© Thysis Building Products Ltd 2014
Unit 13 West Lane, Full Sutton Airfield,
Stamford Bridge, York YO41 1HS
t: 01759 377233 f: 01759 371929
The terms ‘Thysis.co.uk’, ‘us’ and ‘we’ refer to the owner of the website, whose registered office is 21 North Avenue, Full Sutton Airfield, Stamford Bridge, York, England, YO41 1HS. Our company registration number is 05621010. The term ‘you’ refers to the user or viewer of our website.
This statement sets out what to expect in relation to personal information about you which is collected, handled and processed by your Data Controller, Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd), 21 North Avenue, Full Sutton Airfield, Stamford Bridge, YO41 1HS. We accept and acknowledge that all personal data received from you with effect from 25th May 2018 will be controlled and processed in accordance with the General Data Protection Regulation (GDPR), which comes into force on that date to replace the Data Protection Act 1998.
Your information is used to provide our products and services to you under the terms and conditions of a signed agreement with you, based on the requirements you have set out.
Your information may also be used:
Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd) ensures that all personal data is held in a secure centralised system and access is restricted to Data Controllers and data users. The company has the following security procedures:
Your personal information may be disclosed to third parties, who will generally be located inside the European Economic Area (EEA). This data will not be shared with a country outside the EEA unless that country provides a level of protection equivalent to that required by the GDPR. If such a transfer is to take place, Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd) will contact you to discuss it in depth.
Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd) will rely on the consent you have provided to hold and process this information, in accordance with the GDPR. For the purposes of paying your invoices, if required, we are legally permitted to share your information with HMRC. In addition, the company will ensure that all Data Controllers and data users are trained in and compliant with the requirements of the GDPR, and the data will be:
You have the right to ask for a copy of the data that we hold about you. This information is provided free of charge from 25th May 2018, when the GDPR comes into force. Requests for information can be addressed to the Data Protection Officer at the following email address: firstname.lastname@example.org
In some cases, the company may need to ask for proof of identification before the request can be processed, to ensure that we are releasing the data to the right person. We will inform you if we need to verify your identity and which documents are required. The company will normally respond to requests within one month of the date we received the request. In some cases, for instance where the company processes substantial amounts of personal data, we may take up to two months from the date the request is received. We will inform you in writing within one month of receiving the request if this is the case. If a subject access request is manifestly excessive, the company is not obliged to comply with it. Instead, the company may agree to respond but will charge a fee based on the administrative costs. Such cases may include circumstances where a request that has already been dealt with is repeated. This will be discussed with you before the request is processed.
Your data will be retained for no longer than it is needed and in accordance with our Data Retention Policy.
If you have given us your consent to continue to hold and process your personal data for the purpose of continuing to provide our products and services to your business based on your requirements, you have the right to withdraw it at any time. To do so, send an email to the Data Protection Officer at: email@example.com
Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd) is committed to being transparent about how it collects and uses the data of its clients and third parties, and to meeting its data protection obligations. If you have a concern about how your data is collected, stored, processed or used, you should raise it with Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd) or directly with the Information Commissioner’s Office at: https://ico.org.uk
Thysis Group (Thysis Building Products Ltd, Thysis Technical Mouldings Ltd) is committed to being transparent about how it collects and uses the data of its clients and workforce, and to meeting its data protection obligations. This policy sets out the company's commitment to data protection and the procedures to be followed in the event of a breach of that data under GDPR guidelines. This policy applies to data collected, processed and stored about employees, former employees, clients, suppliers, contractors, apprentices, volunteers, interns and all other stakeholders whose data is held by the company, and to any other personal data processed for business purposes.
The EU General Data Protection Regulation (GDPR) is the most important change to data protection and privacy law in two decades. It was approved by the EU Parliament in April 2016 and comes into force in the UK on 25th May 2018, replacing the Data Protection Act 1998 on the handling of data. While it is similar to the current regime under the 1998 Act in many ways, it is a great deal more modern, taking into account major advances in science and technology. Most importantly for businesses, it is more demanding.
1.1 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
1.2 Data subjects are the individuals to whom personal data relates. For the purpose of this policy, this includes all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
1.3 Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4 Data Controllers are the decision makers. Under the GDPR, this is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law. Data Controllers have a responsibility to establish practices and policies in line with the regulation.
1.5 Data users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following the company data protection and security policies at all times.
1.6 Data Processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. This person acts only under instructions from the Data Controller, keeping personal data secure from loss or destruction and unauthorised access.
1.7 Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Any activity that involves use of the data.
1.8 Sensitive personal data (referred to in the GDPR as special categories of personal data) includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, biometric data, physical or mental health or condition or sexual life, and information about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions and will usually require the express consent of the person concerned.
1.9 Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
1.10 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
1.11 Cross-border processing means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
1.12 International Organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or based on, an agreement between two or more countries.
1.13 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Causes include hacking attacks, human error, equipment failure, inadequate access controls (for example, devices without passcodes) that allow unauthorised use, unforeseen events such as flood or fire, and loss of equipment such as mobile phones and laptops.
