Data Protection Policy
1.0 Principles
In order to operate effectively and fulfil its legal obligations, A&G Travel Group needs to collect, maintain and use certain personal information about current, past and prospective employees, clients, suppliers and other individuals with whom it has dealings. All such personal information, whether held on computer, paper or other media, will be obtained, handled, processed, transported and stored lawfully and correctly, in accordance with the safeguards contained in the General Data Protection Regulations and the Data Protection Act 2018 (GDPR).
A&G Travel Group is committed to the eight principles of data protection as detailed in the GDPR. These principles require that personal information must:
1.1 be fairly and lawfully processed and not processed unless specific conditions are met;
1.2 be obtained for one or more specified, lawful purposes and not processed in any manner incompatible with those purposes;
1.3 be adequate, relevant and not excessive for those purposes;
1.4 be accurate and, where necessary, kept up to date;
1.5 not be kept for longer than is necessary;
1.6 be processed in accordance with the data subject’s rights under the GDPR;
1.7 be kept secure form unauthorised or unlawful processing and protected against accidental loss, destruction or damage; and
1.8 not be transferred to countries outside the European Economic Area (EEA) unless the country or territory ensures adequate protection for the rights and freedoms of the data subjects.
2.0 Compliance
- observe fully all conditions regarding the fair collection and use of personal information;
- meet its legal obligations to specify the purpose for which information is used;
- collect and process appropriate personal information only to the extent that it is needed to fulfil operational needs or to comply with legal obligations;
- ensure the quality of the personal information used;
- apply strict checks to determine the length of time personal information is held;
- ensure that individuals about whom information is held are able to exercise their rights under the GDPR, including the right to be informed that processing is taking place, the right of access to their own personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase incorrect information;
- take appropriate technical and organisational security measures to safeguard personal information; and
- ensure that personal information is not transferred outside the EEA without suitable safeguards.
3.0 Responsibilities
Overall responsibility for ensuring that the Company complies with its data protection obligations rests with the Directors.
It is the responsibility of all employees to ensure that personal information provided to the Company, for example current address, is accurate and up to date. To this end employees are required to inform the Company immediately when changes occur.
Employees whose role involves the collection, maintenance and processing of personal information about other employees, clients, suppliers or any other individuals with whom the Company has dealings are responsible for following the Company’s rules on good data protection practice as notified from time to time by the Directors.
4.0 Information about employees
A&G Travel Group holds some personal information about its employees and this information is used for payroll and administrative purposes.
5.0 Access to information
Anyone who is the subject of personal information held by the Company has the right to make a subject access request. Employees who wish to exercise this right should write to the Directors. If, as the result of a subject access request, any personal information is found to be incorrect it will be amended. The Company will deal promptly with subject access requests and will normally respond within one month. If there is a reason for delay, the person making the request will be informed accordingly.
6.0 IT communications and monitoring
A&G Travel Group provides employees with access to various computer facilities for work and communication purposes. In order to ensure compliance with all applicable laws in relation to data protection, information security and compliance monitoring, the Company has adopted an IT communications and monitoring policy, which should be read in conjunction with this data protection policy.
7.0 Breach of the policy
Breach of this policy will be regarded as a disciplinary offence and will be dealt with under the Company’s formal discipline procedure.
Employees who consider that there has been a breach of this policy in relation to personal information about them held by the Company should raise the matter via the Company’s formal grievance procedure.