You must read this privacy notice carefully and we recommend that you print and retain a copy for your future reference. By accessing, browsing or otherwise using this website, you confirm that you have read, understood and agree to this privacy notice in its entirety. If you do not agree to this privacy notice in its entirety, you must not use this website.

Privacy Notice

Retail Manager Solutions Limited (RMS)

1. Introduction

1.1 RMS takes your privacy seriously and is committed to compliance with the GDPR and Data Protection laws. In this Privacy Notice you can find out about your privacy rights and how we collect, use, share and secure your personal identifiable information (personal information). This includes the personal identifiable information we already hold about you now and the further personal identifiable information we might collect about you, either from you or from a third party.

1.2 This Notice sets out our commitments to you and our clients to whom we process personal information on their behalf and under their instructions to be compliant with the Data Protection Laws in the countries in which we operate. It explains how we collect, use, store, share and secure your personal information and how we comply based on our relationships and processing operations with individual’s personal information in delivering our products and services.

1.3 This Privacy Notice is a public document available when RMS obtain and use your personal identifiable information. It explains how we as a data controller for our own recruitment, employee, accounting and marketing purposes and how we as an appointed data processor for our clients provide software solutions to enable them to process and manage their services and the personal information regarding individuals contained within these solutions will be managed in line with the Data Protection Laws. In both circumstances we obtain and process individual’s personal identifiable information in order to conduct our normal business operations and to deliver products and services to our current and prospective clients.

1.4 The difference between a data controller and data processor is important. You have certain rights in relation to your personal information, for example the right to be provided with the personal information held about you and details of its use and the right to have certain of your personal information either erased or anonymised, commonly referred to as the right to be forgotten (see below to see what rights you have). These rights can only be exercised against a data controller of your information. We will be a:

– Data controller of our own applicants, employees and individuals to whom we carry out direct marketing operations.
– Data processor for a data controller (our clients), holding and processing your personal information under their instructions.

1.5 RMS operating as a data processor: we would only act on the instructions of our clients as data controllers when you exercise your rights. When informed we will co-operate fully and in a timely manner to ensure our clients as data controllers can respond to you in line with the Data Protection Laws in the UK and under the General Data Protection Regulation, (GDPR). Our client as the data controller will supply you with a privacy notice at the first point of contact with you and as part of this they will inform you we are one of their third-party suppliers and as such we act as a data processor.

1.6 RMS operating as a data controller: we will make the determination on how we will obtain, use, store, share and secure your personal information either as an applicant as part of our recruitment process, employee, visitor to our website and/or as part of our marketing operations with individuals and with our current and prospective business clients. As a data controller we will supply you with a privacy notice at the first point of contact with you. This notice constitutes our privacy notice and provides you with details on how we will process your personal information.

1.7 As a data controller we will only provide this privacy notice to you once, generally at the start of our relationship with you. However, if the applicable privacy notice is updated substantially, then we may provide you with details of the updated version. You are encouraged to check regularly for updates.

1.8 As we hold and process a volume of individual’s personal information and special categories of information for our clients (data controllers) as part of our core activities, While RMS is not required to have a Data Protection Officer under GDPR, we have a standing working committee dedicated to data protection compliance and issues,  whose details are below and you can contact them if you have questions about your data, data protection, your rights or make a complaint:

By post: 
Information Rights Manager
Retail Manager Solutions Limited
Castle Malwood
Minstead
Hampshire
SO43 7PE

By email: DP@retail-manager.com

By phone: 02380 816000

2. Who we are

2.1 Where we refer to ‘we’ or ‘us’ in this Privacy Notice, we are referring to RMS responsible for the collection, processing, storage and safe keeping of any personal and special categories of information you provide us with as part of your relationship with us. Where we are a data controller the information you provide will be managed in accordance with the Data Protection Act 2018 and General Data Protection Regulation (GDPR). We are registered as Data Controller with the Information Commissioners Office under the registration number: Z1708844

2.2 RMS provides and sells products and services in the form of software solutions to our clients where we process personal information relating to their customers (data subjects). Therefore, as a data processor for our clients we have entered into contractual obligations in regards to data protection. The products and services we provide are:

• Unified Comms from version 1.0;
• Operations Director and People from version 4.0;

We also host our client’s information in a secure manner in compliance with the law.

3. Your privacy rights
3.1 From the 25 May 2018 you have eight rights relating to the use and storage of your personal identifiable information. A Data Controller must comply with these rights and they are:

• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling.

For further information as to your rights, please refer to Appendix A to this Notice – Individual’s Rights Explained

3.2 In brief, you have the right to be informed who is obtaining and using your personal identifiable information, how this information will be retained, shared and secured and what lawful grounds will be used to obtain and use your personal identifiable information. You can view the lawful grounds we will rely on as a Data Controller at Appendix B to this Notice – Lawful Basis Processing. You have the right to object to how we use your personal identifiable information in certain circumstances. You also have the right to obtain a copy of the personal identifiable information we hold about you.

3.3 In addition, you can ask RMS to correct inaccuracies, delete or restrict personal identifiable information or to ask for some of your personal identifiable information to be provided to someone else. You can make a complaint if you feel RMS is using your personal identifiable information unlawfully and/or holding inaccurate, inadequate or irrelevant personal identifiable information which if used may have a detrimental impact on you and/or has an impact on your rights.

3.4 You can also make a complaint to the data protection supervisory authority. In the UK, this is the Information Commissioner’s Office, at https://ico.org.uk. You can view other supervisory authorities and details of countries where your personal identifiable information is held and processed by RMS here:

Microsoft (infrastructure/software):
https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
AWS (infrastructure): https://aws.amazon.com/compliance/gdpr-center/
Twilio (discussion/conferencing): https://www.twilio.com/gdpr
SendGrid (mailing service): https://sendgrid.com/policies/tos/

3.5 To make enquires for further information about exercising any of your rights in this Privacy Notice, please contact our DPO, the details for which are as stated above.

4. What Kinds of Personal Identifiable Information do we use?

4.1 We use a variety of personal identifiable information depending on the services we deliver to you. For all services, we may need to use the following information about you:

Personal Information
• Contact details – name, address, email, home and mobile telephone numbers;
• Age – date of birth;
• Identification – information to allow us to check your identity;
• Photograph – information to record your identity;
• Online computer identification (IP address) – information recorded when you engage with us by email;
• National Insurance numbers – information to carry out functions such as payroll and/or supporting people contracts;
• Next of kin
• Marital Status
• Occupation
• Reference Numbers (e.g. passport) where your personal information appears

There are other types of personal information which we collect for the purposes of our relationship with you either as you have engaged with our products or services or that of our clients. The personal information we hold are:

Special Information
• Health – to support our Health and Safety operations in the work place;
• Race – optional, and solely to support our equality monitoring purposes;
• Ethnic origin – optional, and solely to support our equality monitoring purposes;

There are other types of special information which we do not collect but are deemed important under the law:

• trade union membership;
• biometrics (where used for ID purposes).

We also act as a data processor with our clients where we have entered into a contract to deliver software services and platforms which hold individuals personal and special information. It will be the responsibility of our clients, as the Data Controllers, to issue a privacy notice and we will co-operate in the process outlined in such notice.

4.4 Sometimes where we ask for your personal identifiable information to enter into a contract/agreement with you, for example in relation to our relationship with you in the performance of a contract with you or as we have a legal or regulatory duty. It could be a simple process of attaching a cookie to enable a transaction to take place. We will not be able to provide some of our services or products without this information.

4.5 We collect and use your information as part of our recruitment process and we would be required, where the role requires, to collect and process your personal and special information when you submit an application or CV to work for RMS. We will use your personal information for the purpose of the application process and to produce and monitor recruitment statistics. Your personal information as detailed in 4.1 will be used in regards to your employment within RMS to carry out work duties and for purposes of payroll.

5. How We Gather Your Personal Identifiable Information

5.1 We obtain personal identifiable information by various means; this can be by an application form, face to face, email, telephone, correspondence and/or by receiving this information from others, for example: an authorised person representing you, police, health or social care agencies. We can also receive information about you from other people who know you and/or are linked to you, for example: nominated person to act on your behalf, a nominated ‘Responsible’ person for a child or your legal representative.

5.2 Some further examples of how we may gather your personal identifiable information are set out below:

• directly from you, for example: when you fill out our application form for a job;
• from monitoring or recording calls as part of quality and complaints monitoring: we record these calls for training and to ensure the safety of our staff;
• from monitoring your use of our website; and
• from information shared by your previous employer with your consent.