In this context, employees, former employees, clients, suppliers, contractors, apprentices, volunteers, interns and all other stakeholders whose personal data is held by the company have the following rights:
a. The right to be informed; as a key transparency requirement under the GDPR, data subjects have the right to be informed about the collection and use of their personal data. This includes the purposes for processing their personal data, the retention periods, and who their data will be shared with. This information must be provided to the data subject in a transparent, concise, intelligible and easily accessible form, in clear and plain language.
b. The right of access; a data subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data and the information below:
c. The right of rectification; data subjects are entitled to have inaccurate data rectified by the controller without undue delay. Taking into account the purposes of the processing, the data subject must have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
d. The right to erasure (right to be forgotten); this gives the data subject the right to request that the controller erase personal data concerning him or her, and the controller has the obligation to erase that personal data without undue delay. This applies in situations where:
e. The right to restrict processing; data subjects have the right to request the restriction of processing of their personal data. This only applies in certain circumstances. When processing is restricted, the controller is permitted to store the personal data but not to use it. Data subjects can make a request for restriction verbally or in writing, and the request must be responded to within one month.
f. The right to data portability; this allows data subjects to obtain and reuse their personal data for their own purposes across different services. These include moving, copying or transferring personal data easily from one IT environment to another in a safe and secure way, without interruption to usability.
g. The right to object; data subjects have the right to object to processing based on legitimate interests, direct marketing (including profiling), processing for purposes of historical /scientific research and statistics or the performance of a task in the public interest of an official authority (including profiling).
h. Rights in relation to automated decision making and profiling; the GDPR has provisions on automated decision making (making a decision about an individual solely by automated means, without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). The latter can form part of an automated decision-making process, and the GDPR applies to both. Article 22 of the GDPR provides additional safeguards for individuals where solely automated decision making is carried out that has legal or similarly significant effects on them. This type of decision making can only be carried out where the decision is:
Article 5 of the GDPR sets out the principles that Data Controllers must comply with when processing personal data, and Article 5(2) makes the Data Controller responsible for, and required to be able to demonstrate, compliance with them. The following principles must be established:
3.1 Personal data must be processed fairly, lawfully and in a transparent manner.
3.2 Personal data must be processed for limited purposes and in an appropriate way.
3.3 Personal data must be obtained and processed for specified and lawful purposes.
3.4 Personal data must be adequate, relevant and not excessive for the purpose for which it is being processed.
3.5 Personal data must be accurate and up to date.
3.6 Personal data must not be kept for longer than necessary for the purpose.
3.7 Personal data must be processed in accordance with the data subject’s individual rights.
3.8 Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing or access, alteration, accidental loss, disclosure, damage or destruction, using appropriate technical and organisational measures.
3.9 Personal data must be erased or rectified without delay once the purposes for which it is processed have been accomplished.
3.10 Personal data must not be shared with a country outside the EEA unless that country provides a level of protection equivalent to that required by the GDPR. If such a transfer is to take place, the Data Controller must contact the data subject to discuss it in depth.
3.11 Accountability; the Data Controller is accountable for personal data and must comply with, and be able to demonstrate compliance with, all of the principles governing it.
These are set out in Article 6 of the GDPR. Data Controllers must at least apply one of these whenever personal data is processed.
a. Consent: data subject has given clear consent for you to process their personal data for a specific purpose.
b. Contract: processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
c. Legal obligation: processing is necessary for you if you are to comply with the law (not including contractual obligations).
d. Vital interests: processing is necessary to protect someone’s life.
e. Public task: processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
f. Legitimate interests: processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
According to Article 6 of the GDPR, consent is one of the six lawful bases for processing personal data. Before processing any kind of personal data, the company must either obtain consent from the data subject or identify another lawful basis on which the data may be processed. Consent is only an appropriate lawful basis if the data subject is offered genuine control and a real choice to accept or decline the terms without detriment. When asking for consent, the Data Controller has a responsibility to assess whether the request will meet all the requirements for valid consent. If consent is obtained in full compliance with the GDPR, it gives data subjects control over whether or not personal data about them is processed. If it is not, the data subject’s control is illusory, consent is an invalid basis for processing, and the processing is unlawful. It is the duty of the Data Protection Officer to obtain and maintain a record of this consent and to inform the data subject of all the elements that are critical to making a choice. Once consent is received, personal data must be processed, stored and used in accordance with the GDPR principles. Below is some of the information required for obtaining valid consent:
Organisations must report a personal data breach to the relevant supervisory authority (in the UK, the Information Commissioner’s Office) unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Notification must be made within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to individuals’ rights and freedoms, the Data Controller must also inform those individuals without undue delay. A record of all personal data breaches must be kept, regardless of whether notification is required.
The EU General Data Protection Regulation (GDPR) contains rules on giving privacy information to data subjects that are more detailed and specific than before. An emphasis is placed on making privacy notices comprehensible and accessible. Privacy notices must be communicated to the data subject by the Data Controller, in simple and understandable language, before or at the time the personal data is collected.
Privacy notices must include sufficient information, covering: the rights of data subjects in relation to their personal data; the purposes of processing; the retention period; the types of personal data collected; the methods of processing; any international transfers; whether the data will be shared with third parties; the conditions under which personal data is transferred; and the security measures in place to protect the data.
Privacy notices must clearly specify the ways in which personal data is going to be used. For example, if personal data is going to be transferred to a third party or an international organisation, the privacy notice must highlight this and state the destination to which the personal data will be transferred.
Differences in what must be provided, depending on whether personal data is collected directly from the data subject or from a third party, must also be addressed.