Data Protection Policy


CONTENTS

Document Information
Version History
1. Purpose
2. Introduction
3. Scope
4. Responsibilities
5. Data Protection Principles
6. Data Subject Rights
7. Special Category Data
8. Consent
9. Security
10. Data Retention
11. Data Breaches
12. Data Transfers
13. Data Protection By Design
14. Monitoring And Review


1. Purpose

The purpose of this policy is to set out Remote Asset Management’s (hereinafter referred to as RAM) approach to data protection and data privacy.

2. Introduction

RAM provides vehicle tracking and fleet management services through RAM Tracking, RAM Assist, RAM Live and RAM Job Assist. Remote Asset Management Ltd is registered at First Floor, Nelson House, George Mann Road, Leeds, England LS10 1DJ and is regulated by the laws of England and Wales.

The personal data that RAM processes to provide these services relates to its employees/staff, clients, clients’ employees, prospective clients and other individuals as necessary.

RAM processes the personal data of staff, customers, customers’ employees and suppliers, and is committed to ensuring that all processing of personal data is carried out in accordance with data protection law.

RAM ensures that good data protection practice is embedded in the culture of our staff and our organisation.

RAM’s other data protection policies and procedures are:

  • Record of Processing Activities (ROPA)
  • Privacy notices (website and employees)
  • Personal Data Breach Procedure and a Data Breach Register
  • Data Retention Policy
  • Data Subject Rights Procedure and Data Subject Rights Request Register
  • Supplier Due Diligence Procedure
  • Data Breach Procedure
  • IT security policies

‘Data Protection Law’ includes the UK General Data Protection Regulation 2016/679, the UK Data Protection Act 2018 and all relevant UK data protection legislation.

3. Scope

This policy applies to all personal data processed by RAM and is part of RAM’s approach to compliance with data protection law. All RAM staff, partners or third parties who have, or may have, access to personal data are expected to have read and understood this policy and to comply with it. Failure to comply may lead to disciplinary action for misconduct, including dismissal or contract termination.

4. Responsibilities

RAM is a data controller and data processor under the UK GDPR/DPA 2018.

Key responsibilities are:

  • All managers are responsible for ensuring personal data is handled in accordance with RAM’s policies and procedures and for encouraging best practice in the handling of personal data.
  • The Data Protection Lead is accountable to the Board of Directors for ensuring that compliance with data protection law can be demonstrated.
  • Compliance with data protection law is the responsibility of all employees, partners and third parties working on behalf of RAM.
  • The Group CEO is ultimately accountable for ensuring RAM is compliant with data protection law.

RAM will ensure that all staff, partners or third parties who handle personal data on its behalf are aware of their responsibilities under this policy and other relevant data protection and information security policies, and that they are adequately trained and supervised. Breaching this policy may result in disciplinary action for misconduct, including dismissal or contract termination. Obtaining (including accessing) or disclosing personal data in breach of RAM’s data protection policies may also be a criminal offence.

5. Data Protection Principles

RAM complies with the data protection principles set out below. When processing personal data, it ensures that:

  • It is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  • It is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
  • It is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’).
  • It is accurate and, where necessary, kept up to date, and reasonable steps are taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’).
  • It is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’).
  • It is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

RAM is responsible for complying with the data protection principles and will demonstrate this in accordance with Article 5(2) “Accountability” by implementing policies and procedures, technical and organisational measures and keeping documentation such as breach records and Data Subject Rights Request records.

For more information on what steps need to be taken when a data subject exercises one or more of their data subject rights, please see RAM’s Data Subject Rights Procedure.

6. Data Subject Rights

RAM has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff have received training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.

All requests will be considered without undue delay and satisfied within one calendar month of receipt as far as possible.

RAM will ensure the rights as detailed below can be exercised by data subjects.

Informed: The right to be informed about the collection and use of personal data is addressed via company privacy notices.

Subject access: The right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:

  • The purpose of the processing.
  • The categories of personal data.
  • The recipients to whom data have been disclosed or which will be disclosed.
  • The retention period.
  • The right to lodge a complaint with the Information Commissioner’s Office.
  • The source of the information if not collected directly from the data subject; and
  • The existence of any automated decision-making.

Rectification: The right of a data subject to have inaccurate personal data concerning them rectified.

Erasure: The right to have data erased and to have confirmation of erasure, but only where:

  • The data is no longer necessary in relation to the purpose for which it was collected, or
  • Where consent is withdrawn, or
  • Where there is no legal basis for the processing, or
  • Where there is a legal obligation to delete the data.

