GDPR Policy
PACKAGING2BUY GDPR POLICY
Packaging2Buy gathers and retains information pertaining to businesses and individuals. This includes customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This data protection policy ensures Packaging2Buy:
• Complies with data protection law and follows good practice
• Protects the rights of staff
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach
DATA PROTECTION LAW
The Data Protection Act 1998 is fully complied with.
We follow the eight most important principles. Data must:
• Be processed fairly and lawfully
• Be obtained only for specific, lawful purposes
• Be adequate, relevant and not excessive
• Be accurate and kept up to date
• Not be held for any longer than necessary
• Be processed in accordance with the rights of data subjects
• Be protected in appropriate ways
• Not be transferred outside the European Economic Area (EEA) unless that country or territory also ensures adequate protection
PEOPLE, RISKS AND RESPONSIBILITIES
POLICY SCOPE
The policy applies to:
• The Offices of Packaging2Buy
• The cloud infrastructure of Packaging2Buy
• All staff and volunteers of Packaging2Buy
• All contractors, suppliers and other people working on behalf of Packaging2Buy
It also applies to all data that the company holds relating to identifiable individuals, even if the information technically falls outside of the Data Protection Act 1998. This can include:
• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Plus, any other information relating to individuals
DATA PROTECTION RISKS
This policy helps to protect Packaging2Buy from data security risks including:
• Breaches of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
RESPONSIBILITIES
Everyone who works for or with Packaging2Buy has some responsibility for ensuring data is collected, stored and handled appropriately.
Each person that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
• The board of directors are ultimately responsible for ensuring that Packaging2Buy meets its legal obligations.
• Data protection is to be included in regular management and staff meetings, so that it is updated and reviewed, responsibilities are qualified, and risks and any issues are discussed.
• Arranging data protection training and advice for personnel covered in this policy
• Handling data protection questions from staff and anyone else covered by this policy
• Dealing with individual requests to see data that the company holds
Outsourced/third party companies that work with us.
• We monitor all third-party companies that we work with to make sure that no data is removed from a customer site or cloud infrastructure without a customer’s instruction to do so. For instance, copying databases in order to fix corruptions.
• In rare cases where a third party may need to access data, we sign and hold non-disclosure agreements
• When working with Microsoft, we monitor all interaction with a customer’s system. No data is removed from local premises or cloud infrastructure apart from rare instances when event logs are required to repair a customer’s network.
STAFF GUIDELINES
• The only people with access to data covered by this policy will be those who need it for their work.
• Data will not be shared informally. When access to confidential information is required, employees are to request it from the managing director.
• Packaging2Buy will provide training to all employees to help them understand their responsibility when handling data.
• Employees are to keep all data secure, by taking sensible precautions and following the guidelines below.
• Strong passwords are used and will never be shared.
• Multi-Factor Authentication (MFA) will be used by all staff when accessing our systems
• Personal data will not be disclosed to unauthorised people, either within the company or externally.
• Data will be reviewed regularly and updated if it is found to be out of date. If no longer required, data will be shredded.
• Employees should seek help from one of the Directors if they are unsure of any aspect of data protection.
DATA STORAGE
When data is stored on paper it will be kept in a secure place where unauthorised people cannot see it.
• When not required any paper or files will be kept in a locked drawer or filing cabinet
• Employees are to make sure paper and printouts are not left where unauthorised people can see them, e.g. on a printer etc.
• Data printouts will be shredded and disposed of securely when no longer required.
• Data stored electronically is protected from unauthorised access, accidental deletion and malicious hacking attempts.
• Electronic data is protected by strong passwords that are changed regularly and not shared between employees. Multi-Factor Authentication (MFA) is also used by all staff.
• Occasionally data may be stored on removable media; these are kept locked away securely, and when no longer required the data is deleted.
• Data is stored in our cloud infrastructure environment protected by MFA
• On-site servers containing any personal data are not used
• Data is backed up off site frequently. Backups are done regularly and not held on-site.
• Data is never saved directly to laptops, desktops or other mobile devices.
• All servers and computers containing data are protected by approved software, firewall and MFA security.
• Customer devices held within our office for repairs will also be covered under this policy. Customer data may be backed up, restored and will be deleted when no longer required.
Packaging2Buy holds a certificate of registration with the Information Commissioner’s Office.
Packaging2Buy also holds valid ISO 9001 certification.
DATA USE
Personal data is of no value to Packaging2Buy unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. Therefore the following must be adhered to:
• When working with personal data, employees must ensure the screens of their PCs are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically.
• Personal data should NEVER be transferred outside the European Economic Area.
• Employees should not save copies of personal data to their own PCs.
• Employees always access and update the central copy of any data.
• No personal data will be copied from a customer site to our own cloud infrastructure. Only configuration data may be held to help support the customer.
DATA ACCURACY
The law requires Packaging2Buy to take reasonable steps to ensure data is kept accurate and up to date.
• Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
• Staff should take every opportunity to ensure data is updated. For instance, confirming contact details when a customer calls.
• Packaging2Buy will make it easy for data subjects to update the information Packaging2Buy holds about them.
• Data should be updated as inaccuracies are discovered. As an example, if a customer can no longer be reached on their stored contact number or email address it should be removed from the database.
SUBJECT ACCESS REQUESTS
All individuals who are the subject of personal data held by Packaging2Buy are entitled to:
• Ask what information the company holds on them and why
• Ask how to gain access to it
• Be informed how to keep it up to date
• Be informed how the company is meeting its data obligations.
• For all “Opt-in” data saved and used for the purposes of marketing, individuals are always given an “Opt-out” option. If an “Opt-out” request is received, the data is removed and deleted accordingly.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests should be made via email to privacy@packaging2buy.co.uk.
Staff will provide the relevant data within a reasonable time.
Most importantly, staff will always verify the identity of anyone making a subject access request before handing over any information.
DISCLOSING DATA FOR OTHER REASONS
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances Packaging2Buy will disclose requested data. However, the Directors will ensure the request is legitimate, seeking assistance from the company’s legal advisor if necessary.
PROVIDING INFORMATION
Packaging2Buy aims to ensure that individuals are aware that their data is being processed and that they understand:
• How the data is being used
• How to exercise their rights
• How to “Opt-out” of any/all marketing activity.