1. Who We Are

We are Netli Ltd (trading as “Netli” and “CareJob.co”), a company incorporated in Scotland with registered number SC507046 and having our registered office address at 39 Hanover Street, Edinburgh, Scotland, EH2 2PJ

We are a data controller for the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) and related data protection legislation.

2.  How to contact us
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the details set out below. Initial enquiries should be directed to Mr Stephen Wilson as follows:

• By post: 39 Hanover Street, Edinburgh EH2 2PJ
• By phone: 0131 510 4003
• By email: GDPR@just2029.temp.domains
• Online: https://netli.co/contact-us

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

3.  Our commitment

We are committed to protecting your personal data and your privacy. This privacy notice aims to give you information on how we collect and process your personal data.

It is important that you read this privacy notice when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

This version of our privacy notice was last updated on 20 November 2018.

4. To whom does this privacy notice apply?
This privacy notice applies to the following categories of data subjects:

• Temporary workers or contractors who have applied to enter into a “contract for services” with our clients through our Workforce platform (“temporary works”).
• Job seekers or other applicants for permanent employment in the public and private sector who have applied to enter into a “contract for services” with our clients through our Workforce platform or CareJob.co website (“candidates”).
• Employees or other representatives of our clients whose personal data we must process in order to fulfil our contractual obligations (“client contacts”).
• Individuals who are our business contacts where the individual or the individual’s organisation supplies goods or services to us, provides professional services, provides a candidate reference, has expressed an interest in us or has any other business relationship with us (including where the individual’s organisation is a public authority, an industry body or regulatory authority or similar) (“business contacts”).
• All individuals who visit our websites www.netli.co, www.carejob.co or our social media accounts (“website users”). This privacy notice does not apply to employees and other current, former or prospective staff of Netli Ltd. We have separate privacy notices for such purposes.

5.  Children
We do not knowingly collect any personal data relating to children.

6.  About the personal data that we collect and process

“Personal data” or “personal information” is any information relating to or about an individual from which that person can be directly or indirectly identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection. This includes health data, racial or ethnic origin, political or religious affiliations or criminal records.

We may from time to time obtain special categories of personal data (in particular health data) about candidates in the course of providing our services to our clients. We may also from time to time obtain information about “criminal convictions and offenses” about candidates. We only obtain such special category data with the consent of the candidate.

The table set out in SCHEDULE 1 summaries the personal data we collect and process, how we use it (“our processing purposes”) and why we use it (“the lawful bases of processing”).

We may also collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature of our website. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

7. How is your personal data obtained?
We use different methods to collect personal data from and about you including through:

Direct interactions.

You may give us your identity, contact, financial, transactional or similar personal data when you correspond with us by post, phone, e-mail or otherwise, including when you use our Workforce platform.

Direct interactions with business contacts and client contacts.

You may give us your identity, contact, financial, transactional and other business related personal data when you correspond with us, including when:

1. You or your organisation negotiate and/or enter into a contract with us; or
2. You or your organisation provide services or products to us or your or your organisation receive services from us; or
3. You provide a reference for a candidate; or
4. You provide us with your business card.

Automated technologies or interactions.

As you interact with our websites, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies.

Third parties or publicly available sources.

We may receive personal data about you from various third parties and public sources as set out below:

Where you are a client contact or business contact, your organisation or business may provide us with your identity and contact data;

• We may obtain identity and contact data from publicly available sources such as social media (such as LinkedIn or Twitter), Companies House or other organisations’ websites;
• We may obtain contact, financial and transaction data from providers of payment and credit card services;
• We may obtain technical data (relating to the use of our website or Workforce platform) from analytics providers or search information providers.

8.  Failure to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.

9.  Marketing

If you are an individual consumer, we will only provide you with direct marketing communications where you have consented to receive such communication or you have contacted us directly to request specific information about our services. You can subscribe to such marketing communications, and you can adjust your marketing preferences at any time by contacting us at GDPR@just2029.temp.domains

If you represent another business, we may provide you with direct marketing communications where we feel that this may be relevant to your business (provided that you have not opted out of such communications). When we use your personal data for such purposes, we do so on the basis that it is in our legitimate interests to pursue direct marketing, provided that it constitutes fair processing of your personal data to do so.

