General Data Protection Regulation

General

We are committed to full implementation of the GDPR provisions and recognise our obligations concerning personal data collection, retention and disposal. In particular, we will ensure that:

  • Any data held is for a specific legitimate purpose.

  • Data is kept safely and securely.

  • Data is deleted or destroyed when no longer required for a specific legitimate purpose or upon request from the person to whom it pertains.

Subject Access Requests

We recognise that individuals have the right to access their personal data and supplementary information and will comply with the one-month timeframe for responses set down in the GDPR. As a general rule, a copy of the requested information will be provided free of charge although we reserve the right to charge a “reasonable fee” when a request is considered unfounded, vexatious or repetitive. If this proves necessary, the data subject will be informed of their right to contest our decision with the supervisory authority (the Information Commissioner’s Office (ICO).

As set out in the GDPR, any fee will be notified in advance and will be based on the administrative cost of providing the information. 

Right to Erasure

We recognise that individuals have the general right to have their personal data deleted or destroyed. Requests should in the first instance be addressed to gdpr@winlock.co.uk. Where there is no legitimate commercial, legal or statutory requirement to continue to hold the data such requests will be granted. If the request is refused the specific requirement for which the data is to be retained will be set out together with the expected timescale for retention. 

Privacy 

We will implement data protection “by design and by default”, as required by the GDPR. 

Data Transfers Outside the EU

We will not undertake any transfers of personal data outside the EU. 

Children 

We will not hold any personal data on children under 16 save to record employee benefits to which the child is or may become entitled. 

Data Loss 

If a data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the people affected will be informed as soon as possible and the ICO will be notified within 72 hours. 

GDPR Contact 

All requests relating to GDPR should be addressed in the first instance to gdpr@winlock.co.uk.