Data Protection Policy

1.   Purpose

The purpose of this policy is to ensure that Country First Limited comply with the provisions of the General Data Protection Act 2018 when processing personal data.

Country First Limited adheres to the eight principles of data protection as laid down by the Act. In accordance with those principles personal data shall be:

  • Processed fairly and lawfully
  • Processed for specified purposes only
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept longer than necessary
  • Processed in accordance with data subjects’ rights
  • Processed and held securely
  • Not transferred outside the countries of the European Economic Area without adequate protection.

The document covers how Country First uses, manages and controls the personal data held by it to enable to undertake its business.

2.   Data Held and Use

Country First Limited holds personal data pertaining to clients it undertakes work for, companies it purchase services from and its employees.

  • This allows it to invoice for work done and ensure payments made in settlement are monitored and recorded.
  • Record enquiries and plan work.
  • Record work done by employees and pay the correct remuneration.
  • Purchase services and pay associated bills.

3.   Storage of the Data

All data personal data pertaining to the business is held in systems which are only accessible to the relevant personnel using a specific ID and password access,

4.   Responsibilities of the Data Protection Officer

  • Drawing up guidance, giving advice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information.
  • Ensure compliance with subject access rights and ensuring that data is released in accordance with subject access legislation under the General Data Protection Act 2018.
  • Ensure that any data protection breaches are resolved, catalogued and reported appropriately in a swift manner and in line with guidance from the Information Commissioner’s Office.
  • Investigating and respond to complaints regarding data protection including requests to cease processing personal data.

5.   Staff and management responsibilities

Those involved with process personal data relating to the company’s business must comply with the requirements of this policy.

Staff and committee members must ensure that:

  • All personal data is kept securely.
  • No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party.
  • Personal data is kept in accordance with the companies retention schedule.
  • Any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Office.
  • Any data protection breaches are swiftly brought to the attention of the Data Protection Office and that they support the Data Protection Office in resolving breaches;
  • Where there is uncertainty around a Data Protection matter advice is sought from the Data Protection Office.

Staff who are unsure about who are authorised third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Office.

6.   Third-Party Data Processors

Where external companies are used to process personal data on behalf of the company, responsibility for the security and appropriate use of that data remains with the company.

  • Where a third-party data processor is used:
  • Data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data.
  • Reasonable steps must be taken that such security measures are in place;
  • A written contract establishing what personal data will be processed and for what purpose must be set out;
  • A data processing agreement, available from the Data Protection Office, must be signed by both parties.

For further guidance about the use of third-party data processors please contact the Data Protection Office.

7.   Contractors

The company is responsible for the use made of personal data by anyone working on its behalf.  Any management or staff members who employ contractors, short term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. In addition they should ensure that:

  • Any personal data collected or processed in the course of work undertaken for the company is kept securely and confidentially;
  • All personal data is returned to the company on completion of the work, including any copies that may have been made. Alternatively that the data is securely destroyed and the company receives notification in this regard from the contractor or short term / voluntary member of staff;
  • The company receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the contractor;
  • Any personal data made available by the company, or collected in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from a company manager.
  • All practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly.

8.   Subject Access Requests

The company is required to permit individuals to access their own personal data held by Country First via a subject access request. Any individual wishing to exercise this right should do so in writing to the Data Protection Office and a charge may be made for this request. A standard form is available from the Data Protection Office or on the company web site.

The company aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within the 40 calendar days.

Individuals will not be entitled to access information to which any of the exemptions in the Act applies. However, only those specific pieces of information to which the exemption applies will be withheld and determining the application of exemptions will be made by the Data Protection Office.

The company currently charges £10 to make a subject access request.

9.   Contact

Queries regarding this policy or the GDPR at large should be directed to the Data Protection Office at

Country First Ltd
47 Beverley Road
Maidstone
Kent
ME16 9DU.