Trafalgar Compliance Services Limited
Data Protection (GDPR) Company Policy
Policy brief & purpose
Our Data Protection company policy refers to Trafalgar's commitment to treat information of employees, customers, stakeholders or other interested parties with the utmost care and confidentiality.
With this policy, we ensure that the company behaves in a fair and moral manner concerning the gathering, storing and handling of data. This process will be carried out with transparency and respect towards the rights of individuals who entrust it with their information.
This policy applies to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to the company. The policy will be followed by all employees of the company and its subsidiaries as well as contractors, consultants, partners and any other external entity. Generally, it refers to anyone who is in close collaboration with the company or acts on its behalf and may need occasional access to data.
The company will need to obtain and process information of people that will serve its business purposes. The information may refer to any offline or online information that makes a person identifiable such as names, addresses, places of employment, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc. The company commits to collect this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to the company, the following rules are mandatory:
The data will be collected fairly and for lawful purposes only
The data will be processed by the company within its legal and moral boundaries
The data will not be stored for more than the specified amount of time
The data will be accurate and kept up-to-date
The data will not be distributed to any party other than the ones agreed upon by the owner of the data (exempting legitimate requests from law enforcement authorities)
The data will not be transferred to organizations, states or countries that do not have adequate data protection policies
The data will not be communicated informally
The data will be protected against any unauthorized or illegal access by internal or external parties
In addition to ways of handling the data, the company has direct obligations towards people to whom the data belongs.
Specifically the company must:
Let people know which of their data is collected
Inform people about how their data will be processed
Inform people about who has access to their information
Allow people to request the modification, erasing, reduction or correction of the data contained in the company’s databases
Have provisions in cases of lost, corrupted or compromised data
Allow the right for an individual’s information to be deleted
To exercise data protection the company is committed to:
Develop transparent data collection procedures
Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
Build secure networks to protect online data from cyber attacks
Include contract clauses or communicate statements on how data will be handled
Inform individuals of the amount of time that their data will be preserved
Declare its data protection provisions publicly (e.g. on website)
Ensure all concerned parties have read the policy and adhere to it
Train employees in online privacy and security measures
Restrict and monitor access to sensitive data
Establish clear procedures for reporting breach of privacy or data misuse
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.
Smartlog Servers are housed within a 24x7x365 manned security and monitoring data center which has proximity access control, restricted biometric access, internal and external CCTV, perimeter and motion sensor alarms with an onsite network operations center.
The application is protected by an SSL (Secure Sockets Layer) encrypted link, with a 3-tier authentication process.
Compliance with the General Data Protection Regulation (GDPR) and registration with the Information Commissioner’s Office (ICO)
In line with the General Data Protection Regulation (GDPR) we are registered with the Information Commissioner’s Office as Safesmart Ltd. at the address below.
All data is held on secure servers located within the UK or EEA.
The data protection compliance manager is Samantha Secker. Requests for information relating to data held and processed should be sent to firstname.lastname@example.org
The policy review term will be no more than 12 months from the date of the previous review, or sooner when a significant event, such as a change in legislation or regulation, prompts an earlier review.
Annual revision of policy
Addition of server location within EU
Change from DPA to GDPR