Title: GDPR
Category: Associated Policies 015
Last updated: 03/09/2024 by Danni Fraser-pickard
Approved by:

Nick Bell - Group Managing Director on 25/10/2024

Version: 1.1.3

03/09/2024 10:28:10

@@ -1,5 +1,3 @@
-
-
-[COMPANY] Trading as 
-[COMPANYTA] [COMPANYREG]
+[COMPANY] - Trading as
+[COMPANYTA]

02/09/2024 14:45:26

@@ -1,6 +1,7 @@
-[COMPANY] Trading as
-[COMPANYTA] [COMPANYREG]
 
 
-#GENERAL DATA PROTECTION REGULATION - (GDPR) POLICY
+[COMPANY] Trading as 
+[COMPANYTA] [COMPANYREG]
+
+# GENERAL DATA PROTECTION REGULATION (GDPR) POLICY
 
@@ -8,6 +9,6 @@
 
-##Policy Statement
+## Policy Statement
 For the purpose of this policy, The RK Bell Group, also known as RK Bell, incorporates RK Bell Ltd, RK Bell Projects Ltd & Gworks Surfacing Ltd.
 
-The Directors and management of RK Bell Ltd & RK Bell Projects ("referred to as the Company or RK Bell") are committed to compliance with all relevant EU and Member State Laws in respect of personal data and the protection of the "rights and freedoms" of individuals whose information RK Bell collects and processes in accordance with the General Data Protection Regulation (GDPR).
+The Directors and management of RK Bell Ltd & RK Bell Projects ("referred to as the Company or RK Bell") are committed to compliance with all relevant EU and Member State laws in respect of personal data and the protection of the "rights and freedoms" of individuals whose information RK Bell collects and processes in accordance with the General Data Protection Regulation (GDPR).
 
@@ -15,18 +16,18 @@
 
-######GDPR Policy Statement
-The Directors will ensure that a GDPR Policy and management system are developed, maintained and implemented to ensure that personal data processing functions are compliant with the current legislation. This includes personal data from customers', clients', employees', suppliers' and any other personal data the organisation processes from any source.
+###### GDPR Policy Statement
+The Directors will ensure that a GDPR policy and management system are developed, maintained, and implemented to ensure that personal data processing functions are compliant with the current legislation. This includes personal data from customers, clients, employees, suppliers, and any other personal data the organisation processes from any source.
 
-To meet these aims we will ensure that the protection of personal data is an integral part of all our business activities and continuous improvement programmes. To ensure continuing improvement and compliance, the Policy and management system processes will be reviewed on an annual basis by the designated Manager.
+To meet these aims, we will ensure that the protection of personal data is an integral part of all our business activities and continuous improvement programmes. To ensure continuing improvement and compliance, the policy and management system processes will be reviewed on an annual basis by the designated manager.
 
-######Employees, Subcontractors, Suppliers and Customers
-The Company expects that all employees, partners and third parties working with or for RK Bell Ltd and/or RK Bell Projects Ltd and who have or may have access to personal data, will be mandated to have read, understood and to comply with this policy and GDPR management system.
+###### Employees, Subcontractors, Suppliers, and Customers
+The Company expects that all employees, partners, and third parties working with or for RK Bell Ltd and/or RK Bell Projects Ltd and who have or may have access to personal data, will be mandated to have read, understood, and to comply with this policy and GDPR management system.
 
-Management and supervisory staff have the responsibility for implementing this Policy throughout the Company and must ensure that data protection considerations are always given prominence.
+Management and supervisory staff have the responsibility for implementing this policy throughout the Company and must ensure that data protection considerations are always given prominence.
 
-No third party may have access to personal data held by the Company without having first entered into a data confidentiality agreement which imposes on the third-party obligations no less onerous than those to which RK Bell is committed. This agreement gives RK Bell the right to audit for compliance with the legislation.
+No third party may have access to personal data held by the Company without having first entered into a data confidentiality agreement which imposes on the third party obligations no less onerous than those to which RK Bell is committed. This agreement gives RK Bell the right to audit for compliance with the legislation.
 
-Any breach of the GDPR will be dealt with under the company disciplinary processes and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
+Any breach of the GDPR will be dealt with under the Company disciplinary processes and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
 
-######Governance
-The responsibility of the Company's policies on GDPR including revisions of this policy, lies with the Directors of RK Bell Ltd & RK Bell Projects Ltd. The management and staff of the Company will monitor the operation of this policy. By the appointment of a competent person with responsibility for data protection, the Company will ensure support for the management team, staff and clients in data protection matters.
+###### Governance
+The responsibility of the Company's policies on GDPR, including revisions of this policy, lies with the Directors of RK Bell Ltd & RK Bell Projects Ltd. The management and staff of the Company will monitor the operation of this policy. By the appointment of a competent person with responsibility for data protection, the Company will ensure support for the management team, staff, and clients in data protection matters.
 
