1. Name & Contact Details of Organisation
Littleton Drive, Huntington, Cannock, Staffordshire, WS12 4TS Tel: 01543 500044
2. Status of Key Organisational Personnel
Mr Quentin Jones – Managing Director
Ms Kerry Collis – Company Director
Mr Alan Hasell – Company Director
Mr Tony Lane – Company Director
Mr Benjamin White – Company Director
3.1 This document has been prepared bespoke to the business activity of Megatech Ltd, hereinafter referred to as They, Their, We, Us and Ourselves.
3.2 This document has been prepared and approved by the Directors of Megatech Ltd following a data audit conducted on 21st January 2020 in accordance with the GDPR.
3.3 The purpose of this document is to demonstrate the Data Protection protocols employed by Megatech Ltd and will be kept updated as appropriate.
3.4 Megatech Ltd is a Data Controller under the provisions of the GDPR and the Data Protection Act 2018 and is registered with the UK Information Commissioner's Office.
ICO Registration Number: ZA640477
3.5 The Data Processing Contact for this business is: Ms Emily Wheeler
3.6 In the course of business, we may act as Data Processor under contract for clients and other third parties in business. However, this document relates to activities conducted as Data Controller in our own capacity.
4.1 As a Data Controller, We will take all the necessary steps to comply with the Data Protection Act 2018 and other relevant legislation and regulations when handling any personal data which is provided to us.
This includes ensuring that data under our control is:
4.1.1 Fairly and lawfully processed.
4.1.2 Processed for limited purposes.
4.1.3 Adequate, relevant and not excessive.
4.1.4 Accurate and not kept for longer than necessary.
4.1.5 Processed in accordance with the prescribed rights.
4.1.6 Secure and not transferred to countries outside the European Economic Area without appropriate safeguards.
4.2 Our data processing contact can be contacted at the above address for the following reasons:
4.2.1 To obtain a copy of the personal data we hold about an individual.
4.2.2 If someone believes any personal data or information which we hold about them is incorrect or incomplete. NB: Any information or data which is found to be incorrect will be corrected as soon as possible.
4.2.3 To have an individual’s personal data removed entirely from our systems.
4.3 There is no charge for these services. As soon as we are satisfied as to the identity of the person making the request, we will send them, within a month of the request, a copy of all the data we hold relating to them.
4.4 As soon as we are satisfied as to the identity of the person making a removal request, and the data is not required to be kept for any other lawful reason or purpose, it will be removed from our systems forthwith.
4.5 As soon as we are satisfied as to the identity of the person making a rectification request, the data in question will be corrected or rectified as appropriate in our systems forthwith.
4.6 If anyone is unhappy with any of the responses given by us, they may complain to the Regulator at the Information Commissioner's Office on 0303 123 1113.
5. Data under Control – Lawful bases in parentheses.
5.1 Following the completion of an information audit and consideration of the rules regarding completion of a Data Protection Impact Assessment, we have concluded that the Data under our control are identified as arriving from eight separate sources.
5.1.1 Prospective and existing Customers providing their information for the purposes of contracting with us for goods or services. (Contract)
5.1.2 Prospective and existing Customers providing their personal information either Online or Offline including Social Media, telephone and by written means to ourselves or third parties to request information regarding our available products and services. (Consent)
5.1.3 Customers' information received either Online or Offline including Social Media, telephone and by written means to Ourselves or third parties to facilitate contractual obligations regarding our products and services. (Contract)
5.1.4 People providing their personal information either Online or Offline including Social Media, telephone and by written means because they are interested in working with us or learning more about working with us. (Consent)
5.1.5 Online or Offline face to face meetings with people who provide their personal information to us for the purposes of later contact regarding products and services provided by us. (Consent)
5.1.6 Our Employees who provide their details for our information for the purposes of working with us. (Legal Obligation)
5.1.7 Suppliers of products and services to us who provide information of themselves or relevant individuals who assist them to provide us with products and services on their behalf. (Contract)
5.1.8 People identified through our CCTV/Biometric systems. (Legitimate Interest)
6. Lawful Bases for processing
6.1 We understand there are 6 Lawful bases for data processing:
6.1.1 Consent: [Art 6 (1) a GDPR] Where we process information with the specific consent of the individual concerned, whether for our services or for referral to our professional partners.
