PBE and its associated subsidiaries (hereinafter referred to as the “Company”) is committed to complying with its obligations under applicable data protection laws, including the UK Data Protection Act 2018, the UK General Data Protection Regulation (“UK GDPR”) and the EU General Data Protection Regulation (“EU GDPR”). This policy sets out how the Company handles personal data (as defined below) in accordance with those laws.
The purpose of this policy is to establish rules governing the collection, handling, disclosure, and storage of personal data and to ensure all such processing activities comply with all applicable data protection laws to which the Company is subject.
This policy is applicable to all Company directors, officers and employees and any agents, consultants or independent contractors of the Company who process personal data on its behalf. All such individuals will be referred to as “employees” for the purpose of this policy. Failure to comply with this policy may result in disciplinary action.
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes (whether by a statement, a declaration or a clear affirmative action) by which they signify agreement to the processing of their personal data.
Data Protection Impact Assessment (DPIA): a tool and assessment used to identify and reduce the risks of a data processing activity. A DPIA should be conducted for all major system or business change programmes that involve the processing of personal data, and is required for all new processing activities in which Sensitive Personal Data is processed.
Data Protection by Design: embedding data protection principles into the design of systems and practices involving personal data by implementing the appropriate technical and organisational measures in an effective manner.
Data Protection Notice: notice setting out the information to be provided to data subjects when the Company collects personal data relating to them.
Data Subject: a living, identified or identifiable individual about whom the Company processes personal data.
Personal Data: any information relating to an identified person, or a person who can be identified by means reasonably likely to be used, and which may include a person’s name, email address, telephone number, IP address, postal address, job title and statements of opinion about a person.
Processing: any operation or set of operations, automated or not, which is performed on personal data, such as collection, storage, use, transfer, disclosure, or deletion.
Processing Service Provider: any natural person or entity that carries out processing of personal data on behalf of the Company.
Sensitive Personal Data: personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; biometric (e.g., fingerprints or facial recognition) or genetic information; or information about a person’s health, sex life or sexual orientation, or relating to criminal convictions or offences (including allegations).
Data protection principles relating to the processing of personal data
1. Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
For processing to be lawful, the personal data must be processed on an identified and documented legal ground. Therefore, whenever an employee processes personal data, it is important that they have identified the legal basis upon which they rely for the data processing activity.
The GDPR sets out six legal bases for data processing, of which the following four are relevant to the data processing activities carried out by the Company:
- Legitimate interests of the data controller: this legal basis is most likely to apply where the data is used in ways that people would reasonably expect and which have minimal privacy impact, provided the Company’s interests are not overridden by the interests or fundamental rights of the data subject. For example, this provision will apply to performance reviews and many administrative processing tasks.
- Necessary for a contract with the data subject: the processing is necessary for the performance of a contract between the Company and the individual or for steps leading up to entering into a contract. For example, processing the personal details of an employee who is or will be under a contract of employment with the Company.
- Necessary to fulfil a legal obligation: the processing is necessary for the Company to comply with a law to which it is subject, for example, the disclosure of employee salary information to the relevant tax authorities.
- Consent: the data subject has given clear consent to the Company to process their data for one or more specific purposes. Consent is only appropriate if the data subject is given a genuine choice to accept or decline; in the employment context in particular, consent will rarely be freely given because of the imbalance of power between the Company and its employees. If a genuine choice does not exist, an alternative legal basis must be established before processing occurs. Data subjects must be able to withdraw their consent at any time, in which case, unless one of the other lawful bases applies, data processing must cease. Consent should be relied upon only where no other lawful basis is available.
For processing to be fair and transparent, data subjects must be provided with detailed and specific information relating to the processing of their data. The information should be provided through a Data Protection Notice (also referred to as a privacy or fair processing notice) which is easily accessible and written in clear and plain language. The Data Protection Notice should make the data subject aware of their rights and the potential risks associated with the processing activity, as well as the safeguards that are in place to protect their personal data.
2. Purpose limitation
Personal data must be collected only for specified, explicit and legitimate purposes. Personal data must not be further processed in any manner incompatible with those purposes.
Personal data shall not be used for new, different, or incompatible purposes from that disclosed to the data subject at the time the data was first obtained, unless the data subject has been informed of the new purposes and they have consented where necessary.
When assessing whether a purpose of further processing is compatible with the first purpose, various factors should be assessed such as, any link between the two purposes for processing, the context in which the personal data has been collected and the likely expectations of the data subjects, the existence of appropriate safeguards (e.g., encryption) and the possible consequences of the further processing for the data subjects.