@@ -34,4 +35,3 @@
 
-##GDPR - Summary & Assurance Statement
-
+## GDPR - Summary & Assurance Statement
 
@@ -39,36 +39,35 @@
 
-######Changes to data protection law 
- new data protection legislation is coming into force in 2018 which aims to further protect people's privacy and prevent data breaches. The new law applies to all bodies, businesses and other organisations that process personal data. The legislation comprises the GDPR which comes into force on 25 May 2018 and the new Data Protection Act (DPA) 2018 which came into force on 6 May 2018.
+###### Changes to Data Protection Law
+New data protection legislation came into force in 2018, which aims to further protect people's privacy and prevent data breaches. The new law applies to all bodies, businesses, and other organisations that process personal data. The legislation comprises the GDPR, which came into force on 25 May 2018, and the new Data Protection Act (DPA) 2018, which came into force on 6 May 2018.
 
-######What's new? 
- the GDPR builds on existing data protection laws. It gives enhanced protection for personal data and imposes stricter obligations on those process personal data. The new obligations include:
+###### What's New?
+The GDPR builds on existing data protection laws. It gives enhanced protection for personal data and imposes stricter obligations on those who process personal data. The new obligations include:
 
--###TAB###what an individual's personal data is collected, they must be given more information about how it will be used through enhanced privacy notices
--###TAB###individuals will have much stronger rights to have their personal data corrected, erased and/or provided to them.
+- When an individual's personal data is collected, they must be given more information about how it will be used through enhanced privacy notices.
+- Individuals will have much stronger rights to have their personal data corrected, erased, and/or provided to them.
 
-######What is personal data? 
- personal data is any information that relates to an identified or identifiable living person (e.g. employees, members of the public or customers). It generally includes their name, address, phone number, date of birth, place of birth, place of work, their political beliefs, ethnicity, religion or sexuality (as well as other information about them). Information which indirectly identifies a person will also be personal data. This would be the case where a single piece of information could not be used to identify a person but could do so in combination with other date or identifiers.
+###### What is Personal Data?
+Personal data is any information that relates to an identified or identifiable living person (e.g. employees, members of the public, or customers). It generally includes their name, address, phone number, date of birth, place of birth, place of work, their political beliefs, ethnicity, religion, or sexuality (as well as other information about them). Information which indirectly identifies a person will also be personal data. This would be the case where a single piece of information could not be used to identify a person but could do so in combination with other data or identifiers.
 
-######Who needs to comply with the new requirements?
- the GDPR applies to both 'Controllers' and 'Processors'. A Controller is the person/organisation which, solely or with other, determines the purposes and means of processing personal data. A Processor is the person/organisation which processes the personal data on behalf of the Controller. In most of the company contracts, the Company is the Controller and the supplier is the Processor.
-
-As an employee, supplier, sub-contractor or customer we hold your details on file. RK Bell hold and securely store information in hard copy as well as electronic format. The data held has been obtained through business to business contact in order to fulfil and undertake projects and contracts, together with employee data. The data we hold includes names, email addresses and phones numbers, however none of this data is sold to any other party and is only used in order to complete RK Bell contracts.
-###Supplier/Subcontractor GDPR requirements
-|No:###TAB###|The Supplier/Subcontractor confirms that it will:|
-|---|---|
-|1###TAB###|Act only on written instructions from RK Bell (unless otherwise required by law)|
-|2###TAB###|Ensure any processing of personal information is limited to the processing set out in the contract or RK Bells' written instruction|
-|3###TAB###|On the instruction of RK Bell delete or return all personal information to RK Bell when the Subcontractor/Supplier ceases to be relevant|
-|4###TAB###|Ensure that any individuals processing the data are subject to a duty of confidentiality and comply with the Suppliers obligations under GDPR|
-|5###TAB###|Take appropriate technical and organisational security measures to ensure compliance with GDPR|
-|6###TAB###|Only use a sub-processor with the prior written consent of RK Bell and will ensure that such sub-processor shall comply with these GDPR requirements|
-|7###TAB###|Assist RK Bell to meet its obligations under GDPR in relation to allowing data subjects to exercise their rights under the legislation|
-|8###TAB###|Be able to demonstrate (including through records, inspections & audits) to RK Bell at any point compliance with GDPR and maintain a record of all data processing carried out on behalf of RK Bell|
-|9###TAB###|Report a data breach to RK Bell as Data Controller within 24hrs of becoming aware of a breach|
-|10###TAB###|Appoint a Data Protection Officer if the organisation carries out large-scale data processing|
-|11###TAB###|Only transfer personal data to third countries with RK Bell's prior written consent and in compliance with GDPR|
-|12###TAB###|Notify RK Bell immediately if it considers that any of our instructions infringe the GDPR|
-|13###TAB###|Notify RK Bell immediately if it receives a request from an individual to access the personal data held on them, or if an individual asks to exercise its right under the GDPR, and provide RK Bell with relevant assistance
-|14###TAB###|Cooperate with the ICO as necessary|
+###### Who Needs to Comply with the New Requirements?
+The GDPR applies to both 'Controllers' and 'Processors'. A Controller is the person/organisation which, solely or with others, determines the purposes and means of processing personal data. A Processor is the person/organisation which processes the personal data on behalf of the Controller. In most of the Company contracts, the Company is the Controller, and the supplier is the Processor.
 