6. How We Lawfully Use Your Personal Information

6.1 When you apply to work for RMS, we will need to obtain your name, contact details, date of birth, your current and previous countries of residence/citizenship, and a copy of identification documents (such as passport, home office residence papers and driving license) where we are required to for the right to work in the country.

6.2 We will from time to time share information with third party suppliers (data processors) to carry out functions on our behalf, for example to a payroll company to deliver you your salary each month. When sharing your information, we will have applicable contractual clauses applied where all of these recipients will demonstrate compliance with data protection laws and your rights.

6.3 There are some cases when we will share your information where it is necessary for legitimate business purposes. This will be to ensure that your needs are met and to also meet the health and safety obligations we have as an employer when delivering a service. This may include sharing information with other partnering organisations and our contractors and partners:
• In order to carry out our contractual obligations; and
• So that third parties can carry out our duties/functions/events on our behalf

You can see the categories of third party contractors and sub-contractors we use here:
Microsoft (infrastructure/software): https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
AWS (infrastructure): https://aws.amazon.com/compliance/gdpr-center/
Twilio (discussion/conferencing): https://www.twilio.com/gdpr
SendGrid (mailing service): https://sendgrid.com/policies/tos/
Staff Payroll: https://www.star-payroll.com/

7. Automated decision making

7.1 We do not carry out any automated decision making as part of our processing operations as a data controller. When delivering software services as a product this processing may take place and it will be our client who is the data controller to inform individuals of the processing operations and individuals rights.

8. Our Legal Basis For Using Your Personal Identifiable Information

8.1 We only use your personal identifiable information where that is permitted by the laws that protect your privacy rights. This will be where:
• we need to use the information to perform a contract or enter into a contract with you;
• we need to use the information to comply with our legal obligations;
• we need to use the information for our data controllers legitimate interests

When we consider using your information for the last purpose stated above we will consider if it is fair to use the personal identifiable information either in our interests or someone else’s interests, and only where there is no disadvantage to you – this can include where it is in our interests to contact you about like for like products or services from RMS to a business and RMS to a person. Where we carry out direct marketing operations with businesses we will carry out a marketing assessment to market to you or collaborate with others to improve our services. Where we need to seek your consent, we will (if consent is needed).

8.2 Where we have your consent, you have the right to withdraw it. We will let you know how to do that at the time we gather your consent. See section 12 Keeping You Up to Date, paragraph 12.1 for details about how to withdraw your consent to marketing.

8.3 Special protection is given to certain kinds of personal information that is particularly sensitive. This is information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership. We will only use this kind of personal information where:
• we have a legal obligation to do so (for example to protect vulnerable people);
• it is necessary for us to do so to protect your vital interests (for example if you have a severe and immediate medical need whilst on our premises);
• it is in the substantial public interest;
• it is necessary for the prevention or detection of crime;
• it is necessary for insurance purposes; or
• you have specifically given us ‘affirmative’ consent to use the information.

9. Sharing Your Personal Information or Getting Your Personal Identifiable Information from Others

9.1 Our clients in the use of our software products may supply personal identifiable information or special information. We receive this as we are a data processor and we shall follow the instructions of our clients as data controllers in the hosting of this information and the security to which the information will be retained under.

10. Transfers outside the UK

10.1 We may need to transfer your information outside the UK to Australia (where RMS have a branch office) and to service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the European Economic Area. When transferring data we will ensure that your personal information is only used in accordance with this privacy notice and applicable data protection laws and is respected and kept secure and where a third party processes your data on our behalf we will put in place appropriate safeguards as required under data protection laws.

10.2 Our directors and other individuals working for RMS may, in limited circumstances, access personal information outside of the UK and European Union, e.g. if they are on holiday or working abroad outside of the UK or European Union. If they do so they will be using our security measures and will be subject to their arrangements with us which are subject to English Law, in line with the GDPR and the same legal protections that would apply to accessing personal data within the UK.

10.3 Where we transfer your data outside of the UK, the RMS Solutions and environments will provide for the best security and availability practices including dual data-centre usage as a minimum to ensure constant availability of access to data; Firewalling controls; Anti-Virus/Malware services; IPS/IDS servicing; 24-hour systems’ monitoring and alerting functions; obfuscation/encryption of any sensitive data; encryption of all traffic between systems, including to the client’s system; encryption at rest; authentication options for password controls and complexity; authorisation levels with no access by default and least required level access provision. In addition, RMS support personnel follow security training, policies and procedures, and additionally will not have direct access to view or extract client sensitive data direct from data sources.

11. How Long We Keep Your Personal Information For?

11.1 How long we keep your personal information for depends on the services we deliver to you.
We will never retain your personal identifiable information for any longer than is necessary
for the purposes for which we need to use it.

12 Keeping You Up To Date

12.1 We will communicate with you about products and services we are delivering using any contact details you have given us – for example by post, email, text message, social media, and notifications on our ‘App’ or website. Where you have given us consent to receive marketing, you can withdraw consent, and update your marketing preferences by contacting us directly contact@retail-manager.com. Visit our website at www.retail-manager.com.

13. Your online activities

13.1 We use cookies, which are small data files which are placed on your computer or other device by our website, and which collect certain personal data about you. This enables us to tailor our product and service offering (including our website) to provide you with products and services which are more relevant to your company’s requirements, if you have given consent.

13.2 RMS may also collect information about usage of this website. We use this information either to respond to a specific request or to help us understand how the website is used. We may analyse information collected to help develop our business and improve the services we provide. We may also use this information to contact you for opinions on our services or to notify you from time to time about changes to our business or updates to the website.

13.3 You may change your website browser settings to reject cookies, although please note that if you do this it may impair the functionality of our website or of other websites.

14. Confidentiality and security

14.1 We have implemented security policies, rules and technical measures to protect individual’s personal information that we have under our control from:
• Unauthorised access
• Improper use or disclosure
• Unauthorised modification
• Unlawful destruction or accidental loss

14.2 All our employees, representatives, board members and third-party contractors (data processors) which we engage, who have access to, and are associated with the processing of your personal information, are obliged to respect the confidentiality and only process the information based on our instructions. We ensure that your personal information will not be disclosed until all security assurances have been documents.

15. RMS Commercial and Employee Information

15.1 When someone visits our website we will collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does at times identify a person who contacts us about a product. We do not make any attempt to find out the identities of those visiting our websites as a routine search. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

15.2 Except as set out in this privacy statement, we will not disclose, sell or rent your personal data to any third party. If you do consent but later change your mind, you may contact us and we will cease any such activity. In the event that a third party acquires all or part of our business and/or assets, we may disclose your personal data to that third party in connection with the acquisition, but only where lawful and compliant with the Data Protection Act 2018 and General Data Protection Regulation (GDPR) and the relevant UK data protection legislation. We may also disclose your personal data where necessary to comply with applicable law or an order of a governmental or law enforcement body.

APPENDIX A

YOU’RE RIGHTS IN RELATION TO YOUR PERSONAL INFORMATION

In responding to your rights, we will need to obtain the following information:

1. Proof of your identification
2. Enough information from you to locate the information

A. The right to be informed about how your personal information is being used:

We shall supply and keep updated our privacy notices to you as a visitor to our website, current or former employee and/or an applicant applying for a job with RMS. We shall detail:

1. Who we are 
2. What information we collect, use, share, store and how long we will retain your information 
3. The lawful grounds we have applied to process your information and when we need consent 
4. How we will keep your information secure 
5. How we will keep your information safe when we transfer it outside the UK
6. The likely recipients to whom we may share your information with 
7. How you can exercise your rights and object to processing 
8. The source of the information 
9. How to make a complaint to us as the Data Controller and the Supervisory Authority (Information Commissioner’s Office)

B. The right to access the personal information we hold about you:

We will need to obtain the following information when processing your request for a copy of your personal information:

1. Proof of your identification 
2. Enough information from you to locate the information
3. Authority to act form if you have engaged a representative to act on your behalf

Once point 1 and 2 are completed we have one month to respond with a copy of your information by electronic or paper-based means whichever is applicable in the circumstances. There is no charge, but we may as detailed under the law:

a) Refuse a request if it is deemed manifestly unfounded or excessive
b) Refused a repeat request for information again based on the above point, however if the information has changed since our last request and enough time has passed we will process the request based on point 1 and 2 above.

For RMS customers, a Subject Access Request (SAR) can be raised on the RMS support system by the customer’s/client authorised personnel, for actioning by RMS.

