Privacy Policy

INTRODUCTION 

At Drumgrange we are committed to protecting and respecting your privacy.

This policy explains what, when and why we collect personal data, the legal basis for processing, how long the data will be retained and your rights in respect to the data. 

Drumgrange will adhere to the 6 data protection principles that are central to the General Data Protection Regulation (GDPR):

(1) Lawfulness, fairness and transparency

(2) Purpose limitation

(3) Data minimisation

(4) Accuracy

(5) Storage limitation

(6) Integrity and confidentiality

 

WHO IS COLLECTING THE DATA?

This policy relates to data being collected by Drumgrange Ltd, Registered Office: Unit A, The Forum, Hanworth Lane, Chertsey, Surrey, KT16 9JX, Registered in England No. 1460044.

In this policy, 'Drumgrange' and 'we' refer to Drumgrange Ltd, the Company, including both the Chertsey and Portland sites.

Any questions in relation to this policy should be sent by email to the Drumgrange Data Protection Representative (DPR) [email protected] or alternatively telephone +44 (0)1932 581100 and ask for the DPR.

 

WHAT DATA IS BEING COLLECTED?

Drumgrange collects and processes personal data relating to the following data subjects:

(1) Employees

     Name, address, email, telephone number, next of kin, payroll, pension, personnel information (including but not limited to, annual leave, sickness,
     performance reviews).

(2) Customers, Suppliers and Business Contacts

      Name, title, address, email, telephone number.

(3) Candidates

      Name, address, email, telephone number, CV, covering letter and references.

 

WHAT IS THE LEGAL BASIS FOR PROCESSING THE DATA?

Drumgrange have identified the following legal bases for processing of personal data under the GDPR for the data subjects:

(1) Employees

     Contract, Legal Obligation

(2) Customers, Suppliers and Business Contacts

      Contract, Legitimate Interest

(3) Candidates

      Contract, Legitimate Interest

 

WILL THE DATA BE SHARED WITH ANY THIRD PARTIES?

Drumgrange may disclose your personal data to third parties insofar as reasonably necessary for the purposes, and on the legal basis, as set out in this policy.

 

HOW WILL THE INFORMATION BE USED?

Drumgrange will use the information only for the purpose for which it was obtained. 

(1) Employees

     We will use the information provided to fulfil your contract of employment.

(2) Customers, Suppliers and Business Contacts

      We will use the information provided to maintain contact with you for 'relationship management' and for the fulfilment of any contract or supply of goods. We
      may use your contact information to send you Christmas cards, calendars, newsletters that we circulate from time to time and news about any events we are
      organising or participating in. 

(3) Candidates

      We will use the information provided on your application form to process your application; if successful, this information will be held in your personnel file.

 

WILL THE DATA BE TRANSFERRED OUT OF THE EU? 

Drumgrange utilises Typeform (“Typeform S.L.”), a GDPR-compliant software company based in Barcelona, to build job application forms, collect and collate information about candidates, and facilitate the job application process.

Candidate data submitted to Drumgrange via Typeform are hosted on Amazon Web Services (AWS) servers, which are primarily located in Virginia, United States. Third-party access to information is prevented by implementing in-transit data encryption (end-to-end, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2). Data at rest, including backups of the information, is encrypted using Advanced Encryption Standard (AES) with a 256-bit key.

To find out how Typeform processes data, please read their privacy policy here. To see their security and compliance framework certification, click here.

 

HOW LONG WILL THE DATA BE STORED FOR?

Drumgrange will not retain personal data for longer than necessary for the purpose that it was obtained.

We will retain your personal data as follows:

(1) Employees

     (a) Personnel file - 6 years post-employment

     (b) Accounting records - 3 years

     (c) Medical records (General) - 40 years

     (d) Medical records (Ionising Radiation) - 50 years or age 75

(2) Customers, Suppliers and Business Contacts

      (a) Subject to annual review

(3) Candidates

      (a) Not invited to interview - Not retained beyond the recruitment campaign

      (b) Unsuccessful following interview - 1 year beyond the recruitment campaign

      (c) Successful - Transferred to personnel file

Notwithstanding the above, Drumgrange may retain personal data where the retention is necessary for legal obligations and statutory compliance. 

 

WHAT RIGHTS DOES THE DATA SUBJECT HAVE?

The GDPR provides the following rights to data subjects:

(1) The right to be informed.

      The information as specified within this Privacy Policy on who is collecting the personal data, what data is being collected, the legal basis for processing,        
      whether it is shared with third parties, how the data will be used and how long it will be stored. You will be informed of the purpose for which the personal
      data is being collected, or reference made to this policy, at the time of data collection.

(2) The right of access.

      You have the right to access the personal data we hold about you, how we process the data and why. Any Subject Access Request (SAR) should be made to
      the DPR.

(3) The right to rectification.

      You have the right to have any inaccurate or incomplete information rectified. Requests for rectification should be made to the DPR, identified above.

(4) The right to erasure. 

      You have the right, in some circumstances, to have the personal data held about you erased. Requests for erasure of personal data should be made to the
      DPR.

(5) The right to restrict processing.

      You have the right to restrict the processing of personal data held about you. Requests for restriction of processing should be made to the DPR, identified
      above.

(6) The right to data portability.

      You have the right in some circumstances to request a copy of your personal data and use it for other purposes. Requests for data portability should be made
      to the DPR.

(7) The right to object.

      You have the right to object to how we process your personal data; see below on how to complain.

(8) Rights with respect to automated decision making and profiling.

     Drumgrange does not use any automated decision making or profiling of personal data.

 

HOW CAN THE DATA SUBJECT MAKE A COMPLAINT?

In the first instance, should you have a complaint about how we process your personal data, please contact the Drumgrange Data Protection Representative. If you are not satisfied with the response, you have the right to complain to the Information Commissioner's Office (ICO), https://ico.org.uk/concerns or call the ICO Helpline +44 (0)303 123 1113.