Data Protection Policy

The purpose of this Policy is to ensure that everyone handling personal information on behalf of Lexxic is aware of the requirements of the General Data Protection Regulation (GDPR).

This Policy applies to all personal data obtained, used and held by us. This may be factual information such as names and addresses, or expressions of opinion, images or other recorded information that can identify or tell something of significance about a living individual.

Any questions regarding this Policy and our Privacy Practices should be sent by email to: hello@lexxic.com or by writing to: Lexxic Ltd, Unit CH3.20, Kennington Park, 1-3 Brixton Road, London, SW9 6DE. Alternatively, you can telephone +44 (0) 330 311 2720.

Principles

The GDPR provides a framework for organisations to ensure that personal data is handled properly, and gives individuals important rights in relation to their personal information, including being able to find out what information is held about them.

The GDPR applies to all processing of personal data. ‘Processing’ means almost anything that can be done to data, including (but not limited to) obtaining, organising, using, retrieving, consulting, disclosing and destroying data.

We collect and use personal details about current, past and prospective employees, contractors, suppliers, clients, customers and other contacts as part of our work, in order to provide or improve services, administer contracts of employment and to comply with various legal requirements we are subject to. However it is recorded or used, whether on paper, electronically, or in any other medium, this data must be dealt with properly.

Definitions - what the GDPR covers

  • Personal data. The GDPR only applies to personal data and not to any other type of information. Personal data means any information relating to a living individual who can be identified from that information, either on its own or in combination with other information. Examples of personal data we handle include: job applications; email addresses; staff appraisals; expense claims.

  • Special category data. This means information about an individual’s: racial/ethnic origin; political opinions; religious beliefs; trade union membership; physical/mental health; sex life and sexual orientation; criminal activities or alleged criminal activities; genetic data; and biometric data. Information in this category needs to be handled with extra care. If a data protection breach involves special category data, the ICO (Information Commissioner’s Office) is more likely to penalise the organisation responsible. Examples of special category data we handle include: client neurological diagnosis; medication; a job applicant’s declaration of a criminal conviction; information about adjustments needed to accommodate a diagnosed condition; a letter from a doctor about an employee’s illness.

Please note that some personal data not legally defined as ‘special category data’ can still be highly confidential and require a similar level of care, e.g. bank account details and staff appraisal records.

Data protection principles

The GDPR sets out eight data protection principles that anyone processing personal data must comply with. These state that personal data must be:

  1. Processed fairly and lawfully and in a transparent manner in relation to individuals.

  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

  4. Accurate and kept up-to-date.

  5. Not kept for longer than necessary for the purpose.

  6. Processed in line with data subjects’ rights.

  7. Processed in a manner that ensures appropriate security of the personal data.

  8. Not transferred to people or organisations situated in countries without adequate protection.

Fair and lawful processing

For personal data to be processed lawfully, data must be processed on the basis of one of the legal grounds set out in the regulations. These include, among other things: the data subject’s consent to the processing; or that the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, or for the legitimate interests of the data controller or the party to whom the data is disclosed. When special category data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met.

Processing for limited purposes

In the course of our business, we may collect and process the personal data set out in our Privacy Policy. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).

We will only process personal data for the specific purposes set out in the Schedule or for any other purposes specifically permitted by the GDPR. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.

Notifying data subjects

If we collect personal data directly from data subjects, we will inform them about:

  • The purpose(s) for which we intend to process that personal data.

  • The types of third parties, if any, with whom we will share or to whom we will disclose that personal data.

  • The means, if any, with which data subjects can limit our use and disclosure of their personal data.

If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter.

We will also inform data subjects whose personal data we process that we are the data controller with regard to that data, and who the Data Protection Officer is.

Adequate, relevant and non-excessive processing

We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject and not further processed in a manner that is incompatible with those purposes.

Accurate data

We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

Timely processing

We will not keep personal data longer than is necessary for the purpose or purposes for which the data was collected. We will take all reasonable steps to destroy or erase from our systems all data which is no longer required.

Processing in line with data subjects’ rights

We will process all personal data in line with data subjects’ rights, in particular their right to:

  • Request access to any data held about them by a data controller.

  • Prevent the processing of their data for direct marketing purposes.

  • Ask to have inaccurate data amended.

  • Prevent processing that is likely to cause damage or distress to themselves or anyone else.

Data security

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if there is agreement to comply with those procedures and policies.

We will maintain data security by protecting the confidentiality, integrity and availability of personal data, defined as follows:

  • Confidentiality means that only people who are authorised to use the data can access it.

  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

  • Availability means that authorised users should be able to access the data if they need it for authorised purposes.

Security procedures include:

  • Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)

  • Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.

  • Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC/laptop when it is left unattended.

Data breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; for example: access by an unauthorised third party; sending data to an incorrect recipient; losing computer devices which contain personal data; alteration of personal data without permission.

If, as a result of a breach, it is likely that there will be a risk to an individual’s rights or freedoms, the data controller must inform the ICO within 72 hours.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must be informed directly and without undue delay.

Lexxic’s Data Incident Response Procedure should be followed.

Transferring personal data to a country outside of the UK

We may transfer any personal data we hold to a country outside the UK, provided that one of the following conditions applies:

  • The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.

  • The data subject has given their consent.

  • The transfer is necessary for one of the reasons set out in the Regulations, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.

  • The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

  • The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.

Subject to the requirements of processing in line with data subjects’ rights (see above), personal data we hold may also be processed by staff operating outside the UK who work for us or for one of our suppliers. The staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.

Disclosure and sharing of personal information

We may share personal data we hold with any member of our group, which includes our subsidiaries, as defined in section 1159 of the Companies Act 2006.

We may also disclose personal data we hold to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.

  • If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.

  • If we are under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements, or to protect our rights, property, or the safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We may also share personal data we hold with selected third parties for the purposes set out in the Schedule.

Dealing with subject access requests

The Regulation gives individuals a formal right to see all the information held about them by an organisation (a so-called Subject Access Request). This right applies to any personal data held in electronic form (email, Word document, spreadsheet, database, voicemail, photo, video etc.) as well as to most data held in hard copy form.

If you receive a written subject access request, you should forward it promptly to the Data Protection Officer as we are required to respond to requests within a statutory time frame of 30 calendar days.

When committing any personal data to permanent record (including emails), keep in mind at all times that the person you are writing about has the right to see that information, subject only to very limited exceptions. Consequently you should not say anything that you would not be prepared for them to see. Be factual, objective and professional in what you say.

Changes to this Policy

This Policy was last reviewed in August 2023.