Restriction of processing: The right to ask for certain processing to be restricted in the following circumstances:

  • If the accuracy of the personal data is being contested, or
  • If our processing is unlawful but the data subject does not want it erased, or
  • If the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise, or defence of legal claims, or
  • If the data subject has objected to the processing, pending verification of that objection.

Data portability: The right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means, in a format which allows the individual to transfer the data to another data controller. This only applies where RAM is processing the data on the basis of consent or a contract.

Object to processing: The right to object to the processing of personal data relying on the legitimate interests processing condition unless RAM can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.

Object to automated profiling: The right to object where solely automated decision-making is being carried out that has legal or similarly significant effects on the data subject.

7. Special Category Data

Special category data includes personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, or biometric data processed for the purpose of uniquely identifying a natural person
  • An individual’s health
  • A natural person's sex life or sexual orientation
  • Criminal convictions or offences.

RAM will apply additional organisational and technical measures to protect special category data wherever it is processed, proportionate to the risk to the data subject.

RAM will only process special category data where it has an Article 6 lawful basis and an Article 9 exception to do so.

8. Consent

RAM understands the conditions of consent as defined in Article 7 of the GDPR and will ensure that:

  • Consent is a specific, informed and unambiguous indication of the data subject’s wishes.
  • The data subject can withdraw consent at any time.
  • Withdrawal of consent is as easy as it was to give.
  • Where information society services are provided to children, consent of the parent/guardian will be obtained based on the age limits defined in the country concerned.
  • Records of consent are kept as evidence.
  • The data subject is competent to give consent and is doing so freely without duress.

Whenever RAM relies on consent as the lawful basis for a processing activity, records of consent must be maintained. This is the responsibility of the Data/Process Owner.

9. Security

RAM will always assess the risk to the data subject of processing personal data and will ensure that:

  • Personal data is stored securely using software that is kept up to date and supported.
  • Access to personal data is role based and limited to personnel who need it, with appropriate security in place to prevent unauthorised sharing of information.
  • When personal data is deleted, this is done securely such that the data is irrecoverable.
  • Appropriate backup and disaster recovery solutions are in place.
  • Staff are given information security training, and information security policies and procedures are adhered to.
  • Personal data is encrypted where possible at rest and in transit.
  • Where possible, personal data is anonymised or pseudonymised.
  • All passwords used meet password policy requirements.
  • Anti-malware software is deployed on all devices handling personal data.
  • Paper documents containing personal data are stored in lockable cabinets.

10. Data Retention

A data retention schedule, recorded in the Record of Processing Activities, shall be implemented to ensure that information is kept only for as long as legal, regulatory and business requirements demand. Remote Asset Management will ensure that processes are in place for the secure disposal of data that no longer needs to be retained for legal, regulatory or business requirements. An automated or manually executed process shall be in place for identifying such data and ensuring its secure removal.

11. Data Breaches

RAM is committed to complying with the requirements for responding to and reporting a data breach. Data breaches can take many forms, including but not limited to:

  • Insider threat
  • Malware attacks
  • Accidental web exposure
  • Loss of data in transit

Data breaches will be identified and, where they present a risk to the data subject, the Information Commissioner’s Office will be notified without undue delay and within 72 hours of discovery. Breaches will be assessed, and mitigation will be applied to ensure the breach does not continue or recur. Data subjects affected by a breach will be notified where there is a high risk to them and/or in accordance with ICO advice. Any sub-processors or data controllers that RAM uses will also be notified as per contractual agreements. For more information, see RAM’s Data Breach Procedure.

12. Data Transfers

Before any personal data is transferred to a third party, RAM will conduct supplier due diligence in accordance with the Supplier Due Diligence Procedure and sign a data transfer agreement to ensure the security of the data. If you are onboarding a new supplier, consult the procedure and contact the DPO at privacy@ramtracking.com.

RAM will ensure that personal data is not transferred to third countries, or to third parties in third countries, without suitable safeguards, which may include:

  • International Data Transfer Agreement (IDTA)
  • Standard contractual clauses with the UK Addendum
  • Binding corporate rules
  • Adequacy decision
  • An exception as defined in Article 49 of the GDPR

13. Data Protection By Design

Data Protection by Design allows data protection to be built into a business’s ethos by ensuring that processes, services and other initiatives are risk assessed from a GDPR point of view. RAM is committed to practising this throughout the business to ensure systems are built with data protection as the first thought, rather than an afterthought. All staff must declare new processes involving personal data to ensure this assessment is completed where needed.

Whenever RAM is starting a new process involving personal data, a Data Privacy by Design Checklist is completed and reviewed.

14. Monitoring And Review

This policy was last updated on 10/08/2023 and shall be regularly monitored and reviewed, at least annually.
