Privacy Policy

DATA PROTECTION POLICY

Statement 

Data Protection Policy for the Stocktake UK Ltd (Registered in England 3050000), Stockcheck Ltd (Reg in England 1706466) and Stocktake Solutions Ltd (t/a Logonn, Reg in England 03298875) group of Companies, all of which are registered at Gillow House, Broughton Hall, Skipton, BD23 3AN.

As part of the working relationship with our customers, only necessary information is recorded and stored. This will only be stored for the purposes required to execute our business. The following information may be stored:

  • First and Last Name
  • Position
  • Employer
  • Contact Details (company, e-mail, phone, physical business address)

This information will be retained for the duration of the working relationship with our customers, and for a period thereafter to ensure all matters have been mutually settled.

Use of the Logonn Stocktaking Software

Logonn stocktaking software may be offered to a Customer for use by their own employees. In these instances the following information may be stored:

  • First and Last Name
  • Position
  • Employer
  • Contact Details (company, e-mail, phone, physical business address)

It is the responsibility of the Customer’s Data Controller to inform us of changes to the Users who require access to their stocktake data within the Software. This information should be sent via e-mail to support@logonn.co.uk.

Generic User logins are not permitted, and it is advised not to share login user information.

A Customer’s Data Controller may request a list of users with access to their stocktake data via the Logonn software. This request should be sent via e-mail to support@logonn.co.uk.

Definitions

Data Subject: a living individual.

Data Controller: the person or organisation that determines the means and the purpose of processing the personal data.

Data Protection Legislation: includes (i) the Data Protection Act 2018, (ii) the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK, and (iii) any successor and supplemental legislation to the Data Protection Act 1998 and the GDPR, in particular the Data Protection Bill 2017-2019 and the E-Privacy Directive (and its proposed replacement), once it becomes law.

Personal data: any information that identifies a living individual (data subject) either directly or indirectly. This also includes special categories of personal data. Personal data does not include data which is entirely anonymous or from which the identity has been permanently removed, making it impossible to link back to the data subject.

Processing: any activity relating to personal data, which can include collecting, recording, storing, amending, disclosing, transferring, retrieving, using or destroying it.

Special categories of personal data: this includes any personal data which reveals a data subject’s ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic, biometric or health data, sex life and sexual orientation.

Criminal records data: means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

Guidelines as Outlined to Employees of Stocktake UK, Stockcheck & Stocktake Solutions (t/a Logonn)

What are the GDPR principles?

We are a data controller. This means that we are required by law to ensure that everyone who processes personal data and special categories of personal data during the course of their work with us does so in accordance with the data protection legislation, including the GDPR principles. In brief, the principles say that:

  • Personal data must be processed in a lawful, fair and transparent way.
  • The purpose for which the personal information is collected must be specific, explicit and legitimate.
  • The collected personal data must be adequate and relevant to meet the identified purpose.
  • The information must be accurate and kept up to date.
  • The personal data should not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which it is used.
  • The personal data must be kept confidential and secure and only processed by authorised personnel.

Other rules under the GDPR state that:

  • The transfer of personal data to a country or organisation outside the EEA should only take place if appropriate measures are in place to protect the security of that data.
  • The data subject must be permitted to exercise their rights in relation to their personal data.

The Company and all employees must comply with these principles and rules at all times in their information-handling practices. We are committed to ensuring that these principles and rules are followed, as we take the security and protection of data very seriously.

You must inform us immediately if you become aware that any of these principles or rules have been breached or are likely to be breached.

Privacy Notices

  • Personal data must be processed in a lawful, fair and transparent way.

Before you begin collecting or processing personal data directly from a data subject you must ensure that an appropriate privacy notice has been issued to the data subject. Different notices are used for employment and commercial purposes. The content of the privacy notice must provide accurate, transparent and unambiguous details of the lawful and fair reason why we are processing the data. It must also explain how, when and for how long we propose to process the data subject’s personal information. We need to include information around the data subjects’ rights and, most importantly, the notice should also explain how we will keep the information secure and protected against unauthorised use.

Where you intend to collect data indirectly from a third party or a public source (e.g. the electoral register), you must ensure that a privacy notice is issued to the data subject within a reasonable period of obtaining the personal data and no later than one month; if the data is used to communicate with the individual, at the latest, when the first communication takes place; or if disclosure to someone else is envisaged, at the latest, when the data is disclosed.

You must only use data collected indirectly if you have evidence that it has been collected in accordance with the GDPR principles.

In all circumstances you must check that you are using an up-to-date version of the Company’s privacy notice and that it is being used in accordance with the Company’s guidelines.

Purpose Limitation

  • The purpose for which the personal information is collected must be specific, explicit and legitimate.

When you collect personal information you will set out in the privacy notice how that information will be used. If it becomes necessary to use that information for a reason other than the reason which you have previously identified you must usually stop processing that information. However, in limited circumstances you can continue to process the information provided that your new reason for processing the personal information remains compatible with your original lawful purpose (unless your original lawful basis was consent).

Adequate and relevant

  • The collected personal data must be adequate and relevant to meet the identified purpose.

You must only process personal data where you have been authorised to do so because it relates to your work or you have been delegated temporary responsibility to process the information. You must not collect, store or use unnecessary personal data and you must ensure that personal data is deleted, erased or removed within the Company’s retention guidelines. You must not process or use personal data for non-work related purposes.

The Company will review its records and in particular employees’ personnel files on a regular basis to ensure they do not contain a backlog of out-of-date or irrelevant information and to check there are lawful reasons requiring information to continue to be held.

Kept for longer than is necessary

  • The personal data should not be kept in a form which permits identification of a data subject for longer than is necessary for the purposes for which it is used.

Kept confidential and secure

  • The personal data must be kept confidential and secure and only processed by authorised personnel.

Transfer to another country

  • Transfer of personal data to countries or organisations outside of the EEA should not be necessary; however, if necessary, it should only take place if appropriate measures are in place to protect the security of that data.

The data subject rights

  • The data subject must be permitted to exercise their rights in relation to their personal data. 

Under the GDPR, subject to certain legal limitations, data subjects have a number of legal rights regarding how their personal data is processed. At any time a data subject can request that the Company take any of the following actions with regard to their personal data:

  • Allow access to the personal data
  • Request corrections to be made to data
  • Request erasure of data
  • Object to the processing of data
  • Request that processing restrictions be put in place
  • Request a transfer of personal data
  • Object to automated decision making
  • Right to be notified of a data security breach

There are different rules and timeframes that apply to each of these rights. You must follow the Company’s policies and procedures whenever you process or receive a request in relation to any of the above rights.

Be aware that those seeking information sometimes use deception in order to gain access to it.

Action to be taken in the event of a data protection breach

A personal data breach will arise whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on a data subject.

A security incident or breach should be reported to Head Office.

Sharing personal data

We may share personal data internally as is necessary. You must always ensure that personal data is only shared with authorised persons and is shared in accordance with the purposes of servicing the appropriate customer. It is not expected that information should be shared with third parties; however, extra care and security must be taken when sharing special categories of data or transferring data outside of the Company to a third party.

Direct Marketing

We are subject to specific rules under the GDPR in relation to marketing our services. Data subjects have the right to reject direct marketing and we must ensure that data subjects are given this option at first point of contact. When a data subject exercises their right to reject marketing you must desist immediately from sending further communications.

Complaints 

If you believe that this policy has been breached by a colleague, or if you wish to exercise any relevant rights or raise queries or complaints, please contact Head Office in the first instance.

Changes to this policy

We reserve the right to change this policy at any time, so please check this document regularly to ensure you are following the correct procedures.