C. The right to request the correction of inaccurate personal information we hold about you:

It is important you keep us informed of any changes regarding your information which you have supplied us. You have the right to request your information to be rectified if it inaccurate or incomplete or you can ask us to add more details to the information to make it correct. To activate this right you need to:

1. Detail clearly what you believe to be inaccurate or incomplete
2. Explain how you would like us to correct this information 
3. Supply evidence of the inaccuracies

The request can be received by telephone, (verbal); however, we recommend you follow this in writing as it allows you the opportunity to explain and give examples/evidence why your information is inaccurate or incomplete and what your desired outcome is. For RMS customers, a Subject Access Rectification (SARE) can be raised on the RMS support system by the customer’s/client authorised personnel, for actioning by RMS

Once we receive your request we will:

a) Review the request and carry out an assessment of the information
b) If the information is inaccurate or incomplete we will make the necessary changes (e.g. corrected, deleted or added information). We will contact you via our support process in writing within once month of receiving your request confirming our actions, or

D. The right to request erasure of your personal information:

You can contact us to request the deletion of your information in certain circumstances; if you want to have your information erased you need to detail clearly what you want erased.

The request can be received by telephone (verbal), which should be followed up in writing as it allows you the opportunity to explain and give examples what information we hold which you want erased. For RMS customers, a Subject Access Erasure (SAE) can be raised on the RMS support system by the customer’s authorised personnel, for actioning by RMS.

Once we received your request we will:

a) Review your request and if the information is not required for one of the purposes detailed in point c, we will erase the information.
b) Where your information which we have agreed to erase is held on public online environment (e.g. social networks, forums, websites) which we have posted, then we will take reasonable steps to inform these ‘Information Societies’ about the erasure and request the remove this. This is called the ‘Right to be Forgotten’.
c) When we carry out this process we will contact any likely recipients which may hold this information and request them to erase the information. We shall keep a record of this request and our action. In the circumstances where we do not agree to erase your information, we will detail in writing the reasons why. These could be based on the reasons above and/or as the information falls into the criteria of the freedom of expression and that includes journalism, academic, artistic and literary purposes. Where there is a requirement to retain information is needed to be retained for public health reasons or the information is necessary for establishing or exercising / defending legal claims. In limited circumstances it could be refused on the basis of prejudice, scientific or historical research or archiving that is in the public interest. We may refuse the request if it is deemed manifestly unfounded or excessive.

E. The right to restrict processing of your personal information:

You can contact and ask us to stop processing your information if you are concerned about the accuracy of the information we hold and use. In certain circumstances you can also ask us not to delete your information from our records. This right is closely linked with the right of accuracy and the right to object. You can ask us to temporarily limit the use of the information if your disputing our decision on the accuracy of your information or an objection on how we use your information. You can also ask us to limit the use of the information rather than delete it if you feel we have unlawfully used your information we no longer need the information but you want us to keep it in order to create, exercise or defend a legal claim. If you want to have your information restricted you need to detail clearly what information you want us to stop processing.

Once we receive your request we will:

a) Consider the request and take appropriate steps to restrict the use of your information as we agree with your objection. We could temporarily move your information to another system, make it unavailable to users, or remove it from a website, if it has been published in the public domain. Where we have shared the information, which is restricted with recipients where it is proportionate to do so, we will contact them asking them to restrict the information in question. We will hold the restricted data securely and shall not use it further unless:
i) we have your consent,
ii) it is needed for legal claims,
iii) to protect a person’s rights, or
iv) it is in the public interest.
b) If we have applied restrictions on the information during our assessment once this is concluded, we may lift the restriction. We shall inform you in writing of this decision.

The request can be received by telephone, (verbal); however we recommend you follow this in writing as it allows you the opportunity to explain and give examples what information we hold which you want us to stop processing.

If we do not agree with your request to restrict your information we will contact, you in writing within one month of receiving your request confirming the reasons why. If the restriction impacts on our duty to carry out our duties under a contract with you or our legal or regulatory obligations, we may not be able to agree with your request.

F. The right to object to the processing of your personal information:

You can object to your information being used for direct marketing , this is an absolute right and one which we feel strongly about, we will only market businesses and/or people if they have consented and/or we are delivering like for like products and services which you have previously engaged to receive. You can object at any time and withdraw your consent free of charge – click here to unsubscribe. You can ask us some questions to help you decide if you want to object to how we use your information, this is because you can only object to the use of your information when we are using it for:

• To carry out a task in the public interest
• For our legitimate interests
• Scientific or historical research, or statistical purposes, or
• Direct marketing.

The above four areas are the only areas you have a right to object to. If you want to object to how we use your information is used the above circumstances you need to:

1. Detail clearly what to object to and why we should stop processing this information.
2. If you want to object to direct marketing you can simply unsubscribe by clicking here: Unsubscribe.

Once we receive your request we will:

a) Consider the request and take appropriate steps to assess your objection and where the grounds are established and agreed upon we will stop using your information.
b) Where we have shared the information with recipients and where it is proportionate we will contact them asking them stop using your information.

The request can be received by telephone, (verbal); however, we recommend you follow this in writing as it allows you the opportunity to explain and give examples what information we hold which you want us to stop processing.

If we do not agree with your objection we will contact, you in writing within one month of receiving your request confirming the reasons why. The type of circumstances where we may not agree with your objection are:

• When we deem the request to be manifestly unfounded or excessive;
• If your request is repetitive; or
• If the objection impacts on our duty to carry out our duties under a contract with you or our legal or regulatory obligations.

However, we will note your objection and supply you details of how to complain to the Supervisory Authority (Information Commissioner’s Office).

G. The right to request that we transfer elements of your data “Portability”

You can request us in certain limited circumstances to transfer elements of your information to another organisation in a way that is accessible and machine-readable, for example by supply sets of your information in an excel form. This right only applies to information held electronically, and where you have provided the information. This does not apply to information you have typed in for example your username and email address. Its focus is on the type of information we have gathered from our monitoring activities on how you have used a devise or service on a website, search usage history, traffic and location of information. You can make a portability request when we rely:

• On your consent to use your information
• As part of a contract with have with you If you want to request your data to be transferred, you need to detail precisely what information you require to be transferred.

Once we receive your request we will:

a) Consider the request and take appropriate steps to assess your request.

The request can be received by telephone, (verbal) but should be followed up in writing as it allows you the opportunity to explain and give examples what information you want transferred and to whom. For RMS customers, a Subject Access Portability (SAP) can be raised on the RMS support system by the customer’s authorised personnel, for actioning by RMS

If we do not agree with your request we will contact you in writing within one month of receiving your request confirming the reasons why. The type of circumstance’s where we may not agree with your objection are:

• When we deem the request to be manifestly unfounded or excessive
• If your request is repetitive If the objection impacts on our duty to carry out our duties under a contract with you or our legal or regulatory obligations we may not be able to agree with your request.

H. The right to object to certain automated decision making:

When decisions are made about you without people being involved, this is referred to as ‘automated decision making’. You have the right to prevent automated processing when it falls into the following two grounds:

• Automated individual decision-making
• Profiling

This could be when we have carried out an aptitude test using a pre-programmed algorithms and criteria and/or where we have had to carry out a credit reference check as part of our contract and anti-money laundering purposes when we enter into a contract with a client / person. Profiling could relate to processing information for the performance at work, economic situation, health or personal preferences and interests. It could also relate to our marketing operations and these processes can be carried out by electronic means, internet searches, social networks, mobile phones or lifestyle information.

We will only make decisions solely on automated processing if the decision affects a person’s legal rights if it is necessary for the purposes of a contract, or to meet a legal obligation and where we have your consent. We will always inform you why a decision was made and the manner in which it was reached.

Once we receive your request we will consider the request and take appropriate steps to assess your request and reach a decision.

The request can be received by telephone, (verbal); however, we recommend you follow this in writing as it allows you the opportunity to explain and give examples what information you want transferred and to whom.

If we do not agree with your request, we will contact you in writing within one month of receiving your request confirming the reasons why. The type of circumstances where we may not agree with your objection are:

• When we deem the request to be manifestly unfounded or excessive
• If your request is repetitive
• If the objection impacts on our duty to carry out our duties under a contract with you or our legal or regulatory obligations, we may not be able to agree with your request.

Our Response to you

Normally we will respond to you within one month of receiving your request.

As a data controller the law permits us to extend the time to supply the information requested from one month to three months from the date your request is deemed valid. We will only consider extending the period in which we must respond if your request is complex or you make more than one request.

