Data Protection Policy
About This Policy
During the activities of Inno Group Ltd’s (we, our, us) business, we collect, store and process Personal Data about our customers, suppliers, service suppliers, sub-contractors, our current and former employees, job applicants, visitors to our websites and others. We understand that the correct and legal processing of this data will maintain confidence in us and will provide for prosperous company operations.
Purpose
This policy outlines our dedication to adopting the right practices when processing Personal Data which we collect or which is given to us, to ensure we collect, manage, process, transfer, store and file Personal Data in compliance with the current legislation, including the General Data Protection Regulation (679/2016/EU) and the Data Protection Act 1998 (the “legislation”). Depending on the circumstances, there will be occasions when Inno Group Ltd serves as the Data Controller or the Data Processor or both. Data users are required to adhere to this policy.
Inno Group Ltd’s Data Protection Champion is responsible for giving advice and guidance to ensure we comply with the legislation and this policy. Any inquiries or concerns about this policy should be addressed to the Data Protection Champion in the first instance at GDPR@innogroupltd.com.
Definitions and Terms
The words and phrases employed in this policy have the following meanings:
- Data Subjects means the people to whom the Personal Data we hold relates.
- Personal Data means data correlating to an individual who can be identified (directly or indirectly) from that data. This Personal Data may be factual (for instance, a name, address or date of birth), or it can be an assumption about that person, their activities and behaviour.
- Data Controllers indicates the people who or organisations which decide the reasons for, and the way that, any Personal Data is handled and processed. They are responsible for ascertaining systems and policies in accordance with the Act.
- Data Processors means any individual, other than an employee of the Data Controller, that processes or prepares the Personal Data on behalf of the Data Controller and can include any individual or organisation that may process Personal Data on our behalf and on our instructions. Data Controllers may include suppliers who manage personal data for us or on our behalf.
- Processing means any activity that includes the use of Personal Data. It includes collecting, recording or storing the data or carrying out any action or set of formulae on the data, including arranging, organising, amending, retrieving, utilising, disclosing, deleting or destroying the data. Processing additionally includes transferring Personal Data to external third parties.
- Sensitive Personal Data means personal information about an individual’s racial or ethnic origin, their political opinions, their religious or any similar beliefs, their trade union memberships or non-memberships, information about their genetics, their biometric data (where used for the purposes of identification) and any information regarding an individual’s mental or physical health and their respective conditions, an individual’s sexual life, orientation or preferences, or concerning the commission of, or proceedings for, any offence committed or allegedly committed by that individual, the conclusion of such proceedings, or the judgment of any court in such proceedings.
Sensitive personal data may only be processed under stringent conditions, including a stipulation requiring the express permission of the person concerned.
Data Protection Principles
We are dedicated to ensuring that whilst processing Personal Data, we adhere to the following principles that Personal Data is:
- processed in a fair way and in accordance with the law;
- processed for a legitimate and lawful purpose and not processed in any way which is not compatible with that legitimate reason;
- adequate, relevant and not excessive for the purpose;
- correct and up to date, with reasonable steps taken to make sure that incorrect Personal Data is deleted or corrected and amended without undue delay;
- not kept for longer than necessary for the purpose for which the Personal Data is processed; and
- stored securely using appropriate organisational and technical measures and is guarded against unlawful or unauthorised processing.
Lawful and Fair Processing
The legislation is not meant to stop the processing of Personal Data but to make sure that it is done in a fair way without adversely affecting the rights and liberties of the Data Subject.
In order to process Personal Data legally, it must be processed on the basis of one of the legitimate and legal grounds given by the legislation as determined by the Data Controller.
This includes, amongst other things, the Data Subject’s permission for the processing, or that the processing is essential for the fulfilment of a contract with the Data Subject, for compliance with a legal responsibility to which the Data Controller is subject, or for the legitimate business interest of the Data Controller or the party or individual to whom the information is disclosed.
When Sensitive Personal Data is being processed, further conditions must be met. While processing Personal Data as Data Controllers in the course of our business, we will make sure that those conditions are met.
Processing for Limited Purposes
We shall only process Personal Data for a specific purpose. We shall notify the Data Subject of those purposes when the Personal Data is first collected or as soon as practicable thereafter.
Informing Data Subjects
When we collect Personal Data directly from the Data Subject, we shall tell them about:
- the intended reason or purposes for processing that Personal Data;
- the types of third parties with whom we may share, or to whom we may disclose, the Personal Data;
- the means with which Data Subjects are able to restrict our use of their Personal Data; and
- how they can restrict the disclosure of the Personal Data.
