General Data Protection Regulation (GDPR)
Everyone who works for or with Floribunda Rose has some responsibility for ensuring data is collected, stored and handled appropriately. The following is a working document, guide and training tool applicable across the entire Floribunda Rose brand. It comprehensively outlines the activities of key departments and how we as a company uphold the privacy, protection and data security of the personal details of customers and employees alike in our day-to-day operations.
Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
When access to confidential information is required, employees can request it.
Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
In the event of a suspected data breach, inform either Sarah Diligent or William Mazuch immediately. In cases of severe data breaches, the company has an obligation to notify the ICO without undue delay and no later than 72 hours after becoming aware of the breach, and to notify the individual whose personal data is affected by the breach.
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Sensitive Personal Data
The GDPR refers to sensitive personal data as “special categories of personal data”.
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
GDPR requires that personal data shall be:
- “a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”
Why we need your personal data
For administrative purposes, the Company keeps and processes records of its employees’ personal data, including address, date of birth and next of kin. The Company also processes records containing certain “sensitive” data, including information about gender and race, which it uses to monitor and promote its equal opportunities policy, and medical records, which the Company keeps for health and safety reasons as well as for the purposes of administration and management.
Your details will not be given to any other third party, nor signed up to our customer database. All of the providers mentioned have demonstrated compliance, and we are satisfied with their processes.