ARENTIS Ltd. General Data Protection Regulation Policy
Introduction
The General Data Protection Regulation (GDPR) is a comprehensive update to European Law that goes into effect on 25 May 2018. The GDPR was designed to align data privacy laws across Europe, to empower the privacy of all EU residents and to change the way organisations approach data privacy. The GDPR applies to all organisations that hold data for EU citizens, regardless of size.
Ensuring that personal data is secure and properly dealt with is of paramount importance to ARENTIS Ltd, and we have made enhancements to processes, products, contracts and documentation to ensure we conform fully to GDPR.
Please read our Privacy Policy to learn more about how we approach data privacy.
What is considered to be Personal data?
Personal data is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data can also include IP addresses and mobile device IDs etc.
Sensitive Personal Data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health or sex life and sexual orientation; and genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence). We do not collect or store any sensitive personal information.
Whose data is covered?
ARENTIS Ltd collect and store data from suppliers, subcontractors, customers and other parties such as prospective customers and persons using our websites.
Collecting Data
ARENTIS Ltd collect personal data from a multitude of sources. These sources include consent forms (see Appendices), information provided in correspondence with us, information provided via our websites and other information necessary to conclude transactions and fulfil contractual obligations.
The provision of all personal data is voluntary, but we may require this to deliver a product or service, or respond to communications from you.
You may also provide us with other information through a web form, or participation in chats or community discussions.
We only hold and process data that is absolutely necessary for the completion of our duties, and we limit access to personal data to those who carry out the data processing.
ARENTIS Ltd do not knowingly sell products or services for purchase by minors. If an approach is made by a minor, we will require consent from someone with parental responsibility, and shall make reasonable efforts to verify that person is indeed a parental figure.
What is data processing?
Data processing means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
ARENTIS Ltd do not process personal data for one or more specific purposes without your consent.
We process data necessary for the performance of a contract to which the data subject is party, or to carry out instructions at the request of the data subject prior to entering into a contract.
We record all of our processing activities. These records are compiled so as to conform to Article 30 of the GDPR, and include the purpose for processing, a description of the categories of data subjects and categories of the personal data, categories of recipients to whom the personal data have been or will be disclosed, and the envisaged time limit for erasure of the categories of data.
What do we use the data for?
ARENTIS Ltd utilise your personal data for activities such as contract fulfilment, responding to requests for information or quotations, providing information on products and services, monitoring customer satisfaction etc.
Full details of how we use your personal data are given in our Privacy Policy.
Consent
ARENTIS Ltd have produced standalone consent forms which are separate from any other terms and conditions we have. An unambiguous ‘opt in’ has been adopted to comply with the GDPR. Examples of these consent forms can be seen in the Appendices.
You may withdraw your consent, request that your data is erased, or exercise your Right to be Forgotten at any time by emailing sales@arentis.co.uk, or writing to our registered office at 2 Wortley Road, Deepcar, Sheffield S36 2UZ. Any requests will be met within 1 month of the request being received.
The GDPR does not specify an expiry on a consent given; however, ARENTIS Ltd will delete all consents where no business activity has taken place for 5 years.
How do we protect your personal data?
We protect your personal information using technical and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration. Some of the safeguards we use are firewalls, data encryption and information access authorisation controls.
We also ensure that privacy settings are set at a high level by default, and that data protection is designed into the development of business processes for products and services.
A copy of ARENTIS Ltd's Information Security Policy is available on request.
Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If a personal data breach results in risk to the rights and freedoms of natural persons, ARENTIS Ltd will without undue delay and where feasible, not later than 72 hours after having become aware of the breach, notify the data subject to inform them of the breach.
Subject Access Requests
As specified in the Subject Access Request section of the GDPR, an individual is entitled to the information detailed therein, in an electronic format and free of charge. The data subject is entitled to, amongst other things, confirmation as to whether or not the data concerning them is being processed, where and for what purpose.
Any Subject Access Request received by ARENTIS Ltd will be actioned within the mandatory response time of 1 month.
Sharing Data
ARENTIS Ltd do not sell, rent, or otherwise disclose your personal information to third parties without your consent, unless required to operate our business or compelled to do so by law.
When personal data is shared with these third parties, we ensure they protect your personal information with appropriate security measures, as detailed in our Privacy Policy.
Personal data held by us will be accessible by employees of ARENTIS Ltd and its affiliated companies.
Crius Technologies Ltd also have access to your data in their capacity as our IT infrastructure support company. Crius Technologies Ltd cannot do anything with your data unless specifically instructed to do so by ARENTIS Ltd, and the data remains within our controllership.
If you have a question or a complaint about this privacy notice, our privacy standards, or our information handling practices, please contact Mr Peter Clarke, Mark Marriage or Steven Olbison, Director, ARENTIS Ltd.
Effective date: May 1, 2018