Data Protection Policy
Salko UK Ltd is required to maintain certain personal data about current, past and prospective employees, clients, customers, and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of relevant third parties; for the purposes of satisfying operational and legal obligations.
Salko UK Ltd recognises the importance of the correct and lawful treatment of personal data. It maintains confidence in the organisation and provides for successful operations.
This personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the General Data Protection Regulations (GDPR) 2016.
Salko UK Ltd fully endorses and adheres to the eight principles of the Data Protection Act. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation, and storage of personal data.
Employees and any others who obtain, handle, process, transport and store personal data for Salko UK Ltd must adhere to these principles and this policy. Please note that breaches to data security may be considered as Gross Misconduct and therefore if proven the Company may have to consider an individual’s summary dismissal from the Company.
Principles: The principles require that personal data shall:
- Be processed fairly and lawfully, and shall not be processed unless certain conditions are met;
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
- Be adequate, relevant and not excessive for those purposes;
- Be accurate and, where necessary, kept up to date;
- Not be kept for longer than is necessary for that purpose;
- Be processed in accordance with the data subject’s rights;
- Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;
- And not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Satisfaction of principles: In order to meet the requirements of the principles, Salko UK Ltd will:
- observe fully the conditions regarding the fair collection and use of personal data;
- meet its obligations to specify the purposes for which personal data is used;
- collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements;
- ensure the quality of personal data used;
- apply strict checks to determine the length of time personal data is held;
- ensure that the rights of individuals about whom the personal data is held, can be fully exercised under the Act;
- take the appropriate technical and organisational security measures to safeguard personal data;
- And ensure that personal data is not transferred abroad without suitable safeguards.
Salko UK Ltd Designated Data Controller
The Company’s HR Administrator is responsible for ensuring compliance with the Data Protection Act and implementation of this policy on behalf of the Managing Director.
Salko UK Ltd is registered with The Information Commissioner’s Office under registration reference ZA197075.
Status of the policy
This policy has been approved by the MD, and any breach will be taken seriously and may result in formal action. Any employee / Operative who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the HR Administrator in the first instance.
All individuals who are the subject of personal data held by Salko UK Ltd are entitled to:
- Ask what information Salko UK Ltd holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed what Salko UK Ltd is doing to comply with its obligations under the General Data Protection Regulations (GDPR) 2016.
Employee / Operative responsibilities: All employees / Operative are responsible for:
- Checking that any personal data that they provide to Salko UK Ltd is accurate and up to date.
- Informing Salko UK Ltd of any changes to information which they have provided, e.g. changes of address.
- Checking any information that Salko UK Ltd may send out from time to time, giving details of information that is being kept and processed.
Data security: The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that:
- Any personal data that they hold is kept securely.
- Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party. Please note that you can be liable to prosecution if you deliberately give out personal details without permission.
- They do not send offensive emails about other people, their private life’s or anything else that could bring the Company’s name into disrepute.
Whenever you are unsure of what is required or you otherwise need guidance in data protection, you should consult the MD.
Reporting a Security Breach or Loss of Personal Data
If you are aware or suspect that there has been a security breach or a loss of personal data then you need to notify the HR administrator as soon as possible so this issue can be investigated.
Rights to access information
Employees and other subjects of personal data held by Salko UK Ltd have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in certain manual filing systems. This right is subject to certain exemptions that are set out in the Data Protection Act. Any person who wishes to exercise this right should make the request in writing to the HR Administrator.
If personal details are inaccurate, they can be amended upon request.
Salko UK Ltd aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days of receipt of request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
Sometimes it is necessary to access individual business communications during their absence, for example, when they are off during illness or while on holiday. Unless mailbox settings are such that the individuals who need to do this already have permission to view other inboxes.
Access may also be granted in very limited circumstances subject to compliance with any legal requirements to access email marked PERSONAL. Examples are when we have reasonable suspicion that they may reveal evidence of unlawful activity; including instances where there may be a breach of this Policy and or a Contract within the Salko UK Ltd.
Publication of Salko UK Ltd information
Information that is already in the public domain is exempt from the General Data Protection Regulations (GDPR) 2016. This would include, for example, information on staff contained within externally circulated publications. Any individual who has good reason for wishing details in such publications to remain confidential should contact the QHSE Compliance Manager.
The need to process data for normal purposes has been communicated to all data subjects. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained.
Retention of data
Salko UK Ltd will keep some forms of information for longer than others. All staff are responsible for ensuring that information is not kept for longer than necessary and in line with company operating procedures, below is an overview of general record retention periods and were further guidance may be obtained in relation to the records.
|Type of record||Retention period||Format|
|Accident /Investigation Reports||4 years after end of investigation||Electronic/
|Health Safety and Environment Records||In line with Company Management Systems||Electronic|
|General File Share||As defined by Business Departmental Head in order to fulfil business operational requirements/in line with operational procedures||Electronic|
|Email Accounts||Deleted 3 months after staff leave unless request submitted to IT to retain||Electronic|
|CVs and job applications (not recruited)||6 months after notification||Electronic/ Hard|
|Disciplinary records||6 years following end of employment||Electronic|
|TUPE||In line with Company Management Systems||Electronic|
|Staff Personnel files||6 years following end of employment||Electronic/ Hard|
|Redundancy records||6 years after redundancy||Electronic/ Hard|
|Sickness/Maternity/Adoption and Paternity Pay||3 years after the end of the tax year they relate to||Electronic/ Hard|
|Wage/Salary (overtime, bonus, expenses)||6 years||Electronic|
|Contractual/Client/Supplier information||5 years from when the business relationship ceases||Electronic|
|CCTV footage||As defined within operational controls||Electronic|
4th January 2021
- Changes to the Date Protection Regulations – implementation of the revised EU General Data Protection Regulations (GDPR) – EU 2016/679 that came into force on the 25th May 2018