All processing of personal data by Drayton Tank & Accessories Ltd, otherwise referred to as �the company� is within the scope of this procedure.
1. The Data Protection Officer / GDPR Representative is responsible for ensuring that the privacy notice(s) is correct and that mechanisms exist such as having the
2. Privacy Notice(s) on the company website to make all data subjects aware of the contents of this notice prior the company commencing collection of their data.
3. All staff that need to collect personal data are required to follow this procedure.
3. Procedure Article 12
1. The company identifies the legal basis for processing personal data before any processing operations take place by clearly establishing, defining and documenting:
1.1. the specific purpose of processing the personal data and the legal basis to process the data under:
1.1.1. consent obtained from the data subject;
1.1.2. performance of a contract where the data subject is a party;
1.1.3. legal obligation that the company is required to meet;
1.1.4. protect the vital interests of the data subject, including the pro-tection of rights and freedoms;
1.1.5. official authority of the company or to carry out the processing that is in the public interest;
1.1.6. necessary for the legitimate interests of the data controller or third party, unless the processing is overridden by the vital inter-ests, including rights and freedoms;
1.1.7. national law.
1.2. any special categories of personal data processed and the legal basis to process the data under:
1.2.1. explicit consent obtained from the data subject;
1.2.2. necessary for employment rights or obligations;
1.2.3. protect the vital interests of the data subject, including the pro-tection of rights and freedoms;
1.2.4. necessary for the legitimate activities with appropriate safe-guards;
1.2.5. personal data made public by the data subject;
1.2.6. legal claims;
1.2.7. substantial public interest;
1.2.8. preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, provision of health or social care treatment, or management of health and social care systems and services, under the basis that appropri-ate contracts with health professionals and safeguards are in place;
1.2.9. public health, ensuring appropriate safeguards are in place for the protection of rights and freedoms of the data subject, or pro-fessional secrecy;
1.2.10. national laws in terms of processing genetic, biometric or health data.
2. The company records this information in line with its data protection impact as-sessment and data inventory.
4. Privacy notices
1. When personal data collected from data subject with consent
1.1. the company is transparent in its processing of personal data and provides the data subject with the following:
1.1.1. the company identity, and contact details of the Data Protection Officer / GDPR Representative and any data protection representatives;
1.1.2. The purpose(s), including legal basis, for the intended processing of personal data (clause 4.2 below);
1.1.3. Where relevant, the company legitimate interests that provide the legal basis for the processing;
1.1.4. Potential recipients of personal data;
1.1.5. Any information regarding the intention to disclose personal data to third parties and whether it is transferred outside the EU. In such circumstances, the company will provide information on the safeguards in place and how the data subject can also obtain a copy of these safeguards;
1.1.6. If the company is based outside of the EU and the data subject resides within it (the EU), the company provides the data subject with contact details of a data protection representative in the EU;
1.1.7. Any information on website technologies used to collect personal data about the data subject;
1.1.8. Any other information required to demonstrate that the pro-cessing is fair and transparent.
1.2. All information provided to the data subject is in an easily accessible for-mat (PDF, printed letter, email), using clear and plain language, especially for personal data addressed to a child.
1.3. the company facilitates the data subject’s rights in line with the data pro-tection policy and the subject access request procedure.
1.4. Privacy notice for this personal data processing is recorded
2. When data is contractually required for processing
2.1. the company processes data without consent in order to fulfil contractual obligations (such as bank details to process salaries, postal address in or-der to supply products and services, etc.).
2.2. Privacy notice for this personal data processing is recorded
3. When personal data has been obtained from a source other than the data subject
3.1. the company makes clear the types of information collected as well as the source of the personal data (publicly accessible sources) and provides the data subject with:
3.1.1. the company (data controller) identity, and contact details of the Data Protection Officer / GDPR Representative and any data pro-tection representatives;
3.1.2. The purpose(s), including legal basis, for the intended processing of personal data;
3.1.3. Categories of personal data;
3.1.4. Potential recipients of personal data;
3.1.5. Any information regarding disclosing personal data to third parties and whether it is transferred outside the EU – the company will provide information on the safeguards in place and how the data subject can also obtain a copy of these safeguards;
3.1.6. Any other information required to demonstrate that the pro-cessing is fair and transparent.
3.2. Privacy notice for this personal data processing is recorded
1. The company provides the information stated in clauses 3 and 4 above within:
1.1. one month of obtaining the personal data, in accordance with the specific circumstances of the processing;
1.2. at the first instance of communicating in circumstances where the personal data is used to communicate with the data subject;
1.3. when personal data is first disclosed in circumstances where the personal data is disclosed to another recipient.
2. Clauses 3 and 4 above do not apply:
2.1. If the data subject already has the information;
2.2. If the provision of the above information proves impossible or would in-volve an excessive effort;
2.3. If obtaining or disclosure of personal data is expressly identified by Mem-ber State law; or
2.4. If personal data must remain confidential subject to an obligation of professional secrecy regulated by Member State law, including a statutory obligation of secrecy.