In conducting its business, Jigowatt by necessity is required to collect and use personal data relating to its employees. Jigowatt also stores personal data files on behalf of its clients, and processes these in accordance only with its clients’ instructions.
The applicable Data Protection law is EU Regulation 2016/679 =, which is known as the EU General Data Protection Regulation – hereafter “the GDPR”. At the same time as the GDPR, in the UK, the Data Protection Act 2018 came into force. This defers entirely to the GDPR for all activity within the GDPR’s scope, but is necessary in order to implement the UK-specific aspects. For example, the 2018 Act updates provisions for the UK’s Data Protection Supervisory Authority, the Information Commissioner’s Office (ICO). It also extends a broadly equivalent regime in the UK to policy areas not within the GDPR’s scope e.g. law enforcement, intelligence services. For this Jigowatt Policy, the term ‘GDPR’ is used to apply to the entire body of applicable Data Protection law.
This GDPR lays down strict procedures for the collection, storage, dissemination and usage of personal data. Its aim is to safeguard an individual’s rights of privacy, by ensuring that the person about whom personal data is being collected is aware of the activity, what information is being gathered, and, where appropriate, consents to its collection and the purpose(s) of its use. The GDPR also lays down strict guidelines for the safeguarding of any data collected, as well as disclosure of the data to any third party, and for its subsequent disposal.
The types of business activities that Jigowatt engages in i.e. in relation to the collection, storage, dissemination and usage of personal data, mean that the Jigowatt is defined under the GDPR as a “Processor” (hereafter “Data Processor”). The GDPR makes it clear that a Data Processor carries out its functions in relation to personal data “only on documented instructions from the controller” (GDPR Article 28).
In the Jigowatt case, the “controller” (hereafter the “Data Controller”) is ‘the client’, because it is the client who defines the purpose and legal basis for collecting and processing personal data. The main caveat here is that Jigowatt may at some point(s) be obliged to act independently in order to comply with a separate applicable law. If such a case arises, Jigowatt is obliged to inform the respective Data Controller of its action(s).
As a Data Processor, Jigowatt can decide, within the terms of the agreement/contract with the Data Controller:
The Jigowatt Data Privacy Manager is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments, you should contact John Conmy, Jigowatt Data Privacy Manager.
4 Office Village, Forder Way, Cygnet Park,
Tel: 01733 267775
Jigowatt is registered with the Information Commissioner’s Office ZA297127
Jigowatt pledges to be GDPR-compliant, whilst recognising that GDPR-compliance is not a standard. Rather it is an ongoing process, which requires that Jigowatt be accountable for ensuring that ‘appropriate technical and organisational measures’ are implemented and maintained, and that policies and procedures are in place, up-to-date and embedded in the organisation. In all of its day-to-day operations where personal data is collected and processed, Jigowatt will ensure that it abides by the GDPR, notably in relation to the data privacy rights of individuals, as outlined in the GDPR, and overall in terms of adhering as closely as possible to the GDPR’s ‘Six Principles’.
Jigowatt expects all employees to adhere to this Data Protection policy and the procedures designed to ensure compliance with the GDPR. Given the potentially severe consequences to Jigowatt of non-compliance with the GDPR, it is Jigowatt’s policy to regard any willful breach of the organisation’s Data Protection Policy, and the procedures designed to comply with the GDPR, as an act of gross misconduct. If proved, this could result in instant dismissal for the employee(s) involved.
The policy covers data stored on all data storage systems, including portable storage devices and all manual-filing systems, and all locations at which employees undertake work on behalf of Jigowatt e.g. when working from home or any other remote location.
This policy adheres to the ‘checklist’ set out by the ICO, and the proposals as detailed in the Jigowatt ICO Data Protection Register entry.
This document outlines the policy and procedures adopted by Jigowatt to handle all personal data within the organisation. The dissemination and updating of the policy is the responsibility of the Data Privacy Manager, who will review the policy with respect to changes in Data Protection legislation. All employees will be expected to adhere to the policy and procedures and to seek advice and clarification on any issues that may arise.
Jigowatt accepts that Andy Donovan (Jigowatt Director) has ultimate accountability for implementing the policy, but all employees have an essential and individual responsibility in implementing and maintaining Jigowatt’s legal compliance with the GDPR. As a minimum, all employees must adhere to the policy, as set out in this document, and make known to Andy Donovan and/or the Data Privacy Manager any issues affecting the security of personal information.
