DATA PROTECTION POLICY

The personal data we collect should be adequate, relevant and limited to what is necessary for our purposes. This means we only collect from:

• Customers and potential customers:
  Name and address (email and/or physical address)
  Phone number
  Class Registers where reporting is required


• Suppliers, and third parties who provide us with goods and services:
  name, address, bank details plus copies of contracts entered into by them with us and relevant correspondence with them.


• Directors and employees
  name, address, contract details, date of birth and related material as well as any appraisals and/or correspondence with them and related documents – e.g. references from a third party.

We should take appropriate steps to ensure that all personal data is accurate, accessible (subject to password and authority level controls), complete and compliant with our legal duties.

Sensitive Data includes racial or ethnic origin, trade union membership or political affiliation, data concerning health and sexual orientation. Explicit consent from the individual is needed to process this data unless it is necessary for carrying out specific legitimate tasks. But in all cases great care should be taken to see that the data is kept secure.

As a company we will avoid collecting sensitive data except when considered appropriate or necessary. And if we undertake any surveys that include questions relating to any of these sensitive subjects, all data must be anonymised once it has been collected – e.g. we will keep the numbers but not the names of the individuals.

Personal data relating to customers, leads and staff is stored on our CRM system on a secure server in The Netherlands. We also store data from our website, this is stored on a secure server in England.

Some personal data is also held on our head office computer and on our email system and accessed by authorised users only.

Personal data of employees and of third parties with contractual arrangements with the Company and related correspondence is held on personal computers at our head office.

All pcs and laptops must be password protected with acceptable levels of anti-malware controls. We arrange reviews and updates of our security as appropriate.

Paper records are confined primarily to signed contracts with suppliers and consultants and other third parties. These are kept secure in our head office.

As far as possible, personal data should be stored electronically and not in hard copy paper form.

The Company operates a ‘clean desk policy’ and no personal data should be left on desks or accessible on unattended pcs or laptops.

Some personal data we obtain is processed or held by third parties – in particular:

• Data relating to customers is obtained and processed by PayPal/Worldpay etc. (who process all online payments)

We undertake due diligence to check that these organisations are competent to deal with personal data and comply with the data protection regulations.

We need agreements with all data processors. These need to be checked for compliance with the law and for acceptability for our organisation before being signed. This will be dealt with at Board level.

We only keep and process data that is necessary for legal and contractual reasons for as long as necessary. Generally, this means:

Feedback forms will normally be destroyed once the data has been collated and anonymised Other personal data not specified in this section will be destroyed as soon as it is no longer of relevance to our activities.

A review of this policy and of personal data will be conducted no less often than yearly and data that is no longer relevant will be destroyed.

• In the case of customers, for 6 full tax years from the date of purchase, and thereafter until the individual withdraws consent to receiving information from us
• Where the data relates to a contract we have with the individual, for the duration of the contract plus 6 years limitation period,
• Where individuals have agreed to receive newsletters etc., until they unsubscribe or withdraw their consent

We may retain data indefinitely in a form that does not include the identity of any individuals – e.g. records of sales of different products, or geographical location of customers - once it has been anonymised or pseudonymised.

Personal data stored in digital or electronic form will be removed when it is no longer required in a manner that makes it irrecoverable, as far as reasonably practicable.

Personal data in hard copy form that is no longer required will be destroyed by shredding at our premises only.

Personal data stored in digital or electronic form will be removed when it is no longer required in a manner that makes it irrecoverable, as far as reasonably practicable.

Personal data in hard copy form that is no longer required will be destroyed by shredding at our premises only.

Information to be provided to the individual

When obtaining personal data, it is necessary for us to provide:

• Our name and contact details
• The reasons for processing and the legal basis for it
• Who will be receiving the data (if relevant)
• How long we will keep the data
• Information on the individual’s right to access, rectify or require deletion of the information we hold and
• The right to lodge a complaint with the ICO
• Contact details of the data protection officer (if relevant)

We do this online via our Privacy Notice and by asking the individual to consent to our processing their data as they go through any procedure on our website.

In the case of offline sales or dealings with third party individuals, the same or similar and relevant information should be provided, and a consent form signed if we are to maintain contact with them.

Also, when we do not receive personal data from the individual concerned but from another source, we should give this information to the individual whose data we receive. But we must not provide them with information if that would be in breach of a confidentiality obligation.

If an individual requests information on what personal data we hold on them, we should provide that information within 30 days of the request. This is known as a ‘subject access request’. We will usually require the request in writing and we should take steps to verify that the request is coming from the person he/she claims to be.

If requested by an individual to erase their personal data, we should comply with that request without undue delay. However, if we are required for legal reasons to retain the information (e.g. for tax reasons or because litigation is threatened or in progress), we should inform the individual what data we consider it is necessary to retain for legitimate reasons and only erase it when we consider it is safe to do so.

If consent for retaining personal data is withheld, we should erase the data, subject to the legal points in the previous paragraph. No fee will be charged to an individual for providing/rectifying or erasing personal data. However, if anyone makes repeated requests for personal data we may require a £10 fee before providing it.

Any breach of security is a serious matter and any data breach may need to be reported to the police and the ICO.

If a data breach is detected, the IT Manager/Managing Director etc. should immediately be informed. The Managing Director will be consulted as soon as possible, and will monitor all actions to be taken by way of reporting the breach to the police and/or Information Commissioner and overcoming the problems that arise.

All personnel having access to personal data will be given a training session on the GDPR and our Data Protection arrangements.

This Policy will be subject to regular review, not less frequently than once a year. That review will include all aspects of the policy and how it is working in practice.