You can also opt-out or unsubscribe from all or some of these marketing communications at any time by contacting us at GDPR@just2029.temp.domains

Where you opt out of receiving these marketing communications, this opt-out will not apply to personal data provided to us for any other purpose.

10.  Do We Share with Third Parties?

There may be circumstances in which we may also need to share your personal data with certain third parties (strictly on a confidential, business need-to-know basis). Where you are a candidate, we will share your personal data with our client where you have applied for a job with that client through our Workforce platform or CareJob.co website.

We will only share your special category personal data with a client with your explicit consent. Please note that if you decline to share any personal data with a potential employer then your application may not be considered.

Other third parties to which we may transfer your personal data include:

• Your business or organisation, for the purpose of providing our services to your business or organisation, or receiving products or services from your business or organisation.
• Service providers acting as processors who provide IT and system administration services.
• Professional advisers including lawyers, bankers, accountants, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
• Any relevant accreditation body or trade association.
• Any relevant regulatory authority or law enforcement agency, including HM Revenue & Customs, courts or tribunals who require reporting of processing activities in certain circumstances.
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. Any sharing of your personal data will only take place where you have provided your consent, we are legally obliged to do so, where it is necessary for the performance of a contract with you or where it is in our legitimate interests to do so, including as follows:

• To maintain network and information security.
• To provide services to our clients.
• To develop and improve our services in order to remain competitive.
• To establish, protect and defend our legal rights.
• To pursue our commercial objectives where this does not override your rights and freedoms as a data subject.

11.  International Transfer of Personal Data

We generally do not transfer your personal data out of the European Economic Area (EEA). However, whenever we are required to transfer your personal data out of the EEA (for example where a client is located outside of the EEA), we ensure a similar degree of protection is afforded to it by ensuring that appropriate safeguards are implemented, including any of the following:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, European Commission: Model contracts for the transfer of personal data to third countries.
• Where we use providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA. For further details, see European Commission: EU-US Privacy Shield.
• You have provided your explicit consent to the transfer of your personal data outside of the EEA.
• The transfer is necessary for the purposes of performing a contract between us and you.

12.  Automated decision making and profiling

We may make automated decisions about you during the assessment stage of the recruitment process. This may result in a candidate being deemed not suitable for a position by means of a solely automated assessment. We only undertake this activity with the candidate’s explicit consent.

13.  How long do we retain your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Please contact us at GDPR@just2029.temp.domains for further details about our retention periods.

14.  Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner’s Office of a breach where we are legally required to do so.

15.  Your rights
Your personal data is protected by legal rights, which include your rights to:

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you.  This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, following your request.
• Object to processing of your personal data. Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to estab- lish, exercise or defend legal claims; or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data to you or to a third party (data portability). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used theinformation to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of these rights, please contact us at GDPR@just2029.temp.domains

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You also have the right to complain to the Information Commissioner’s Office, which regulates the processing of personal data, about how we are processing your personal data.

Schedule 1

Personal data will be processed by us where you consent to the processing or where that processing is necessary for 1) the performance of a contract with you; or 2) compliance with a legal obligation to which we are subject; or 3) the purposes of our legitimate interests (or those of a third party).

We have set out below a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us at GDPR@just2029.temp.domains if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

1. Data from website users (any visitor to our websites)

What personal data do we collect?

• Technical data including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website)
• Usage data (including information about your visit and how you use our website)

How do we use your personal data?

• To improve the user experience and administer the functionality of our website
• To respond to general and specific enquiries

Why do we use your personal data?

• Necessary for our legitimate interests (to maintain network security and website relevance for visitors to our website)
• Necessary to comply with a legal obligation

2. Data from temporary workers and candidates

What personal data do we collect?

• Identity data (including full name and title, nationality, immigration status, National insurance (NI) number, tax code and other tax information, date of birth, proof of identity and proof of residence)
• Contact data (including business address, email address and telephone num- bers)
• Employment data (including professional qualifications, employment history, continuous professional development (CPD) undertaken, and re-validation information to ensure you meet the requirements)
• Marketing and communications data (including your preferences in receiving marketing from us and your communication preferences)
• Special category data (including health data such as sickness leave, parental leave, disability information and any other health data relevant to the position being applied to, or data relating to racial or ethnic origin or other data relevant to equal opportunity monitoring)
• Criminal convictions data (including information relating to any unspent criminal convictions or offences)

How do we use your personal data?

