Glasscare™ LIMITED – DATA PROTECTION POLICY

Welcome to the glasscare® Data Protection Policy. Here you can find all you need to understand what glasscare® needs and expects of you, our suppliers and customers, with regard to data protection compliance. You can also find references to various other glasscare® data protection-related documents and policies. This Policy will be updated regularly to reflect changes in the law but also any changes to our practices at glasscare®.

glasscare® takes the protection of personal data very seriously. It is essential to our organisation that we are transparent in the way we use personal data and do so in a way that complies with the law and, of course, is aligned with our Group’s purpose. With the implementation of the GDPR (‘EU General Data Protection Regulation’) in May 2018, and the world becoming ever more digital, the spotlight on data protection and the expectations on businesses to take steps to protect personal data have increased significantly and are expected to continue to do so.

If you have any queries about any of the information found in this Policy or in any related documents, please do not hesitate to contact Graham Clarke or a member of the management team.

2. DATA PROTECTION @ glasscare® (AN OVERVIEW)

This Policy and other relevant documents will be supplemented and amended as necessary over time as the law and our business evolve, and to support those of you in roles with significant exposure to data protection issues. In addition to this Policy, you will be provided with or have access to other relevant documents via other channels (for example, you will have separately been provided with a copy of the glasscare® Employee Privacy Notice, setting out how glasscare® will use (or ‘process’) the personal data it holds on you). Please note that your compliance with the standards described in this Policy is mandatory and any breach may result in glasscare® taking disciplinary action against you.

3. THE GDPR AND OUR NEED TO COMPLY WITH IT

The GDPR was established to provide a relevant law for the protection of personal data as a result of the ever-evolving digital economy and the way that personal data is used in many aspects of life. It also looks at the security measures glasscare® has in place as an organisation and strengthens the protections available for individuals in light of the value of personal data.

Version 1 5 30th January 2025

The correct and lawful treatment of personal data will maintain confidence in glasscare® and will provide a framework for successful business operations. glasscare™ aspires to implement best practice with regard to data protection.

The consequences of getting it wrong are a significant risk to glasscare®’s business. In a worst-case scenario, failure to comply with the GDPR may expose glasscare™ to large fines of up to 4% of worldwide annual group turnover. This alone means it is vital to glasscare® to ensure it complies with the GDPR and that you are aware of what is potentially at stake.

4. MEANING OF ‘PERSONAL DATA’

Data protection law relates to personal data. Personal data is any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other data we possess or can reasonably access. For example, names and contact details are all personal data, and it may be that some other data is also personal data in less obvious circumstances (e.g. part of a post code could be personal data if it is possible to identify an individual from it). Personal data excludes anonymous data or data that has had the identity of an individual permanently removed.

We also refer to processing of personal data in this Policy and in our various documents. Processing refers to any activity which involves the use of personal data and includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.

5. CORE PRINCIPLES OF THE GDPR

Organisations must comply with the core principles of the GDPR which are:

  • Personal data must be processed lawfully, fairly and in a transparent manner.
  • Personal data must be collected only for specified, explicit and legitimate purposes.
  • Personal data must be adequate, relevant and limited to what is necessary in relation to the
    purposes for which it is processed.
  • Personal data must be accurate and where necessary kept up to date.


  • Personal data must not be kept in a form which permits identification of individuals for longer than
    is necessary for the purposes for which the data is processed.
  • Personal data must be processed in a manner that ensures its security using appropriate technical
    and organisational measures to protect against unauthorised or unlawful processing and against
    accidental loss, destruction or damage.
  • Personal data must not be transferred to another country without appropriate safeguards being
    in place.
  • Personal data must be made available to individuals and individuals are allowed to exercise
    certain rights in relation to their personal data.

6. QUESTIONS YOU SHOULD ASK YOURSELF WHEN USING PERSONAL DATA OF OTHER INDIVIDUAL(S)

When you do anything in relation to personal data (including even when you just receive it into your inbox), please consider the following:

  • Who has sent me the personal data?
  • Should I have been sent the personal data?
  • Do I actually need the personal data to perform my role?
  • Am I sending the personal data to: (i) anyone within glasscare™; (ii) anyone outside of glasscare™?
  • How am I going to store the personal data or will I delete it once I have used it?

In each case, if you are unsure whether you should be using any personal data you have received (or whether you should have received it in the first place), or the answer to any of the questions above, then please contact a member of the management team who will liaise with you and any other members of your team as appropriate.

7. DATA PROTECTION IMPACT ASSESSMENTS

Where, as part of any new project or initiative, it is proposed that glasscare™ will carry out processing of personal data that is particularly high risk (such as, for example, processing of large volumes of health data) it may be appropriate for glasscare™ to carry out a formal Data Protection Impact Assessment and retain a record of the same.

