocols.

Introduction

Rensair Ltd. (RENSAIR LTD.) is a commercial enterprise that is registered in the United Kingdom. It is therefore obliged to protect all personal data it processes in compliance with the General Data Protection Regulations 2018. In addition to these requirements, as a professional company, RENSAIR LTD. is passionate about protecting the personal data[i] and Special Categories of Personal Data[ii] (previously Sensitive Personal Data) of those who interact with it, be that in relation to RENSAIR LTD.’s services and products, those employed by it, and those who, for whatever reason, share their personal data with the company.

RENSAIR LTD. is the Data Controller[iii] and is responsible for ensuring that all necessary processes and protocols are in place to ensure that the organisation fully complies with the requirements of the General Data Protection Regulations 2018 (GDPR), the Regulations that govern all aspects of the processing of personal data within the European Union.

Policy responsibility

The Managing Director of RENSAIR LTD. has overall responsibility for ensuring that this policy is managed, reviewed and implemented effectively. Day-to-day implementation is the responsibility of the Group Data Protection Officer[iv] (DPO). This Policy applies to ALL offices, businesses and remote working locations within the RENSAIR LTD. European sphere of operation.

RENSAIR LTD. Registered with the ICO

In compliance with requirements of the GDPR and Information Commissioner’s Office, RENSAIR LTD. is registered with the ICO for the purposes of processing the personal data of employees, clients, customers and others who in the process of business pass personal data to RENSAIR LTD.

Intention and application of the document

This Policy has been published to give shape, form and substance to RENSAIR LTD.’s desire to fulfil its requirements under GDPR. Its application is fully supported by the Directors and Senior Management of the company. The Policy and its associated processes and protocols fully apply to ALL who are directly employed by RENSAIR LTD. or who undertake activities related to personal data on behalf of RENSAIR LTD. Failure to comply with any or all of the requirements of this Policy and its Annexes will result in an investigation of the compliance failure and may lead to disciplinary action being taken. In certain circumstances this may lead to dismissal or the cancellation of contracts.

Who does the policy apply to?

The policy applies to:

  • ALL RENSAIR LTD. employees.
  • Directors and Board Members.
  • Contractors/Consultants or those who provide services that interface with any or all personal data processed by or that comes into the possession of RENSAIR LTD.

Any suspected, actual or potential breach of the policy, whether unintended or otherwise, must be reported immediately (no time delay is permissible) to the relevant manager AND the Data Protection Officer who will take all necessary steps to manage and mitigate the impact of a breach. The DPO will put in place remedial actions to prevent a recurrence of the incident.

GDPR, what is it?

The GDPR came into force on 25th May 2018 and it replaced the previous Data Protection Act 1998. The introduction of the GDPR 2018 places a higher and more stringent requirement on Data Controllers and Data Processors to protect personal data that comes into their possession. This applies equally to hard copy and electronic formats and any combination of the same. Data Controllers must:

  • Use personal data only in a way that is consistent with what the Data Subject was informed of and agreed to at the time of gathering the data;
  • Keep the data safe;
  • Ensure that the Data Subject remains in control of the data at all times; and
  • Only keep the data for as long as it is necessary to do so.

The GDPR reflects the tension between the rights of the Data Subject and that of the Data Controller to, in this case, undertake business activities that require the processing of the personal data belonging to the Data Subject. However, unless there is a legitimate and demonstrable overriding legal or regulatory reason for doing so, the rights of the Data Subject as listed below will always take precedence over the rights of the Data Controller. An example of this would be the passing of personal information relating to a member of RENSAIR LTD. staff to HMRC or if RENSAIR LTD. were directed to pass personal data by a Court of Law.

GDPR EU Legislation – UK Compliance

GDPR is EU Legislation; however, whatever action results from the Brexit negotiations, the UK Government has stated that the UK will continue to be fully GDPR compliant or will conform to the pending UK Data Protection Bill, which has been designed to totally mirror EU GDPR regulations and will be brought into law on the UK leaving the EU.