+As an employee, supplier, sub-contractor, or customer, we hold your details on file. RK Bell holds and securely stores information in hard copy as well as electronic format. The data held has been obtained through business-to-business contact in order to fulfil and undertake projects and contracts, together with employee data. The data we hold includes names, email addresses, and phone numbers; however, none of this data is sold to any other party and is only used in order to complete RK Bell contracts.
 
+### Supplier/Subcontractor GDPR Requirements
+| No: | The Supplier/Subcontractor confirms that it will: |
+|---|---|
+| 1 | Act only on written instructions from RK Bell (unless otherwise required by law). |
+| 2 | Ensure any processing of personal information is limited to the processing set out in the contract or RK Bell's written instruction. |
+| 3 | On the instruction of RK Bell, delete or return all personal information to RK Bell when the Subcontractor/Supplier ceases to be relevant. |
+| 4 | Ensure that any individuals processing the data are subject to a duty of confidentiality and comply with the Supplier's obligations under GDPR. |
+| 5 | Take appropriate technical and organisational security measures to ensure compliance with GDPR. |
+| 6 | Only use a sub-processor with the prior written consent of RK Bell and will ensure that such sub-processor shall comply with these GDPR requirements. |
+| 7 | Assist RK Bell to meet its obligations under GDPR in relation to allowing data subjects to exercise their rights under the legislation. |
+| 8 | Be able to demonstrate (including through records, inspections & audits) to RK Bell at any point compliance with GDPR and maintain a record of all data processing carried out on behalf of RK Bell. |
+| 9 | Report a data breach to RK Bell as Data Controller within 24 hours of becoming aware of a breach. |
+| 10 | Appoint a Data Protection Officer if the organisation carries out large-scale data processing. |
+| 11 | Only transfer personal data to third countries with RK Bell's prior written consent and in compliance with GDPR. |
+| 12 | Notify RK Bell immediately if it considers that any of our instructions infringe the GDPR. |
+| 13 | Notify RK Bell immediately if it receives a request from an individual to access the personal data held on them, or if an individual asks to exercise their rights under the GDPR, and provide RK Bell with relevant assistance. |
+| 14 | Cooperate with the ICO as necessary. |

02/09/2024 13:34:36

@@ -1,4 +1,3 @@
-
 [COMPANY] Trading as
-[COMPANYTA]
+[COMPANYTA] [COMPANYREG]
 
@@ -46,4 +45,4 @@
 
--###TAB###what an individual's personal data is collected, they must be given more information about how it will be used through enhanced privacy notices
--###TAB###individuals will have much stronger rights to have their personal data corrected, erased and/or provided to them.
+- what an individual's personal data is collected, they must be given more information about how it will be used through enhanced privacy notices
+- individuals will have much stronger rights to have their personal data corrected, erased and/or provided to them.
 
