Data Protection Policy
1. Introduction
This Data Protection Policy outlines how John and Van Services Ltd (“the Company”) collects, uses, stores, and protects personal data in compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.
2. Scope
This policy applies to all employees, contractors, and third parties who handle personal data on behalf of the Company. It covers all personal data processed by the Company, whether in electronic or physical form.
3. Data Protection Principles
The Company is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly, and in a transparent manner in relation to individuals.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data.
4. Lawful, Fair, and Transparent Processing
The Company will ensure that data is processed lawfully, fairly, and in a transparent manner, without adversely affecting the rights of the data subject. This means that the Company will only collect and process personal data where:
- The data subject has given consent to the processing.
- The processing is necessary for the performance of a contract with the data subject.
- The processing is necessary for compliance with a legal obligation.
- The processing is necessary to protect the vital interests of the data subject or another person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- The processing is necessary for the purposes of legitimate interests pursued by the Company or a third party, except where such interests are overridden by the rights and freedoms of the data subject.
5. Data Collection
Personal data must be collected and processed according to legal guidelines. Employees are required to ensure that any data collected is necessary for the specified purpose and that the data subject is informed of the purpose and their rights.
6. Data Security
The Company shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This includes:
- Ensuring the confidentiality, integrity, and availability of personal data.
- Regularly assessing and evaluating the effectiveness of technical and organizational measures to ensure data security.
7. Data Subject Rights
Data subjects have the following rights regarding their personal data:
- Right to access: Data subjects can request access to their personal data.
- Right to rectification: Data subjects can request correction of inaccurate or incomplete data.
- Right to erasure: Data subjects can request the deletion of their personal data.
- Right to restrict processing: Data subjects can request the restriction of processing.
- Right to data portability: Data subjects can request the transfer of their data to another organization.
- Right to object: Data subjects can object to the processing of their data.
8. Data Breach Notification
In the case of a data breach, the Company will follow the procedures outlined in its Data Breach Response Plan, including notifying the relevant supervisory authority and, where required, the data subjects affected.
9. Data Retention
Personal data shall be retained only as long as necessary for the purpose for which it was collected. The Company will implement procedures to ensure data is regularly reviewed and securely deleted when no longer needed.
10. Third-Party Processors
The Company will ensure that any third parties engaged to process personal data on its behalf comply with this policy and have adequate measures in place to protect data.
11. Responsibilities
- Data Protection Officer (DPO): The DPO is responsible for overseeing the implementation of this policy, providing training, and conducting regular audits.
- Employees: All employees must adhere to this policy and report any data protection concerns to the DPO.
12. Training
The Company will provide regular training to employees to ensure they understand their responsibilities under this policy and relevant data protection laws.
13. Policy Review
This policy will be reviewed annually and updated as necessary to ensure compliance with data protection laws.