At Almaas Diamonds, we are very serious about privacy and won’t spam our clients or ruin any surprises for them. We are committed to protecting the private information our clients provide us with. In continuation of our Terms & Conditions policy, our Privacy Policy also informs you about what happens with the information you provide us, why we collect the information, how we use the data collected and how we will store it.
Collection of the personal information
For the business process to function smoothly, Almaas Diamonds needs to gather and use certain information regarding individuals. The individuals concerned include clients, suppliers, other business contacts, employees, prospective employees, and other people with whom we have a relationship or whom we may need to contact or deal with.
This policy will describe how personal data gets collected, processed, transferred, handled and stored to ensure that the requirements of the data protection law, especially GDPR or General Data Protection Regulation, are met. We recognise that not only should we comply with the principles of fair processing of personal data, we should also have the capacity to demonstrate that we have done so. The procedures and principles explained below should be followed at all times by the organisation, its employees and everyone within its scope, as mentioned below.
Why this policy exists
This Privacy Policy provides help and guidance for our staff and managers to:
- Comply with data protection law and follow good practice
- Protect the rights of staff, clients and business contacts
- Be open about how we use personal data and how we store it
- Protect Almaas Diamonds against the risks of inadvertent and intentional data breaches
Scope of the policy
This policy applies to all employees and contractors who have access to any of our files and/or computer systems. Collectively, these individuals will hereafter be referred to as “users”. All users have the responsibility to comply with the terms of this Privacy Policy.
Data protection law (GDPR)
GDPR, or General Data Protection Regulation, is the regulation that oversees and governs how an organisation should collect, handle, and store personal data. Before launching into a detailed description, it is crucial to know what is considered personal data. By definition, personal data means any information that relates to an identified or identifiable living individual. It is information that enables an individual to be identified, directly or indirectly, and may include details like their name, address, telephone number, email address, age, location data, and online and biometric identifiers.
What does the law state?
The GDPR contains several key principles that apply to the collection and processing of personal data, and they underpin everything that follows. The key principles are explained below:
Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation
Personal data is to be collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with the said purposes.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are being processed.
Accuracy
Personal data is to be accurate and, where necessary, kept up to date.
Storage limitation
Personal data shall be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Integrity and confidentiality
Personal data should be processed in a manner that will ensure appropriate security of the personal data, which will include protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The controller will be responsible for and be able to demonstrate compliance with the GDPR.
Key responsibilities
The Directors are ultimately collectively responsible for ensuring that Almaas Diamonds meets its legal obligations and that this Policy is followed.
The Data Protection Officer is responsible for
- Keeping the Senior Leadership Team updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and related policies, in line with an agreed-upon schedule
- Arranging relevant data protection training
- Handling data protection queries from staff and contractors
- Dealing with requests from anyone whose data we hold for access to that data
- Checking and approving contracts and agreements with third parties that may handle the personal data we hold
- Ensuring that all policies on the processing, retention, storage and deletion of data are adhered to, and that relevant documentation is maintained as evidence of compliance
The IT manager is responsible for
- Ensuring that all systems, services and equipment used for storing data meet acceptable security standards
- Performing regular checks to ensure that security hardware and software is functioning properly
- Evaluating any third-party services Almaas Diamonds is considering using to store or process data, such as cloud computing services
The Marketing Director is responsible for
- Approving any data protection statements attached to communications such as emails and letters
- Where necessary, working with other staff to ensure that marketing initiatives are compliant with data protection principles
- Ensuring that records of consents to marketing, and of withdrawals of consent, are maintained
Lawful, fair and transparent data processing
We are responsible for ensuring that any personal data we hold is processed in accordance with the principles mentioned above. We are permitted to process personal data where one of the following legal bases applies:
- The data subject has given their consent
- The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them
- The processing is necessary for compliance with a legal obligation to which the data controller is subject
- The processing is necessary to protect the vital interests of the data subject or of another natural person. An example of this might be where we pass on information to the next of kin of an employee who has been gravely ill
Other personal data
Almaas Diamonds will adhere to the following principles:
- Almaas Diamonds collects and processes the personal data set out in H01 – H05 below, and this includes:
  - Personal data that has been obtained directly from customers
  - Personal data that has been obtained from staff
  - Personal data that has been obtained from suppliers
- Almaas Diamonds only collects, processes, and holds personal data for the specific purposes set out in H01 – H05 below
- We keep data subjects informed of the purpose for which we process their personal data
- Where personal data will be disclosed to third parties, we will only do so where we are legally required to do so, e.g. to HMRC or to money laundering authorities. We do not share data with third-party organisations for marketing purposes
- We will collect and process personal data only for, and to the extent necessary for, those specified purposes
- In respect of personal data that we collect and process, we will:
  - Keep it accurate and up to date
  - Grant the data subject the right to rectify any inaccurate data, in accordance with their right to do so
  - Regularly check the data and ensure that all reasonable steps are taken to promptly rectify or delete any mistakes or inaccuracies, as appropriate
  - Not store the personal data any longer than is necessary, bearing in mind the purposes for which it was collected in the first place
  - Take all reasonable steps to promptly delete or dispose of any data which is no longer required
  - Take measures to ensure that the security of the data is in line with the measures set out below
Accountability and record-keeping
Almaas Diamonds will keep internal electronic records of all personal data collection, holding and processing, and this will incorporate the following:
- Names and details of employees, customers and suppliers
- The purposes for which Almaas Diamonds collects, holds and processes the personal data
- Details of the categories of personal data collected and held by Almaas Diamonds, and the categories of data subject to which the data relates
- Details of the retention policy
- Detailed descriptions of all technical and organisational measures taken by Almaas Diamonds to ensure the security of personal data
Privacy by design – data impact assessments
A part of our duty is to ensure that in the planning of new processes or procedures that involve the use of personal data, we consider the impact of the change and ensure that we have fully considered and complied with our obligations under the GDPR. We will always ensure that all such changes are designed and implemented in accordance with the Regulation and that the DPO is consulted, and their recommendations are taken into account in the planning and introduction of such changes.