Personal data – what is it?

The GDPR regulations indicate that personal data is primarily data ‘that relates to a living individual who can be identified from that data or from that data plus other personal data the Data Controller holds on that Data Subject’[v] (the person to whom the data relates).

The word ‘processing’[vi] is the collective term for any and all activities carried out on the data. The GDPR governs the processing of personal data in any format including hard and electronic formats.

Data Subject Rights

Data Subjects have eight clear rights. They are as follows:

  • The right to be informed: This right gives the Data Subject the right to be informed about what their personal data is being used for. RENSAIR LTD. provides this in the form of a Privacy Notice which is made available prior to gathering the personal data. GDPR states that such information must be:
    1. Concise, transparent, intelligible and easily accessible;
    2. Written in clear and plain language, particularly if addressed to a child; and
    3. Provided free of charge.
  • The right of access: Data Subjects residing anywhere in the world have the right to ask any EU-based organisation if they hold or are processing any personal data about them (there is NO geographical limitation placed on the location of the requestor). If the organisation is processing data, the subject can request a copy of that data. This is known as a Subject Access Request (SAR). After having verified the identity of the requestor, the data must be provided in a clear way and must not include code of any type that would render the data meaningless to the Data Subject. A SAR must be complied with without delay and within 20 working days of receiving the request; that is, the data requested will be in the possession of the Data Subject, in a format that they request, on or before the 20th working day of the request being received. The request must be completed free of charge. In exceptional circumstances, if the request is considered complex, the time to respond can be extended to 40 working days. However, the Data Subject must be notified of the delay within the initial 20 days. They must also be provided with the reasons for that delay. If a complaint is made by the Data Subject in relation to the extension, the Information Commissioner will scrutinise the delay justification and make a decision as to its validity.
  • The right of rectification: The Data Subject can have personal data rectified if it is found to be inaccurate or incomplete. As above, the rectification must be carried out within 20 working days or, where it is complex, within 40 working days. NB: where personal data has been disclosed to third parties you must inform them of the rectification where possible. Where appropriate, the Data Controller must also inform the Data Subject about the third parties to whom the data has been disclosed. Similarly, the DS has the right to be informed as to the source of any personal data that has been transferred to or come into the possession of RENSAIR LTD. This has implications for the tracking of personal data from such sources as trade shows, exhibitions and third-party sources etc.
  • The right to erasure: Also known as the ‘Right to be forgotten’. The broad principle here is to enable a Data Subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Erasure must be done thoroughly and completely; it is not acceptable for the data to be removed from the organisation’s computer system but still be recoverable from a backup of the system. Where data has been disclosed to third parties, RENSAIR LTD. must inform those third parties about the requirement to erase personal data that has been shared by them unless it is impossible or involves disproportionate effort to do so. There are also some specific Regulatory and Legislative requirements where the Data Controller can refuse to comply either fully or partially with a request for erasure.
  • The right to restrict processing: The DS can at any time and without giving reason require that all processing of their data be restricted or stopped completely. When processing has been restricted by the Data Subject, RENSAIR LTD. may continue to store the data, but cannot further process it. It is vitally important that systems are in place to ensure the restriction is fully respected by all functions that make up the RENSAIR LTD. organisation. If the data has been supplied to third parties, it is the responsibility of the Data Controller to ensure that third parties are aware of the restrictions and fully comply with the rights of the Data Subject.
  • The right to data portability: This is a new feature of the GDPR and it permits a Data Subject to obtain their personal data from a Data Controller for their own purposes and use it across a range of different organisations and services. The data must be transferred by RENSAIR LTD. in a safe and secure way and should be provided in a useable format. This right must be complied with within 20 working days or, in the case of a complex request, within 40 working days.
  • The right to object: Data Subjects have the right to object to the processing of their personal data including processing carried out for the purposes of profiling or direct marketing. In the case of a request to cease using data for direct marketing, the processing must stop as soon as the objection is received. NB: there are NO exemptions or grounds to refuse or delay this request.

