Purpose and Background
Holler Chauffeur Drive Ltd (HCD) holds information about drivers, customers and other people involved with our business activities. HCD has a responsibility to look after this information properly, and to ensure we comply with the EU General Data Protection Regulation (GDPR) which comes into force in the UK from 25th May 2018. It is expected that the GDPR will continue to form the basis of UK Data Protection legislation, even once the UK has left the EU, so it is therefore fully taken into account in this policy. Data Protection good practice is not just a matter of legal compliance and ticking boxes. Data Protection is about taking care of our drivers and clients and ensuring that we are respecting their privacy. Poor practice or a serious breach could not only harm individuals but would also have a serious effect on the reputation of Holler Chauffeur Drive Ltd and we value our good time.

Scope
This policy applies to information relating to individuals (drivers & customers/clients) which is held by Holler Chauffeur Drive Ltd.

Our legal basis for using people’s data
Everything we do with records about individuals — obtaining the information, storing it, using it, sharing it, even deleting it - will have an acceptable legal basis. There are six of these:
• Consent from the individual (or someone authorised to consent on their behalf).
• Where it is necessary in connection with a contract between HCD Chauffeur Drive and an individual.
• Where it is necessary because of a legal obligation — if the law says we must.
• Where it is necessary in an emergency, to protect an individual’s ‘vital interests’.
• Where it involves the exercise of a public function – i.e. most activities of most government, local government and other public bodies.
• Where it is necessary in our legitimate interests, as long as these are not outweighed by the interests of the individual.
Where we are basing our processing on consent we will be able to ‘demonstrate’ that we hold consent. This means having a record of who gave consent, when they gave it, how they gave it (e.g. on the website, on a form, verbally) and what they actually consented to. In the case of legitimate interests, we will do a balancing test, and be confident that our legitimate interests in using the data in a particular way — for example in providing our services — are not over-ridden by the interests of the individual.

Data Protection Principles
Data Protection compliance is based largely on a set of Principles. The six GDPR Principles say that:
• Whatever you do with people’s information has to be fair and legal. This includes making sure that they know what you are doing with the information about them.
• When you obtain information, you must be clear why you are obtaining it, and must then use it only for the original purpose(s).
• You must hold the right information for your purposes: it must be adequate, relevant and limited to what is necessary.
• Your information must be accurate and, where necessary, up to date.
• You must not hold information longer than necessary.
• You must have appropriate security to prevent your information being lost, damaged, or getting into the wrong hands.
This policy reflects each of these principles.

Transparency & purposes (first and second principles)
We will make key information available to people at the time we collect information from them. This includes:
• the identity and contact details of Holler Chauffeur Drive Ltd and the person who is responsible for Data Protection;
• the purposes we intend to use the data for and our ‘legal basis’ for this;
• what we regard as our ‘legitimate interests’, if this is our basis for processing;
• any specific recipients of the data (e.g. TfL or Google Analytics).
Other information will be made available where relevant.
This includes:
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• details of the individual’s rights, such as to request a copy of all the data held;
• the right to withdraw consent if that is the legal basis for processing (but not retrospectively);
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
In both cases, we will only tell people things they won’t already know. When a driver or client signs up for our Holler Chauffeur Drive Ltd service they know that we will keep a record about them and their activities with us.

Direct marketing
One explicit right that people have is to stop us sending them marketing material (by post, phone, email or text) if they don’t want it. When we collect information from people that might be used for marketing we will say so at the time and ask them if they are happy to hear from us. The wording will be along the lines of:
“We would like to keep you up to date with information about Holler Chauffeur Drive Ltd services. Please tick here to indicate which method(s) you are happy for us to use: Mail ☐, Phone ☐, Email ☐, Text ☐”
These rules are only for marketing. They do not stop us from contacting people in whatever is the most convenient way to give them information about things they have already signed up to, or for other administrative purposes.

Data quality, record keeping and retention (third, fourth and fifth principles)
Our activities will be more effective and appropriate if we have good quality records about the people we are working for and with, our customers and our drivers. GDPR insists on this.
We will ensure we have the information we need, but no more (it must be adequate, relevant and limited to what is necessary) and it will be as accurate as we can make it and — where necessary — kept as up to date as possible. We will not keep it longer than necessary. We will ensure that our staff are fully aware that the individual concerned has the right to see all the information recorded about them by Holler Chauffeur Drive Ltd. Holler Chauffeur Drive Ltd has a clear policy on how long to keep personal information and this is directly linked to the retention for our compliance with Transport for London obligations of service. We have established a process for ensuring that data is deleted or destroyed at the appropriate time to comply with this requirement.

Security (sixth principle)
We will take good care of the information we hold, whether on our computer systems or on paper, and make sure that all our staff have the appropriate guidance and training so that they treat your information appropriately.

Responsibilities
Responsibility for compliance with the GDPR lies with Holler Chauffeur Drive Ltd, not with any specific individual. However, Holler Chauffeur Drive Ltd have designated someone to lead on keeping up to date with any developments, checking that we are complying and have the evidence to prove it, giving advice to drivers/clients and handling any issues such as a data breach or a Subject Access Request. The individual currently designated can be contacted at the following email address: GDPR@hcdchauffeurdrive.co.uk