• For recruitment purposes, payroll purposes , assignments with clients, health and safety, human resource requirements,regulatory requirements and statutory reasons such as HMRC requirements.

Why do we use your personal data?

• Necessary for us to perform services for you
• Necessary to comply with a legal obligation
• Where you have consented to receive marketing information
• Where we process any special category data, we do soonly with your explicit consent
• Where we process any criminal convictions data, we do so only with your explicit consent

3. Data from client contacts (any contact person of an existing or former client)

What personal data do we collect?

• Identity data (including full name and title)
  Contact data (including business address, email address and telephone numbers)
• Employment data (including job title and role)
• Transaction data (including information obtained by providing services to your organisations and other details of our interactions including financial information, correspondence and conversations)
• Marketing and communications data (including your preferences in receiving marketing from us and your communication preferences)

How do we use your personal data?

To process and deliver services to your organisation including:

• Providing information about our services on request;
• Carrying out our services;
• Managing payments, fees and charges;
• Collecting and recovering money owed to us;
• Dealing with any client complaints and receiving feedback;and
• Corresponding with you in connection with our services. To manage our relationship with you as our client contact To notify your organisation about changes to our terms and conditions or privacy notice

Why do we use your personal data?

• Necessary for us to perform contracts with our corporate clients
• Necessary for our legitimate interests (to respond to your correspondence with us, to keep our records up to date, manage client relationships and to recover debts due to us)
• Necessary to comply with a legal obligation

4. Data from business contacts (actual, former or prospective business contacts)

This includes:

• Staff or other contacts at our third party suppliers (including professional advisors)
• Individuals or representatives of organisations who have expressed an interest in our business, and
• Anyone else with whom we have contact in a business context

What personal data do we collect?

• Identity data (including full name and title)
• Contact data (including business address, email address and telephone numbers)
• Employment (including job title and role, employer)
• Transaction data (including details about products and services provided by you (or your organisation) to us, details of payments to and from you (or your organisation) and other details of our interactions including correspondence and conversations)
• Marketing and communications data (including your preferences in receiving marketing from us and your communication preferences)

How do we use your personal data?

To manage our business relationships with suppliers and sub-contractors,professional advisors, regulatory authorities and others, which will include:

1. Seeking or maintaining business relationships with various organisations, including accreditation and regulatory authorities;
2. Assessing the suitability of any existing or potential supplier or other business relationship;
3. Negotiating and entering into appropriate contracts for the supply of goods or services to us, carrying out any obligations under such contracts (including obligations of payment) and if necessary enforcing any such contracts;
4. Undertaking on-going monitoring and management of our relationship with suppliers and other professional and businesscontacts;
5. Interacting with other organisations or persons (including partners, other advisers or sub-contractors) in the course of providing services to our clients; and
6. Investigating any complaints or enquiries.

Why do we use your personal data?

• Performance of a contract with you (where relevant)
• Necessary for ourlegitimate interests (to manage third party relationships, to seek supply arrangements appropriate for our business, to run our business efficiently and profitably, to enhance, modify and improve our services,and to pursue our commercial objectives where this does not over ride your rights and freedoms as a data subject)
• Necessary to comply with a legal obligation

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at GDPR@just2029.temp.domains

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Further details on how we handle special category data are set out in our Special Category Data Policy. Please contact us for further information or a copy of the policy.

Further details on how we handle criminal convictions data are set out in our Criminal Convictions Data Policy. Please contact us for further information or a copy of the policy.

1. Purpose

The purpose of this Policy is to outline how Netli Ltd (trading as “Netli” or “CareJob.co”), has established measures to maintain compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). The Policy contains two components:

• Section 2.0 – Measures to re-enforce accountability and governance.
• Section 3.0 – Measures to demonstrate the protection of information rights of the data subject.

Netli Ltd supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. In the course if its business, it is necessary for Netli Ltd to record, store, process, transmit, and otherwise handle private information about individuals.

Netli Ltd takes these activities seriously and provides fair, secure, and fully-legal systems for the appropriate handling of this private information. All such activities at Netli are intended to be consistent with both generally accepted privacy ethics and standard business practices.

 

2. Scope

This policy applies to all Netli Ltd employees, contractors, temporaries, and consultants, and other workers. All of these people are expected to be familiar with and fully in compliance with these policies. Workers who are not in compliance are subject to disciplinary action up to and including termination.