NB: RENSAIR LTD. must inform individuals of their right to object at the point of first communication and in their Privacy Notice. The right to object must be ‘explicitly brought to the attention of a Data Subject and must be presented clearly and separately from other information’.

  • Rights in relation to automated decision making and profiling. Data Subjects have the right not to be subject to decisions based solely on automated processing where the decision has legal or similarly significant effects on the individual.

Recruitment and discipline processes

All of the above have implications in relation to recruitment and wider HR processes. 

How does RENSAIR LTD. process personal data?

RENSAIR LTD. will seek to fully comply with our obligations under the GDPR and we do that in a range of ways. These include:

  • Keeping personal data up to date.
  • Only collecting personal data that is applicable to our needs.
  • Not retaining data that becomes excess to our needs.
  • Protecting personal data from loss, misuse, unauthorised access or disclosure.

We will do this by ensuring that appropriate physical, technical, electronic and operational data security measures are in place and that our staff are suitably trained and managed with regard to the processes and protocols required to comply with the Regulations.

What is the legal basis that allows RENSAIR LTD. to process personal data?

The GDPR requires that a legal justification be established before personal data is processed; this is dependent upon the use to which the data will be put by RENSAIR LTD. This protects both the Data Subject and the Data Controller by ensuring that personal data will only be used for the purposes that the Data Subject has explicitly agreed to. These are:

  • Processing is necessary for the purposes of the legitimate interests pursued by RENSAIR LTD. or a third party except where such interests are overridden by the interests, rights or freedoms of the data subject.
  • Explicit, informed and verifiable consent is given by the data subject.
  • Processing is necessary for RENSAIR LTD. to comply with Legal or Regulatory requirements.

How does RENSAIR LTD. use personal data?

RENSAIR LTD. will use personal data:

  • To enable us to provide professional business-related services.
  • To enable employee management and administration and for those who from time to time provide services to RENSAIR LTD. as consultants or contractors.
  • To comply with organisational Legal and Regulatory requirements placed upon RENSAIR LTD.
  • For direct marketing purposes including informing the DS of RENSAIR LTD. product news, events, activities and services – direct marketing will only be undertaken with prior, informed, express and verifiable consent; this consent can be removed by the Data Subject at any time. NB: a DS may opt out of receiving marketing materials yet still remain a customer of RENSAIR LTD.

Data sharing agreements

RENSAIR LTD. is a standalone enterprise registered in the United Kingdom and is the sole Data Controller for all personal data that it processes or is processed on its behalf. RENSAIR LTD. is therefore responsible for the safety and security of that data. Data sharing is defined as the disclosure of personal data by RENSAIR LTD. to any third-party organisation; this includes but is not limited to RENSAIR LTD.’s parent and subsidiary organisations. An example of this would be the sharing with Respired Ltd. of the personal data (name etc.) of a private individual, a client who had made a complaint about a product or services supplied by RENSAIR LTD. For this reason, the RENSAIR LTD. complaints procedure will be based upon a ‘Complaint Number’ which will be allocated to each individual complaint. This number can be shared with Respired Ltd., allowing the complaint to be dealt with effectively while access to the remainder of the complainant’s personal details remains restricted.

Data Sharing may be considered appropriate when the Data Subject has given informed, express and verifiable consent to the data sharing taking place with that specified organisation or a third party, or where there is a justified UK or EU compliant legal or regulatory requirement on RENSAIR LTD. to do so.

Data Sharing Agreements (DSA) must be in writing, retained as a record of permission and adequately address the following issues:

  • The informed and express consent of the Data Subject.
  • The purpose for sharing.
  • The organisations with whom the data will be shared.
  • The geographical location of the organisation with whom the data will be shared.
  • The data items to be shared.
  • The quality of the data – accuracy, relevance and usability.
  • Data security.
  • Retention and disposal of the data.
  • The Data Subject’s right to exercise their rights.