In any situation where new technologies are being deployed, and the processing of the personal data is likely to result in a high risk to the data subject’s rights and freedoms under the Regulation, we will carry out a Data Impact Assessment, overseen by the DPO. This will deal with:
- The types of personal data that will be collected, held and processed
- The purpose for which it is to be used
- The Firm’s objectives in processing this data and making this innovation
- How the personal data is to be used
- Why we need the data, and how the collection of the data is proportionate to our need for it
- What the risks are for the data subjects
- What risks the Firm runs, and
- What measures we propose to minimise the risks and to protect the data and the people concerned against them
Providing information on data subjects
We are required to ensure that, when we collect and process the personal data, the data subject is aware of the purposes for which this is being done and what is happening to the data. We, therefore, will ensure that the following principles are followed:
- Where we collect personal data directly from the data subject, we will inform them of the purposes for which it is being collected, if requested
- All data subjects will be provided with the following information:
  - Details of Almaas Diamonds, including the name of the DPO
  - Why the data is being collected and processed, and the legal basis for this
  - Details of data retention, if requested
  - Details of the subject’s rights under the GDPR, including the right:
    - To withdraw consent to the processing at any time
    - To complain to the Information Commissioner’s Office (ICO)
  - Details of any legal or contractual requirement which means that Almaas Diamonds needs to collect this information and process it
  - Details of any automated decision making or profiling that will take place using personal data, how the decisions will be made and their consequences
Data subject access
“Subject Access Requests” or SARs can be made by a data subject where an organisation holds personal data about them. This can be done at any time, and such requests are made in order for the data subject to find out what data is being held and what is being done with it:
- Such requests need to be made by the data subject in writing
- They should be addressed to the DPO, who will deal with the request
- Almaas Diamonds will usually respond to requests within one month, but we may seek to extend the response time by a further two months if the request is complex or there are multiple requests. In that situation, the data subject will be informed accordingly.
- Almaas Diamonds will not charge the data subject any fee for responding to a SAR unless the subject asks for multiple copies of data already supplied, or unless the request is manifestly unfounded or excessive.
Rectification of personal data
Where a data subject informs us that the data we are holding about them is inaccurate or incomplete and requests that it be corrected, we will rectify the information and inform the data subject that we have done so within one month of the request. Again, in complex cases, we may extend the period for responding and making the change by up to two months.
Where the incorrect data is held by third parties to which it has been disclosed, we will ensure that they are informed and the data they hold is rectified.
Erasure of personal data
Data subjects have a right to require the Firm to erase personal data held about them when:
- The Firm no longer needs the data it is holding for the purposes for which it was originally collected
- The data subject wishes to withdraw their consent to the Firm holding and processing the data
- The data subject objects to the Firm holding and processing the data, and there is no overriding legitimate interest that allows us to continue to do so
- The personal data has been processed unlawfully
- The personal data needs to be erased in order for the Firm to comply with a particular legal obligation
Where we are obliged to do so, we will erase the information and inform the data subject that we have done so within one month of the request. If the case is complex, we may extend the period for taking action by up to two months. Again, where the data is held by third parties to whom it has been disclosed, we will ensure that they are informed and the data they hold is erased.
Restriction of personal data processing
Data subjects have the right to request that the Firm ceases to process any personal data that we are holding about them. Where this happens, we will only retain whatever personal data we need to ensure that no further processing occurs.