This policy also applies to outsourcing organisations that perform information- processing services on behalf of Netli Ltd. Use of outsourcing organisations to process personal data must always include a contractual commitment to consistently observe these policies and related Netli Ltd procedures and standards as specified by the Information Security department. All outsourcing organisations handling personal data provided by Netli Ltd must periodically issue certificates of compliance with this policy, and permit Netli Ltd to initiate independent audits to determine compliance with this policy.

 

3.  Terms and Definitions

Personal data
Any information relating to an individual. Such data includes name, address, telephone number, social security number, driver’s license number, and personal business transaction details. For example, such a person could be a purchaser of Netli Ltd products. The following policies do not apply to statistical reports or other collections of information in which specific natural persons are not identifiable.

Processing of personal data or “processing”
Any operation or set of operations performed on personal data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure or destruction.

Owner
The Netli Ltd manager or executive, who determines the purposes for processing personal data, and who makes decisions about the security mechanisms to be used to protect such personal data.

Custodian
The Netli Ltd manager, or third-party organisation manager if processing is outsourced, who processes personal data according to the instructions provided by the Owner.

Third party
Any person, partnership, corporation, public authority, government agency, or any other entity other than the individual, Owner, Custodian, and the persons who, under the direct authority of the Owner or the Custodian, are authorized to process the data.

Recipient
The person, public authority, government agency, or any other entity to whom personal data is disclosed, even if the recipient is a third party.

Consent
Any freely-given informed indication of his or her wishes by which the individual signifies his or her agreement to have his or her personal data processed, which may include disclosure.

Partner
Any non-employee of Netli Ltd who is contractually bound to provide some form of service to Netli Ltd.

User
Any Netli Ltd employee or partner who has been authorised to access any Netli Ltd electronic information resource.

 

4. Specific Policy Requirements

 

Policy Principles

Article 5 of the GDPR requires that personal data shall be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals;
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• Kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In addition, there is a requirement that, “The controller shall be responsible for, and be able to demonstrate, compliance with the principles”.

 

Accountability and governance

This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with the General Data Protection Regulation. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.

 

Roles and responsibilities

While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. Netli Ltd is expected to put into place comprehensive but proportionate governance measures.

Netli Ltd has defined Simeon Grigorovich as the ‘Data Compliance Officer’. The DCO’s responsibilities include:

1. Informing and advising Netli Ltd and its employees about their obligations to comply with the GDPR and other data protection laws.
2. Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
3. Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
4. The DCO reports to the Board of Directors of the relevant entity on a quarterly basis.

The Board’s responsibility is to provide effective governance over Netli Ltd’s affairs for the benefit the shareholders and to balance the interest of its diverse stakeholders, including its customers, employees, international suppliers and communities.

Head of IT will report to the Enterprise Risk Management Committee (ERMC) any Data breach escalated to them. Employees are obligated to report any breach to the DCO of the company as soon as they are aware of it.

 

Documentation

The GDPR contains explicit provisions about documenting Netli Ltd’s processing activities. Netli Ltd must maintain records on several things such as processing purposes, data sharing and retention. Netli Ltd may be required to make the records available to the Information Commissioner Office (the “ICO”) on request.

Policy requirements:

Where Netli Ltd is a controller for personal data, Netli Ltd maintains documentation in a manner consistent with Article 30(1) of the GDPR. Where Netli Ltd is processor for personal data, Netli Ltd maintains documentation in a manner consistent with Article 30(2) of the GDPR.

If Netli Ltd processes special category or criminal conviction and offence data, Netli Ltd documents:

• The condition for processing under the Data Protection Bill;
• The lawful basis for processing; and
• Whether the personal data is erased and retained in accordance with Netli Ltd Policy. Netli Ltd conducts regular reviews of the personal data processed and updates documentation accordingly.

 

Data protection by design and default

Under the GDPR, Netli Ltd has a general obligation to implement technical and organisational measures to show that Netli Ltd has considered and integrated data protection into processing activities.