When will personal data be shared with third parties?

Personal data will be treated as strictly confidential and will only be shared with third parties when:

  • RENSAIR LTD. has the Data Subject’s express, informed and verifiable consent in writing to do so; or
  • When there is a UK or EU Legal or Regulatory requirement for that sharing to take place.

RENSAIR LTD. may use other organisations to provide a service such as cloud-based IT management software and applications for administrative support, the bulk storage of data, website hosting, or for necessary IT support. The organisations selected and appointed to provide these services will only be engaged if they can demonstrate that they are fully GDPR compliant and that they have signed a contract with RENSAIR LTD. to the effect that they fully comply with the data security policies and processes prescribed by RENSAIR LTD.

Retention and disposal of personal data

RENSAIR LTD. is committed to processing personal data in a responsible and compliant manner. It has developed and will maintain a compliant Retention and Disposal Schedule which will delineate the timescales for the retention or disposal of personal data; this will apply equally to data held in hard-copy, electronic versions and any combination of the same. In the case of hard copy data, it will only be disposed of onsite either by self-shredding or by contracting the services to a reputable service provider. The Retention and Disposal Schedule will also govern:

  • Who is responsible to authorise the disposal of personal data;
  • How the disposal will be undertaken; and
  • How the disposal will be recorded and signed off.

The retention requirements of personal data vary greatly dependent upon the type of data that is being processed. RENSAIR LTD. will use the guidance provided by the ICO to inform this process. There are three broad areas:

  • The Regulatory and Legislative requirements;
  • Operational requirements placed upon RENSAIR LTD.;
  • The Data Subject’s agreement to the information that is being processed. However, Data Subjects have the right to require RENSAIR LTD. to cease processing their data at any time, and RENSAIR LTD. will do that providing there is no Legal, Regulatory or operational requirement to prevent it.

Accessing personal data

There are two broad avenues for people to access personal data. They are as follows:

  • Subject Access Request (SAR) – A request made directly by the Data Subject for access to their personal data.
  • Third Party Access Request – A request made by anyone other than the Data Subject for personal data relating to another data subject.

The difference is that a Data Subject can exercise their rights under the Regulations to obtain access to their personal data by making an SAR, whereas a person or organisation making a Third Party Access Request must have an explicit and justifiable Legal or Regulatory authority to have access to the personal data before the Data Controller can make personal data available to them.

The response procedures and protocols for responding to an SAR and a Third-Party Access Request are outlined in the attached Annexes.

Further processing

If RENSAIR LTD. wishes to use a Data Subject’s personal data for a new purpose (not covered by the use expressly agreed by the DS with RENSAIR LTD. before providing the data), then RENSAIR LTD. is required to provide the DS with a notice fully explaining this new use, purposes and processing conditions and seek the agreement of the DS before any processing takes place. NB: If permission is not granted then the new use is not permitted. The notification and request process and support documentation must be recorded and logged for future use in the event of a complaint or review.

Will Data Subjects be informed about any data breaches that impact them?

Yes, RENSAIR LTD. will do this in compliance with GDPR requirements.

How do you make a complaint relating to the processing of your data?

There are two options by which a data subject can exercise their rights, make requests for further information, or make a complaint in relation to RENSAIR LTD.’s processing of their personal data.

Option 1. To Rensair Ltd

Address:

The Data Protection Officer

RENSAIR LTD.

