Data Protection Policy

Team ML70

Version 1.0, 1 Jan 2022

Confidential – Internal and Restricted External Use Only

AceHawk Aerospace LTD
E.O.C. Teesside International Airport, Tees Valley, Darlington, England, DL2 1LU

Data Protection Policy

1. Purpose

Team ML70 (“the Company”) may have to collect and use information about customers, suppliers, business contacts, employees and other individuals (“data subjects”) with whom we work. This personal information must be handled and dealt with properly, regardless of how it is collected, whether it be on paper, in computer records or recorded by any other means.

The Company regards the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly. To this end we fully endorse and adhere to the principles of Data Protection Law.

This policy describes how this Personal Data must be collected, handled and stored to meet the Company’s data protection standards – and to comply with the law.

This data protection policy aims to ensure that the Company:

· Complies with data protection law and follows best practice.

· Protects the rights of team members, customers, and partners.

· Is open about how it stores and processes individuals’ data.

· Protects itself from the risks of a data breach.

2. Definitions

Consent: the consent of the data subject which must be a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of Personal Data relating to them.

Data Controller: the person that decides how and why to collect and use the data. This will usually be an organisation, but can be an individual (eg a sole trader). If you are an employee acting on behalf of your employer, the employer would be the Data Controller. The Data Controller must make sure that the processing of that data complies with data protection law. (Source ico.org.uk)

Data privacy and data protection: both terms have the same meaning in this Policy.

Data Processor: a separate person or organisation (not an employee) who processes data on behalf of the controller and in accordance with their instructions. Data Processors have some direct legal obligations, but these are more limited than the Dat Controller’s obligations. (Source ico.org.uk)

Data Protection Law: all legislation and regulations in force from time to time regulating the use of Personal Data and the privacy of electronic communications including, but not limited to, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, and any successor legislation or other directly applicable EU regulation relating to data protection and privacy for as long as, and to the extent that, EU law has legal effect in the UK).

Data Subject: a living, identified, or identifiable natural person about whom the Company holds Personal Data.

Criminal offence data: data which relates to an individual’s criminal convictions and offences.

Data Processing: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. A Data Processor will only carry out processing to the direct instruction of a Data Controller (i.e. processing will not include decision- making).

Encryption or encrypted data: The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text;

GDPR: the General Data Protection Regulation (the “GDPR”) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of Personal Data outside the EU and EEA areas. The primary aim of the “GDPR” is to give control to individuals over their Personal Data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

ICO: the supervisory authority for data protection in the UK.

Personal Data: means any information relating to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.

‘Personal Data Breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration,

unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

PII (Personally Identifiable Information): any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for deanonymizing previously anonymous data can be considered PII.

Processing: any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

Pseudonymisation: the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person.

Special Categories of Personal Data: data which relates to an individual’s health, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).

Third party: a natural or legal person, public authority, agency or body other than the data subject, Controller, and persons under the direct authority of the Controller.

3. Scope

The procedures and principles set out herein must be followed at all times by the Company and all its employees, agents, contractors, consultants, temporary staff, casual or agency staff, or other suppliers or data processors (hereafter referred to as “Staff”) working for or on behalf of the Company.

This Policy relates to all formats of data including Personal Data and sensitive Personal Data (known as “special category” under the “GDPR”) collected, held, and processed by the Company.

Any agreements with third-party vendors will be compliant with the “GDPR” and contain appropriate language that protects Personal Data.

Successful data protection and information security requires a collective effort. Every individual Staff member has some responsibility for ensuring data is collected, stored and handled appropriately.

4. Data Protection Principles

What is Data Protection?

“Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.” (Source ICO)

The UK data protection regime is set out in the DPA 2018 and the “GDPR” (which also forms part of UK law).

Under the “GDPR”, all Personal Data obtained and held by us will be:

· processed lawfully in a fair and transparent manner.

· collected for specific, explicit, and legitimate purposes;

· relevant and limited to what is necessary;

· kept accurate and up to date;

· retained for no longer than necessary;

· protected and processed in a secure manner; and

· transferred internationally with respect to the “GDPR” and other relevant legislation.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

The Rights of Data Subjects

Under the “GDPR” under certain circumstances data subjects have the right to:

· Be informed about the Personal Data we hold on them and what we do with it. Data subjects can submit a Data Subject Access Request (SAR), in response to which we are obliged to provide a copy of the Personal Data we hold about the subject.

