The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC). It aims to support the rights individuals have over data about themselves that is collected and stored. It also aims to detect, identify and mitigate data breaches or leaks for all companies in the EU, as well as enforcing reporting on these issues. This aims to create one uniform policy across the EU regardless of whether the UK is part of the European Union. Any business that deals with EU nationals and business alongside their data must comply with the legislation.
Acre Resources LTD (The Company) aims to comply with the applicable GDPR regulations as a data processor and controller. Working alongside its employees, clients, candidates and suppliers it will comply when the GDPR legislation takes effect on 25th May 2018.
Acre Resources LTD (The Company) uses Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and outlined below. In the context of this statement, data subject refers to the person or entity submitting data and can include employees, candidates, clients and other individuals or organisations that Acre Resources LTD (The Company) work with.
Acre Resources LTD advertise opportunities and placements publicly and people submit their information freely. Data collection and processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. The Contract a data subject enters will entail Acre Resources LTD (The Company) Terms and Conditions, which are made available to them in the signed contract, on the website and by request. The Company also have a disclaimer on all job advertisements that data submitted can be used for both current and future opportunities. By submitting data, the data subject agrees that this data can be processed and stored. We would obtain consent to process and store personal data including but not limited to name, email and mobile number. This data is necessary to ensure the data subject is suitable for engagement including but not limited to placements Acre Resources LTD (The Company) advertise, business opportunities with Acre Resources LTD (The Company) and other reasons for communication. Acre Resources LTD (The Company) reserve the right to contact data subjects who have submitted this data both upon submission and in the future to ensure data is accurate.
Acre Resources LTD (The Company) would keep data on file for a period of 7 years unless otherwise stipulated. Data would be hard erased after this time unless the data subject requests otherwise. Data subjects have the right to request personal data on them in a portable format. Data subjects must request their data by phone, email or letter stipulating what data they would like access to, and this will be processed within 48 hours. We would send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or is otherwise irretrievable, the subject will also be informed of this.
Acre Resources LTD (The Company) aims to keep data on file for a period of 7 years unless otherwise stipulated. Data would be hard erased after this time unless the subject of the data requests otherwise or has been engaged with during this time and data on them is necessary for archiving purposes in the public interest. Subjects of data have the right to be forgotten and erased from records upon request. Subjects must request their data by phone, email or letter stipulating what data they would like erased and this will be processed within 48 hours. We would send confirmation of this either by email or letter.
GDPR pertains to certain requirements on data controllers for the portability of personal data. The data stored on our ATS and database is controlled by Acre Resources LTD (The Company). This can be made available to you via a Subject Access Request.
Reporting data breach
As per the GDPR guidelines we must report a data breach within 72 hours of becoming aware of the breach, unless the breach itself is low risk. This is to be reported to the top authorities which would be ICO (Information Commissioner’s Office) and the Data Protection Act Submission Form. This can be found here via this link or by using this security breach notification form (link here) or by reporting by phone on 0303 123 1113. Once a data breach or leak has been detected then it would be reported to this authority. A data breach or leak includes but is not limited to a lost USB stick, loss or theft of portable devices or data sent to the wrong person.
Internal Policies for GDPR
Acre Resources LTD (The Company) execute a stringent security and access policy for employees that safeguards data and protects the integrity of data. The Company also ensure this doesn’t impact business function or data subject experiences. Acre Resources LTD (The Company) have a data security policy, a confidentiality policy, a password policy and a policy to target Bring Your Own Devices (BYOD) in the workplace. Acre Resources LTD (The Company) permit the portability of data on mobile devices like mobiles or laptops, as well as advocating home working, under restriction and/or limitations. This is also for the benefit of data subjects. Access to this data can be terminated or limited as and when necessary to prevent data breaches or leaks. Every reasonable step is taken to ensure that Acre Resources LTD (The Company) data accessed outside the network is secure. These policies aim to mitigate any instance of data breach or leaks and employees are trained in maintaining data security.
IT policies for GDPR
Acre Resources LTD (The Company) outsource their IT system maintenance and management to a Third-Party. This Third-Party supplier is responsible for safeguarding the network and terminals with access to the network. They would manage the anti-virus on the machines and security updates to mitigate against data breaches and leaks. To further this they are also responsible for employee accessibility in granting, limiting or terminating this where necessary. The data this Third Party collects on employees is limited within the organisation and is also bound by data privacy and confidentiality clauses.
Acre Resources LTD (The Company) ATS and Database
Acre Resources LTD (The Company) use a dependable and resilient ATS system for data processing. As a data controller we rely on compliant systems and our ATS System and Database is SOC 1 audited. It is a software-as-a-service (SaaS) company which employs an SSAE 16/18 framework to provide security reviews. To further this the ATS and database undertakes an independent third party annual SOC 1, Type 2 audit that reviews its internal controls and processes. The audit covers internal governance, production operations, change management, data backups, and software development processes. These evaluations determine they have the appropriate controls and processes in place which are actively functioning in accordance with related standards.
International data transfers: our ATS and database complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. It has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
Acre Resources LTD (The Company) Database Reporting
Acre Resources LTD (The Company) use a reporting system which relays information from our database but does not itself host any personal or sensitive data. The access to this can also be terminated and limited where necessary.
Acre Resources LTD (The Company) aim to deliver great service, connecting innovative organisations and talented people in sustainability, health & safety, corporate responsibility and energy markets. We want to gain the trust of our employees and data subjects and aspire to treat data collected on them with integrity and respect. We would continue to improve and change operations where necessary to comply with new legislation. Internally Acre Resources LTD (The Company) review the systems in place and aim to improve this continuously. This statement aims to outline Acre Resources LTD (The Company) GDPR strategy and policies surrounding data control and processing.
This document is provided as of January 2018, for informational purposes to explain Acre Resources LTD (The Company) stance on GDPR legislation and compliance. It is subject to change or removal without notice.