The purpose of this policy is to set out Remote Asset Management’s (hereinafter referred to as RAM) approach to data protection and data privacy.
RAM provides vehicle tracking and fleet management services through RAM Tracking, RAM Assist, RAM Live and RAM Job Assist. Remote Asset Management Ltd is registered at First Floor, Nelson House, George Mann Road, Leeds, England LS10 1DJ and is regulated by the laws of England and Wales.
The personal data that RAM processes to provide these services relates to its employees/staff, clients, clients’ employees, prospective clients and other individuals as necessary.
RAM processes the personal data of staff, customers, customers’ employees and suppliers, and is committed to ensuring that all processing of personal data is carried out in accordance with all data protection law.
RAM ensures that good data protection practice is embedded in the culture of our staff and our organisation.
RAM’s other data protection policies and procedures are:
‘Data Protection Law’ includes the UK General Data Protection Regulation 2016/679; the UK Data Protection Act of 2018 and all relevant UK data protection legislation.
This policy applies to all personal data processed by RAM and is part of RAM’s approach to compliance with data protection law. All RAM staff, partners or third parties who have, or may have, access to personal data are expected to have read and understood this policy and to comply with it. Failure to comply may lead to disciplinary action for misconduct, including dismissal or contract termination.
RAM is a data controller and data processor under the UK GDPR/DPA 2018.
Key responsibilities are:
RAM will ensure that all staff, partners or third parties who handle personal data on its behalf are aware of their responsibilities under this policy and other relevant data protection and information security policies, and that they are adequately trained and supervised. Breaching this policy may result in disciplinary action for misconduct, including dismissal or contract termination. Obtaining (including accessing) or disclosing personal data in breach of RAM’s data protection policies may also be a criminal offence.
RAM complies with the data protection principles set out below. When processing personal data, it ensures that:
RAM is responsible for complying with the data protection principles and will demonstrate this in accordance with Article 5(2) “Accountability” by implementing policies and procedures, technical and organisational measures and keeping documentation such as breach records and Data Subject Rights Request records.
For more information on what steps need to be taken when a data subject exercises one or more of the Data Subject Rights, please see RAM’s Data Subject Rights Procedure.
RAM has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff have received training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.
All requests will be considered without undue delay and satisfied within one calendar month of receipt as far as possible.
RAM will ensure the rights as detailed below can be exercised by data subjects.
Informed: The right to be informed about the collection and use of personal data is addressed via company privacy notices.
Subject access: The right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
Rectification: The right to allow a data subject to rectify inaccurate personal data concerning them.
Erasure: The right to have data erased and to have confirmation of erasure, but only where:
Restriction of processing: The right to ask for certain processing to be restricted in the following circumstances:
Data portability: The right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if RAM was processing the data using consent or based on a contract.
Object to processing: The right to object to the processing of personal data relying on the legitimate interests processing condition unless RAM can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.
Object to automated profiling: The right to object where solely automated decision-making is being carried out that has legal or similarly significant effects on the data subject.
This includes the following personal data revealing:
RAM will apply additional organisational and technical measures to protect special category data where processed based on risk to the data subject.
RAM will only process special category data where it has an Article 6 lawful basis and an Article 9 exception to do so.
RAM understands the conditions of consent as defined in Article 7 of the GDPR and will ensure that:
Whenever RAM relies on consent as the lawful basis for any processing activity, logs of consent must be maintained. This is the responsibility of the Data/Process Owner.
RAM will always assess the risk of processing personal data to the data subject and
A data retention schedule in the records of processing activities shall be implemented to ensure that all information kept for legal, regulatory, and business requirements is limited. Remote Asset Management will ensure that processes are in place for secure disposal when data no longer needs to be retained for legal, regulatory, and business requirements. An automatically or manually executed process is to be in place for identifying and ensuring secure removal of data.
RAM is dedicated to complying with the requirements for responding to and reporting a data breach. Data breaches can come in many forms, including but not limited to:
Data breaches will be identified, and, where they present a risk to the data subject, the Information Commissioner’s Office will be notified without undue delay and within 72 hours of them being discovered. Breaches will be assessed, and mitigation will be applied to ensure the breach does not continue or happen again. Data Subjects impacted by this will be notified where there is a high risk to them and/or according to the ICO advice. Any sub-processors or data controllers RAM uses will also be notified as per contractual agreements. For more information, see RAM’s Data Breach Procedure.
RAM will ensure that if any personal data is transferred to any third party, RAM will conduct supplier due diligence using the supplier due diligence procedure and sign a data transfer agreement to ensure the security of the data. If you are taking the initiative of onboarding a new supplier, check the procedure and contact the DPO at privacy@ramtracking.com.
RAM will ensure that any personal data transferred to third countries or third parties in third countries will not be transferred without suitable safeguards which may include:
Data Protection by Design allows for Data Protection to be built into a business’s ethos by ensuring processes, services and other ideas are risk assessed from a GDPR point of view. RAM is committed to practising this throughout the business to ensure systems are built with data protection as the first thought, rather than an afterthought. All staff must declare new processes involving data to ensure this assessment is completed where needed.
Whenever RAM is starting a new process involving personal data, a Data Privacy by Design Checklist is completed and reviewed.
This policy was last updated on 10/08/2023 and shall be regularly monitored and reviewed, at least annually.