GDPR Policy

1. Introduction

AbsorboPak is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.

This policy sets forth the expected behaviours of AbsorboPak Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to an AbsorboPak Contact (i.e. the Data Subject).

The Management of AbsorboPak is fully committed to ensuring continued and effective implementation of this policy and expects all AbsorboPak Employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.

2. Scope

This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

3. Definitions

Anonymisation: Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.

Consent: Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Contact: Any person, past, present or prospective, who is or may become a data subject of AbsorboPak.

Data Controller: A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Processor: A natural or legal person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.

Data Protection: The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.

Data Subject: The identified or Identifiable Natural Person to which the data refers.

Employee: An individual who works part-time or full-time for AbsorboPak under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees and independent contractors.

Encryption: The process of converting information or data into code, to prevent unauthorised access.

GDPR Coordinator: Person appointed to manage data compliance obligations on behalf of AbsorboPak.

Identifiable Natural Person: Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data: Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Processing: Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means.

Profiling: Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

Third Country: Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

Third Party: An external organisation with which AbsorboPak conducts business and which is also authorised, under the direct authority of AbsorboPak, to Process the Personal Data of AbsorboPak Contacts.

Pseudonymisation: Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified.

4. Policy

4.1 Data Protection by Design

To ensure that all Data Protection requirements are identified and addressed when designing or purchasing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing. [Art. 25]

4.2 Compliance Monitoring

The GDPR Coordinator is responsible for monitoring compliance with the policy. [Art 5]

4.3 Data Protection Principles

AbsorboPak has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:

Principle 1: Lawfulness, Fairness and Transparency

Personal Data is processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means AbsorboPak will inform the Data Subject and/or the data controller where Processing will occur (transparency), the Processing must match the description given to the Data Subject and/or data controller (fairness), and it must be for one of the purposes specified. [Arts. 5 & 12]

Principle 2: Purpose Limitation

Personal Data is collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes. AbsorboPak will specify exactly what the Personal Data collected will be used for and limit the Processing of that Personal Data to only what is necessary to meet the specified purpose. [Art. 6]

Principle 3: Data Minimisation

Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed. AbsorboPak does not store any Personal Data beyond what is strictly required. [Art 5]

Principle 4: Accuracy

Personal Data is accurate and kept up to date.

AbsorboPak has in place processes for identifying and addressing out-of-date, incorrect and redundant Personal Data. [Art. 5d]

Principle 5: Storage Limitation

Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed. [Art 5e]

Principle 6: Integrity & Confidentiality

Personal Data is Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. AbsorboPak uses appropriate technical and organisational measures to ensure the integrity and confidentiality of Personal Data is maintained. [Arts 5f, 24 & 32]

Principle 7: Accountability

The Managing Director is ultimately responsible for compliance with data protection regulations. The GDPR coordinator provides administrative support [Art 5].

4.4 Data Collection

4.4.1 Data Sources

Personal Data is collected only from the Data Subject and/or the data controller and also from information freely available in the public domain.

4.4.2 Data Subject Consent

AbsorboPak will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and Consent of the individual concerned. Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, AbsorboPak is committed to seeking such Consent. [Arts 5 & 6]

AbsorboPak has implemented a simple system for a Data Subject to withdraw their Consent at any time. [Art. 7]

4.4.3 Data Subject Notification

AbsorboPak will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data.

When the Data Subject is asked to give Consent to the Processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following applies:

* The Data Subject already has the information

* A legal exemption applies to the requirements for disclosure and/or Consent. [Art. 13]

4.4.4 External Privacy Notices

This policy is published on the AbsorboPak website at http://www.AbsorboPak.ie.

4.5 Data Use

4.5.1 Data Processing

AbsorboPak uses Personal Data for the following business purposes: [Art. 13]

* Fulfilment of client orders

* Dispatch, Delivery and collection of client orders

* Processing Returns orders for clients

* Sales prospecting (CRM)

* Engaging suppliers to provide services

* Current, past and potential future Employee personnel records

* Salary payments to employees

* Evaluation of candidates for employment

* Recruitment

4.5.2 Special Categories of Data

AbsorboPak does not gather or process any data which could be categorised as special. Neither does it collect or process any data related to children [Arts 8, 9 & 10].

4.5.3 Data Quality

AbsorboPak will adopt all necessary measures to ensure that the Personal Data it receives from data controllers is processed only as instructed.

