GENERAL DATA PRIVACY NOTICE
Lapwing UK. LTD
Your personal data – what is it? Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 the “GDPR”).
Who are we? Lapwing UK. LTD (Lapwing) is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes. How do we process your personal data? Lapwing complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We currently use your personal data for one or more of the following purposes:
- For the carrying out of trading, namely Sales, Quotations, Purchases, Procurement, Credit Control, Payments.
- For marketing, whether by post, email, sms or telephone.
- For Legal Compliance including for Income Tax, VAT Duty, Employment Law, Health & Safety Law & any other statutory legal requirement.
- For operational purposes including arranging collections, deliveries & for delivery tracking.
- It is shared with third party organisations only for the practical carrying out any of the four steps above; eg data provided to Parcels carrier to expediate delivery of orders.
What is the legal basis for processing your personal data? To process non-sensitive data comes under:
Article 6 Data Processing – we need either:
1: Consent of the data subject; All persons who are not an active customer, supplier or employee of the Data Controller fall into this category. Persons & organisations who are an active customer/supplier/employee of Lapwing; Lapwing require your consent to hold & process your data for marketing purposes. Please click on the link here to update your Data Consent details. Or
2: Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract (where the Data subject is either trying to sell to, or purchase from, the Data Controller). Or
3: Processing is necessary for compliance with a legal obligation; Please see the table in Appendix I for the relevant legal storage requirements of various data. The Legal right for this processing only extends to the fulfilling of the legal obligation & data will not be used for other reasons. Or
4: Processing is necessary to protect the vital interests of a data subject or another person; An example of the use of this clause is for a safety recall of a product or the storage of serial numbers of machinery sold. Or
5: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; This clause is unlikely to be used by Lapwing. Or
6: Processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. This would apply for instance, when details are shared with a 3rd party such as a debt collection agency. It is a legitimate interest of the data controller to recover debt.
Sensitive data such as sex, race, religion, age or personal financial information such as account numbers are covered under
Article 9 Data Processing – for these we require either
1: The explicit consent of the data subject to hold this information; Please click on the link here to update your Data Consent details. The Article 9 details recorded would be limited to payment details for clients or suppliers & personal details of employees & their families when required (e.g. for parental leave). Or
2: Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement; Or
3: Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent; Or
4: Processing relates to personal data manifestly made public by the data subject; Or
5: Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity; Or
6: Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law; Or
7: Processing is necessary for reasons of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional; For example health screening is recommended for manual staff over the age of 40 – if ages are not recorded, Lapwing cannot provide this facility; Or
8: Processing is necessary for the reasons of public interest in the area of public health; Or
9: Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes. (Where the personal data are collected direct from the data subject, the data subject must be informed whether he or she is obliged to provide the personal data and the consequences, if he/she does not provide the data). The wording to the GDPR including full details of the processing conditions contained in Article 6 and Article 9 can be found here - https://gdpr-info.eu/.
Sharing your personal data
Your personal data will be treated as strictly confidential and will be shared only with the following organisations for the following reasons:
- For suppliers: with organisations such as our banks for payments, logistics providers for handling of freight, cloud accounting providers for storage & processing of business transaction records.
- For clients: with organisations such as our banks for payments, logistics providers for handling of freight, cloud accounting providers for storage & processing of business transaction records. Where consent has been given, with external marketing providers for the distribution of physical mail, emails, sms messages etc., but limited strictly to the promotion of goods & services from Lapwing group companies only.
- For employees: with our banks for payment of wages, with Pension Providers & statutory bodies to meet our legal obligations, health providers for preventative or occupational health reasons.
How long do we keep your personal data?
We keep your personal data for no longer than reasonably necessary and details are provided in Appendix I for the majority of common requirements. A review of Data will be held annually in December at the end of each trading year & relevant obsolete data will be permanently destroyed. Credit & Debit card details are destroyed after use as required by our PCI Compliance Procedures.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
- The right to request a copy of your personal data which Lapwing holds about you;
- The right to request that Lapwing corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for Lapwing to retain such data;
- The right to withdraw your consent to the processing at any time where consent was previously given.
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
- The right to lodge a complaint with the Information Commissioners Office.
Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Contact Details
To exercise all relevant rights, queries of complaints please in the first instance contact Peter Ball at Lapwing, Unit 3, Keytec East Business Park, Pershore Worcs. WR10 2NX, or by email peter.ball@lapwinguk.com or by telephone on 01386 551090 You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Appendix I
Lapwing data storage – policy on retention periods
Our aim is to retain data for no longer than is necessary for the purposes for which the personal data is processed and the table below shows the retention periods for the data that we may hold.
Some personal data is retained for employment purposes, to assist in the running of the business and/or to enable individuals to be paid, in which case we generally follow the ‘recommended’ retention period. Some personal data is retained for statutory purposes, in which case we follow the ‘statutory’ retention period.
| Record | Retention period |
|---|
| Accident books, accident records, accident reports | Three years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches age 21). Statutory. |
| Accounting records | Three years for private companies, six years for public limited companies. Statutory. |
| Actuarial valuation reports | Permanently. Recommended |
| Application forms and interview notes (for unsuccessful candidates) | Six months. Recommended |
| Assessments under health and safety regulations and records of consultations with safety representatives and committees | Permanently. Recommended |
| Control of Substances Hazardous to Health Regulations (COSHH) records of tests and examinations of control systems and protective equipment | Five years from the date on which the tests were carried out. Statutory. |
| DBS, PVG, AccessNI certificates/copies | Six months. Recommended |
| DBS certificate information required by CQC | Three years or until superseded if less. Recommended. |
| Driving licence, vehicle insurance, MOT certificate details | One year after expiry unless renewed. Recommended. |
| Expatriate records and other records relating to foreign employees (e.g. visa, work permits, etc. | Six years after employment ceases. Recommended. |
| Income tax and NI returns, income tax records and correspondence with HMRC | Not less than three years after the end of the financial year to which they relate. Statutory. |
| Inland Revenue/HMRC approvals | Permanently. Recommended. |
| Invoices – Sales & Purchase | Minimum Six years. Statutory |
| Marketing Details | Reviewed Annually in December. |
| Medical records and details of biological tests under the Control of Lead at Work Regulations | 40 years from the date of the last entry. Statutory. |
| Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) | 40 years from the date of the last entry.
Statutory. |
| Medical records under the Control of Asbestos at Work Regulations, medical records containing details of employees exposed to asbestos and medical examination certificates | 40 years from the date of the last entry (medical records); four years from the date of the last certificate.
Statutory. |
| Medical records under the Ionising Radiations Regulations 1999 | Until the person reaches 75 years of age, but in any event for at least 50 years.
Statutory. |
| National minimum wage records | Three years after the end of the pay reference period following the one that the records cover.
Statutory. |
| Parental leave records | Five years from birth/adoption of the child or 18 years if the child receives a disability living allowance.
Recommended. |
| Pension scheme investment policies | 12 years from the ending of any benefit payable under the policy.
Recommended. |
| Pension scheme money purchase details | Six years after transfer or value taken.
Recommended. |
| Pensioners’ records | 12 years after benefit ceases.
Recommended. |
| Personnel files and training records (including disciplinary records and working time records) | Six years after employment ceases.
Recommended. |
| Records relating to children and young adults | Until the child/young adult reaches age 21.
Statutory. |
| Redundancy details, calculations of payments, refunds, notification to the Secretary of State | Six years from the date of redundancy. Recommended. |
| Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity | Six years from the end of the scheme year in which the event took place. Statutory. |
| Security Industry Authority (SIA) licence details | One year after expiry unless renewed. Recommended. |
| Senior executives' records (that is, those on a senior management team or their equivalents) | Permanently. Recommended. |
| Serial Number Register | Permanently. |
| SMP, SAP, SSPP records, calculations, certificates (Mat B1s) or other medical evidence, notifications, declarations and notices | Three years after the end of the tax year in which the leave period ends. Statutory. |
| Statutory Sick Pay records, calculations, certificates, self-certificates | Six years after the employment ceases. Recommended. |
| Time cards | Two years after audit. Recommended. |
| Wage/salary records (also overtime, bonuses, expenses) | Six years. Statutory. |
| Working time records | Two years from date on which they were made. Statutory. |
| Works Council minutes | Permanently. Recommended. |
| VAT Records | Six years. Statutory. |