8. SHARING PERSONAL DATA WITH THIRD PARTIES (INCLUDING SUPPLIERS)

Generally, glasscare® is not allowed to share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the personal data we hold with third parties, such as our service providers, if:

  • they have a need to know the information for the purposes of providing the contracted services;
  • the third party has agreed to comply with the required data security standards, policies and
    procedures and put adequate security measures in place; and
  • a fully executed written contract that contains GDPR approved third party clauses has been
    obtained.

9. MY PERSONAL DATA AS AN EMPLOYEE OR CONTRACTOR

At glasscare® we will process your personal data for the period of time you work for or with us. We set out how we do this in our privacy notice, which contains details of the purposes for which we use your personal data and the legal basis on which we are entitled to process it. This helps us comply with our obligation to be transparent to you as employees and contractors in how we process your personal data and gives you details on how you can exercise your rights as individuals in relation to your own personal data. A copy of the glasscare™ Employee Privacy Notice will have been emailed to you and a further copy is available upon request from the management team.

10. REQUESTS FROM INDIVIDUALS OUTSIDE OF OUR ORGANISATION ABOUT THEIR PERSONAL DATA THAT WE MAY HOLD

From time to time glasscare® receives requests from customers, suppliers and various other external individuals in relation to their personal data. These may include requests or notifications, where the individual wishes to:


  • withdraw consent to glasscare® processing their personal data;
  • receive certain information about how glasscare™ processes their personal data;
  • access their personal data that we hold;
  • prevent our use of their personal data for direct marketing purposes;
  • require glasscare® to erase personal data if it is no longer necessary in relation to the purposes
    for which it was collected or processed by glasscare™, or to rectify inaccurate data or to
    complete incomplete data;
  • restrict glasscare® processing their personal data in specific circumstances;
  • challenge processing which has been justified on the basis of glasscare™’s legitimate
    interests or in the public interest;
  • request a copy of our intra-group data sharing arrangements;
  • object to decisions based solely on automated processing, including profiling;
  • prevent processing that is likely to cause damage or distress to the individual or anyone
    else;
  • be notified of a personal data breach which is likely to result in high risk to their rights and
    freedoms;
  • make a complaint to the ICO; and
  • in limited circumstances, receive or ask for their personal data to be transferred to a third
    party in a structured, commonly used and machine-readable format.

glasscare® needs to consider very carefully how it responds to all of these types of request as there are potential adverse consequences of an incorrect or delayed response. In the event that you receive any such request (or any request that appears similar to the above) then please immediately forward the request to Graham Clarke at graham.clarke@glasscare®.online who will manage glasscare™’s response within five business days. A failure by glasscare® to respond to any such request may result in a failure by glasscare™ to comply with the GDPR. Please be aware that some individuals may try to get you to disclose personal data without following due internal process, and for obvious reasons this must not occur.


11. DATA SECURITY MEASURES

Personal data must be secured by glasscare® using appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.

You are responsible for protecting the personal data we hold. You must follow all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.

You must comply with all applicable aspects of our IT Security Policy.

12. HOW LONG SHOULD glasscare® HOLD PERSONAL DATA FOR?

As part of our review process we have identified the different types of personal data processed by glasscare™. You will be provided with guidance on how long you should keep the personal data that you come into contact with during the performance of your role. In broad terms glasscare™ should retain data:

  • For as long as there is a reasonable and legally justifiable business need, such as
    managing our relationships with customers and suppliers;
  • For as long as we provide or receive services and for as long as someone could bring a
    legal or regulatory claim against us or investigation relating to our affairs; and
  • In line with the applicable legal and regulatory retention periods that are prescribed for
    each category/data type.

13. RECORD KEEPING

glasscare® is required to keep detailed records about the ways in which it processes personal data. These records are owned and maintained by the management team. In the event that you are involved in a new project or initiative which may involve the processing of personal data by glasscare®, please liaise with Graham Clarke to ensure that glasscare®’s data protection records are updated appropriately.


14. PERSONAL DATA BREACHES AND OTHER DATA LEAKS

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This could be a confidentiality breach (an unauthorised or accidental disclosure of, or access to, personal data), an availability breach (an accidental or unauthorised loss of access to, or destruction of, personal data) or an integrity breach (an unauthorised or accidental alteration of personal data), or any combination of these. It need not involve an actual external loss of data, and it can be deliberate or accidental.

You may at any time become aware of a personal data breach or that a personal data breach may have happened or is likely to happen in the future. Where this is the case, each glasscare® employee or contractor is required immediately to report the same to Graham Clarke or a member of the management team.

It is particularly important that a personal data breach is considered via appropriate channels as soon as someone within glasscare® becomes aware of it, particularly because glasscare™ may need to notify the Information Commissioner’s Office (ICO) within 72 hours of the personal data breach. Graham Clarke owns and maintains a personal data breach protocol and record and will manage glasscare®’s response to any personal data breach, in conjunction with you and any other business stakeholders as necessary.

It will be the responsibility of Graham Clarke, DPO, to inform the customers of glasscare® Limited within 24 hours of a potential or confirmed data breach and to provide them with regular updates on actions taken to confirm and/or mitigate the breach.