QMMS Privacy Policy
This document refers to personal data, meaning information concerning any living person that allows them to be identified.
Brief introduction to General Data Protection Regulation (‘GDPR’)
The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual member states that were developed in compliance with the Data Protection Directive 95/46/EC (for the UK, The Data Protection Act 1998 which commenced on 1 March 2000). The purpose of the GDPR is to protect the rights and privacy of living individuals, and to ensure that data about them are not processed without their knowledge and are processed with their consent wherever possible. The GDPR covers personal data relating to living individuals and defines a category of sensitive personal data which are subject to more stringent conditions on their processing than other personal data.
The GDPR covers data held in electronic formats, and also applies to manual data which are held in “a relevant filing system”.
QMMS Ltd is a Data Controller in respect of the data for which it is responsible. This means that QMMS Ltd is responsible under the GDPR for decisions in regard to the processing of personal data, including the decisions and actions of external data processors acting on QMMS Ltd’s behalf. The GDPR requires that processing should be carried out according to eight Data Protection Principles. These are outlined below.
The GDPR also requires that a legitimate basis is provided for processing any personal data, and the data subject is made aware of the legitimate basis. For data processed by QMMS, the legitimate basis will be either a contract or a legitimate business interest for either QMMS or the subject.
Introduction of the GDPR has resulted in a requirement for internal documentation of data processing activities (including the purposes of processing personal data, data sharing and data access requests).
Data Protection Principles
The GDPR gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
The GDPR works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
The second area covered by the GDPR provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records. QMMS is fully committed to these principles.
Personal Data
‘Personal Data’ means any information relating to an identified or identifiable person; an identifiable person is anyone who can be identified, directly or indirectly from that data. Identification can be by the information alone or in combination with other information that is within our possession, control or from other information to which we legally have access.
The personal data QMMS may hold
QMMS may hold and process personal data (personal addresses, telephone numbers and email addresses) for individuals who have provided this, rather than business contact details, to QMMS. QMMS does not hold any sensitive personal data for its clients or business associates.
How the personal data will be used
QMMS may use such personal data for contacting individuals in their professional capacity, for the following reasons (with the following legal bases):
- Following up enquiries made by the individual regarding QMMS services (legitimate interest)
- Providing the results of analyses (contractual agreement)
- Invoicing (contractual agreement)
- Providing information on services relevant to the individual’s business (legitimate interest)
- Providing information on training opportunities of interest to the individual in their business capacity (a legitimate interest)
- Informing individuals of relevant research projects to which they might be able to contribute (a legitimate interest)
QMMS does not conduct automatic data processing or profiling.
QMMS may share your personal data (ie your name and telephone number / email address) with SUM-IT Computing solely for the purposes of fulfilling our contractual obligations to you (eg computer support) or with a specified vet or advisor if third party permission has been given.
How the data is kept secure
All data is typically stored within the UK and never outside the EEA.
Personal data may be held in paper format, in a locked area of the QMMS building with no public access, or electronically, in password protected systems.
QMMS employees with access to the data will be informed of the QMMS Privacy Policy and are required to sign a confidentiality agreement.
QMMS will ensure that any third parties with whom data is necessarily shared are GDPR compliant.
Any back-ups of data that leave Company premises are held on encrypted hard drives.
No personal data is stored on non-company computers as they fall outside the control of QMMS as the Data Controller.
In line with GDPR, significant breaches will be reported to the Information Commissioner’s Office within 72 hours. In the case of a major breach affecting a subject’s data we will contact the subject.
Data retention
QMMS keeps your personal data for no longer than reasonably necessary; however, there are circumstances when we may retain Personal Data for a longer period:
- where we have a statutory or regulatory obligation to retain the Personal Data
- to ensure that our business is properly run in an efficient and compliant manner
Your rights
You have the right to:
- Request a copy of the personal information QMMS holds about you
- Correct data held that is incomplete or inaccurate
- Request the data to be erased from QMMS records (if there is no legal reason – eg for tax and accounting purposes – for it to be retained)
- Restrict the processing of data in certain circumstances
- Have the data QMMS holds transferred to another organisation in certain circumstances
- Object to certain types of processing such as direct marketing
If you have any queries or requests, please contact:
Prof Andrew Bradley
QMMS Ltd
Cedar Barn
Easton Hill
Easton
Wells
Somerset
BA5 1DU
Tel. 01749 871 171
Email: andrew.bradley@qmms.co.uk
Further information about the GDPR can be found at https://ico.org.uk/fororganisations/guide-to-the-general-data-protection-regulation-gdpr/