TERMS AND CONDITIONS UNDER WHICH WE WILL COLLECT AND USE YOUR DATA
We are bound by the General Data Protection Regulation (the Regulation) and the Data Protection Act.
Our obligations extend to any personal data which we hold relating to you. The Regulation defines ‘Personal Data’ as “any information relating to a data subject”. A data subject is the identified or identifiable natural person to whom the personal data relates. In relation to these terms the data subject is ‘you’ the customer.
As Data Controller of your data we must ensure the following as regards your Personal Data.
a. We must process and use your personal data lawfully, fairly and in a transparent manner in relation to you.
b. Personal data must be collected only for specified explicit and legitimate purposes. It will not be further processed in any manner incompatible with those purposes.
c. Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
d. Personal data must be accurate and where necessary kept up-to-date. Every reasonable step will be taken to ensure that data which is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
e. Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purpose for which the data is processed.
f. Personal data must be processed in a manner that ensures its appropriate security and with full integrity and
g. We as the Data Controller are responsible for and must be able to demonstrate compliance with these data
WHAT DO WE DO WITH IT?
Access to your personal data will be restricted only to those Directors or members of staff who need to access it for the purposes of running the business, ensuring you are kept up to date with any contract changes, informed of on-going jobs that we are carrying out on your behalf, ensuring you receive up to date product and sales information, updating you on quotations or pricing adjustments or to request payments of outstanding invoices. We will only use your data for legitimate business purposes and we will not sell your data or use any automated process for weighing decisions about you.
We will use your data for collection, recording, organisational purposes, storage, adaption or alteration for record keeping, retrieval, consultation and general use. Also for the purposes of erasure and destruction.
We consider we are justified in processing your personal data for these purposes as necessary for entering into and performing our contract with you as a supplier; it may be necessary for compliance with a legal obligation to which we as your supplier are subject, or it may be necessary to protect the business interests of us as the supplier.
We will not share your data with any third party other than as required by us as a supplier in complying with our statutory or legal obligations under relevant legislation.
Our system ensures:
a. Security of personal data where appropriate.
b. The ability to ensure ongoing confidentiality, integrity and availability and resilience of our processing systems and services.
c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing.
We have therefore addressed the specific risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Our policy for data retention is as follows:
a. Customer contact (You are the contact point for all enquiries for your company). We hold this data for a maximum time of three (3) years; this is to allow us to comply with any legal or government requirements that affect you as a customer.
b. Contract contact (You are the contact point for the administration of any contract). We hold this data for a maximum time of five (5) years; this is to allow us to comply with any legal or government requirements that affect you as a customer.
c. Accounts contact (You are the contact point for the accounts function of your company). We hold this data for a maximum time of three (3) years; this is to allow us to comply with any legal or government requirements that affect you as a customer.
We do our best not to retain personal data in a form that enables our customers to be identified for longer than is necessary to fulfill the purposes for which we collected it in the first place.
PROVISION OF INFORMATION
At any time you can contact us by telephone, e-mail or in writing if you have any concerns about the data which we hold.
The intended purpose and legal basis for processing is in connection with the performance of your employment contract and the protection of the business.
The legitimate interest for which some of your data may be processed is the proper administration of the business and the protection of the business, you and other employees and other third parties with whom the business deals.
The recipients of your personal data will only be those persons entitled and restricted within the business and, where required to comply with any regulatory obligation on us as an employer, for instance HMRC.
FAIR AND TRANSPARENT PROCESSING
In the Consent Form we have set out your rights and the fact that you have the right to withdraw your consent at any time. You have the right to lodge a complaint with the Information Commissioner’s Office at any time.
DATA PORTABILITY RIGHT
The right to Data Portability is distinct from the right to access personal data. Your rights to data portability include the right to:
1. Receive a copy of your personal data from us as the Data Controller in a commonly used and machine readable format and store it for further personal use on a private device.
2. Transmit the personal data to another Data Controller.
3. Have your personal data transmitted directly from one Data Controller (i.e. us) to another where this is
BREACH NOTIFICATION RIGHT
When a personal data breach is likely to result in a high risk to your rights we must notify you of the security breach without undue delay.
If we notify you of a personal data breach then we will do so in clear and plain language and include at least the following information:
Name and contact details of the Data Protection Officer or other contact person within our organisation.
The security breach’s likely consequences.
The measures taken to address the security breach including measures to mitigate potential adverse effects.
COMMUNICATING WITH YOU
Where we supply you with information and communicate with you we will do so concisely, transparently, in a way which is easy to understand and easily accessible and in clear plain language.
STEPS WE WILL TAKE AS DATA CONTROLLER TO HELP YOU EXERCISE YOUR DATA SUBJECT RIGHTS
To help satisfy the obligations imposed on us under the Regulation and to help you to exercise your data subject rights, we will take steps including, but not limited to, the following:
Implementing internal procedures and protocols to help the exercise of your rights.
To review and revise privacy notices to ensure they comply with the Regulation and our obligations.
Implement internal procedures and protocols for handling and responding to data subject requests in a timely and appropriate manner.
Implement authentication procedures to verify the identity of data subjects making access or other requests.
Develop template response letters.
Develop forms to collect additional information where necessary for preparing data subject request responses.
Create an inventory or log for recording data subject requests and for tracking responses.
Develop interoperable formats and other means that allow data portability.
Consider portals that allow direct data subject access to personal data through user names and passwords.
Our policies, processes and systems respond to any data subject access request, rectification, erasure, restriction of or objecting to processing, or data portability requests from you as a customer, but will not allow data of a privileged nature, or data referring to another individual, to be changed or deleted.