Data Protection Policy (UK GDPR)

1. Introduction

This Data Protection Policy sets out how Samy Groups collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The policy applies to all employees, contractors, and users of the Company's CRM Portal, including HR, Store Management, Employee Management, Complaints, Property, and Home Office modules.

2. Purpose of the Policy

• Processes personal data lawfully, fairly, and transparently
• Protects the rights of employees, customers, store managers, contractors, and data subjects
• Stores and handles personal data responsibly
• Reduces risks of data breaches

3. Scope

• All systems in the CRM portal (HR, Employee, Store, Complaints, Property, Home Office)
• All staff who handle or process personal data
• All personal data in manual or digital formats

4. Definitions

Personal Data: Information identifying an individual.
Special Category Data: Sensitive data such as health or biometric information.
Processing: Any operation on personal data.
Data Subject: The individual whose data is processed.
Data Controller: Organisation deciding data use.
Data Processor: Third party processing data on behalf of the Company.

5. Data Protection Principles

1. Lawfulness, fairness, transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

6. Types of Data Collected

HR Module

• Personal details, passport details, right-to-work documents
• Holiday, sickness & performance records

Employee & Store Management

• Attendance, working hours, job roles, contracts
• Store assignments and emergency contact details

Complaints Module

• Complainant details, incident records, evidence

Property Module

• Tenant details, lease documents, inspection notes

Home Office Module

• Visa expiry dates, immigration compliance

7. Legal Basis for Processing

• Contractual necessity
• Legal obligations
• Legitimate interests
• Consent
• Vital interests

8. Data Subject Rights

• Right to be informed
• Right to access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights regarding automated decision-making

9. Data Security

• Password-protected systems, encrypted databases
• Role-based access control (RBAC)
• Secure document transfers and audits
• No unauthorised sharing or storing on personal devices

10. Data Retention

Personal data will be retained only as long as necessary based on legal and operational requirements.

11. Data Sharing

Data may be shared with government bodies, payroll providers, legal advisers, and approved system providers under Data Processing Agreements.

12. Data Breach Procedure

1. Immediate reporting
2. Investigation within 24 hours
3. ICO notification if required
4. Informing affected individuals
5. Recording in breach log

13. International Data Transfers

Transfers outside the UK will only occur where adequate safeguards or adequacy decisions exist.

14. Staff Responsibilities

Employees must follow this policy, complete training, report risks, and only access necessary data.

15. Data Protection Officer (DPO)

The DPO is responsible for compliance, handling requests, and ICO communication.

16. Policy Review

This policy is reviewed annually or when legislation changes.

---

System Security & Liability Disclaimer (UK)

1. No Guarantee of Uninterrupted Service

The Company does not guarantee the system will be error-free, always available, or immune to cyberattacks.

2. Limited Liability for Cybersecurity Incidents

The Company is not liable for malware, hacking, data corruption, data loss, downtime, or third-party failures.

3. User Responsibility

• Maintain confidentiality of login credentials
• Use strong passwords
• Report suspicious activity
• Avoid malicious uploads/downloads
• Use secure and approved devices

4. Third-Party Services

The Company is not responsible for vulnerabilities or failures originating from integrated third-party systems.

5. Force Majeure Events

No liability for events outside Company control such as cyber warfare, outages, natural disasters, or mandated shutdowns.

6. Reporting & Mitigation

The Company will investigate suspected breaches, take corrective steps, and notify affected parties when required.