Welcome to the glasscare® Data Protection Policy. Here you can find all you need to understand what glasscare® needs and expects of you, our suppliers and customers, with regard to data protection compliance. You can also find references to various other glasscare® data protection-related documents and policies. This Policy will be updated regularly to reflect changes in the law and any changes to our practices at glasscare®.
glasscare® takes the protection of personal data very seriously. It is essential to our organisation that we are transparent in the way we use personal data and do so in a way that complies with the law and, of course, is aligned with our Group’s purpose. With the implementation of the GDPR (“EU General Data Protection Regulation”) in May 2018, and the world becoming ever more digital, the spotlight on data protection and the expectations on businesses to take steps to protect personal data have increased significantly and are expected to continue to do so.
If you have any queries about any of the information found in this Policy or in any related documents, please do not hesitate to contact Graham Clarke or a member of the management team.
This Policy and other relevant documents will be supplemented and amended as necessary over time as the law and our business evolve and to support those of you in roles with significant exposure to data protection issues.
In addition to this Policy, you will be provided with or have access to other relevant documents via other channels. For example, you will have separately been provided with a copy of the glasscare® Employee Privacy Notice, setting out how glasscare® will use (or “process”) the personal data it holds on you.
Please note that your compliance with the standards described in this Policy is mandatory and any breach may result in glasscare® taking disciplinary action against you.
The GDPR was established to provide a relevant law for the protection of personal data as a result of the ever-evolving digital economy and the way that personal data is used in many aspects of life. It also looks at the security measures glasscare® has in place as an organisation and strengthens the protections available for individuals in light of the value of personal data.
Version 1.5 – 30th January 2025
The correct and lawful treatment of personal data will maintain confidence in glasscare® and will provide a framework for successful business operations. glasscare™ aspires to implement best practice with regard to data protection.
The consequences of getting it wrong are a significant risk to glasscare®’s business. In a worst-case scenario, failure to comply with the GDPR may expose glasscare™ to large fines of up to 4% of worldwide annual group turnover. This alone means it is vital to glasscare® to ensure it complies with the GDPR and that you are aware of what is potentially at stake.
Data protection law relates to personal data. Personal data is any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other data we possess or can reasonably access.
For example, names and contact details are all personal data, and it may be that some other data is also personal data in less obvious circumstances, such as part of a postcode if it is possible to identify an individual from it. Personal data excludes anonymous data or data that has had the identity of an individual permanently removed.
We also refer to processing of personal data in this Policy and in our various documents. Processing refers to any activity which involves the use of personal data and includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
Organisations must comply with the core principles of the GDPR, which are:
When you do anything in relation to personal data, including when you simply receive it into your inbox, please consider the following:
In each case, if you are unsure whether you should be using any personal data you have received, or whether you should have received it in the first place, or the answer to any of the questions above, then please contact a member of the management team who will liaise with you and any other members of your team as appropriate.
Where, as part of any new project or initiative, it is proposed that glasscare™ will carry out processing of personal data that is particularly high risk, such as processing large volumes of health data, it may be appropriate for glasscare™ to carry out a formal Data Protection Impact Assessment and retain a record of the same.
Generally, glasscare® is not allowed to share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the personal data we hold with third parties, such as our service providers, if:
At glasscare® we will process your personal data for the period of time you work for or with us. We set out how we do this in our privacy notice, which contains details of the purposes for which we use your personal data and the legal basis on which we are entitled to process it.
This helps us comply with our obligation to be transparent to you as employees and contractors in how we process your personal data and gives you details on how you can exercise your rights as individuals in relation to your own personal data.
A copy of the glasscare™ Employee Privacy Notice will have been emailed to you and a further copy is available upon request from the management team.
From time to time glasscare® receives requests from customers, suppliers and various other external individuals in relation to their personal data. These may include requests or notifications where the individual wishes to:
glasscare® needs to consider very carefully how it responds to all of these types of requests as there are potential adverse consequences of an incorrect or delayed response.
In the event that you receive any such request, or any request that appears similar to the above, then please immediately forward the request to Graham Clarke at graham.clarke@glasscare.online who will manage glasscare™’s response within five business days.
A failure by glasscare® to respond to any such request may result in a failure by glasscare™ to comply with the GDPR. Please be aware that some individuals may try to get you to disclose personal data without following due internal process, and for obvious reasons this must not occur.
Personal data must be secured by glasscare® using appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
You are responsible for protecting the personal data we hold. You must follow all procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.
You must comply with all applicable aspects of our IT Security Policy.
As part of our review process we have identified the different types of personal data processed by glasscare™. You will be provided with guidance on how long you should keep the personal data that you come into contact with during the performance of your role.
In broad terms glasscare™ should retain data:
glasscare® is required to keep detailed records about the ways in which it processes personal data. These records are owned and maintained by the management team.
In the event that you are involved in a new project or initiative which may involve the processing of personal data by glasscare®, please liaise with Graham Clarke to ensure that glasscare®’s data protection records are updated appropriately.
Version 1.10 – 30th January 2025
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This could be:
It may not necessarily be an actual external loss of data and can be deliberate or accidental.
You may at any time become aware of a personal data breach or that a personal data breach may have happened or is likely to happen in the future. Where this is the case, each glasscare® employee or contractor is required immediately to report the same to Graham Clarke or a member of the management team.
It is particularly important that a personal data breach is considered via appropriate channels as soon as someone within glasscare® becomes aware of it, particularly because glasscare™ may need to notify the Information Commissioner’s Office (ICO) within 72 hours of the personal data breach.
Graham Clarke owns and maintains a personal data breach protocol and record and will manage glasscare®’s response to any personal data breach, in conjunction with you and any other business stakeholders as necessary.
It will be the responsibility of Graham Clarke, DPO, to inform the customers of glasscare® Limited within 24 hours of a potential or confirmed data breach and to provide them with regular updates on actions to confirm and/or mitigate the breach.