· Request inaccuracies in the data we hold are corrected. This is also known as ‘rectification’.

· Request data is deleted, for example, where there is no reasonable reason for the Company retaining the data. This is also known as ‘erasure’.

· Restrict the processing of the data.

· Transfer the data we hold on you to another party. This is known as ‘portability’.

· Object to the inclusion of any information.

· Regulate any automated decision-making and profiling of Personal Data.

5. Policy Statement

The Company aims to preserve confidentiality, integrity and availability of information held.

To achieve this the Company has an Information Security Management System in place that supports the Company’s commitment to data protection. Further information can be found in the Company’s Information Security Management Policy.

All Staff working on behalf of the Company handling Personal Data will be appropriately trained to do so. Data protection and information security is not solely a task for the Technology team. All Staff must understand the risks faced and policies in place to keep all Company’s information including PII as safe as possible.

Only Staff that need access to, and use of, Personal Data in order to carry out their assigned duties correctly shall have access to Personal Data held by the Company. Access to data is granted on a “least required access” principle. Further information can be obtained in the Company’s Access Control Policy.

Personal data shall only be shared in the ways described with the relevant data subjects and, if required, consent shall be obtained from data subjects prior to sharing their Personal Data.

All Staff handling Personal Data must be appropriately supervised.

All Staff handling Personal Data are encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to Personal Data, whether in the workplace or otherwise.

All Company policies that provide rules and guidelines on collecting, storing and processing Personal Data are

regularly reviewed. The review frequency is detailed within each policy.

The Company will maintain a record of all Personal Data collection, processing and storage.

Data subjects will be kept informed about the data the Company holds about them.

The Company will keep the data subject informed by sharing privacy policies also known as fair processing notices, for example, Staff will be provided with a Staff/Employee Privacy Policy and users of the Company’s website will be provided with a Website Privacy Policy. The privacy policy must include relevant Company contact details and outline exactly when different categories of Personal Data are being collected and the legal basis for processing the data.

The Company requires prior consent to be obtained from data subjects before electronic data marketing such as emails are sent. Data subjects will be given the option to opt out of any further direct marketing.

All data including Personal Data stored by the Company will be reviewed periodically to ensure it is still required. Further details are outlined in the Company’s Records and Information Management Policy.

All Staff handling Personal Data are in scope of this policy and are therefore bound to handle Personal Data in accordance with this policy and the principles of Data Protection Law.

6. How we will use Personal Data

6.1. Processing in a fair and transparent manner

The Company acknowledges that Personal Data processing may only be carried out where a lawful basis for that processing exists. The Company will ensure that appropriate lawful basis (or bases) have been identified before processing occurs. Lawful basis includes but is not limited to the data subject giving consent. If consent is relied upon as the lawful basis, the consent must be a clear indication by the data subject that they agree. Data subjects are free to withdraw consent at any time and their request should be actioned promptly.

The Company will consider how the processing may affect the individuals concerned and will only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.

Contact for further guidance and details on the lawful basis for processing Personal Data.

6.2. Specific, explicit and legitimate purposes

The Company only collects, processes and holds Personal Data for specific, explicit and legitimate purposes. The Personal data collected from Data Subjects and third parties is detailed in privacy policies or notices that are shared with the respective data subjects.

6.3. Relevant and limited to what is necessary

The Company will only collect and process Personal Data for the specific purpose or purposes disclosed to Data Subjects. Personal data held by the Company cannot be processed for any unrelated reasons.

6.4. Excessive Personal Data must not be collected

Staff may only collect Personal Data to the extent required for the performance of their job duties.

6.5. Kept accurate and up to date

The Company is committed to data only being retained when there is a business need to do so. When Personal Data is no longer required it will be securely disposed of in a timely manner. This is outlined in the Company’s Records and Information Management Policy.

6.6. Retained for no longer than necessary

6.7. Protected and processed in a secure manner

Confidential information and sensitive materials must be stored away and out of sight when they are not in use or when the workspace is vacant. Wherever possible, documents should be viewed, shared and managed electronically since this is more secure and environmentally friendly. This is outlined in the Company’s Clear Desk and Clear Screen Policy.