Email:        contact@rensair.com

Option 2. To the Information Commissioner’s Office

Address:

The Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place
Belfast BT7 2JB

Telephone: +44 (0)28 9027 8757

Email:        ni@ico.org.uk

Website:    www.ico.uk

Breaches in Security

If, despite the security measures that have been put in place (Information Security Policy), a suspected, actual or potential breach in data security occurs, it is essential that it is dealt with effectively and expeditiously. A breach may arise from a theft, a deliberate attack on RENSAIR LTD. data processing, unauthorised use of personal data by a member of staff, accidental loss or equipment failure. No matter how the breach occurs, all RENSAIR LTD. management, staff, employees and contractors MUST respond appropriately by:

  • Reporting the breach without delay to their Manager AND the Data Protection Officer or, in their absence, the Director of Finance or the MD.
  • Following the processes laid out in the Personal Data Breach Protocol including the notification of the DS and the ICO if deemed to fall within their requirements.
  • Recording their actions in the Data Breach Audit Log.
  • Identifying the potential scope, source, impact and risk of the breach on the Data Subject and the organisation.
  • Reviewing associated Policies, Processes, Protocols and retraining requirements.
  • Retraining all staff.

GDPR Induction, training and performance

It is a requirement of employment with RENSAIR LTD. that ALL staff and those who supply services on a contracted or consultancy basis fully comply with the requirements of this and other associated Policies. In order to do that effectively, it is vital that training and information be supplied to ALL of the above individuals before they commence any activities that bring them into contact with personal data. Training is mandatory. Attendance will be formally recorded, as will the outcomes of any competency tests undertaken by participants. Training interventions will be as follows:

  • Induction / On-boarding of new members of staff. It is essential that all new full and part-time joiners be made aware of the competency (skills and knowledge) requirements under GDPR.
  • Initial training for ALL existing members of staff.
  • Refresher training conducted on an annual basis and when a change in legislation or process makes upskilling necessary.
  • Overview training for any contractor or service supply staff who may have contact with or access to personal data of any type.
  • Training will include a multiple-choice knowledge test.

A Training Register will be completed for each training intervention. This will include:

  • The content of the training.
  • The date and duration of the training.
  • The name of the person who delivered the training.
  • The name and business identifier of those who attend the training.

Pre-planned Data Protection Audits

It is essential that the RENSAIR LTD. DPO undertakes regular Data Protection Audits in order to:

  • Keep pace with changes in GDPR and related legislation;
  • Maintain high levels of GDPR compliance; and to
  • Ensure that processes, procedures and protocols are applied effectively across the organisation.

DPA Compliance Audits will be undertaken on a minimum of a six-monthly unannounced basis to allow an effective understanding of GDPR performance to be developed. An audit report will be furnished to the MD outlining performance and any remedial action to be taken, and this will form part of the ongoing ISO QA reports.

 

SECTION ‘B’ Annexes

ANNEX ‘A’

GDPR Principles

GDPR principles lay out the responsibilities placed on a Data Controller to process data. The following are extracted from Article 5 of the Regulations. The GDPR requires that personal data be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

NB: “The Data Controller (RENSAIR LTD.) shall be responsible for, and be able to demonstrate, compliance with the principles.”

ANNEX ‘B’

Lawful Basis for Processing

Under the GDPR, RENSAIR LTD. must have a lawful reason for processing personal data and it MUST be able to adequately demonstrate (justify) that reason when asked. There are six lawful bases available to RENSAIR LTD. and each is of equal importance, but not all are applicable to every contextual need. The application is determined by the relationship between RENSAIR LTD. and the Data Subjects whose data it processes. The reasons are as follows:

Consent: The Regulations require a high standard of consent by the Data Subject:

  1. Consent MUST be opt-in rather than opt-out: GDPR specifically bans ‘pre-ticked’ opt-in boxes on websites.
  2. The consent statement must be clear, concise and unambiguous.

Vague or blanket generic consent is not allowed – separate consent statements must be obtained for separate things – marketing separate from sales-related permission to process.

The Data Subject must be made aware of the purpose that the data will be used for before the data is gathered. An effective and clear Privacy Notice will greatly assist in meeting this requirement.

Consent statements must be kept clear from any other documentation such as terms and conditions etc.

It is vitally important that clear records exist that demonstrate and confirm that permission was granted by the Data Subject.

  • The consent of the Data Subject for processing of their Personal Data can be withdrawn at any time. It is vital that the Data Subject is told before they consent that they have the right to withdraw consent and that the process is simple and foolproof. It is vitally important that the Data Controller can demonstrate prior informed consent was established.