Policy requirements:

Netli Ltd carries out a Data Protection Impact Assessment (‘DPIA’) (Appendix III) when:

• Using new technologies; and
• The processing is likely to result in a high risk to the rights and freedoms of individuals.
• Processing that is likely to result in a high risk includes (but is not limited to):
• Systematic and extensive processing activities, including profiling and where decisions that have legal effects or similarly
• Significant effects on individuals.
• large scale processing of special categories of data or personal data relation to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms e.g. based on the sensitivity of the processing activity. The decision of whether to conduct a DPIA is supported by a documented risk assessment and is endorsed by the DCO.

Lawful basis for processing

Under the GDPR, there are six available lawful bases for processing. Netli Ltd has documented the relevant lawful basis for processing and the purpose of that processing in its Information Asset Register.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever Netli Ltd processes personal data:

Consent: The individual has given clear consent for you to process their personal data for a specific purpose.

Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: The processing is necessary to protect someone’s life.

Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Policy requirements:

• The lawful basis for processing must be considered and documented in line with the ‘Data Audit’ as detailed in Appendix I of this Policy.
• With new systems or processes, Netli Ltd must determine the lawful basis and purpose of processing before beginning processing (usually as a part of the DPIA).
• The Netli Ltd public privacy notice includes the lawful basis for processing as well as the purposes of the processing.
• If Netli Ltd is processing special category or criminal offence data, both a lawful basis for processing and a special category condition for processing must be documented in the Data Audit document and DPIA.
• Netli Ltd should document both the lawful basis for processing and the special category condition to demonstrate compliance and accountability.
• Netli Ltd obtains the consent of possible candidate to process the employment application through the website.

 

Security

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

It requires that appropriate technical or organisational measures are used.

Policy requirements:

• Netli Ltd has defined and implemented an IT Security Policy and supporting management system to maintain effective and proportionate security.

 

Contracts

The GDPR requires diligence and clarity in entering into third-party relationships. Whether Netli Ltd is a processor or controller, there are mandatory requirements relating to the contracts that are in place.

Policy requirements:

• Whenever Netli Ltd acts as a controller a written contract must be in place with the processors. Standards to be applied to the contracts have been defined by the Information Commissioner’s Office.
• Whenever Netli Ltd acts as a processor, Netli Ltd must only act on the documented instructions of a controller (as specified in a valid written contract). Standards to be applied to the contracts have been defined and are documented by the Information Commissioner’s Office.
• On an annual basis, the DCO will review third party relationships to determine the risk posed by processing. This will be documented as a part of a DPIA.
• Based on this assessment, the DCO will determine the most appropriate means to validate that contractual obligations in relation to data processing are being adhered to.
• The DCO will present this assessment, and the results of compliance visits, to the Board at least annually.

 

International transfers

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Netli Ltd may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided for by:

• A legally binding agreement between public authorities or bodies;

• Binding corporate rules (agreements governing transfers made between organisations within in a corporate group); standard data protection clauses in the form of template transfer clauses adopted by the Commission;
• Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
• Compliance with an approved code of conduct approved by a supervisory authority; certification under an approved certification mechanism as provided for in the GDPR; contractual clauses agreed authorised by the competent supervisory authority; or
• Provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.

Policy requirements:

• Requests for international transfer of data must be submitted to the DCO once for each function, and type of document.
• The DCO must record requests for international transfer received.
• The DCO will consider the DPIA in relation to this transfer and the appropriate means of adopting safeguards.

 

Data breaches

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority. In some cases, organisations will also have to report certain types of data breach to the individuals affected.

Policy requirements:

• The DCO must be notified of all breaches to this Policy as soon as possible.
• The DCO must record breaches and work with the information owner to consider the likely impact of the breach.
• Where a breach is considered notifiable to the Information Commissioner, the DCO must immediately inform the Board.
• A notifiable breach has to be reported by the DCO to the relevant supervisory authority within 72 hours of Netli Ltd becoming aware of it. The notification must contain:
  • The nature of the personal data breach including, where possible:

• The categories and approximate number of individuals concerned; and
• The categories and approximate number of personal data records concerned.
• The name and contact details of the data protection or other contact point for more information. A description of the likely consequences of the personal data breach.
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, Netli Ltd will notify those concerned directly.

• The DCO must present an analysis of breaches and near misses to the board at least annually.
• All employees must be trained to recognise and escalate breaches.

 

Compliance and reporting

Monitoring compliance with the GDPR is a key role of the Data Compliance Officer (‘DCO’). The DCO must also report compliance to the Board.