@@ -57,18 +56,18 @@
 ###Supplier/Subcontractor GDPR requirements
-|No:###TAB###|The Supplier/Subcontractor confirms that it will:|
+|No: |The Supplier/Subcontractor confirms that it will:|
 |---|---|
-|1###TAB###|Act only on written instructions from RK Bell (unless otherwise required by law)|
-|2###TAB###|Ensure any processing of personal information is limited to the processing set out in the contract or RK Bells' written instruction|
-|3###TAB###|On the instruction of RK Bell delete or return all personal information to RK Bell when the Subcontractor/Supplier ceases to be relevant|
-|4###TAB###|Ensure that any individuals processing the data are subject to a duty of confidentiality and comply with the Suppliers obligations under GDPR|
-|5###TAB###|Take appropriate technical and organisational security measures to ensure compliance with GDPR|
-|6###TAB###|Only use a sub-processor with the prior written consent of RK Bell and will ensure that such sub-processor shall comply with these GDPR requirements|
-|7###TAB###|Assist RK Bell to meet its obligations under GDPR in relation to allowing data subjects to exercise their rights under the legislation|
-|8###TAB###|Be able to demonstrate (including through records, inspections & audits) to RK Bell at any point compliance with GDPR and maintain a record of all data processing carried out on behalf of RK Bell|
-|9###TAB###|Report a data breach to RK Bell as Data Controller within 24hrs of becoming aware of a breach|
-|10###TAB###|Appoint a Data Protection Officer if the organisation carries out large-scale data processing|
-|11###TAB###|Only transfer personal data to third countries with RK Bell's prior written consent and in compliance with GDPR|
-|12###TAB###|Notify RK Bell immediately if it considers that any of our instructions infringe the GDPR|
-|13###TAB###|Notify RK Bell immediately if it receives a request from an individual to access the personal data held on them, or if an individual asks to exercise its right under the GDPR, and provide RK Bell with relevant assistance
-|14###TAB###|Cooperate with the ICO as necessary|
+|1 |Act only on written instructions from RK Bell (unless otherwise required by law)|
+|2 |Ensure any processing of personal information is limited to the processing set out in the contract or RK Bells' written instruction|
+|3 |On the instruction of RK Bell delete or return all personal information to RK Bell when the Subcontractor/Supplier ceases to be relevant|
+|4 |Ensure that any individuals processing the data are subject to a duty of confidentiality and comply with the Suppliers obligations under GDPR|
+|5 |Take appropriate technical and organisational security measures to ensure compliance with GDPR|
+|6 |Only use a sub-processor with the prior written consent of RK Bell and will ensure that such sub-processor shall comply with these GDPR requirements|
+|7 |Assist RK Bell to meet its obligations under GDPR in relation to allowing data subjects to exercise their rights under the legislation|
+|8 |Be able to demonstrate (including through records, inspections & audits) to RK Bell at any point compliance with GDPR and maintain a record of all data processing carried out on behalf of RK Bell|
+|9 |Report a data breach to RK Bell as Data Controller within 24hrs of becoming aware of a breach|
+|10 |Appoint a Data Protection Officer if the organisation carries out large-scale data processing|
+|11 |Only transfer personal data to third countries with RK Bell's prior written consent and in compliance with GDPR|
+|12 |Notify RK Bell immediately if it considers that any of our instructions infringe the GDPR|
+|13 |Notify RK Bell immediately if it receives a request from an individual to access the personal data held on them, or if an individual asks to exercise its right under the GDPR, and provide RK Bell with relevant assistance
+|14 |Cooperate with the ICO as necessary|

GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

Policy Statement
GDPR - Summary & Assurance Statement

Supplier/Subcontractor GDPR Requirements

GDPR

RK Bell Group - 10596233 - Trading as RK Bell Ltd 00587692 - RK Bell Projects Ltd 06637268- Gworks Surfacing Ltd 10596233

GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

Policy Statement

For the purpose of this policy, The RK Bell Group, also known as RK Bell, incorporates RK Bell Ltd, RK Bell Projects Ltd & Gworks Surfacing Ltd.

The Directors and management of RK Bell Ltd & RK Bell Projects ("referred to as the Company or RK Bell") are committed to compliance with all relevant EU and Member State laws in respect of personal data and the protection of the "rights and freedoms" of individuals whose information RK Bell collects and processes in accordance with the General Data Protection Regulation (GDPR).

Compliance with the GDPR legislation is described by this policy.

GDPR Policy Statement

The Directors will ensure that a GDPR policy and management system are developed, maintained, and implemented to ensure that personal data processing functions are compliant with the current legislation. This includes personal data from customers, clients, employees, suppliers, and any other personal data the organisation processes from any source.

To meet these aims, we will ensure that the protection of personal data is an integral part of all our business activities and continuous improvement programmes. To ensure continuing improvement and compliance, the policy and management system processes will be reviewed on an annual basis by the designated manager.

