
Privacy Policy & GDPR Compliance
Finox is committed to ensuring that personal data handled by us is processed in accordance with applicable legal standards of data protection and security. This policy outlines our approach to processing, handling, and securing personal data in line with the UK General Data Protection Regulation (UK GDPR) and other relevant laws.
For the purposes of data protection laws, Finox is the data controller. This means we determine the purposes for which, and the manner in which, personal data is processed.
Purpose of This Policy
The purpose of this policy is to:
- Inform staff, customers, suppliers, and other stakeholders about the personal data we collect, process, and store.
- Set out the principles and legal conditions for collecting, handling, and storing personal data.
- Ensure that all Finox staff understand their roles and responsibilities in relation to data protection and security.
This policy is a statement of principles and does not form part of any employee’s contract of employment. Finox reserves the right to amend this policy at any time.
Definitions
- Personal Data: Any information that identifies a natural, living individual, either on its own or when combined with other information.
- Data Controller: The entity that determines the purposes and means of processing personal data (Finox).
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or destruction.
- Special Categories of Personal Data: Data relating to racial/ethnic origin, political opinions, religious beliefs, health, sexual orientation, or biometric data.
- Criminal Records Data: Information about an individual’s criminal convictions and offences.
Data Protection Principles
We are committed to processing personal data in line with the following principles:
1. Lawfulness, Fairness, and Transparency
- Personal data will be processed lawfully, fairly, and in a transparent manner.
- We will always have a legal basis for processing data, such as contract performance, legal obligation, or legitimate interests.
2. Purpose Limitation
- Personal data will only be collected for specified, explicit, and legitimate purposes.
- Data collected for one purpose will not be used for another without informing the data subject.
3. Data Minimisation
- Personal data will only be processed where it is adequate, relevant, and limited to what is necessary.
4. Accuracy
- We will take reasonable steps to ensure personal data is accurate and kept up to date.
5. Storage Limitation
- Personal data will not be retained longer than necessary for the purpose for which it is processed.
6. Security
- Appropriate technical and organisational measures will be implemented to protect personal data from unauthorised access, accidental loss, or destruction.
Types of Personal Data We Collect
Finox may collect, store, and process the following types of personal data:
- Employee Data: Name, contact information, qualifications, payroll information, performance records, and sickness records.
- Customer Data: Contact details, business information, and financial details.
- Supplier Data: Business contact details and payment information.
- Special Categories of Data: Health information (e.g., for absence management) or other sensitive data with explicit consent or as required by law.
Individual Rights
Under data protection laws, individuals have the following rights regarding their personal data:
1. Right to Access
- Request details of personal data we hold, why it is processed, and who it is shared with.
2. Right to Rectification
- Correct inaccuracies or incomplete data.
3. Right to Erasure (“Right to be Forgotten”)
- Request deletion of personal data where it is no longer necessary.
4. Right to Restrict Processing
- Request the restriction of data processing in certain circumstances.
5. Right to Data Portability
- Obtain and reuse personal data across different services.
6. Right to Object
- Object to data processing based on legitimate interests or for direct marketing purposes.
Data Security
Finox employs the following measures to secure personal data:
- Data is encrypted, pseudonymised, or password-protected where appropriate.
- Physical files are stored securely in locked locations.
- Digital data is stored on secure servers with controlled access.
- Regular staff training on data security and GDPR compliance.
Staff Responsibilities
All employees must:
- Handle personal data in line with this policy.
- Report any data breaches or suspected breaches to the Data Protection Officer (DPO).
Retention of Data
Personal data will only be retained for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are outlined in our Data Retention Policy.
Data Breaches
If a data breach occurs, Finox will:
- Notify the Information Commissioner’s Office (ICO) within 72 hours if the breach poses a risk to individuals.
- Inform affected individuals promptly if there is a high risk to their rights or freedoms.
Contact Information and Subject Access Requests
For questions, concerns, or to exercise your data protection rights, contact us at:
Email: info@finox.co.uk
Address:
47 North Rd
Cardiff CF10 3DX, UK
Updates to This Policy
This policy may be updated from time to time. All changes will be communicated to staff and other stakeholders.