The processing is necessary for the performance of a contract:

For example: if you need to process information in order to prepare and submit a contract. This again should be documented as the lawful basis.

The processing is necessary for compliance with a legal obligation.

For example: where an employer is obliged to disclose employee salary details to HMRC.

The processing is necessary to protect the vital interests of the Data Subject or some other person.

For example: To protect someone’s life.

The processing is necessary for the performance of a task carried out in the public interest.

For example: The interests are normally set out in law.

 

The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party.

Legitimate interests is the most flexible lawful basis for processing but it may not always be the most appropriate. There are three elements:

  • RENSAIR LTD. can identify a legitimate interest;
  • RENSAIR LTD. can demonstrate that processing is necessary to fulfil the legitimate interest; and
  • RENSAIR LTD. can balance those legitimate interests against the Data Subject’s interests, rights and freedoms.

[i] Personal Data: Is any information relating to a living individual who can be identified by the data directly or indirectly. Personal data can be held in electronic and hard copy formats. GDPR widens the definition of personal data to include ‘online identifiers’ such as Internet Protocol (IP) addresses.

[ii] Special Categories of Personal Data: was previously referred to as ‘Sensitive Personal Data’. GDPR defines special categories as: ‘Personal data that reveals racial or ethnic origins, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.’

[iii] Data Controller: The Data Controller is the legal entity that determines the purpose and manner in which personal data will be processed.

[iv] Data Protection Officer: The person appointed by RENSAIR LTD. to ensure that the day-to-day GDPR compliance activities are implemented and maintained throughout the organisation. They report directly to the MD in all GDPR associated matters.

[v] Data Subject: The Data Subject is the living person to whom the data refers. In the context of RENSAIR LTD. this will include all employees, contractors, suppliers, customers, clients and all who share their personal data with RENSAIR LTD.

[vi] Processing: Includes: gathering, storage, using, sharing, altering or disposal of personal data.

Privacy Notice

Introduction

Rensair Ltd. (RENSAIR LTD.) is a commercial enterprise registered in the United Kingdom. We are passionate about protecting the personal data of those who interact with us in relation to our services and products; those who work for us and those who, for whatever reason, share their personal data with us.

RENSAIR LTD. is the Data Controller and is responsible for ensuring that all necessary processes and protocols are in place to ensure the organisation fully complies with the requirements of the General Data Protection Regulations 2018 (GDPR), the Regulations that govern all aspects of the processing of personal data within the European Union.

Personal data – what is it?

The GDPR regulations indicate that personal data is primarily data ‘that relates to a living individual who can be identified from that data or from that data plus other personal data the Data Controller holds on that Data Subject’ (the person to whom the data relates).

The word ‘processing’ is the collective term for any and all activities carried out with the data and includes: gathering, using, sharing, altering or disposal of personal data. GDPR governs the processing of personal data in any format including hard and electronic formats, or in any combination of the same. 

How do we process your personal data?

RENSAIR LTD. seeks to fully comply with our obligations under the GDPR and we do that in a range of ways. These include: keeping personal data up to date; only collecting personal data that is applicable to our needs; not retaining data that becomes excess to our needs; and protecting personal data from loss, misuse, unauthorised access or disclosure. We will do this by ensuring that appropriate technical and operational data security measures are in place and that our staff are suitably trained and managed with regard to the processes and compliance protocols required to comply with the Regulations.

What is the legal basis that allows RENSAIR LTD. to process your personal data?

The GDPR requires a legal justification be established before personal data is processed and this is dependent upon the use to which the data will be put. This protects you, the Data Subject, by ensuring that your personal data will only be used for the purposes that you have explicitly agreed to. These are:

  • Processing is necessary for the purposes of the legitimate interests pursued by RENSAIR LTD. or a third party except where such interests are overridden by the interests, rights or freedoms of the data subject.
  • Explicit consent by you, the data subject.

