Home page » Data Protection

Data Protection

General Data Protection Regulation (GDPR)
E. FLAHAVAN & SONS LTD respect personal privacy and are committed to adhering to the applicable privacy and data protection laws and business guidelines.   This internal privacy and data protection policy ("Privacy and Data Protection Policy") describe how E. FLAHAVAN & SONS LTD handles the information collected and provided to us.  This policy also outlines the procedures for securing and managing personal data relevant to the business with specific observance of the General Data Protection Regulation (“GDPR”) of the European Union. 
  1. SCOPE
This Policy applies to all E. FLAHAVAN & SONS LTD business units and all employees, employed in all business units.
  1. EU General Data Protection Regulation
The Company is subject to the 1995 European Union (“EU”) Directive on Data Protection (“1995 Data Protection Directive”), which requires EU member states to impose minimum restrictions on the collection and use of personal data. The EU member state regulations establish several obligations that organisations must follow with respect to use of personal data, including a prohibition on the transfer of personal information from the EU to other countries whose laws do not protect personal data to an adequate level of privacy or security. 
The GDPR comes into effect in 2018 and extends the scope of the EU data protection law to all companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU.   It imposes a strict data protection compliance regime with severe penalties, e.g. up to 4% Group worldwide turnover or €20 million for breaches or 2% Group worldwide turnover for lack of documentation, and includes new rights such as the “portability” of personal data. 
“Data Protection” is defined as the protection of Personal Data relating to any living individual (“Data Subject”) whilst in the possession of an organisation (“Data Controller”). There are multiple legal and business requirements to keep this data ‘safe, secure and accurate’.
"Personal Data" means data relating to any living individual which is capable of being used to identify that specific Data Subject. Two pieces of non-personal data, when put together, may also become personal data, if it can lead to the identification of any Data Subject.   Personal Data may comprise special / financial data, e.g. bank account details, passwords, or information relating to age, sex, race, religion, disability, sexual orientation, trade union membership. 
“Data Breach” occurs when personal data leaves the (direct or indirect) control of the Data Controller, e.g. lost / stolen laptop, phone or other electronic device, e-mail sent to incorrect person, unauthorised disclosure of database containing personal information, loss of data by authorised contractor, misplaced paperwork.
“Data Processor” is any person that uses the personal data under the control of a Data Controllers for any reason, e.g. hold, use, amend, delete. 
Personal data should not be transferred out of the country of origin unless the receiving country or organisation can ensure an adequate level of protection for the data. The Data Controller remains legally responsible for the data, at all times. 
Principles of Data Protection
  1. Obtain and process the information fairly;
  2. Keep it only for one or more specified and lawful purposes;
  3. Process it only in ways compatible with the purposes for which it was initially obtained;
  4. Keep it safe and secure, applying security measures against unauthorised access, alteration, disclosure or destruction of data;
  5. Keep it accurate, complete and up-to-date;
  6. Ensure that it is adequate, relevant and not excessive;
  7. Retain it no longer than is necessary for the specified purpose; and
  8. Give a copy of all personal data held, to the individual, upon request.
5.1 Personal Data must be kept: a) Safe; b) Secure; and c) Accurate.
  1. Safe = IT security, databases and electronic devices password protected and encryptions on all data (where possible) – secure from unauthorised access, disclosure or destruction.
  2. Secure = what was the purpose of originally collecting the data? Is that purpose still relevant? Is the personal data in current usage by the company? Has the individual given permission to the company to continue holding the personal data? Is it capable of being searched, retrieved and amended / deleted, if required?
  3. Accurate = up to date and in order, across all databases. 
5.2 E. FLAHAVAN & SONS LTD employees may report any violations or direct questions regarding the policy to:
This policy may be amended at any time. We encourage you to regularly check this policy for any updates and changes. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including termination of employment.