Each employee is responsible for implementing the policy in their area, for ensuring that its principles and requirements are complied with at all times, and for delivering the following points:
3.2 Terminology used in this document
Data Controller: The Data Controller determines the purpose(s) for collection and processing of personal data, the types of data and the legal basis (as listed under Article 6, GDPR) for that processing
Data Processor: A Data Processor is responsible for processing personal data, but only on the explicit written instructions of a Data Controller.
Data Processing: Any action relating to personal data held e.g. the electronic or manual ordering, storing, adding, amending, copying, manipulating, reporting, printing or retrieving personal information held electronically or in a manual paper filing system
Personal Data (Personal Information): any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. applicable to a single individual or can be linked either directly or indirectly to an individual
Data Subject: The individual (‘natural person’ is the legal term) whose personal data/information is being processed
ICO: UK Information Commissioners Office, the independent authority that acts as the Data protection ’supervisory authority’ in the UK, and advises on, upholds and issues guidance for the GDPR, the 2018 UK Data Protection Act, and all other applicable laws.
3.3 The GDPR Principles
Jigowatt shall, as far as reasonably practicable within its function as a Data Processor, ensure that it handles all personal data according to the GDPR’s ‘Six Principles’, as follows
All personal data held by Jigowatt is:
Jigowatt will therefore ensure, as far as is possible in its role as Data Processor, that appropriate measures are taken through the management and strict application of criteria and controls by:
3.4 Responsibilities of Jigowatt employees
It is the responsibility of Andy Donovan (Jigowatt Director) to:
It is the responsibility of employees to:
All the above applies to all work carried out for Jigowatt i.e. be it from a Jigowatt office, from the employee’s home or from any other location remote from colleagues, infrastructure or other Jigowatt IT or other assets or systems.
3.5 Rights of Access to Information
Individuals have a right of access to information held about them by Jigowatt. As Jigowatt acts only on behalf of its clients, any request should be passed on to the client (as Data Controller) who, in conjunction with Jigowatt, will check the validity of the claim and initiate the data collection process.
Upon receipt of a request and/or instruction from a Data Controller, or direct from a Data Subject or their legal representative, Jigowatt will contact the individual making the request to clarify the following:
The one-month working period will start on the agreement date, or when fee paid, if such a fee is required.
3.6 External Services Compliance: Third Party
Any vendor performing updates, maintenance, installation or reviews of the computer network system, either internally or through a remote connection, must demonstrate to the Data Controller and to Jigowatt, as the Data Processor, that they adhere to the Data Protection principles set out in this document. The Data Controller or Jigowatt may request a copy of the vendor’s Data Protection policy before any work is carried out, and may refuse access to the network if the vendor does not satisfy the requirements of this policy and its procedures.
3.7 Data Accuracy
In conjunction with the Data Controller, Jigowatt will take all reasonable steps to ensure that all personal data held in relation to clients, clients’ own customers and Jigowatt’s employees is accurate and up to date.
Individuals must notify the Data Controller and/or Jigowatt of any changes to information held about them; individuals have the right to request that inaccurate information be corrected or deleted.
3.8. General Data Storage/Information Security
Jigowatt outsources IT services to a company that ensures all data is backed up appropriately, passwords are changed regularly and systems are securely managed.
When data is stored electronically, it must be protected from unauthorised access and accidental deletion.
When data is stored on paper, it should be stored in a secure place where unauthorised people cannot access or see it.
When not required, the paper or files should be kept in a locked drawer or filing cabinet and should be shredded when no longer needed.
Only those individual employees and/or third parties with a need to access personal data will be authorised to have access. Employees should always make sure paper and printouts are not left where unauthorised people could see them. Access to personal information should be regularly reviewed to ensure that information is accessible to authorised employees only.
Personal data will only be kept as long as it is necessary for the stated purpose(s), and all data will be safely and securely destroyed when it is no longer needed. Employees should follow Jigowatt’s data retention policy.
Personal data is not currently passed on to any other organisation for them to undertake direct marketing. As a Data Processor, Jigowatt only acts on the instructions of its clients.
For further information on UK Data Protection/Privacy law, notably the implementation and guidance on the GDPR, see the website of the UK Information Commissioner (ICO).