3. Data minimisation
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Employees shall only process the personal data they actually need to achieve the specific processing purpose. Personal data must not be collected purely on the possibility that it might be useful in the future. For example, collecting a data subject’s mobile number and full postal address when all communications will take place via email is not permitted.
When personal data is no longer required for the specified purposes, employees shall anonymise or delete the information in accordance with the Company’s Document Retention Policy.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. The accuracy of personal data must be checked at the point of collection and at regular intervals during the period for which it is retained.
Employees must take steps to delete or correct inaccurate, misleading, or out of date personal data as soon as they become aware of any deficiency in the quality of the personal data.
5. Storage limitation
Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed.
Employees shall follow the process of destruction or erasure of all personal data that is no longer required, as set out in the Company’s Document Retention Policy.
6. Integrity and confidentiality
Personal data shall be processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
The Company shall maintain, on a continuous basis, appropriate technical and organisational measures to protect personal data against security breaches. A risk-based approach shall be adopted having regard to the type of personal data processed, the volume of personal data and the possible consequences to the data subjects should a breach occur.
Each employee is responsible for protecting the personal data to which they have access in the course of their employment with the Company and must follow all procedures and utilise all technologies put in place by the Company to maintain the security of all personal data from the point of collection to the point of destruction. For specific information, please refer to the IT Function.
Each employee shall protect the confidentiality, integrity, and availability of the personal data by:
- giving access to the personal data only to the people who are authorised to use the personal data (confidentiality);
- ensuring the personal data is accurate and suitable for the purpose for which it is processed (integrity); and
- ensuring the personal data is available to the authorised users when they need it for authorised purposes (availability).
Sensitive personal data
The processing of sensitive personal data is subject to an extra layer of control. In addition to the lawful bases set out above, a further justification is required. For example, the data subject has given explicit consent to the processing, the processing is necessary for carrying out the employment obligations of the Company or where the Company needs to establish, exercise, or defend its legal rights.
Where employees intend to process sensitive personal data, they shall refer to the Data Protection Impact Assessment Guidelines and carry out a DPIA as appropriate.
Dealing with personal data breaches
A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It includes cases where third parties unlawfully obtain personal data (e.g., when a database is hacked) and cases where personal data is mislaid, misdirected or rendered inaccessible due to poor controls and procedures. In every case, data breaches can have serious consequences for the data subjects and for the Company.
If an employee suspects that a breach of personal data has occurred, they should not attempt to investigate the matter themselves, but should preserve all evidence, report the matter without delay and follow the procedure set out in the Data Breach Response Procedure. Prompt reporting matters because the Company may be required to notify the supervisory authority within 72 hours of becoming aware of a breach.
Sharing personal data and international transfers
The Company has put in place an intra-group agreement to govern the basis on which personal data is shared and protected between its group companies.
Employees may only share the personal data held by the Company with third parties, such as service providers, if the following criteria are met:
- the third party has a need to know the information for purposes of providing the contracted services;
- sharing the personal data complies with the Data Protection Notice provided to the data subjects and, if required, the data subject’s consent has been obtained;
- the third party has agreed to comply with the Company’s data security standards, policies, and procedures (or the equivalent) and has put in place adequate security measures; and
- a fully executed written contract is in place that contains all the relevant data protection obligations on the third party.
Certain local laws restrict the international transfer of personal data and lay down safeguards to protect the privacy and fundamental rights of the data subjects. For example, under the EU GDPR a transfer of personal data outside the European Economic Area, and under the UK GDPR a transfer outside the United Kingdom, may only take place on the basis of an adequacy decision or regulations, or subject to appropriate safeguards such as standard contractual clauses.
Where personal data is being handled by a PBE entity which is subject to GDPR or other data protection laws that have requirements to protect personal data transferred between countries/regions, the personal data will not be transferred unless the appropriate steps have been put in place to protect such personal data as required by the relevant law.
Employees must carry out a DPIA before undertaking any processing of personal data which may involve a cross-border transfer, and should follow the procedure set out in the Data Protection Impact Assessment Guidelines.
- Data Breach Response Procedure
- Data Protection Impact Assessment Guidelines
- Document Retention Policy
This policy is issued by way of guidance only. It does not form part of an employee's contract of employment or otherwise have any contractual effect. This policy may be varied, withdrawn, or replaced at any time by the Company at its absolute discretion.