Data Protection

The Company complies with the requirements of Data Protection legislation. Under the legislation, employees have certain rights regarding the processing of personal data.

Viessmann is registered under the Data Protection Act 1998 and fulfils its obligations to comply with the 8 Principles of the Act which are intended to protect the rights of the individuals about whom the Company records personal data.

The Company is committed to upholding the Data Protection Principles in the interests of protecting personal data from being collected or processed inappropriately. Strict confidentiality and security is required from employees involved in processing personal data, or those who have any access to any file which contains personal data.

Principles of the Data Protection Act

  1. The Data should be collected and processed fairly and lawfully
  2. Collected for justified reasons and specified purposes. These should be communicated in advance to the data subjects concerned unless otherwise instructed
  3. Personal data held for any purpose should be adequate, relevant and not excessive in relation to that purpose
  4. Personal data shall be accurate and, where necessary, kept up to date
  5. Personal data processed for any purpose shall not be kept longer than is necessary for that purpose
  6. Personal data shall be processed in accordance with the rights of data subjects
  7. Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of personal data, and against accidental loss or destruction of personal data
  8. Personal data shall not be transferred to a country outside the EEA unless that country ensures an adequate level of protection in respect of the processing of personal data

Terms used under the Data Protection Act

Data Controller - this is the person who either jointly or alone determines the purposes for which personal data can be processed. This term comprises not only individuals but also companies and other corporate and unincorporated bodies of persons.

Data User - this includes employees and is any person who has access to any manual or computerised file that contains personal data. Every data user has a responsibility to comply with the principles of the Data Protection Act and failure to do so will result in disciplinary action in accordance with the Company’s disciplinary policy

It is important data users comply with the Principles of the Act and follow the guidelines set out below. Data means information which is: -

  • processed by computer
  • recorded with the intention that it should be processed by computer
  • recorded as part of a relevant filing system which includes paper systems
  • and forms part of an accessible record

Personal data means data relating to a living individual who can be identified. Personal data relates to employees, suppliers and clients and is information recorded on a computer or in a paper record. Sometimes this person is not named but can still be identified by an account code, payroll number etc. Personal data also includes any expression of opinion about the individual and information regarding the intentions of the Data Controller/User toward the individual. Care should be taken that all written expressions of opinion are factual and accurate, do not contain subjective views and/or opinions and are strictly in relation to the business being conducted.

Data subject means the individual who is the subject of personal data. Processing in relation to information or data means: -

  • obtaining
  • recording, or
  • holding the information or data

This includes: -

  • obtaining or recording the information to be contained in the data
  • carrying out any operation on the information or data

To include: -

  • organisation, adaptation, alteration of the information or data
  • retrieval, consultation or use of the information or data
  • disclosure (in any format) of the information or data
  • alignment, combination, blocking, erasure or destruction of the information or data

All data users should be aware that when handling and processing personal data the information is relevant, adequate and not excessive to the purpose. Personal data should, at all times, be accurate and up to date.

Third party means any person other than: -

  • the data subject
  • the data controller or data user
  • any other person authorised to process data for the data controller

Third party information is not accessible on request, other than by the third party. For example, there is no legal right to have sight of references nor is there any right to have disclosed to you the birth date of another person without their express permission to do so.

Sensitive information - special rules apply to personal data of a sensitive nature relating to: -

  • racial or ethnic origin
  • political opinions
  • religious beliefs or other beliefs of a similar nature
  • trade union membership
  • physical or mental health or condition
  • sexual life
  • criminal offences, alleged offences or convictions
  • children

When personal data is processed a number of conditions must be met: -

  • the individual must give explicit consent to the processing or the processing is necessary to carry out a right or obligation imposed by law, or in the case of racial or ethnic origin, processing is necessary for the purpose of monitoring equal opportunities and is carried out with appropriate safeguards

The collection, storage and processing of sensitive information requires particular attention and if in any doubt please refer to the Managing Director.

The Data Protection Act can apply to computerised and manual records, photographs, CCTV footage, mainframes, laptops, organisers, tablets, smart phones, audio and video systems, telephone logging/surveillance systems, microfiche and microfilm etc.

Subject Access Requests

  • Individuals have the right to enquire from the Data Controller what information is held about them on computer or paper records. All such requests should be made in writing to the Managing Director, who will action the request
  • The Company will respond to a subject access request within one month of receiving it. However, the one month period does not start until receipt of the following:-


  • information reasonably required to identify the data subject
  • information reasonable required to locate the data
  • any consent required from other individuals

If you fail to provide the above information the Company need not comply with the request

  • The Company will reply to a subject access request even if no data is held on the individual or the personal data is covered by one of the subject access exemptions. Information relating to pensions, payroll or accounts may only be disclosed to the individual to whom that information relates
  • Upon receipt of a subject access request, the Managing Director will ask the relevant data user to provide the information for the individual. This need not necessarily be in form of a print-out but must be clear and legible

10 May 2017