If the request is deemed to be manifestly unfounded or excessive, we have a right to charge a fee according to the law, and the fee will be based on administration charges only, (cost to prepare, respond and provide written evidence of our decision).

If we do not agree with your request in relation to any of the above, we will contact you in writing within one month of receiving your request confirming:

– We have acted on your requests and have processed the request in line with your rights and the law; and
– The reasons why we have refused your request and the basis we have relied on.

If you are unhappy with our decision you can raise a complaint with the Supervisory Authority (Information Commissioner’s Office).

APPENDIX B

GDPR Lawful Basis Processing

Under the General Data Protection Regulation (GDPR) there are 6 lawful bases in which a data controller can process the personal data of data subjects (customers, staff, contractors, etc.). A data controller should firstly establish grounds to process data under grounds 2 to 5 for personal and if processing special categories of data (e.g. sexuality, religion) then a further ground set down in Article 9. Under Article 6 the lawful grounds are:

1. Consent:

The differences for consent between the Data Protection Act 1998, definition:

“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

The GDPR’s definition:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

There is a higher bar for consent with the GDPR, the idea is that the data subject is fully aware of what they are potentially signing up for and is given a choice as to accept or refuse to give their consent. If they have given their consent they need to be able to withdraw the consent at any time and you need to inform them how, with no cost to them.

The data subject has to be aware exactly what they are signing up to, in a clear and concise format and if the service is being directed at children it needs to be in a format that the child can understand. These notices can either be in written or verbal, such as a video.

The data controller needs to have mechanisms in place to record when consent has been obtained as well as when it has been withdrawn and their systems need to ensure that only the data subjects who have given consent are contacted and once they withdraw the system needs to ensure they are not contacted.

2. Contract:

There needs to be a supply of goods or services that have been requested by the individual or to fulfil obligations under an employment contract. This also applies to any steps necessary to enter into the contract, e.g. the application stages before employment.

While this will normally be the basis of why data is being collected it is still worth looking over what information is collected at the various stages of the process, splitting up the processes and going through each field on an application form and asking the question why is this data necessary? If the data controller cannot justify why they are collecting, then it maybe that the data is not necessary and maybe excessive and therefore may not be required.

It could when looking through the different stages of a process that the data controller may move some of the collection carried out to a later stage in the process e.g. asking all applicants for a job to provide details of their qualifications and taking copies of passports. It maybe that just ensuring a record that these items have been seen would be sufficient rather than holding data for all applicants when you are only going to appoint one person. The data could be asked for again during the notice period or when contracts are signed.

3. Legal obligation:

This is where the data controller is processing data as it is required by law either in the UK or EU to process the data, this does not include any contractual obligations.

4. Vital interests:

The data controller can process personal data if by doing so protects someone’s life. This can be either the data subject or someone else.

5. A public task:

If the data controller is processing data which is in the public interest – and they have a legal basis for processing the data under UK law then this is lawful. It is deemed that any public body, Local Authority, National Health, any company governed under the Freedom of Information could use this legal basis for most if not all of their processing.

6. Legitimate interest:

If the data controller is a private sector organisation, they will be able to process the data without the consent of the data subject if they have a genuine and legitimate reason, which also includes any commercial benefit. This would not be the case if there was potential to harm the data subject’s rights or interests.

Data controllers can consider this basis where consent would deem to be inappropriate or is seen to be manifestly unfounded. The data controller can continue to process their data even without the consent of the data subject/s. The data controller would still need to ensure there is no unwarranted impact on the data subjects and that the processing is still under the principles fair, transparent and accountable.

Special Categories of Data:

As with the present law, the Data Protection Act 2018, to process sensitive data, under the GDPR this is now known as Special Categories of Data, the data controller still needs to satisfy a lawful basis for collecting personal data, Article 6 of the GDPR, these are listed above 1-6, and will need to satisfy a further condition to process this type of data, Article 9. This is because special category data is more sensitive, and so needs more protection. For example, information about an individual’s:

• race;
• ethnic origin;
• politics;
• religion;
• trade union membership;
• genetics;
• biometrics (where used for ID purposes);
• health;
• sex life; or
• sexual orientation.

The conditions for processing special category data are listed in Article 9(2) of the GDPR:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Processing children’s data

Under the GDPR any data controller who is using social information services (e.g. Facebook, media etc.) and their target audience are children, under the age of 13 in the UK Data Protection Act 2018, will need to verify the age of the child and will need parental consent if the child is under 13. The data controller needs to verify the person giving consent of behalf of a child has the legal right to do so, by using available technology.

Any notices need to be made age appropriate when engaging children so that they are clear on what the data controller is offering and what they are consenting to.

There are exceptions although they are limited when dealing with children’s data and they will normally be around safeguarding the child, for example consent would not be asked if there was a concern of abuse within the home, either from the child or the parent/guardian.

The Organisation may be holding a fun day and employ a photographer who will need to present anyone they are photographing a consent form if the photograph puts that person as the focus (e.g. they are the only one in the photograph). If the image is a ‘wide public shot’ then there is no expectation of privacy.

There is no age limit for such activities however if they are relying on consent then the data subject will need to understand the form they are signing and it up to the data controller to ensure this is the case. The data controller will also need to ensure that the person who is offering to sign a consent notice on behalf of a child has a legal right to do so.

A PDF Download of this document is available RMS Privacy Notice

This Statement sets out the position of Retail Manager Solutions Limited (“RMS”) with regard to issues relating to anti-bribery and corruption within the business activities of RMS.

Introduction

The Bribery Act 2010, which is effective from 1 July 2011, represents the largest change in UK law in the area of anti-corruption and bribery involving commercial organisations for many generations and is the most far-reaching in its effect and implementation than any other similar legislation in the world.

Penalties can be severe with fines for companies running into millions of pounds, together with fines and imprisonment of up to 10 years for individuals. In addition any arrangements which are deemed illegal (including contracts) are unenforceable.

The Six Principles of the Bribery Act

The Ministry of Justice identified six key principles to aid the prevention of bribery.

The six key principles are:

Proportionate procedures. A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.

Top-level commitment. The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.

Risk assessment. The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.

Due diligence. The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.

Communication (including training). The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.

Monitoring and review. The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.

RMS and The Bribery Act

The Board of Directors of RMS is committed to zero tolerance of any act, or attempt, of bribery and to implementing a policy and procedures which are proportionate to the business of RMS to ensure compliance with the Bribery Act. RMS adopts the six principles enshrined in the Bribery Act 2010.

Policy and Procedures

RMS’s Anti-bribery policy:

• conveys the Board’s unequivocal anti-bribery stance; is clear about what bribery is and how it might manifest itself in the business of RMS;
• states who is responsible for what in terms of specific areas of policy and implementation;
• addresses all of the key bribery risks identified at the risk assessment stage;
• gives guidance as to how those business activities which give rise to bribery risk are to be conducted;
• supports employees in knowing what to do, or where to turn in cases of doubt.

RMS’s Anti-bribery procedures (processes and controls) are:

• designed to support effective implementation of policies and mitigation of identified risks;
• designed to support a range of both preventive and detective controls;
• focused on key risk areas;
• risk-based and proportionate, rather than treating all transactions, activities or business relationships the same way;
• as far as possible, built into existing processes and controls for the sake of efficiency and quick user-acceptability; and
• aimed to make anti-bribery compliance part of “business as usual”, rather than a stand-alone project.

Risk Assessment

Effective risk assessment lies at the very core of the success or failure of the RMS Anti-Bribery Policy. Risk identification pinpoints the specific areas in which RMS faces bribery and corruption risks and allows us to better evaluate and mitigate these risks. Management must assess the vulnerability of each business unit to these risks on an ongoing basis, subject to review by the Board of Directors.

Where Do the Bribery and Corruption Risks Typically Arise for RMS?

Bribery and corruption risks typically fall within the following categories:

A. Use of Business Partners

The definition of a business partner is broad, and could include agents, contractors, distributors, joint venture partners or solution partners who act on behalf of RMS. Whilst the use of business partners can help RMS achieve its business objectives, RMS recognises that there is a need to be aware that these arrangements can potentially present RMS with significant risks.

Risk can be identified where a business partner conducts activities on RMS’ behalf, so that the result of their actions can be seen as benefiting RMS. Business partners who act on RMS’ behalf will be advised of the existence of and operate at all times in accordance with the RMS Anti-Bribery Policy. Management is responsible for the due diligence and evaluation of each relationship and determining whether or not it falls into this category.