The company ensures that the data it collects and Processes from data subjects is complete and accurate in the first instance and is updated to reflect the current situation of the Data Subject. [Art. 5]

The measures adopted by AbsorboPak to ensure data quality include:

* Correcting Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification. [Arts 15 & 16]

* Keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period. [Art. 5]

* The removal of Personal Data if in violation of any of the Data Protection principles or if the Personal Data is no longer required. [Arts 5 & 17]

* Restriction, rather than deletion of Personal Data, insofar as:

  * a law prohibits erasure. [Art 23]

  * erasure would impair legitimate interests of the Data Subject. [Art. 23]

  * the Data Subject disputes that their Personal Data is correct, and it cannot be clearly ascertained whether their information is correct or incorrect.

4.5.4 Profiling & Automated Decision-Making

AbsorboPak does not engage in Profiling or automated decision-making [Art. 22].

4.5.5 Digital Marketing

AbsorboPak will not use or monetise personal data that it has already received through third parties other than for the purposes for which it was received [Art. 21].

4.6 Data Retention

To ensure fair Processing, AbsorboPak has implemented a data retention policy to ensure Personal Data is not retained for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed. [Art 5]

4.7 Data Protection

AbsorboPak has adopted physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or Processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. [Arts 24 & 32]

The security measures include:

* Preventing unauthorised persons from gaining access to data processing systems in which Personal Data are Processed.

* Preventing persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations.

* Ensuring that Personal Data in the course of electronic transmission during transport cannot be read, copied, modified or removed without authorisation.

* Ensuring that access logs are in place to establish whether, and by whom, the Personal Data was entered into, modified on or removed from a data processing system.

4.8 Data Subject Requests

AbsorboPak has implemented a procedure for dealing with data subject access requests. The GDPR Coordinator will facilitate the exercise of Data Subject rights related to:

* Information access.

* Objection to Processing.

* Objection to automated decision-making and profiling.

* Restriction of Processing.

* Data portability.

* Data rectification.

* Data erasure.

If an individual makes a request relating to any of the rights listed above, AbsorboPak will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. [Arts 15, 18 & 20]

A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorised legal representative. Data Subjects shall have the right to require AbsorboPak to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.

If AbsorboPak cannot respond fully to the request within 30 days, it will nevertheless provide the following information to the Data Subject, or their authorised legal representative, within the specified time:

* An acknowledgement of receipt of the request.

* Any information located to date.

* Details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision.

* An estimated date by which any remaining responses will be provided.

* An estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature).

* The name and contact information of the AbsorboPak individual whom the Data Subject should contact for follow-up.

4.9 Law Enforcement Requests & Disclosures

In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes: [Art. 17]

* The prevention or detection of crime.

* The apprehension or prosecution of offenders.

* The assessment or collection of a tax or duty.

* By the order of a court or by any rule of law.

4.10 Data Protection Training

All AbsorboPak Employees that have access to Personal Data have been informed of their responsibilities under this policy. All new employees will have the policy outlined to them as part of their staff induction training. [Art. 39]

4.11 Data Transfers

AbsorboPak only transfers data to third parties where it is necessary for the conclusion or performance of a contract in the interest of the Data Subject and/or at the request of a data controller. AbsorboPak does not transfer data outside the EU [Art. 44].

4.12 Complaints Handling

Data Subjects with a complaint about the Processing of their Personal Data should put forward the matter in writing to the GDPR Coordinator. An investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case. The Data Subject will be kept informed of the progress and the outcome of the complaint within a reasonable period.

If the issue cannot be resolved then the Data Subject may, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable jurisdiction [Arts 15 & 19].

4.13 Breach Reporting

Any individual who suspects that a Personal Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify the GDPR Coordinator, providing a description of what occurred. [Arts 33 & 34]

AbsorboPak has implemented a procedure for dealing with information security breaches. The GDPR Coordinator will investigate all reported incidents to confirm whether or not a Personal Data Breach has occurred. If a Personal Data Breach is confirmed, AbsorboPak will follow the relevant authorised procedure based on the criticality and quantity of the Personal Data involved.

5. Policy Maintenance

All inquiries about this policy, including requests for exceptions or changes should be directed to the GDPR Coordinator at AbsorboPak.

5.1 Publication

This policy shall be available to all AbsorboPak Employees.

5.2 Effective Date

This policy is effective as of 25th May 2018.

5.3 Revisions

The GDPR Coordinator is responsible for the maintenance and accuracy of this policy. Changes to this policy will come into force when published on the AbsorboPak Policy Portal (website link to be set up).