Processing is necessary for RENSAIR LTD. to comply with Legal or Regulatory requirements. Examples of this could be our legal obligations to maintain certain records so that we may carry out our obligations under employment, social security or social protection law, or a collective agreement.

How do we use your personal data?

Personal data will be used as follows:

  • To enable us to provide professional business-related services.
  • To enable employee management and administration and for those who from time to time provide services to RENSAIR LTD. as consultants or contractors.
  • To comply with organisational Legal and Regulatory requirements placed upon RENSAIR LTD.
  • For direct marketing purposes including informing you of RENSAIR LTD. product news, events, activities and services – direct marketing will only be undertaken with your prior, informed and express consent; this consent can be removed by you at any time.

When will we share your personal data with third parties?

Your personal data will be treated as strictly confidential and will only be shared with third parties when:

  • RENSAIR LTD. has your explicit, informed and express consent to do so.
  • There is a Legal or Regulatory requirement for that sharing.
  • Where we use other organisations to provide a service, such as cloud-based IT management software or applications for administration support, the storage of data, website hosting, or for necessary IT support, these organisations will only be selected and appointed if they can prove they are fully GDPR compliant and have signed a contract with RENSAIR LTD. to the effect that they will fully comply with the data security policies and processes prescribed by RENSAIR LTD. 

How long do we keep your personal data?

The retention requirements of personal data vary greatly dependent upon the type of data that is being processed. There are two broad areas:

  • The Regulatory, Legislative or operational requirements placed upon RENSAIR LTD.
  • Your agreement to the information that is being processed: You have the right to require RENSAIR LTD. to cease processing your data at any time, and we will do that except in so far as any Legal, Regulatory or operational requirements prevent that.

 

Your rights relating to your personal data and processing undertaken by RENSAIR LTD.

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request to be informed as to the personal data which we process about you; this is known as making a Subject Access Request (SAR). If you are making an SAR, it must be made in writing; email or letter format will suffice.

To allow us to process your SAR effectively, please include the following information:

  • Your full name;
  • Your full address including any Post Code;
  • Your telephone number in case we need to contact you;
  • Your email address in case we need to contact you;
  • Sufficient information that will allow us to clearly identify the information: where available, an order or invoice number, or an approximate date of RENSAIR LTD.’s initial contact with you. Information of this type will greatly assist us in responding to your SAR or enquiry in a timely manner.
  • The email address to forward your SAR to is listed at Point 14 below.

The right to require RENSAIR LTD. to correct without delay any errors / inaccuracies, including out-of-date information, that are identified in your personal data.

The right to request that your personal data be erased where it is no longer necessary for us to retain such data.

The right to withdraw your consent to the processing taking place at any time.

The right to request that RENSAIR LTD. provides you, the data subject, with your personal data and, where possible, transmits that data, on your written request, directly to a data controller that you have identified.

The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction be placed on further processing.

The right to object to the processing of personal data.

The right to lodge a complaint with the Information Commissioner’s Office.

Further processing

If we wish to use your personal data for a new purpose, not covered by the use expressly agreed by you with RENSAIR LTD., then we will provide you with a notice explaining this new use, purposes and processing conditions. 

Will I be informed about any data breaches that impact me?

Yes, we will do this in compliance with GDPR requirements.

How do you make a complaint relating to the processing of your data?

You have two options by which you can exercise your rights, make requests for further information, or make a complaint in relation to RENSAIR LTD.’s processing of your personal data. This must be done in writing; email or letter format will suffice. Please send your requests to:

Rensair Ltd.

Address:

The Data Protection Officer

Email: sales@rensair.com

If you require further information in relation to GDPR please contact the Information Commissioner’s Office. Contact details as follows:

 

The Information Commissioner’s Office

3rd Floor 14 Cromac Place
Belfast BT7 2JB

Telephone: +44 (0)28 9027 8757

Email: ni@ico.org.uk

Website: www.ico.org.uk
