Integrale Limited General Data Protection Policy

May 2018

Data Collection

Data collection and processing for the purposes of accounting, including but not limited to names, addresses, contact information, payment information is required to fulfil the legal obligations of the company and its directors. Data collected for this purpose will be held for as long as is legally required and then securely destroyed, as described below.

Integrale Ltd (Integrale) may collect data during the course of business and may include all and any personal data provided to the client by service users. This information is required for Integrale to provide contractually obligated services to clients and will be retained for a maximum of 10 years, or until such time as this is no longer required.

This information may be considered as held for ‘legitimate interests’ under GDPR until such time as the client requests removal of such data.

If you have concerns that Integrale may hold personal data without legitimate interest in that data, please contact us and advise if you no longer wish that data held.

Sharing of Data

Integrale do not share data with third parties, other than those concerned with the specific project on which you provided your data to us.  This data is held and shared only for the purposes of providing our legitimate consultancy service, legal compliance, HR and accountancy.

Retention of Data

Integrale operates the following retention schedule, but if data is no longer required it may be deleted in advance of these timescales:

  • Accountancy – All financial data will be retained for 6 financial years in line with UK financial requirements. In some cases data will be stored for 10 years to ensure the company is able defend any potential legal claim.
  • HR records will be held for up to 6 years from the point at which the employees employment ends, to ensure the company is able to defend any potential county court or high court claim. In some cases data will be stored for 10 years to ensure the company is able prove safeguarding measures were adhered to.
  • Quotation, sales or marketing data will be removed within a 24 month period of the data no longer having a valid use in the case of prospective information. Customer information (including previous and existing customer) may be retained for up to 10 years to ensure the company is able to defend any potential legal claim.
  • Preliminary or outline design and project data will be removed within a 24 month period of the data no longer having a valid use. Final design, issued reports and other pertinent client and project information (including previous and existing clients) may be retained for up to 10 years to ensure the company is able to defend any potential legal claim.

Data Destruction

Electronic information stored on redundant media / systems will be securely destroyed by a third party, WEEE recycling and data destruction specialist.

Documented data containing sensitive information is securely destroyed on-site or off-site by a third party document destruction company.

The above destruction methods ensure Integrale controls data destruction and complies with legislative requirements, whilst ensuring client, employee and confidential business information is kept secure at all times.

Technical / Business Security Measures

Integrale takes the security of data very seriously and takes steps to ensure data is kept safe:

  • Our premises are securely locked and alarmed. Visitors to our offices are accompanied / monitored at all times.
  • Documentation is securely managed within the business via the use of lockable rooms, storage / filing cabinets.
  • All business devices, where applicable / possible are password protected.
  • Staff are not permitted to use personal devices to access or use company data unless the device is password protected, to ensure data remains managed and protected at all times.
  • Our day-to-day business may require us to store our data online. Integrale will only use secure online business applications from reputable organisations who themselves comply with GDPR.
  • Integrale where possible, will always ensure that applications and/or operating systems are running the very latest secure versions of the software and will where possible, ensure the latest security updates and patches are applied where it is safe to do so.
  • All staff must adhere to this GDPR policy.

List of Your Rights

GDPR includes the rights for individuals to be informed, to have access to data, to have the right to rectification, erasure, to restrict processing, to have the right to data portability, to object, nad to not be subject to automated decision making (including profiling).

Integrale, will where possible, conform in full and to completion to these rights within 30 days of notification. This period of compliance may be extended by a further two months where requests are complex or numerous. In this case the individual will be notified within 30 days of receipt.

To ensure data security, Integrale will need to verify the identity of the person making the request, using “reasonable means”.

In some instances Integrale will be unable to conform to the individual’s rights. In these instances, Integrale will partially conform to the individual’s rights and where possible notify the individual as why the company was unable to fully comply.

Information will be provided free of charge. A reasonable fee may apply when a request is manifestly unfounded or excessive, particularly if it is repetitive or for requests for further copies of the same information.

Where a particular situation becomes unclear or the individual disagrees, advice and guidance will be sought from the Information Commissioners Office.

If you would like to exercise this right, please write to the Data Protection Officer below.

Data Protection Officer

Please use the contact information below to write to the Data Protection Officer. In order for us to fully comply with your rights under the act, all requests being made should clearly mention “General Data Protection Regulations” and include your full name, address and relevant contact information for a response. Requests submitted by any other means than written letter may not be processed.

Data Protection Officer

Name: Dr Kay Boreland

Position: Company Director

Address: Integrale Limited, Suite 7, Westway Farm, Bishop Sutton, Bristol, BS39 5XP

Data Breaches

In the unlikely event of a serious data breach, Integrale will contact you via the last known contact details we hold on file for you or your organisation. You will be informed as far as is technically possible of the data that has been potentially compromised and where you can seek further advice about your rights.