The Company shall ensure that the policies and procedures in place to protect the Company’s data are maintained, reviewed and remain fit for purpose.

7. Data Protection by design

From the outset of a project and throughout the software development lifecycle (SDLC) data privacy and information security are considered. The Company’s SDLC policy details the steps that must be undertaken.

Information security is baked into the Company’s processes and procedures. The framework in place is underpinned by a number of policies.

These policies include but are not limited to:

· Information Security Management Policy – outlines the principles, processes and controls for the Company’s information security.

· Information Classification Policy – ensuring the Company’s data is classified in such a way that it receives the appropriate level of protection.

· Access Control Policy – outlines who can access the Company’s information and how that access is managed.

· Password Policy – conveys the need for well thought out password protection and the risks associated with poor password management and selection.

· Mobile Device Policy – communicates the acceptable use of mobile devices, such as mobile phones and the data security practices that need to be followed.

· Physical Security Policy – details the controls that must be in place to protect the Company’s Staff, data and other resources.

· Records and Information Management Policy – defines how the Company manages its data from creation through to destruction.

· Application and Network Security Policy – outlines the processes and procedures that need to be maintained to protect the Company’s data from cyber attackers.

8. Disclosing and transferring data

8.1. Disclosing data for other reasons

In certain circumstances, “GDPR” allows Personal Data to be disclosed to law enforcement agencies without the consent of the data subject, for example, information may be exchanged with third party companies or organisations in order to prevent fraud or reduce credit risk.

Subject to verification that the request is legitimate, the Company will disclose the requested data. If the Company sells or purchases any business or assets it may authorise the disclosure of Personal Data (including, without limitation, Client Data) to prospective sellers or buyers, for example, if the Company is acquired the Personal Data may be transferred to the buying firm.

9. Sensitive Personal Data

Before processing any sensitive Personal Data, Staff must gain approval from

10. Data impact assessments

The Company shall carry out data protection impact assessments for new uses of Personal Data which are likely to result in a high risk to the rights and freedoms of data subjects. This will include considering:

· The purpose for which the activity is carried out.

· The type of Personal Data that will be collected, held and processed.

· The risks for individuals and the measures that can be taken to mitigate those risks.

11. Keeping Data Subjects informed

Data subjects have the right to be informed about the Personal Data we hold on them and what we do with it.

Data subjects can submit a Data Subject Access Request (SAR), in response to which we are obliged to provide a copy of the Personal Data we hold about the subject.

11.1. Subject access requests

Individuals who are the subject of Personal Data held by the Company are entitled to be informed about the Personal Data the Company holds on them and what we do with it. Data subjects can submit a Data Subject Access Request (SAR), in response to which we are obliged to provide a copy of the Personal Data we hold about the subject.

Subject access requests from individuals should be addressed to Darren Wade.

They should be sent to the following email address: privacy@acehawkaerospace.com

The Company will aim to provide the relevant data as soon as practically possible and normally within one month of receipt. In exceptional circumstances, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

The Company will always verify the identity of anyone making a subject access request before handing over any information.

The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

12. Data breach notification

If Staff become aware of or suspect that a Personal Data breach has occurred, they should report it as soon as practically possible to Darren Wade .

The Company’s Data Breach Incident Management Policy should be followed.

Where appropriate the Company will ensure external stakeholders and the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

13. Policy Governance

Responsibility for the Data Protection Policy rests with Darren Wade. Duties include, but are not limited to:

Ensuring that all staff in scope and appropriate external parties have read and confirmed their acceptance of the latest version of this policy

Monitoring for legal, regulatory or industry best practice developments in relation to this policy

Coordinate with senior management, IT, and legal counsel to communicate and review issues related to this policy

Review and update this policy at least every 12 months, in order that it remains fit for purpose.

Exceptions to this policy shall be allowed only if previously approved by Darren Wade.

This policy has been approved by senior management and is effective from 01-Jan-2022.

14. Framework References

Reference Control

A.13.2.1 Information transfer policies and procedures

A.13.2.2 Agreements on information transfer

A.15.1.1 Information security policy for supplier relationships

A.15.1.2 Addressing security within supplier agreements

A.15.1.3 Information and communication technology supply chain

A.18.1.4 Privacy and protection of personally identifiable information