Data Privacy Notice
Personal data relates to a living individual who can be identified from that data. Identification can be the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 “GDPR” and the Data Protection Act 2018.
The owner of that personal data is referenced in the legislation as the Data Subject. Lamex Food Group Limited and all Lamex Group Entities (Group’s subsidiaries) are the Data Controllers and determine how your personal data is processed and for what purposes. Lamex Food Group Limited and its subsidiaries comply with their obligations under GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
2. Purposes for collecting and using data
We collect and use personal data for the following purposes:
- Management and administrative use;
- To conclude the supply of goods to our customers;
- To protect our customers, employees and other individuals and maintain their safety, health and welfare;
- To promote, market and advertise our products;
- To comply with a supply agreement and an order;
- To conclude the purchase of goods;
- To comply with a purchase agreement and an order;
- To conclude the transportation of goods;
- To comply with a transportation agreement;
- To conclude the storage of goods;
- To comply with a storage and haulier agreement;
- To maintain our accounts and records;
- To enable us to run our business and manage our relationship with our employees effectively, lawfully and appropriately, during the recruitment process, whilst our employees are working for us, at the time when their employment ends and after they have left our company;
- To comply with our employment contracts;
- To comply with any legal and regulatory obligations and requirements;
- To pursue the legitimate interests of our company;
- To protect our legal position in the event of legal proceedings;
- To deliver the obligations that the individuals have requested;
- To inform individuals of news, activities and services running at Lamex Group;
- To share your contact details with other processors and sub-processors so that the purchase, supply, order, storage and transportation can be concluded;
- To prevent, investigate and detect crime, fraud and anti-social behaviour and prosecute offenders;
- To handle customers’ and suppliers’ contracts, queries, complaints and disputes;
- To manage insurance claims by customers, suppliers and third parties;
- To protect our Company, our employees, our suppliers and customers, by taking legal action against third parties who have committed criminal acts or are in breach of legal obligations to Lamex Group and Lamex Entities;
- To effectively handle any legal claims or regulatory enforcement actions taken against Lamex Group and Lamex Entities; and
- To fulfil our duties to our suppliers, customers, employees, shareholders and stakeholders.
3. Process of personal data
As a Company pursuing trading activities worldwide, we may sometimes need to process your data when:
- processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
- processing is necessary for compliance with a legal obligation;
- processing is necessary to protect vital interests of a data subject or another person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject;
- processing is based on the explicit consent of the data subject;
- processing is necessary for carrying out obligations under employment, social security, or a collective agreement;
- processing is necessary to protect the vital interests of the data subject or another individual where the data subject is physically or legally incapable of giving consent;
- processing relates to personal data manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest because of EU Member State Law;
- processing is necessary for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services because of EU or Member State law or a contract with a health professional;
- processing is necessary for the reasons of public interest around public health;
- processing is necessary for archiving purposes in the public interest or scientific and historical research or statistical purposes.
Your personal data will be treated as strictly confidential, and will be shared only with the high management of Lamex Group.
4. Type of personal data we collect
Much of the information we hold will have been provided by you, but some may come from other internal or external sources.
The sort of information we hold regarding our employees may include disabilities, medical records, origin, religion, date of birth, nationality, bank account number, social security number, personal tax number, criminal record, credit history check, driving license and checks, family details, disciplinary records, working visa, photo, visual identifiers, performance plan progress, or gender identifiers.
The sort of information we hold regarding our customers, suppliers and third parties includes name, contact details, telephone number, email address and address.
You will inevitably be referred to in many company documents and records that are produced by you and your colleagues during the performance of your duties and the business of the company. You should refer to the Data Protection Policy.
Where necessary we may keep information relating to your health, which could include reasons for absence and reports and notes. This information will be used to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. Where we may process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, criminal record, credit history check, family details, disciplinary records, working visa, photo, visual identifiers, performance plan progress, gender identifiers etc. we will always obtain your explicit consent to those activities, unless this is not required by law or the information is required to protect your health in an emergency.
In addition, we monitor computer and mobile telephone use, as detailed in our policy.
5. Sharing Data with Third Parties
Other than mentioned below, we will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to an external provider.
More specifically, to make certain services available to you, we may need to share your personal data with some of our service partners. These include IT software companies, insurance companies and insurance brokers, external lawyers, consultants, external auditors etc.
Lamex Group only allows the service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We also impose contractual obligations on service providers relating to data protection security.