Employees, Subcontractors, Suppliers, and Customers

The Company expects that all employees, partners, and third parties working with or for RK Bell Ltd and/or RK Bell Projects Ltd and who have or may have access to personal data, will be mandated to have read, understood, and to comply with this policy and GDPR management system.

Management and supervisory staff have the responsibility for implementing this policy throughout the Company and must ensure that data protection considerations are always given prominence.

No third party may have access to personal data held by the Company without having first entered into a data confidentiality agreement which imposes on the third party obligations no less onerous than those to which RK Bell is committed. This agreement gives RK Bell the right to audit for compliance with the legislation.

Any breach of the GDPR will be dealt with under the Company disciplinary processes and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

Governance

The responsibility of the Company's policies on GDPR, including revisions of this policy, lies with the Directors of RK Bell Ltd & RK Bell Projects Ltd. The management and staff of the Company will monitor the operation of this policy. By the appointment of a competent person with responsibility for data protection, the Company will ensure support for the management team, staff, and clients in data protection matters.

GDPR - Summary & Assurance Statement

Changes to Data Protection Law

New data protection legislation came into force in 2018, which aims to further protect people's privacy and prevent data breaches. The new law applies to all bodies, businesses, and other organisations that process personal data. The legislation comprises the GDPR, which came into force on 25 May 2018, and the new Data Protection Act (DPA) 2018, which came into force on 6 May 2018.

What's New?

The GDPR builds on existing data protection laws. It gives enhanced protection for personal data and imposes stricter obligations on those who process personal data. The new obligations include:

When an individual's personal data is collected, they must be given more information about how it will be used through enhanced privacy notices.
Individuals will have much stronger rights to have their personal data corrected, erased, and/or provided to them.

What is Personal Data?

Personal data is any information that relates to an identified or identifiable living person (e.g. employees, members of the public, or customers). It generally includes their name, address, phone number, date of birth, place of birth, place of work, their political beliefs, ethnicity, religion, or sexuality (as well as other information about them). Information which indirectly identifies a person will also be personal data. This would be the case where a single piece of information could not be used to identify a person but could do so in combination with other data or identifiers.

Who Needs to Comply with the New Requirements?

The GDPR applies to both 'Controllers' and 'Processors'. A Controller is the person/organisation which, solely or with others, determines the purposes and means of processing personal data. A Processor is the person/organisation which processes the personal data on behalf of the Controller. In most of the Company contracts, the Company is the Controller, and the supplier is the Processor.

As an employee, supplier, sub-contractor, or customer, we hold your details on file. RK Bell holds and securely stores information in hard copy as well as electronic format. The data held has been obtained through business-to-business contact in order to fulfil and undertake projects and contracts, together with employee data. The data we hold includes names, email addresses, and phone numbers; however, none of this data is sold to any other party and is only used in order to complete RK Bell contracts.

Supplier/Subcontractor GDPR Requirements

No:	The Supplier/Subcontractor confirms that it will:
1	Act only on written instructions from RK Bell (unless otherwise required by law).
2	Ensure any processing of personal information is limited to the processing set out in the contract or RK Bell's written instruction.
3	On the instruction of RK Bell, delete or return all personal information to RK Bell when the Subcontractor/Supplier ceases to be relevant.
4	Ensure that any individuals processing the data are subject to a duty of confidentiality and comply with the Supplier's obligations under GDPR.
5	Take appropriate technical and organisational security measures to ensure compliance with GDPR.
6	Only use a sub-processor with the prior written consent of RK Bell and will ensure that such sub-processor shall comply with these GDPR requirements.
7	Assist RK Bell to meet its obligations under GDPR in relation to allowing data subjects to exercise their rights under the legislation.
8	Be able to demonstrate (including through records, inspections & audits) to RK Bell at any point compliance with GDPR and maintain a record of all data processing carried out on behalf of RK Bell.
9	Report a data breach to RK Bell as Data Controller within 24 hours of becoming aware of a breach.
10	Appoint a Data Protection Officer if the organisation carries out large-scale data processing.
11	Only transfer personal data to third countries with RK Bell's prior written consent and in compliance with GDPR.
12	Notify RK Bell immediately if it considers that any of our instructions infringe the GDPR.
13	Notify RK Bell immediately if it receives a request from an individual to access the personal data held on them, or if an individual asks to exercise their rights under the GDPR, and provide RK Bell with relevant assistance.
14	Cooperate with the ICO as necessary.

Reviewed: 03/09/2024
v1.1.3

Approved by: