Online GDPR Policy – EFurnit Ltd.
DSE (Computer workstation/desk) Assessments
Data Protection Policy – 25 May 2018
This data protection policy relates to EFurnit Ltd.’s online DSE assessments.
Terms used in policy:
- User – anyone who completes our online desk / DSE assessment and submits the data to us.
- Employer / responsible person – The person who we send the pdf assessment reports to in the user’s organisation (this can also be the user themselves).
- Data controller and processor – EFurnit Ltd is responsible for storing and processing the information which users submit during their assessment.
- Data protection officer - Dr Saeid Nik Akhtar (EFurnit Ltd.) is responsible for storing and processing the information which users submit during their assessment.
Information we hold:
Users of our online DSE assessment system provide us with the following data:
- Their name – Forename and Surname
- The name of their employer (either known by arrangement or optional)
- Their email address (optional or not in customised assessment forms)
- Users may also provide information about medical conditions affecting their
- Date on which data was recorded.
- Typeform – the company whose online tool we have our assessments in – also gathers the following information, which we are able to see:
  - Network ID (a randomly-generated string of characters unique to the IP address of the respondent). This Network ID is unique to the IP from which the response was collected. It can be used to detect and filter out duplicates. Note that it is not the actual IP address of the respondent – we do not collect and store that information. If several respondents connect through the same network or WiFi, they’ll have the same generated Network ID. On the other hand, if a single person is filling in your typeforms from different locations (therefore different networks), a different Network ID will be associated with each of their submissions.
  - Length of time to complete each assessment.
  - Start and finish times of each assessment.
The data that is gathered in our online assessments is adequate, relevant and limited to what is necessary in relation to producing a DSE assessment report for users’ employers.
The data we process comes directly from users of our online assessment forms.
Purposes of gathering the above data:
The data which users provide us with is used to compile a DSE assessment report, which is sent to each user’s employer or person responsible for processing that information. Pdf reports are only generated if there is a contractual agreement between EFurnit Ltd. and the user’s employer – or if payment is confirmed as having been received from the user for a report to be generated.
The data is gathered to enable your employer to comply with the UK Display Screen Equipment Regulations 1992, which require that a suitable and sufficient assessment is made of your computer workstation.
EFurnit Ltd. has accredited ergonomics consultants registered with the Chartered Institute of Ergonomics and Human Factors (CIEHF). Our gathering of user data in the online assessments and our generation of pdf reports fall within lawful use of user data.
Users’ consent to our processing of their data will be requested at the start of their online assessment via positive indication. The data we receive includes a record of that consent.
Communicating privacy information
At the start of our online assessment, users are provided with a link to this policy which sets out the privacy of their data. Users are required to confirm that they have reviewed this policy and consent to proceed with providing us with the information requested during the assessment.
The raw data which you provide us with is retained securely online with the assessment hosting company – Typeform. Typeform uses Amazon AWS servers for data storage, which are GDPR compliant – for more information see links below.
Copies of the pdf reports which we generate are stored by us in a secure G Suite folder which only the data controller has access to. Copies may also be held on a secure (password protected) hard drive. We do not put users’ personal information onto memory sticks due to the risk of physical loss that may risk a data breach.
Due to the data being disclosable in legal situations such as regulatory action or civil claims, we retain users’ data for a 40-year period unless we are specifically requested to delete it by both user and employer – we would retain a copy of this joint confirmation for the same period of time. The reason for the length of this retention period is that the data technically relates to potential long-term health effects which may be relevant to legal proceedings.
Individuals’ rights under GDPR:
Users have a right to obtain confirmation that their data is being processed.
Any user of our system has the right to ask for any data which we hold relating to them, to be provided to them. We would provide the raw data and the pdf assessment report as requested free of charge in a portable electronic format. In order to release the information safely we would need to confirm that the identity of the person requesting the information matches the user.
Users can request at any time for the data controller to delete any information about them which is held by or on behalf of EFurnit Ltd. Due to the legal status of the data which we hold on behalf of both users and employers, this deletion would need to be by agreement of both parties (see ‘storing data’ section above).
Users have a right to have any inaccurate or incomplete personal data rectified. To do this, users should submit a request for the data to be altered or deleted and replaced as applicable.
We will process any requests to exercise individuals’ rights without delay and at the latest within one month of receiving them.
Users should contact firstname.lastname@example.org if they wish to exercise any of their rights under the GDPR.
Confirmation of what we do not do with users’ data:
We do not pass user information on to anyone other than their employer (which itself is only done if we have positive user consent and by prior agreement with the employer).
We do not use users’ information for any purposes other than generating their pdf assessment report and identifying the reports correctly to/for their employer. We do not use the information users give us for any marketing purposes.
If a data breach occurs:
If we believe or if we are informed by Typeform that any user information that we hold has been accessed by anyone other than the data controller, the user or their employer, we will inform the users’ employer in the first instance and request that information is passed directly on to the users (on the basis that we do not retain any information allowing us to contact users directly).
Contact details if you have any questions:
Registered Data Controller:
Registered data controller with the ICO – Registration reference: ZA256747