Aside from the service providers, Lamex Group will not disclose your personal data to third parties, except as set out below. We may share your data with:
- Our carefully selected partners who provide Lamex Group branded products and services, if we have your consent to do so;
- Governmental bodies, regulators, law enforcement agencies, court/tribunals and insurers where we are required to do so either to comply with our legal obligations, or to exercise our legal rights, or for the prevention, detection, investigation of crime, prosecution and for the protection of our employees, suppliers and customers.
In limited and necessary circumstances, your information may be transferred outside of the EEA or to an international organisation to comply with our legal or contractual requirements. We have safeguards in place to ensure the security of these data, as we monitor that all our processors outside of the EEA are registered with the relevant Data Protection Authorities or follow the relevant Data Protection Regulations. We must always ensure that the transfer will be compliant with the Data Protection Law and that all personal data will be secured. One standard practice is to use “standard data protection clauses” which have been approved by the European Commission for such transfers. (https://ec.europa.eu/info/law/law-topic/data-protection_en)
6. Retention of Data
Your personal data will be stored for a period of 6 years plus the current year. As stated in our Data Protection Policy and our Data Retention Policy, personal data should not be stored and held for more than six years after it ceases to be current, unless there is a specific reason for doing so. The definition of current will vary according to the personal data.
It should be remembered that the current plus six years rule is the usual maximum period of retention. If there is no need to keep personal data that long, then it should be disposed of securely before the six-year time limit. Exemptions from the six-year retention rule are the following categories:
- Job applicants and Contractors Records are retained for seven years plus the current year;
- Financial Records are retained for ten years plus the current year;
- Data Protection Requests are retained for seven years plus the current year;
- Personnel Records are retained for ten years plus the current year;
- Health and Safety Records are retained for ten years plus the current year.
When the above-mentioned period for each data category has expired, Lamex has the right to erase or destroy the personal data without any impact.
7. Future Process of data
When in the future we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information.
Lamex Group is committed to keeping your personal data safe and secure. Our security measures include:
- Encryption of data;
- Regular cyber security assessments and crisis management exercises to ensure that we are ready to respond to cyber security attacks and data security incidents;
- Daily penetration testing of systems;
- Security controls which protect the entire Lamex Group’s IT infrastructure from external attack and unauthorised access; and
- Internal policies setting out our data security approach and training for employees.
9. Legal Basis for processing your data
Lamex collects and uses personal data because it is necessary for:
- The purposes of complying with our duties and exercising our rights under a contract for the sale or a purchase or transportation or storage of goods;
- The purposes of complying with our duties and exercising our rights under an employment contract or a contract with a third party;
- The pursuit of our legitimate interest; and
- Compliance with legal obligations.
In general, we will only rely on consent as a legal basis for processing in relation to direct marketing purposes (very limited with respect to Lamex Group). Where we are processing data based on consent, the data subjects have the right to withdraw that consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.
10. Your Rights
Under the General Data Protection Regulation and the Data Protection Act 2018 the data subject has many rights with regard to their personal data. The rights that you have are the following:
- The right to request from us access to and rectification or erasure of your personal data;
- The right to restrict or object to the processing of your personal data;
- The right to request that Lamex as the Data Controller provides you with your personal data and where possible, to transmit that data directly to another data controller, known as the right to data portability (only where processing is based on consent or it is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means);
- The right to request a copy of your personal data that Lamex holds about you from our Senior Responsible Officer, Michael Crane;
- The right to withdraw your consent to the processing at any time (only if consent is relied upon as a processing condition), which will not affect the lawfulness of the processing before your consent was withdrawn;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
- The right to object to the processing of personal data (only applies where processing is based on legitimate interest);
- The right to lodge a complaint with the Information Commissioner’s Office if you believe that Lamex has not complied with the requirements of the GDPR or the DPA 2018 regarding your personal data.
11. Contact Information
Lamex Food Group Limited and all Lamex Entities (the Group’s subsidiaries) are the Controllers of the data for the purposes of GDPR and DPA 2018.
To exercise all relevant rights, to raise queries or complaints, or if you have any concerns as to how your data is processed, you can contact:
Michael Crane, Senior Responsible Officer at firstname.lastname@example.org or at 0044 (0) 1992 473 879 or you can send a letter to our Senior Responsible Officer at 2nd Floor Building B, Turnford Place, Great Cambridge Road, Turnford, Broxbourne, Hertfordshire, EN10 6NH, UK.