Policy requirements:

• The DCO is responsible for developing a compliance monitoring plan for this Policy.
• The compliance monitoring plan should be submitted to the Board for approval at least annually.
• Progress to deliver the plan, exceptions noted, breaches and near misses and updates on progress to address material deviations from compliance with the Policy must be reported to the DCO to the Board at least quarterly.

 

Training and awareness

Employee awareness of the GDPR, and their role to protect the privacy of data subjects, is core to Netli Ltd’s compliance programme.

Policy requirements:

• Employees must be trained on the requirements of this Policy at least annually through the annual Compliance Training and the induction training for new joiners.

 

Individual rights

The GDPR provides the following rights for individuals:

• The right to be informed
• The right of access
• The right to rectification
• The right to erase
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling. Right to be informed

The right to be informed encompasses Netli Ltd’s obligation to provide ‘fair processing information’, typically through a privacy notice.

Policy requirements:

Netli Ltd maintains a privacy notice and publishes this publicly (Appendix II).

 

Right of access

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Under the GDPR, individuals will have the right to obtain:

• Confirmation that their data is being processed; access to their personal data; and
• Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice. Policy requirements:

All requests from subjects for access to their data should be submitted immediately to the DCO using the form under Appendix V. The DCO must log the request and will:

• Consider whether the request is manifestly unfounded or excessive;
• Request copies of information held from information owners within Netli Ltd;
• Review the information to ensure it does not impair the privacy of another data subject;
• Consider whether the request warrants a fee (if it requires a significant amount of data) and respond to the original request. A response to the request must be provided without delay and at the latest within one month of receipt. In the event the request is particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DCO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Performance against the response target of one month must be reported to the Board by the DCO at least annually.

 

Right to rectification

The GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.

Policy requirements:

• Requests for rectification must be treated in the same way as requests for access. The following, additional, measures will apply: If Netli Ltd has disclosed the personal data in question to third parties, the DCO must inform them of the rectification where possible.
• The DCO must also inform the individuals about the third parties to whom the data has been disclosed where appropriate. The information owner will be responsible for ensuring the request for rectification are actioned on the information they are responsible for.
• The DCO will be responsible for validating whether requests for rectification have been properly addressed.

 

Right to erasure

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances. These include:

Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. When the individual withdraws consent.

When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing. The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).

The personal data must be erased in order to comply with a legal obligation. The personal data is processed in relation to the offer of information society services to a child.

Policy requirements:

Netli Ltd can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

• To exercise the right of freedom of expression and information;
• To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
• For public health purposes in the public interest;
• Archiving purposes in the public interest, scientific research historical research or statistical purposes; or
• The exercise or defence of legal claims.

Requests for erasure of data should be submitted immediately to the DCO and will follow the same principles as for right to access and right to rectification. If Netli Ltd has disclosed the personal data in question to third parties, the DCO must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

 

Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, Netli Ltd is permitted to store the personal data, but not further process it.

Netli Ltd is required to restrict the processing of personal data in the following circumstances:

• Where an individual contest’s the accuracy of the personal data, Netli Ltd should restrict the processing until Netli Ltd has verified the accuracy of the personal data.
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and Netli Ltd considers whether its legitimate grounds override those of the individual.
• When processing is unlawful, and the individual opposes erasure and requests restriction instead.
• If Netli Ltd no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.

Policy requirements:

• Requests to restrict processing will be submitted to the DCO and will follow the same principles as for right to access and right to rectification, with the following additional requirements:
  • The DCO must inform individuals when Netli Ltd decides to lift a restriction on processing.

 

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability applies:

• To personal data an individual has provided to a controller;
• Where the processing is based on the individual’s consent or for the performance of a contract and when processing is carried out by automated means. Policy requirements:

Requests for data under the right to data portability must be submitted to the DCO. The DCO is responsible for recording these and requesting the information from the information owner(s).

The DCO will also review the data to ensure the privacy of other data subjects is not adversely impacted. The DCO will provide the personal data in a structured, commonly used and machine-readable form, submitted using a secure transfer mechanism.

The information will be provided within one month of the original request. Performance against this timescale must be reported by the DCO to the Board at least annually.