Objections to personal data processing
Data subjects have the right to object to us processing their personal data based on our legitimate interest or for direct marketing purposes. Where the data subject notifies us of their objection, we will cease such processing immediately unless our legitimate interests override those of the data subject or unless we need to continue to process the data in conducting a legal claim. Where the data subject is objecting to direct marketing, we will cease to use the data for this purpose immediately.
Personal data, collected, held and processed
H01
Type of data: Personal details of employees, such as names, addresses, contact details, age, gender etc
Purpose: The administration of employment contracts
H02
Type of data: Personal details of clients, such as names, addresses, contact details
Purpose: To communicate in relation to their purchase of our goods, i.e. specific product queries and collection dates. To market our services to clients, in accordance with the GDPR
H03
Type of data: Education and training details of our prospective employees, employees and contractors
Purpose: Collected in the course of recruitment with a view to selection, and maintained to track career progression
H04
Type of data: Financial details of employees and contractors, i.e. matters related to income and payroll, tax details, expenses claimed, pensions
Purpose: Collected and maintained in order to ensure timely and accurate payment of staff and proper accounting for tax purposes
H05
Type of data: Personal details of suppliers such as names, addresses, contact details
Purpose: To communicate in relation to our purchase of their goods or services
Data storage and general security
- All electronic copies of personal data are stored securely using privilege levels and passwords
- Regular password changes will be enforced, and the number of logins will be restricted
- Passwords should never be written down or shared between any employees, agents, contractors or other people working on behalf of Almaas Diamonds, no matter what their level of seniority
- Computer equipment belonging to Almaas Diamonds will be sited in a secure location within the office and in a position where it cannot be viewed by members of the public
- Computer terminals must not be left unattended and should be logged off at the end of the session
- Personal data is backed up daily and is stored offsite and, where appropriate, is encrypted
- All software is kept up to date, and iSOS will be responsible for ensuring that all security-related updates are installed promptly unless there are valid technical reasons for not doing so
- No software is installed on the Almaas Diamonds system without the prior approval of the Managing Director
- Personal data is not to be stored on any mobile device, including but not limited to laptops, tablet computers and smartphones, without the prior approval of the DPO, and where it is held only in accordance with his/her instructions and limitations
- Personal data must never be transferred onto an employee’s personal device, and we will never transfer such data onto a device owned by a contractor or agent unless they have agreed to comply fully with the letter and spirit of this Policy and with the GDPR
- Computer printouts containing personal information are to be destroyed without delay
- Where personal data should be erased or otherwise disposed of, this will be done in accordance with the Data Regulation Policy
Access to personal data
In relation to accessing personal data:
- Employees should never access data, either on a computer or in paper form, without having the authority to do so
- Personal data should not be shared informally, and if an employee, agent, contractor or any other third party wants access to the data, it must be formally requested from the DPO
- Personal data is to be handled with care and not left unattended or in view of unauthorised employees, contractors, or agents, whether on paper or on a screen
- Where personal data held by Almaas Diamonds is used for internal marketing purposes, it is the responsibility of the sales staff to ensure that appropriate consent is obtained beforehand
Organisational measures
The Firm will take the below-mentioned steps in relation to the collection, holding and processing of personal data:
- All employees, contractors or other parties working on our behalf will be made aware of their individual responsibilities and the responsibilities of the Firm in relation to data privacy and the GDPR, and they will be provided with a copy of this policy for better understanding and convenience
- In respect of these individuals and of personal data held by Almaas Diamonds:
  - Only those people who need access to particular personal data in order to complete their assigned duties will be granted such access
  - All personnel will be appropriately trained and supervised in handling personal data
  - All personnel will be encouraged to exercise caution when discussing work-related matters, and to do so only within the workplace
- The methods we employ for collecting, holding and processing data will be regularly evaluated and reviewed, and the personal data held by Almaas Diamonds will be reviewed periodically, as set out in our Data Retention Policy
- We will keep the performance of our contractors under review and, not only will we ensure that they are required to handle personal data in accordance with the GDPR and our Policy, but we will also ensure that they are held to the same standard as our own employees, both contractually and in practice
- Where any contractor fails in their obligations under this Policy, we will ensure that they are required to indemnify us for the costs, losses, damages or claims which may arise as a result
Data breach notification
All personal data breaches should be reported to the DPO immediately.
If such a breach occurs and it is likely to result in a risk to the rights and freedoms of data subjects, e.g. financial loss, breach of confidentiality or damage to reputation, the DPO needs to ensure that the ICO is informed without delay and, in any event, within 72 hours of the breach.
Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO also needs to make sure that the data subjects affected by the breach are informed directly, without undue delay. The following information should also be provided:
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records concerned
- The name and contact details of the Firm’s DPO
- The likely consequences of the breach
- Details of the measures taken or proposed in order to deal with the consequences of the breach
Implementation of the policy
This Policy becomes effective as of March 2023. No part of the Policy is retrospective in effect; it applies to matters occurring on or after the first week of March 2023.