Data Protection Policy
About this policy
During our activities we, Cosworth Group, will process personal data (which may be held on paper, electronically, or otherwise) and we recognise the need to treat it in an appropriate and lawful manner. As an EU-based organisation Cosworth Group must comply with the General Data Protection Regulation (GDPR) 2016 from 25th May 2018.
The purpose of this policy is to make you aware of how we will handle personal data relating to individuals within your organisation.
This policy does not form part of any goods, service or supply contract and we may amend it at any time.
Cosworth are registered with the UK Information Commissioner’s Office with the following registration numbers:
- Cosworth Group Holdings ZA334077
- Cosworth Limited ZA330159
- Cosworth Electronics Limited Z8921672
This policy is reviewed by the Data Controller on an annual basis, or whenever our working business practices change. It is supported by other business practices such as IT, security and regular training of our staff. Cosworth carry out regular due diligence on all partner organisations around data protection, all of which must be GDPR compliant.
Data Protection Officer
By law, Cosworth must appoint a Data Protection Officer. Their role is to:
- inform and advise you about your obligations to comply with the GDPR and other data protection laws;
- monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
- advise on, and monitor, data protection impact assessments;
- cooperate with the supervisory authority; and
- be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
The nominated Data Protection Officer for the organisation is: HR Manager – Powertrain
Data protection principles
We will comply with the data protection principles in GDPR, which say that data must be:
- processed fairly, lawfully and in a transparent manner;
- collected and processed only for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary for those purposes;
- accurate, up to date and not kept in an identifiable form for longer than necessary for the purposes for which it is processed;
- processed in accordance with the data rights of individuals; and
- securely held, including protection by technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
“Personal data” means recorded information we hold about an individual from which that data subject can be identified. It may include contact details, other personal information, photographs, expressions of opinion about a data subject or indications as to our intentions about that data subject. “Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
Sensitive personal data is defined as personal data consisting of information as to:
- racial or ethnic origin,
- political opinions,
- religious beliefs or other beliefs of a similar nature,
- membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
- physical or mental health or condition,
- sexual life,
- commission or alleged commission of any offence, or
- any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
This policy applies to all personal and sensitive data within the organisation.
Cosworth must be transparent with all individuals about what data is collected, stored and processed about them. Whilst GDPR only covers the rights of EU-subjects, we apply these principles to all data subjects regardless of location.
Fair and lawful processing
We will usually only process personal data where consent has been given, where the processing is necessary to comply with our legal obligations, or to fulfil or prepare a contract.
GDPR requires Cosworth to establish one of the following lawful bases for processing data:
- Consent: We hold recent, clear, explicit, and defined consent for the individual’s data to be processed for a specific purpose.
- Contract: The processing is necessary to fulfil or prepare a contract for the individual.
- Legal obligation: We have a legal obligation to process the data (excluding a contract).
- Vital interests: Processing the data is necessary to protect a person’s life or in a medical situation.
- Public function: Processing necessary to carry out a public function, a task of public interest or the function has a clear basis in law.
- Legitimate interest: The processing is necessary for our legitimate interests and does not outweigh the individuals’ rights.
We will only process “sensitive personal data” where a further condition is also met. Usually this will mean that explicit consent has been given, or that the processing is legally required.
How we are likely to use your personal data
We will process data about individuals for administrative and management purposes and to enable us to fulfil agreed contracts, such as supplying goods and services, or receiving goods and services. We may also process sensitive personal data to comply with legal requirements and obligations to third parties.
Processing for limited purposes
We will only process personal data for the specific purpose or purposes you have been notified of or for any other purposes specifically permitted by GDPR.
Adequate, relevant and non-excessive processing
Personal data will only be processed to the extent that it is necessary for the specific purposes notified.
We will keep the personal data we store accurate and up to date. Data that is inaccurate or out of date will be destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold.
We will not keep personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is likely to be kept before being destroyed please ask your Cosworth Key Account Manager.
Processing in line with individual rights
Individuals have the right to:
- be informed;
- have access to their data;
- rectify or update their data;
- erase their data;
- restrict the processing of their data;
- port their data to another place;
- object to the processing of their data; and
- not take part in automated decision making and profiling.
Cosworth will not deny data subjects any of the aforementioned rights.
We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures.
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
Data will only be transferred outside of the European Economic Area (EEA) under the guidance of the Data Protection Officer.
Providing information to third parties
We will not disclose personal data to a third party without consent unless we are satisfied that they are legally entitled to the data. Where we do disclose personal data to a third party, we will have regard to the data protection principles.
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without consent of the data subject. Under these circumstances, Cosworth will disclose requested data subject to checks that the request is legitimate.
Subject access requests
If an individual wishes to know what personal data we hold about them, they must make the request in writing. All such written requests should be forwarded to email@example.com. Cosworth will aim to provide the relevant data without delay, and within 30 days. The individual may be asked to provide relevant identification to start this process.
Breaches of this policy
In the event of a data breach, Cosworth must report to the UK Information Commissioner’s Office within 72 hours of the event with details of:
- The nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned; and
  - the categories and approximate number of personal data records concerned.
- The name and contact details of the Data Protection Lead.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
If you have any concerns around data protection affecting Cosworth, its employees, or its clients, please contact us at the earliest opportunity via firstname.lastname@example.org