Where risk regarding a business partner arrangement has been identified the Board will:

• Evaluate the background, experience, and reputation of the business partner;
• Understand the services to be provided, and methods of compensation and payment;
• Evaluate the business rationale for engaging the business partner;
• Take reasonable steps to monitor the transactions of business partners appropriately; and
• Ensure there is a written agreement in place which acknowledges the business partner’s understanding and compliance with this policy.

RMS accepts that it is ultimately responsible for ensuring that business partners who act on its behalf are compliant with this policy as well as any local laws. Ignorance or “turning a blind eye” is not an excuse.

B. Gifts, Entertainment and Hospitality

Gifts, entertainment and hospitality include, without limitation, the receipt or offer of gifts, meals or tokens of appreciation and gratitude, or invitations to events, functions, or other social gatherings, in connection with matters related to our business. These activities are acceptable provided they fall within reasonable bounds of value and occurrence.

How to evaluate what is ‘acceptable’:

First RMS considers the following:

• What is the intent – is it to build a relationship or is it something else?
• How would this look if these details were on the front of a newspaper?
• What if the situation were to be reversed – would there be a double standard?

Never acceptable

Circumstances which are never permissible include examples that involve:

• A “quid pro quo” (offered for something in return)
• Gifts in the form of cash/or cash equivalent vouchers
• Entertainment of a sexual or similarly inappropriate nature

Usually acceptable

Possible circumstances that are usually acceptable include:

• Modest/occasional meals with someone with whom we do business
• Occasional attendance at ordinary sports, theatre and other cultural events
• Gifts of nominal value, such as pens, or small promotional items

Transparency is key

Any form of gift, entertainment or hospitality given, received or offered will be appropriately recorded in a register held by the Finance Manager.

C. Facilitation Payments

The UK Bribery Act 2010 makes no distinction between facilitation payments and bribes. Not with standing that in many countries it is customary business practice to make payments or gifts of small value to junior government officials in order to speed up or facilitate a routine action or process, such facilitation payments are against the RMS Anti-Bribery Policy. The Board of RMS takes the view that they are illegal within the UK as well as within any country in which RMS, or its business partners, operate.

Effective Implementation

Law enforcement and regulators in the UK and elsewhere are consistent in their clear statements that they will not accept purely “paper-based” anti-bribery compliance programmes.

Such programmes must work in practice and therefore effective implementation is the key to success. RMS believes that the overarching implementation challenge arises from the fact that successful anti-bribery compliance is all about culture and behaviour.

Fundamentally, most people want to do the right thing and have a pretty good instinct about what that is, but they can be led astray or merely distracted by lack of awareness or competing demands.

Key areas of challenge in implementation include:

Communication. Getting the messages right; delivering the messages in different ways to refresh and reinforce; raising awareness; delivering suitably targeted training; reinforcing top level commitment.

Governance and accountability. Being clear about who is responsible for what: ensuring clear ownership of the compliance programme; being clear that RMS management is accountable for implementation.

Ingraining anti-bribery compliance. Helping employees develop the right instincts: to know what to do or where to turn in cases of difficulty or uncertainty.

Management of third parties supplying services on behalf of RMS. Incorporating terms and conditions into contracts with suppliers and contractors to ensure their compliance with the RMS Anti-Bribery Policy and the ability for RMS to audit, monitor and review the third party performance of services on behalf of RMS.

Accurate Books and Record-Keeping. RMS ensures that accurate books, records and financial reporting are kept and for significant business partners working on behalf of RMS. RMS books, records and overall financial reporting must also be transparent. That is, they must accurately reflect each of the underlying transactions.

Monitoring and Review

Effective monitoring and review is critical to the long-term sustainability of RMS’ anti-bribery programme and to its ability to demonstrate adequate operating procedures.

Monitoring is a key element of internal control and only by monitoring key information, such as bribery risk indicators, relevant indicative data, and performance of procedures and controls will RMS be able to ensure anti-bribery policies are being effectively and consistently implemented and kept up-to-date to address the latest risk position.

A clear reporting structure and allocation of responsibilities (including oversight at Board level, compliance monitoring and day-to-day responsibility for being compliant) are important in achieving adequate oversight and governance.

It is important to ensure information reported is as robust as possible and can be gathered and reported in an efficient manner. A good reporting process will also enable continuous improvements to be made, making the anti-bribery control environment in RMS more robust and more efficient.

Conclusion

It is the ultimate responsibility of the Board of RMS routinely to review and reinforce the RMS Anti-Bribery Policy and its underlying principles and guidelines and to ensure it is implemented throughout the Company, its employees, its agent, contractors, distributors and other business partners.

RMS is working to reduce the environmental impact in the way we and our customers work.

RMS take environmental responsibilities very seriously. The conduct of business is ever mindful of the impact to the environment, ensuring that our carbon footprint in terms of consumption and emissions are kept to a minimum. RMS heavily use technology to minimise our impact on the environment and have reduced our estimated carbon footprint to approximately 88 tonnes per year. A current project to heat our HQ with Geothermal energy is underway.

Our biggest success has been the removal of our in-house computer room and associated air conditioning and moving almost all of our servers into the cloud. By this action we have removed over 436,800 kWh of power requirement from the UK and moved it to locations around the globe with lower energy costs powered by renewable sources such as hydro electric. That is an astounding 327 tons of C02 every year and 1,638 trees required per annum to offset the effect!

We pride ourselves on helping our clients to minimise their impact on the environment. One such example is Peacocks who removed nearly 3,000,000 pieces of paper from their business.

Talk to us to find out how we can minimise your environmental impact through the use of our solutions.

Paper is an important medium for communicating information to stores. There will always be a need for paper documents – just not as many as are currently produced in an average retail operation. The difficulty of knowing which stores have which store fit out and which display options means that promotion and seasonal instructions tend to include all possible permutations – making the package of paper both very bulky and also very complex. Some paper information is simply not effective. Forms that need completion at store – such as special product orders or payroll information – can be completed and filed online or printed on demand at the store, saving the printing and storage of order pads and other multi-part printed documents.

Some more facts

The Body Shop were able to sell two photocopiers and reduced the paper purchased for store communications by 70% and experienced a number of ‘post-free weeks’ when no paper had been posted to any of their 320 stores!

New Look saw printing, collation and distribution costs fall by 30% as instantaneous electronic distribution kicked in.

Peacocks internal print, copy and distribution costs have dropped by 70%.

Please contact us to find out how we can minimise your environmental impact by using our technology solutions.

This Statement sets out the position of Retail Manager Solutions Limited (“RMS”) with regard to The General Data Protection Regulation (GDPR) – Published January 11th 2018, last updated May 2019

1.   Overview

The purpose of this document is to give an overview of how the software products of Retail Manager Solutions Limited (RMS) will assist customers with their compliance with the GDPR.

Release versions as recommended by RMS for GDPR compliancy will be a prerequisite to RMS accepting its joint data processor liability under the new regulations.

The document will cover the 8 rights of the individual within the act and how the products will aid with compliance in these areas.

This document will also provide examples of personal and sensitive data that RMS may hold within standard fields in the system.

Wherever possible RMS will provide the full ability for the client to self-service the amending, retrieval or removal of data as required by GDPR.

Within this document we will refer to the ‘client’ as being any person associated or an authenticated physical user of the RMS solutions.

A major point that should be made is that GDPR and security compliancy is a shared responsibility between RMS and the clients.

 

2.   Personal and Sensitive Data – Statutory Definitions

Examples of personal data

Names
Addresses
Date of Birth
National Insurance Number
Gender
Next-of-kin details
Image	E.g. digitalised photo of the user
Warnings
Notes/Comments	Ad-hoc personal comments that may be entered
Forms	Customers need to consider non-standard fields stored in Forms created/customised by the client
Extra Client Fields	Customers need to consider sensitive data that may be stored in Extra Data fields created/customised by the client

 

Examples of Sensitive Data

Ethnic Origin
Sexuality
Religion
Bank Account details
Medical details	Communication preferences, impairments etc
Criminal history
Social Work
Eligibility to work details
Notes/Comments	Ad-hoc personal comments that may be entered
Forms	Customers need to consider non-standard fields stored in Forms created/customised by the client
Extra Client Fields	Customers need to consider sensitive data that may be stored in Extra Data fields created/customised by the client

Customers Data Controller Statement should say why the data is captured, what the purpose is for and how long it is retained. This is to comply with the parts of the regulations that state that data is collected lawfully, fairly and in a transparent manner.  In reality, this will require each customer to perform a privacy impact assessment on personal and sensitive data that it collects and processes. There is guidance on the ICO website regarding performing privacy impact assessments.  The statement must also show how the data is kept up to date and is accurate and is only held for the period where it is relevant. How the data is stored, secured and monitored for unauthorised access should also be detailed.

