MTR processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws. The Company is registered with the ICO and its registration number is Z1262934
Data Controller means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Data Processor means an individual or organisation which processes personal data on behalf of the data controller;
The Company may hold personal data on individuals for the following purposes:
The Company will only process personal data where it has a legal basis for doing so.
Company staff are permitted to add, amend or remove personal data from the Company’s database (‘database’ includes paper records or records stored electronically).
All Company staff are responsible for identifying where information is known to be old, inaccurate or out of date or a request for erasure, access, rectification or restriction of processing has been received from the individual. Company staff are also responsible for any request for data portability, objection to processing or where consent to process has been withdrawn and has been received from the individual.
In addition all Company staff should ensure that adequate security measures are in place to limit the risk of personal data breaches. For example:
An individual has the following rights under the Data Protection Laws:
The right to be informed
Any individual whose personal data is processed by the Company will have the right to be informed about such processing. They will have the right to be informed about who, what, where and why the data is processed.
The right to access (‘subject access request’)
Individuals are entitled to obtain access to their personal data on request, free of charge except in certain circumstances.
The right to rectification
An individual has the right to obtain from the Company, rectification of inaccurate or incomplete personal data concerning him or her. The Company must act on this request without undue delay.
The right to erasure (‘right to be forgotten’)
An individual shall have the right to obtain from the Company, acting as data controller, the erasure of personal data concerning him or her without undue delay. The Company will be obliged to erase the individual’s personal data without undue delay.
The right to restrict processing
An individual will have the right to obtain from the Company, acting as a data controller, the restriction of processing his or her personal data.
The right to data portability
An individual has the right to receive any personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller.
The right to object to processing
An individual, has the right to object to their personal data being processed or profiled based on a public interest or a legitimate interest.
Timing and information to be provided to the individual
The Company shall provide information on action taken or not taken with regards to the individual data protection rights without undue delay and in any event within one month of receipt of the request. Where the Company does take action, then it may, where necessary, extend this period by a further two months, taking into account the complexity and number of the requests.
Where requests from an individual the Company can demonstrate are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either:
The Company will need to act on any personal data protection breach it suspects or knows of when acting as either a data controller or a data processor.
Personal data breaches
The Company will take measures to establish whether or not a personal data breach has occurred. The Company will:
The Company will be responsible for alerting the ICO of any personal data breach without undue delay, but no later than 72 hours after having become aware of the Company’s personal data breach.
Where a personal data breach has been identified, The Company will be responsible for informing those individuals effected by the personal data breach without undue delay.
If you wish to get in touch please contact firstname.lastname@example.org
You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.