6.1.2 Contract: [Art 6 (1) b GDPR] The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the direct request of the data subject prior to entering into a contract.
6.1.3 Legal Obligation: [Art 6 (1) c GDPR] The processing is necessary for compliance with a legal obligation to which the controller is subject.
6.1.4 Vital Interests: [Art 6 (1) d GDPR] The processing is necessary in order to protect the vital interests of the data subject or of another natural person.
6.1.5 Public Task: [Art 6 (1) e GDPR] The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6.1.6 Legitimate Interests: [Art 6 (1) f GDPR] The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
NB: This Basis is only available following a Legitimate Interests Assessment and the application of the three-part Legitimate Interests Assessment Test.
6.2 We also understand the principles relating to Special Category Data, being the type of data which could create more significant risks to a person’s fundamental rights and freedoms.
6.3 We are involved with Special Category data for our employees. When we are dealing with sensitive data, our subsidiary legal bases for employees are described in Section 11 of this document.
7. Children’s Data
7.1 As a general rule we do not contract with children to provide products or services.
7.2 We may record details of clients' children if relevant and appropriate to our business activity or for the purpose of giving the client advice and may subsequently reference such children in our records. In all cases where a child is under 13 years, we receive parental consent to record the child’s details.
8. Individuals' Rights
8.1 We are aware of the individual’s rights protected by the GDPR and Data Protection Act 2018 as being the following:
8.1.1 The right to be informed
8.1.2 The right of access
8.1.3 The right to rectification
8.1.4 The right to erasure
8.1.5 The right to restrict processing
8.1.6 The right to data portability
8.1.7 The right to object
8.1.8 The right not to be subject to automated decision making, including profiling.
8.3 We do not conduct automated data processing activity or operate within areas where Data Portability would be encountered.
8.4 In our Online presence and Website there is provided a method for contacting us and requesting Access to any data held by ourselves subject to the usual legal controls.
9. Subject Access Requests
We have determined a policy to comply with Subject Access Requests (SARs). It is referenced in our Online Privacy Notice and will consist of the following:
9.1 Request for information held on a Data Subject
9.1.1 The SAR will be notified to or come to the notice of our Data Processing Contact who will:
9.1.2 Make enquiries as to the identity of the enquirer and contemporaneously establish the type and quantity of relevant Data under Control by Us.
9.1.3 Gather or arrange to be gathered the information in preparation for despatch to the enquirer.
9.1.4 Supervise the despatch of the data within the prescribed timescale of one month.
9.1.5 Record the details of the SAR and the fact of its completion.
9.2 Request for the Rectification or Removal of Data
9.2.1 The SAR will be notified to or come to the notice of our Data Processing Contact who will:
9.2.2 Make enquiries as to the identity of the enquirer and contemporaneously establish the type and quantity of relevant Data under Control by Us.
a) The Data will be checked for accuracy and rectified where necessary. Or,
b) The Data will be checked for lawful reasons to retain, then if there are none, gathered together and removed from Our systems and records if applicable.
9.2.3 Notify the enquirer as to the changes made (if any) within the prescribed timescale of one month.
9.2.4 Record the details of the SAR and the fact of its completion.
9.3.1 To access what personal data is held, identification will be required. We will accept the following forms of ID when information on personal data is requested:
a) A National ID card.
b) A Driving Licence.
c) A Valid Passport.
d) A Birth Certificate.
e) A Utility bill not more than three months old.
9.3.2 A minimum of one piece of photographic ID listed above and one other document from the list is required.
9.3.3 Until We are satisfied with the documents provided, further identification may be sought before personal data can be released.
9.3.4 Where there is a failure or refusal to provide the requested identification, or if the identification provided is not satisfactory, no personal data held by Us will be released.
9.3.5 In the circumstances outlined in clause 9.3.4 above, our refusal to comply with the request will be recorded and the enquirer informed.
9.3.6 Enquiries by third parties will also require identification checks and confirmation by the primary Data Subject.
9.3.7 Requests which are manifestly unfounded or excessive will incur a charge which will be calculated taking into consideration the administrative task involved in complying with the request.