For personal data, the following legal gateways are valid.

• Consent
• Necessary in relation to the processing of a contract
• Legal obligation
• Vital interest – a matter of life and death
• Justice, Government, Statutory
• Legitimate interest

For sensitive data, the following are also valid.

• Consent
• Employment law
• Vital interest
• Legal proceedings, Legal advice or defending legal rights
• Administering justice
• Medical Reasons
• Equal opportunity monitoring with safeguards
• Crime prevention / malpractice

 

3.   The Eight Rights of The Act

 

3.1  The Right to Be Informed

As a Data Controller, you should inform the client of the types of data that you are capturing, why you are capturing it and how long it is retained. It is also necessary to inform the client regarding how data is shared with other systems and why.

RMS Products and Services

• Metro comprising the following:

 

3.2  The Right to Access

To comply with the Subject Access Request element of the regulations RMS will provide the client with full access to the client’s data through the solution. This may be as an individual self-service portal as a standard, or requested through the client’s internal support mechanisms. The RMS solutions have the ability for the customer to individually/group authorise the various areas of their solutions depending on their requirements. Where the customer utilises central operations to provide the function to clients, then the customer should create a Subject Access Report as a contact management record against the client with a defined set of actions and outcomes that allow reporting on the requests and their status. If self-service does not meet any of the requirements for the right to access for the client for any reason, then a Subject Access Request (SAR) will be able to be raised on the RMS support system by the customer’s authorised personnel, for actioning by RMS.

 

3.3  The Right to Erasure

Following on from a Subject Access Report a client may request all or partial erasure of data. The erasure request should be created as a contact management record against an individual with a defined set of actions and outcomes that allow reporting on the requests and their status. It is suggested that a before and after Subject Access Report are provided as proof of the removal along with a confirmation letter stating the outcome of the process. If self-service does not meet any of the requirements for the right to erasure for the client for any reason, then a Subject Access Erasure (SAE) will be able to be raised on the RMS support system by the customer’s authorised personnel, for actioning by RMS.

 

3.4  The Right to Rectification

Following on from a Subject Access Report a client may request all or partial rectification of data. The rectification request should be created as a contact management record against the client with a defined set of actions and outcomes that allow reporting on the requests and their status. It is suggested that a before and after Subject Access Report are provided as proof of the rectification along with a confirmation letter stating the outcome of the process. If self-service does not meet any of the requirements for the right to rectification for the client for any reason, then a Subject Access Rectification (SARE) will be able to be raised on the RMS support system by the customer’s authorised personnel, for actioning by RMS.

 

3.5  The Right to Object

Following on from a Subject Access Report a client may object to certain aspects of processing. The request should be created as a contact management record against the individual with a defined set of actions and outcomes that allow reporting on the requests and their status.

It is suggested that the individual is sent a confirmation letter stating the outcome of the process.

 

3.6  The Right to Restrict Processing

Following on from a Subject Access Report a client may object to certain aspects of processing. The request should be created as a contact management record against the individual with a defined set of actions and outcomes that allow reporting on the requests and their status.

It is suggested that the individual is sent a confirmation letter stating the outcome of the process.

 

3.7  The Right to Portability

A client may request an export of their data in a recognisable format. The request should be created as a contact management record against the client with a defined set of actions and outcomes that allow reporting on the requests and their status. It is suggested an export is provided of the data along with a confirmation letter stating the outcome of the process. If the client has requested erasure of their data then a confirmation certificate should also be provided. If self-service does not meet any of the requirements for the right to portability for the client for any reason, then a Subject Access Portability (SAP) will be able to be raised on the RMS support system by the customer’s authorised personnel, for actioning by RMS.

 

3.8  The Right to Manual Processing

Following on from a Subject Access Report a client may request manual intervention in a process. The request should be created as a contact management record against the client with a defined set of actions and outcomes that allow reporting on the requests and their status.

It is suggested that the client is provided with a confirmation letter stating the outcome of the process.

 

4.   How the data is retained and removed

This section relates to the data minimisation by implementing a retention policy on key records and fields.

The aim of Data Archiving is to aid compliance with the Data Retention Polices as set out in the regulations.

Minimisation of all data accessible to users is provided as a facility (based on individual or group authorisation) to all customers; it is the responsibility of the customer to inform RMS when permanent or hard deletion of inaccessible data is further required.

RMS operates a 30-day data backup retention period only.

 

5.   Consent Management

A new section of a client’s personal records should be introduced where consent for processing can be managed. This will require new fields that describe the type of usage of the data, the type of data being processed, the legal gateway being used to justify the usage and the start and end period of the consent. Where restrictions or objections to processing are deemed appropriate to interfaces then the consent records should be checked to prevent export of any said data.

RMS will assume that if a client is provided by the customer with an authorised user logon details, that the client has provided consent to the usage and any data processing with the RMS solutions.

 

6.   How the Data is Secured

The RMS Metro implements the best practice with a layered and organised structure to provide Privacy by Design.

The RMS Solutions and environments will provide for the best security and availability practices including dual data-centre usage as a minimum to ensure constant availability of access to data; Firewalling controls; Anti-Virus/Malware services; IPS/IDS servicing; 24-hour systems’ monitoring and alerting functions; obfuscation/encryption of any sensitive data; encryption of all traffic between systems, including to the client’s system; encryption at rest; authentication options for password controls and complexity; authorisation levels with no access by default and least required level access provision. In addition, RMS support personnel follow security training, policies and procedures, and additionally will not have direct access to view or extract client sensitive data direct from data sources.

 

7.   Prerequisites

Software Versions applicable:

All versions of Unified Comms from version 1;

All vesions of Operations Director and People from version 4; and

Active RMS support/helpdesk services contract in-situ.

Other Recommendations from Retail Manager Solutions:

Review of Metro access granted to staff/work groups.

Microsoft security updates are implemented on all machines.

Device security updates are implemented.

Anti-virus and malware software is implemented and up to date.

Device management software for mobile devices are implemented and up to date.

Customer should review any third-party software that they directly contract to. Within the current RMS Solutions, specific customers utilise such as Bank or Address Validation software and Yapster.

RMS direct Partners:

GDPR statements and policies can be found for the partners RMS utilises for the Metro solutions at:

Microsoft (infrastructure/software): https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

AWS (infrastructure): https://aws.amazon.com/compliance/gdpr-center/

Twilio (discussion/conferencing): https://www.twilio.com/gdpr

SendGrid (mailing service): https://sendgrid.com/policies/tos/

 

8.   Summary

RMS products implements the following items of the act in the ways described in the individual sections which in summary are,

• The 8 rights of the individual in the act will be managed through by the customer and where applicable RMS, actions and outcomes with the ability of RMS support. Specific actions will need to be taken dependent on the rights being invoked.
• As part of the Metro platform RMS provides a tick box to implied consent as part of the first log on access to the system and for password reset screen. This includes a renewal automatic at first logon and customisable customer privacy statement. If the authenticated user does not tick the box then the client will not be able to access the system.  An exportable log is available for all password changes/renewals.
• Privacy by design is implemented by the current Metro functions audit, encryption and redaction functions and workgroup functions in Metro
• Data minimisation is implemented by the current Metro functions and specific retention policies.
• Other recommendations regarding general security requirements.

 

Further reading:

UK Information Commissioner’s Office(ICO): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

EU Commission: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

This Statement sets out the Company position of Retail Manager Solutions Limited (“RMS”) with regard to The General Data Protection Regulation (GDPR) – Published February 21st, 2018, last updated May 2019

Confidentiality 

Retail Manager Solutions Limited (RMS) is committed to maintaining the highest degree of integrity in all our dealings with potential, current and past clients of RMS, both in terms of normal commercial confidentiality and the protection of all personal information received in the course of providing the business products and services provided by RMS.

RMS extends the same standards to all of our clients, suppliers and associates. We will comply with the legislative requirements with regard to confidentially and data protection and will ensure all our sub-contractors and third party suppliers (Sub Data Processors) agree and adopt our non-disclosure agreement and conditions for operating and processing our client data.  

Ethics

We conduct our own services honestly and honourably and expect our clients (Data Controllers) and Sub Data Processors to do the same. Our advice, strategic assistance and the methods imparted through our services take proper account of ethical considerations.

