Personal Data Protection PolicyDnipro 14.03.2019
PERSONAL DATA PROTECTION POLICY OF INTERPIPE UKRAINE, LLC
This policy sets out Interpipe Ukraine, LLC (hereinafter LLC) general approach to the General Data Protection Regulation (GDPR) as of April 24, 2016 and applies to all personal data received, held and/or processed by the LLC or any of its agents relating to any identifiable living person. Personal information held about any identifiable living person will be handled sensitively and confidentially by all staff, Members of the LLC Board and agents.
All employees, Board’s Members and agents must comply with this policy and GDPR. In doing so, they will:
- Treat all personal and sensitive information as confidential;
- Comply with the law regarding the protection and disclosure of information;
- Not disclose information without the prior informed consent of the individual concerned, except in the circumstances detailed below under “disclosure” or where otherwise permitted by the law;
In addition to the above they also will make no attempt to gain access to information they are not authorized to have.
All personal information about our customers and/or their representatives will be:
- Obtained, held and processed fairly;
- Held for specific purposes and used only for those purposes (which shall be the same as stated in LLC Data Protection Notification);
- Accurate, relevant and kept up to date;
- Corrected if shown to be inaccurate;
- Protected against loss or disclosure;
- Kept no longer than is necessary and destroyed when no longer required, in line with the best practices;
- Made available to the data subject on request.
The objectives of this Policy are:
- to ensure compliance with the GDPR and regulatory requirements in relating to confidentiality;
- to ensure all staff across the LLC are aware of, and understand the importance of, data protection and confidentiality;
- to ensure the protection of personal and sensitive information of staff and customers and/or their representatives.
DATA PROTECTION AND CONFIDENTIALITY POLICY
Data Protection and Confidentiality Policy aims to ensure that customers and/or their representatives are able to have access to their own information within relevant timescales.
It also have as purpose to ensure all necessary procedures regarding disclosure of personal information are in place for staff, Board’s Members and agents.
And to ensure all staff receive appropriate data protection training, with regular updates or when significant data protection guidance changes.
RESPONSIBILITIES AND REQUIREMENTS
1. All staff and agents involved have a responsibility to effectively manage personal data. Managers should ensure all their staff receive adequate data protection training.
2. All personal information must be treated as confidential and must only be disclosed for purposes that are notified to the Information Commissioner's Office (formerly known as the Data Protection Registrar), to:
- Employees of the LLC and/or agents, where the information is necessary for their work;
- Others in accordance with the Data Protection notification.
3. All computerised and manual filing systems containing data relating to any identifiable living person must be documented in the Data Information Asset Register which ensures the data is:
- identified, including where it came from, is stored, who it has been shared with, whether consent has been given;
- accurate and kept up to date and retained only so long as required;
- notified to the designated Data Protection Officer.
Such systems must be designed and operated so as to comply with the Data Protection principles.
4. Any person may ask the LLC for the data that the it or its agents hold about them. Any such request should be immediately passed to the Data Protection Officer for action (a response must be made within 30 calendar days). Any data that the person is entitled to see must be presented in plain language in hard copy format. Additionally, where necessary, the information will be provided verbally.
5. Any breach in the policy must be reported immediately to the Data Protection Officer. A breach could have very grave consequences for an individual or the LLC and will be treated as a serious matter. Disciplinary action, including dismissal in a serious case, will be taken against any employee of LLC who commits a breach of this policy. The employee may also be open to criminal proceedings that may result in an unlimited fine or a custodial sentence.
ACCESS TO INFORMATION AND DISCLOSURE OUTSIDE THE LLC
Staff of the LLC will generally have access to all the information they need to carry out their work and they have a duty to keep that information confidential.
In the unlikely event that any information needs to be disclosed to someone outside the LLC, staff must explain to an individual why this is necessary and obtain written consent before doing so. If an individual does not give consent, this should be noted and special arrangements should be made for recording information and access to it. However, relevant agreements and protocols are in place that allow the exchange of information between the LLC and the relevant Local Authorities in relation to the processing of housing applications and in the prevention of crime and anti-social behavior. There are certain situations where, by law, staff do not have to obtain prior permission to disclose personal information about individuals. These are:
- To comply with the law (e.g. the Police, Prosecution, Secret Service, Tax Office or a court order);
- When there is evidence of fraud;
- In connection with court proceedings;
- Anonymously for statistical reporting or research purposes, providing it is not possible to identify the individual to whom the information relates;
- Where specifically enabled by the terms of registration of the GDPR;
Any information disclosed must be necessary for the purpose for which it is disclosed.
All personal information will be destroyed as soon as practicable when it is no longer needed. The method of disposal should be appropriate to the confidentiality of the information in accordance with the LLC Data Protection Guidance.
1. The Executive Management Team is required to ensure compliance across the LLC with this policy.
2. Senior Management will be accountable for the management of data protection within the LLC. Any complaints made relating to breaches or possible breaches of confidentiality will be reported to the LLC Director of Operations/LLC Chief Executive for investigation and recorded on the Data Protection Log.
This policy will be monitored as part of the annual policy review programme.
Position responsible for review: Data Protection Officer