- This Policy outlines the aspects of the General Data Protection Regulation (GDPR) relevant to CSI’s operation and ensures CSI complies with the legislation.
- This Policy applies to all CSI employees at all times when collecting, handling, or processing personal data in any format (hardcopy, digital) during the course of CSI’s business activities.
- Applies to all CSI employees when handling private data.
- Definitions and Abbreviations
- GDPR – General Data Protection Regulation
Personal data – Data that can identify an individual (e.g. name, address, email, National Insurance Number, bank details)
SME – Small and Medium-sized Enterprises: companies with fewer than 250 employees.
- General Data Protection Regulation:
GDPR rules for businesses and organisations:
- Since the GDPR came into force on 25 May 2018, companies have certain obligations in relation to collecting, processing, and storing personal information.
In the context of its current activities, CSI does not collect or store any data about patients, including patient personal details. However, CSI does collect, process, and store personal data in the form of contact details of suppliers, clients, and other entities for the purpose of carrying out its business and operational activities.
- Justification for collecting, processing, and storing
- Any personal data collected, processed, or stored must be justified (i.e., it must have a justifiable purpose). There are 3 types of justification:
• Legal Obligation – The personal data is required in order to fulfil a CSI legal obligation. This category includes CVs of employees kept on file for compliance with GDP/GMP requirements. It also applies to certain records kept on file which may contain personal data (e.g. email addresses), such as shipment records kept on file for 7 years.
• Contractual – The personal data is required to fulfil CSI’s contractual obligations. This includes personal information CSI collects about its employees to manage payments and pensions; all business contacts with existing suppliers and clients; and the contacts of third-party entities which CSI is required to involve in order to fulfil its contracts (e.g. the client providing the contact person at their appointed depot).
• Legitimate Interest – This is personal data in which CSI has a legitimate interest. Examples include contacts of prospective clients, suppliers, and other potential business partners, and the personal details of candidates for CSI job vacancies.
- Personal data that cannot be justified by any of the categories above should not be collected, processed, or kept by CSI.
For further details of our Policy please contact firstname.lastname@example.org