This Policy outlines the aspects of the General Data Protection Regulation (GDPR) relevant to CSI’s operation and ensures that CSI complies with the legislation.
This Policy applies to all CSI employees at all times when collecting, handling, or processing personal data in any format.
Applies to all CSI employees when handling private data.
Definitions and Abbreviations
· GDPR – General Data Protection Regulation
· Personal data – Data that can identify an individual (e.g. name, address, email, National Insurance Number, bank details)
· SME – Small and Medium-sized Enterprises (companies with fewer than 250 employees)
Since the GDPR came into force on 25 May 2018, companies have certain obligations in relation to collecting, processing and storing personal information. In the context of its current activities, CSI does not collect or store any data about patients, including patient personal details. However, CSI does collect, process and store personal data in the form of contact details of suppliers, clients and other entities for the purpose of carrying out its business and operational activities.
Justification for collecting, processing, and storing
Any personal data collected, processed or stored must be justified (i.e. it must have a justifiable purpose). There are three types of justification:
· Legal Obligation – The personal data is required in order to fulfil a CSI Legal Obligation. This category would include CVs of employees kept on file for compliance with GDP/GMP requirements. This also applies when keeping certain records on file which may contain personal data (e.g. email addresses), such as shipment records kept on file for seven years.
· Contractual – The personal data is required to fulfil CSI’s contractual obligations. This includes CSI collecting personal information about its employees to manage payments and pensions; all business contacts with existing suppliers and clients; and the contacts of third-party entities that CSI is required to involve in order to fulfil its contracts (e.g. the client providing the contact person at their appointed depot).
· Legitimate Interest – This is personal data that CSI has a legitimate interest in. Examples include contacts of prospective clients, suppliers and other potential business partners, and the personal details of candidates for CSI job vacancies.
Personal data that cannot be justified by any of the categories above should not be collected, processed, or kept by CSI.
For further details of our Policy, please contact firstname.lastname@example.org.