Duty of Care

Through our actions and advice, we will always try to conform to relevant law and RMS believes that all businesses and organisations, including our own business, have a duty of care to avoid causing any adverse effect on the rights and freedoms of individuals.

Terms and Conditions 

Our contract and/or terms and conditions of engagement will usually be in the form of a detailed proposal, including aims, activities, costs, timescales and deliverables. They are supported by our General Data Protection Regulation (GDPR) statement of intent (see below) in respect of our processing activities as a Data Processor / Sub Data Processor under the GDPR.

The quality of our products and services and the value of our service to our clients are paramount to us and RMS will always strive to meet our clients’ contractual requirements. We shall ensure a compliance review is carried out against our own processing activities as a Data Processor / Sub Data Processor when supplying software products service solutions to our clients and ensure that all our Sub Data Processors do the same.

Intellectual Property & Moral Rights 

RMS retains the moral rights in, and ownership of, all intellectual property that we create unless agreed otherwise in advance with our clients. In return we respect the moral and intellectual copyright vested in our clients’ intellectual property. Our suppliers are under strict terms of confidentiality not to disclose, disseminate and/or inform any third party about RMS’ clients, business or individual (data subjects) personal identifiable information.  

Quality Assurance 

RMS maintains the quality of what we do through constant ongoing review with our clients, of all aims, activities, outcomes and the cost-effectiveness of every activity. We encourage regular review meetings and provide regular progress reports on the services we are engaged to deliver.    

Professional Conduct 

RMS endeavours to conduct all of our activities with professionalism and integrity. We take great care to be completely objective in the judgement and any recommendations that are proposed, so that issues are never influenced by anything other than the best and proper interests of our clients.  

Diversity, Equality & Discrimination 

RMS always strives to be fair and objective in our advice and actions. We practice compliance with all forms of discrimination legislation, and actively promote policies and procedures to ensure that no person is ever disadvantaged by reason of their racial or ethnic origin, or on grounds of gender, sexual orientation (including gender reassignment), marital status, age, nationality, religion or belief or disability or any action which may constitute harassment of any kind.

General Data Protection Regulation Statement 

This ‘position statement’ sets down our approach with regard to compliance with our obligations under GDPR in relation to:

• our products , services and data storage;
• as a Data Processor on behalf of our customers; and
• as a Data Controller for the purposes of:
  • processing our employee data for our own accounts and purposes; and
  • promoting our products and services through marketing.

 

The role of the Data Processor is the processing of the data under the instructions of the Data Controller, (our clients). Under the GDPR, RMS will:

• Provide software solutions which allow our clients, as Data Controllers, to process and store the Personal Identifiable Information (PII) of their data subjects.

• As a Data Processor, embed in our approach the principles of the “Privacy by Design” (PBD) requirement when creating, designing a new, or maintaining an existing, software and/or storage solution.
• If the software or services is used for the handling of PII, ensure it will follow the principles of PBD.

 

Privacy by Design and Software and Service Development Life Cycle

As a software and service provider RMS, as a Data Processor, supports PBD principles in delivery of a solution, whether it be out-of-the-box or is uniquely configured or a customised solution.   The software and services provided by RMS will follow our own software and Service Development Life Cycle (SDLC) and corresponding IT development processes to cover the lifecycle of an information system which holds PII:

1. Plan;
2. Design;
3. Build;
4. Test;
5. Rollout; and
6. Maintain

RMS is fully aware that as a Data Processor we need to support our clients as Data Controllers. There are key areas of data management and protection relevant to the GDPR Articles and Recitals which influence the SDLC’s functional and technical planning requirements in regard to adopting a PBD approach when implementing data protection into the system and organisation as a legal requirement. 

We understand under Article 25-1/3 our clients, as Data Controllers, shall determine the means of processing as well as the risks of varying likelihood and severity for the rights and freedoms of an individual and in doing so they need to implement appropriate technical and organisational measures for security when it relates to PII as much as for pseudonymisation data sets. 

Under Recital 78 our clients, as Data Controllers, will be required to demonstrate compliance to adopt and implement measures which meet the Principles of data protection by design and data protection by default.  Among other things, transparency will need to be demonstrated with regard to functions and to enable the individual (data subject) to monitor the data processing, enabling proper security controls are in place. 

Where developing, designing, selecting and using applications, products and services that are based on the processing of personal data or the processing is necessary to fulfil a task, RMS, as a Data Processor, will take account of both the rights of individuals and the GDPR obligations of their clients as Data Controllers when developing and designing our products, services and applications. This will include performance of Privacy Impact Assessments (PIAs) with regard to our products and services for general application. However clients should note that such PIAs will not be specific to a client’s use of personal data that it may hold as a Data Controller, for which the client alone must perform its own PIA when deploying RMS software and services to comply with Articles 23 and 25.

  Data is secured, and the integrity and confidentiality are maintained, using technical and organisational means under the management of our client as a Data Controller when they position the software solution or product inside their own IT infrastructure. When using RMS data centre or storage services, RMS may use the services of a third party (Microsoft Azure, Amazon Web Services) which is as an EU based company and will act as a Sub Data Processor of RMS. When we use Sub Data Processors, RMS will ensure full compliance required under the GDPR is observed as follows:

 Article 5.1(f)

Personal data will be processed in a manner that ensures appropriate security, protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Using appropriate technical or organisational measures (‘integrity and confidentiality).

 Article 24

To support where applicable the responsibility and liability of a Data Controller in the requirement of responding to any risk or security assessments in regards to the processing of PII in relation to their data subjects. It is understood by RMS that the role of the Data Controller is to ensure appropriate technical and organisational measures are in place to ensure and demonstrate compliance and are regularly reviewed. As referred in Article 42 adherence to approved codes of conduct and/or approved certification mechanisms may be used as an element of demonstrated compliance.  

Article 32-1 (b-d)

It is the Data Controller’s responsibility to i) ensure ongoing confidentially, integrity, availability and resilience of processing systems and services; ii) restore and make available or accessible personal data in a timely manner in the event of a physical or technical incident; and iii) regularly test and evaluate the effectiveness of the technical and organisational measures for security.

 Recital 49

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams, computer security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the Data Controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.  

RMS will assist their clients if they require a system configuration with regard to data encryption or pseudonymisation.  Article 6 – 4(e) states a Data Controller shall take into account the existence of the appropriate safeguards, which may include encryption and pseudonymisation. Article 32-1(a) states a Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including amongst other things as appropriate for the pseudonymisation and encryption of personal data.

Under GDPR Recital 26 it clearly states the Data Controller needs to abide by the Principles of data protection and that this should apply with regard to PII which has undergone pseudonymisation, where if it is attributed to an individual by the use of connecting information would be considered PII. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as costs of the amount of time required for identification, taking into consideration the available technologies at the time of the processing and their developments.

 Recital 28 – The application of the pseudonymisation to personal data can reduce the risks to the data subject; explicit introduction of ‘pseudonymisation’ in the GDPR is not intended to preclude any other measures of data protection.

 Recital 29 – The purposes are to create incentives to apply pseudonymisation as a practice when processing PII. The GDPR is implemented in such a way that additional PII to a specific individual (data subject) is kept separately.  The Data Controller processing the PII should indicate the authorised person within the same controller, for example separate departments. The Data Controller should also remove all PII indicators when processing data and ensure no link can be made to reconstitute the data back to an individual (data subject). 

Under the Recital 83, the Data Controller and Data Processor should evaluate the risks inherent in the processing and implement measures to mitigate risks, such as encryption. Appropriate security measures such as confidentiality, to ensure consideration is applied to the risks such as accidental loss, unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may lead to physical, material or non-material damage to an individual(s).

As detailed in Recitals 39 and 58 the principle on transparency makes it clear that our client, as a Data Controller, is required to meet their obligations and RMS shall, as their Data Processor, will assist our client to meet their obligations. 

The products and services which hold and process PII will be required to comply with the GDPR Principles and the rights of individuals (data subjects).

The right to port data is a complex matter, and needs a case by case review, but system holding data would have the ability to allow a Data Controller to make that determination. As much as to meet Article 20  where a Data Controller has to supply an individual with a copy of their data in a structured, commonly used and machine-readable format and the individual has the right to ‘port’ that data without hindrance or delay. An individual has a right to require one Data Controller to transmit the data pertaining to them to another Data Controller where technically feasible. We will assist in supplying secure access or transmission solutions if the data porting applies to data we hold in our hosted environments.  