 

Right to object

Individuals have the right to object to:

• Processing for purposes of scientific/historical research and statistics.
• Policy requirements: Requests that object to processing must be submitted to the DCO. The DCO is responsible for recording and assessing these. Where instructed by the DCO, Netli Ltd must immediately stop processing the personal data unless:
  • There are demonstrable and compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • The processing is for the establishment, exercise or defence of legal claims. Netli Ltd must inform individuals of their right to object “at the point of first communication” and in its privacy notice.

6. Special category data and criminal offences data

Introduction:

This section of the policy document deals the Data Protection Act 2018 (the DPA), in respect of special category data and information about criminal offences:

• Procedures for securing compliance with the principles in Article 5 of the General Data Protection Regulation (GDPR) and section 35(4) of the DPA – principles relating to processing of personal data – in connection with the processing of personal data in reliance on the condition in question; and
• Policies regarding the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained. Personal data is any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:
  • Health
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Sex life or sexual orientation

The processing of criminal offence data also has additional legal safeguards. Criminal offence data includes information about criminal allegations, criminal offences, criminal proceedings and criminal convictions.

This policy meets the following requirements of the DPA:

• Paragraph 1 of Schedule 1 requiring that an appropriate policy document be in place where the processing of special category personal information necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection
• Paragraph 5 of Schedule 1 requiring that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of Schedule 1 to the DPA.
• Section 42 requiring that an appropriate policy document is in place in respect of processing of personal information for law enforcement purposes

7. Securing compliance with the principles in Article 5 of GDPR

Article 5 of the GDPR sets out the data protection principles. These are our procedures for ensuring that we comply with them.

Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

We will:

Ensure that personal data is only processed where a lawful basis applies and where processing is otherwise lawful.

Only process personal data fairly and will ensure that data subjects are not misled about the purposes of any processing.

Ensure that data subjects receive full privacy information so that any processing of personal data is transparent.

Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

We will:

Only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice.

Not use personal data for purposes that are incompatible with the purposes for which it was collected. If we use personal data for a new purpose that is compatible, we will inform the data subject first.

Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

We will:

Only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

We will:

Ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.

Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

We will:

Only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.

Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

We will:

Ensure that there are appropriate organisational and technical measures in place to protect personal data.

Retention and erasure

We will:

Ensure where special category personal data or criminal offences data are processed, that:

• There is a record of that processing and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data.
• Data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
• Where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous.
• We retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To work out the right retention period for personal data, we consider the following matters:

• The amount, nature, and sensitivity of the personal data.
• The potential risk of harm from unauthorised use or disclosure of personal data.
• The purposes for which we process your personal data and whether we can achieve those purposes through other means; and
• Any legal or regulatory requirements. Once services are no longer required from us by a person, we will retain and securely destroy their personal information in accordance with our data retention schedule.

Appendix I – Privacy Notice

Monitoring of Internal Activities

In general terms, Netli Ltd does not engage in blanket monitoring of internal communications. It does, however, reserve the right at any time to monitor, access, retrieve, read, or disclose internal communications when a legitimate business need exists that cannot be satisfied by other means, the involved individual is unavailable and timing is critical to a business activity, there is reasonable cause to suspect criminal activity or policy violation, or monitoring is required by law, regulation, or third-party agreement.

At any time, Netli Ltd may log web sites visited, files downloaded, and related information exchanges over the Internet. Netli Ltd may record the numbers dialled for telephone calls placed through its telephone systems. Department managers may receive reports detailing the usage of these and other internal information systems and are responsible for determining that such usage is both reasonable and business-related.

All files and messages stored on Netli Ltd processing systems are routinely backed up to tape, disk, and other storage media. This means that information stored on Netli Ltd information processing systems, even if a worker has specifically deleted it, is often recoverable and may be examined at a, later date by system administrators and others designated by management.

At any time and without prior notice, Netli Ltd management reserves the right to examine archived electronic mail, personal computer file directories, hard disk drive files, and other information stored on Netli Ltd information processing systems. This information may include personal data. Such examinations are typically performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of Netli Ltd information processing systems.

Violations

Any violation of this policy may result in disciplinary action, up to and including termination of employment. Netli Ltd reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Netli Ltd does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties.

Accordingly, to the extent permitted by law, Netli Ltd reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.

Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written or verbal complaint to his or her manager, any other manager or the Human Resources Department as soon as possible.

References

ISO 27002 – 15.1.4 Data protection and privacy of personal information.