Data Protection Policy

Introduction


Purpose


Vulcan Engineering Limited is committed to being transparent about how it collects and uses the personal data of its workforce and to meeting its data protection obligations. This policy sets out the organisation's commitment to data protection, as well as individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, workers, contractors, volunteers, interns, apprentices, former employees, clients, or other personal data processed for business purposes.

Vulcan Engineering Limited has appointed the Governance Committee to oversee data protection compliance within the organisation. They can be contacted at louise.ebdon@vulcan-eng.com. Questions about this policy or requests for further information should be directed to them.

Definitions

  • Personal data: Any information that relates to an individual who can be identified from that information.
  • Processing: Any use of data, including collecting, storing, amending, disclosing, or destroying it.
  • Special categories of personal data: Information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and biometric data.
  • Criminal records data: Information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data Protection Principles

Vulcan Engineering Limited processes personal data in accordance with the following principles:

  • Processes personal data lawfully, fairly, and transparently.
  • Collects personal data for specified, explicit, and legitimate purposes.
  • Processes data only where it is adequate, relevant, and limited to what is necessary for processing purposes.
  • Ensures that personal data is accurate and takes reasonable steps to rectify or delete inaccurate data promptly.
  • Retains personal data in line with the Data Retention Policy.
  • Implements appropriate security measures to protect data against unauthorised processing, loss, destruction, or damage.

The organisation provides clear reasons for processing personal data, including its use and legal basis, in its privacy notices.

Special categories of personal data or criminal records data are processed in accordance with statutory obligations.

Individual Rights

Subject Access Requests

Individuals can request access to their personal data by submitting a Subject Access Request (SAR). Upon request, the organisation will provide:

  • Details on whether data is processed, why, the categories involved, and the source (if not collected from the individual).
  • Information about recipients of the data, including those outside the EEA, and any safeguards.
  • Retention periods for the data.
  • Rights to rectify, erase, restrict processing, or object to processing.
  • The right to complain to the Information Commissioner.
  • Information on automated decision-making, if applicable.

Requests should be submitted to the HR Executive at louise.ebdon@vulcan-eng.com. Proof of identification may be required.

The organisation will respond within one month, with the possibility of extending to three months for large or complex requests. In such cases, individuals will be notified within the first month.

If a request is deemed manifestly unfounded or excessive, the organisation may decline to comply or charge a fee based on administrative costs.

Other Rights

Individuals also have the right to:

  • Rectify inaccurate data.
  • Request the organisation to stop processing or erase data no longer needed.
  • Object to processing where their interests outweigh the organisation’s legitimate interests.
  • Have the organisation stop processing data if the processing is unlawful.
  • Have processing suspended during disputes about accuracy or legitimacy.

Requests for these actions should be sent to the HR Executive.

Data Security

Vulcan Engineering Limited employs internal policies and controls to protect personal data, including measures to prevent:

  • Loss or accidental destruction.
  • Misuse or unauthorised disclosure.

Employees must:

  • Access only authorised data for specific purposes.
  • Keep data secure (e.g., password-protect systems, follow secure storage and destruction rules).
  • Avoid storing personal data on local or personal devices.

Failure to observe these requirements may result in disciplinary action, including gross misconduct for deliberate breaches.

Impact Assessments

When data processing poses risks to privacy, the organisation will conduct a Data Protection Impact Assessment (DPIA). This will evaluate:

  • Processing purposes.
  • Associated risks.
  • Mitigation measures to address those risks.

Data Breaches

The organisation will report data breaches posing risks to individuals’ rights to the Information Commissioner within 72 hours of discovery.

If a breach presents a high risk to individuals’ rights, they will be informed about the breach, its consequences, and any mitigation measures.

International Data Transfers

Personal data may be transferred outside the EEA under GDPR guidelines, such as the EU-US Privacy Shield, ensuring compliance with all GDPR rules and policies.

Individual Responsibilities

Employees, contractors, and others with access to personal data must:

  • Keep personal data up to date.
  • Access only authorised data and for legitimate purposes.
  • Keep data secure and comply with organisational protocols.

Training

The organisation provides data protection training during employee induction and at regular intervals thereafter.

Additional training is provided to individuals with regular access to personal data or responsibilities related to this policy.

For further information, visit:
UK/World: +44 (0) 114 249 3333 | USA: +1 952 955 8800 | www.vulcanseals.com | contact@vulcanseals.com