If we receive Personal Data regarding a Data Subject from external or other sources, we will give the Data Subject this information as soon as practicable thereafter if we plan to retain that data.
We shall also notify Data Subjects whose Personal Data we process that we are the Data Controller with respect to that data.
Sufficient, appropriate and non-excessive processing
We exclusively collect Personal Data to the degree that it is needed for the specific purposes notified to the Data Subject.
Accurate Data
We ensure that the Personal Data we retain is correct and up to date. We verify the accuracy of any Personal Data at the point of collection and at regular intervals thereafter. Inno Group Ltd takes reasonable measures to destroy or amend incorrect or out-of-date data or data that is no longer needed.
Time Processing
We do not hold Personal Data longer than is required for the purpose or objectives for which it was gathered. We will take all feasible steps to destroy or delete all data which is no longer needed from our systems.
Processing Data in Line with the Data Subjects Rights
Inno Group Ltd processes all Personal Data in accordance with Data Subjects’ rights, in particular, their right to:
- request access to any data retained about them;
- stop the processing or use of their data for direct marketing objectives;
- ask to have incorrect data corrected; and
- stop processing that is expected to cause damage or distress to themselves or anyone else.
Data Security
We take the proper security measures against illegal or unauthorised processing and handling of Personal Data and against accidental damage to or loss of Personal Data.
We put in place methods and technologies to maintain the safety of all Personal Data from the point of collecting the data to the point of disposal. Personal Data will only be assigned to a data processor if they agree to comply with those methods and policies or if they put in place sufficient measures themselves.
We maintain data security by guarding the confidentiality, integrity and availability of Personal Data, described as follows:
- confidentiality means that only individuals who are permitted to use the data can access it.
- integrity means that Personal Data should be accurate and suitable for the purposes for which it is being processed.
- availability means that approved and/or authorised users should be able to have access to the information if they need it for permitted purposes.
Personal Data shall not, therefore, be stored on individual Team Members’ PCs, but rather on Inno Group Ltd’s Google Drive Workspace account due to its verification of security, privacy, and compliance controls. Google Workspace and Google Cloud Platform undergo several independent third-party audits on a regular basis to provide security assurance and hold the following certifications:
- ISO/IEC 27001 (Information Security Management)
- ISO/IEC 27017 (Cloud Security)
- ISO/IEC 27018 (Cloud Privacy)
- ISO/IEC 27701 (Privacy Information Management)
- SSAE18/ISAE 3402 (SOC 2/3)
Transferring Personal Data Outside the EEA
We may transfer any Personal Data we keep to a country outside the European Economic Area, the “EEA”, if one or more of the following circumstances apply:
- the location/country in which the Personal Data is assigned assures an adequate level of protection and security for the Data Subjects’ rights and liberties; or
- the Data Subject has provided their consent; or
- the transfer is necessary to preserve the vital interests of the Data Subject, or for a purpose set out in the law, including the execution of a contract between Inno Group Ltd and the Data Subject; or
- the transfer is lawfully required to exercise or defend against legal claims, or required on the grounds of important public interest, or for the establishment; or
- the transfer is allowed by the applicable data protection authority where we have adduced adequate safeguards with respect to the security of the Data Subjects’ privacy, their basic rights and freedoms, and the application of these rights.
Personal Data may additionally be handled by personnel serving outside the EEA who work for Inno Group Ltd or one of our suppliers. If this occurs, we examine that supplier’s data protection policy, methods and procedures.
Sharing and Disclosure of Personal Data
Inno Group Ltd may share Personal Data we keep with any members of our organisation, which means our subsidiaries (if any/applicable), our ultimate holding company (if any/applicable) and its subsidiaries (if any/applicable).
We may also reveal Personal Data we keep to external third parties:
- in the case that we were to buy or sell any assets or business, in which instance we may share Personal Data we hold with the proposed seller or buyer of such business or assets.
- if we or a substantial amount of our assets are acquired by an external third party, in which event Personal Data we hold will be one of the transferred assets sold.
- if we are under a duty to disclose or share a Data Subject’s Personal Data to comply with a lawful obligation, or to implement or apply any contract with the Data Subject or additional agreements; or to preserve our rights, property, or safety of our employees, customers, or others. This entails the exchange of data with other businesses and organisations for the purposes of fraud protection and credit risk reduction.
Dealing with Data Subject Access Requests
Data Subjects are required to make a formal request for data we retain about them. This request must be made to us in writing.
Changes to This Policy
We maintain the right to amend this policy at any given time.