We understand that our clients, as Data Controllers, have to inform all Data Processors where the individual’s data is processed by IT / Applications / Storage systems that the individual has exercised their right to erasure. Controller and Processor inventories are critical to this right and in doing so RMS will co-operate with our clients to fulfil this obligation. To this aim and under Article 19 our clients, as the Data Controller, will inform us as the Data Processor or Sub Processor where the right to rectification /erasure / restriction have been exercised by the individual. The exemption to this is if it involves disproportionate effort. The Data Controller will inform the individual of all the recipients with whom their data has been shared and under Recital 66, where our Client as the Data Controller have shared individuals PII with RMS, will inform us as the Data Processor that such right has been exercised and the data subject’s PII is to be erased in any links to, or copies or replications of the personal data.   

Data Breaches

For the purposes of processing of PII which may result in a contravention of the GDPR (a data breach), RMS, as the Data Processor, and/or our Sub Data Processors, will determine if i) a breach is likely, and ii)  there is a high risk to processing of the PII in the systems held outside of our clients IT infrastructure (e.g. hosted by our third party Sub Data Processors,) which could put at risk  the rights and freedoms of data subjects, and we will ensure such technical measures are in place to identify, track, assess and report such breaches. We will report all contraventions with regard to data security to our clients as Data Controllers.

Where our client requires us as the Data Processor or our Sub Data Processor to carry out activities which could lead to a contravention of GDPR, we as Data Processor and our Sub Data Processors reserve the right to refuse such processing activities. 

Such security measures and reporting of data breaches will be dealt with in compliance with GDPR and in particular, Articles 33 and 34 and Recitals 85, 86 and 87. This includes addressing the reporting obligations to the individual (data subject) as well as to the Information Authority in the member state where the data is held and processed. 

RMS as a Data Processor

 A Data Processor is defined in Article 4(8) as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controllers. Under the GDPR Recital 81 1-10 (a-h), a Data Controller shall only use Data Processors who provide sufficient guarantees to implement appropriate technical and organisational measures in order that their processing activities will meet the requirements of the Regulation and ensure the protection of individuals rights (data subject).  

Engagement of Sub Data Processors and contractual obligations

It is understood by RMS, as a Data Processor, that we shall not engage a Sub Data Processor without the prior specific or general written authorisation of our clients as Data Controllers. Where RMS and/or the client as a Data Controller require services from a Sub Data Processor, each will consult and require demonstration of compliance under the GDPR by the Sub Data Processor. This will be in writing and each party will demonstrate compliance and record such in the contract and record any intended changes concerning the engagement, replacement or addition of a Sub Data Processor allowing time for the parties to object and/or agree.

A Data Controller will require a full report and set of evidence from the Sub Data Processor with regard to compliance with the GDPR as part of the written notification and will have the right to audit the main Data Processor as much as the Sub Data Processor. It is therefore understood by RMS that the relationship between their clients as Data Controllers and RMS as the Data Processor and our Sub Processors will be governed by a contract or other legislative laws in the EU or as part of UK law that is binding on the Data Processor / Sub Processor. The contract will set out, as a minimum:

• the subject matter,
• duration,
• the nature and purpose of the processing,
• the types of personal and sensitive categories of data; and
• the categories of data subjects.

It will also define and set the obligations and rights of the Data Controller. The contract or other legal agreement shall provide, in particular, that the Data Processor and any Sub Data Processors:

a) only process data on documented instructions from the Data Controller, and do not transfer any personal data to a third country or international organisation, unless required to do so by Union or Member State law to which the Data Processor and/or Sub Data Processors are subject (in these circumstances the Data Processor shall inform the Data Controller of such legal requirement before processing, unless the law prohibits such information on important grounds of public interest);

b) ensure that persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) take all measures set out in Article 32 Security of personal data;

d) respect the conditions to bring in and use a Sub Data Processor and in doing so will ensure a specific written agreement is in place with the Data Controller and that the Sub Data Processor follows the same contractual conditions and obligations as the main Data Processor and in doing so is liable under the same contractual agreements for any breach of such agreement. Where the Sub Data Processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller. Both Data Processor / Sub Processor shall provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR. The Information Authority (Supervisory Authority) may adopt a standard contractual clause(s) for such purpose as set down in Article 63;

e) assist the Data Controller in a timely manner in all matters pertaining to the response and processing of data with regard to data subjects’ rights;

f) assist the Data Controller by i) ensuring data is kept secure, ii) notifying the Data Controller of any potential or actual breach, and iii) assisting the Data Controller with any information to inform any affected individual;

g) ensure full documentary evidence is in place to show that all data provided to the Data Processor and/or Sub Data Processor has been destroyed, unless Union or Member State Law requires storage of the personal data;

h) allow the Data Controller the right to audit and to evidence compliance with the obligations laid down under the GDPR, including audits by the Data Controller or their chosen authorised agent;

i) work with the Data Controller with regard to any consultation with the Information Authority (Supervisory Authority);

j) are permitted the right to inform the Data Controller if, in their opinion, an instruction from the Data Controller infringes GDPR or other Union or Member State data protection provisions.

RMS as the Data Processor will not make any determination of the use of their clients’ PII as in doing so it would mean we would be considered to be a Data Controller. 

Liability and Right to Compensation

 Under Article 82, the right to compensation, any data subject who has suffered material or non-material damage as a result of a breach of the law shall have the right to receive compensation from the Data Controller and Data Processor for the damage suffered. The Data Processor shall be liable for the damage caused by the processing only where it has not complied with the obligations of the EU GDPR, Union and Member State Law. The Data Processor as much as the Data Controller shall be exempt from liability if they can prove that it is not in any way responsible for the event giving rise to the damage. 

It is understood by RMS that either alone or jointly both the Data Controller and the Data Processor

can be found liable for the entire damage in order to ensure effective compensation of the data subject affected. Where the Data Processor has paid full compensation for the damage suffered, it is entitled to claim back from the Data Controller or other Data Processor that part of the compensation corresponding to their part in the responsibility for the damage (Recital 50).

Legal action via the courts can be pursued by the damaged individual under the law of the Member State. The general conditions to impose fines will be managed by the applicable Information Authority in the country where the data subjects’ data is processed and/or where joint Information Authorities agree which concerned Authority will take the lead.

Other data protection legislation

RMS have also taken note of the UK Digital Economy Act (DEA) as part of their GDPR compliance review and strategy as it covers a variety of different measures, one of which is the requirement to register with the Information Authority which will be based on the volume of data they process and the category of the data. This is yet to be translated by the Information Commissioner’s Office in the UK but it is noted by RMS as a Data Controller processing employee and marketing data.

There are requirements for Data Controllers and Data Processors to ensure effective cyber security controls and awareness are in place. It brings in ‘Directors Responsibility’, which means personal liability of company directors for infringements of the Regulation and the UK Data Protection Act 2018 of which the GDPR will form part.  The DEA brings about the requirement to ensure compliance with the Regulatory Information Sharing Code of Practice with regard to public sector data sharing. RMS will consider this code as part of their GDPR Strategy.     

Special Categories of Personal Data (formally referred to as “sensitive personal data”) needs to be justified for processing without consent for employment and criminal convictions purposes – RMS may process such data for such purpose as an employer, and also as a software and service provider as part of a system which will hold this data.

Age of consent to process children’s data as in the provision of information services (internet/social media/gaming), where it is proposed to be reduced from 16 years under the GDPR to 13 years under the Data Protection Act 2018. Those under 13 will need parental/guardian consent: RMS will require their clients as Data Controllers to confirm consent prior to any processing activity being carried by RMS and our Sub Data Processors. 

We have also taken note of the change in the Data Protection Act 2018 to bring about under English Law the new offences of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data and the altering of records with the intent to prevent disclosure.  

Our Approach 

RMS is working towards a programme of change to implement the GDPR with regard to our products and services. RMS offer a set of software and service systems to the Retail, Health, Leisure, and Hospitality Sectors, and it is acknowledged that some of our solutions hold a volume of personal and special categories of data.

Where our solutions are deployed and sit within our clients’ IT infrastructure, they are protected by and under our clients IT, Information Security and Data Protection compliance controls.  Where our solutions are hosted by RMS we shall comply with this position statement and the provisions of GDPR and the UK Data Protection Act 2018.

While RMS is not required to have a Data Protection Officer under GDPR, we have decided to appoint a standing working committee dedicated to data protection compliance and issues. 

You are also referred to our GDPR product Statement found on the RMS website which gives more details in relation to GDPR compliance and our software products.