Record of Processing Activities (ROPA)
WeVee is a data controller as defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and as such, we are required to maintain a ROPA.
WeVee processes significant volumes of personal data. Our data processing activities encompass various aspects of our operations, including the EcoMute programme, customer relationship management, marketing, legal compliance, human resources, and supply chain management.
The ROPA details the categories of data subjects and personal data we process, the purpose of the processing, and any recipients with whom the personal data may be shared.
Please see below for further details about our ROPA.
1. Controller Information
Name: WE ARE ELECTRIC LIMITED trading as WeVee
Address: 59-60 Russell Square, London WC1B 4HP
Contact Details: Phone: +44 20 8012 8190
Data Protection Officer (DPO): Paul Fagan, CEO
2. Purposes of Processing
- Provision of EcoMute (salary sacrifice) programme
- Customer relationship management
- Marketing and promotional activities
- Compliance with legal and regulatory obligations
- Employee and HR management
- Supply chain and partner management
3. Categories of Data Subjects
- Employees participating in the EcoMute programme
- Potential and current business clients
- Suppliers and partners
- Employees and contractors of WeVee
4. Categories of Personal Data
- Employees: Name, contact details, payroll information, vehicle details, commuting patterns
- Clients: Business contact information, contract details, communication records
- Suppliers/Partners: Contact information, contractual agreements, payment details
- Marketing: Name, contact details, preferences, engagement history
5. Categories of Recipients
- Internal staff members
- Supply chain leasing partners (e.g., Lex Autolease, Arval, ALD Automotive)
- External service providers (e.g., IT services, marketing agencies)
- Regulatory bodies (if required)
6. Transfers to Third Countries
- Within the EU: Transfers to EU/EEA countries are considered to provide adequate protection under GDPR. No additional safeguards are necessary.
- Outside the EU: WeVee has relationships with institutions and agencies outside of the UK which encourage and facilitate adoption of our EcoMute programme and its global decarbonisation benefits for our customers, including employers and their employees. In addition, WeVee uses employer of record (EOR) services. Where we transfer personal data outside of EU/EEA countries as part of these relationships, we ensure appropriate contracts or other safeguards are in place.
7. Retention Periods
- Employee data: Duration of employment + 6 years
- Client data: Duration of contract + 6 years
- Supplier/Partner data: Duration of contract + 6 years
- Marketing data: Until consent is withdrawn or data is no longer necessary
8. Technical and Organisational Security Measures
- Data Storage: All personal data is stored in Microsoft Dynamics 365, a secure cloud platform.
- Access Controls: Access to Microsoft Dynamics 365 is controlled via two-factor authentication (2FA), ensuring that only authorised personnel can access the data.
- Encryption: Data is encrypted both in transit and at rest within Microsoft Dynamics 365.
- Regular Audits: Security measures and access controls are regularly audited to ensure compliance with GDPR requirements.
- Pseudonymisation: Personal data is pseudonymised where appropriate to enhance privacy protection.
- Incident Response: Clear procedures are in place to respond to data breaches, including notification of affected individuals and regulatory bodies as required.
9. Data Subject Rights
- Right to access, rectify, or erase personal data
- Right to restrict or object to processing
- Right to data portability
- Right to lodge a complaint with a supervisory authority
10. Automated Decision-Making
WeVee does not engage in automated decision-making processes that produce legal effects or similarly significant impacts on individuals.
11. Legal Basis for Processing
- Consent obtained from data subjects
- Performance of a contract
- Compliance with legal obligations
- Legitimate interests pursued by WeVee, balanced against data subject rights
12. Changes to the ROPA
This ROPA will be reviewed and updated annually or whenever significant changes occur in processing activities.
Approval and Acknowledgement
This Record of Processing Activities has been reviewed and approved by the Data Protection Officer and senior management of WeVee.
Date of Approval: 1st April 2024
Approved by: Paul Fagan, CEO (and Data Protection Officer)