The General Data Protection Regulation or GDPR.
From 25th May 2018 the new data law applies to all data containing personal or sensitive information. This policy explains how we process that data and whether there is a lawful basis or legitimate business interest for us to do so.
We process your data in accordance with the Data Protection Act (prior to 25th May 2018) and the GDPR (25th May 2018 onwards) under UK law.
In this policy we will explain the following:
- a) Why we request data and what data we are willing to accept.
- b) How long we retain this data and whether there is a legal requirement or business requirement for us to retain that data for that duration.
- c) If data is disclosed to a 3rd party.
- d) How you can find out what data we hold about you, and your right to request erasure or restricted processing where the data is not held and processed as a requirement of UK law or a UK regulatory requirement, or where we do not have a legitimate reason for processing it.
Your Data is Safe in Our Hands.
Strictly no special or sensitive data (special and sensitive data as outlined in the GDPR) will be requested or should be submitted, emailed or transmitted to us via email or any other contact method.
We want you to feel secure when visiting our website, submitting form data, sending us emails or contacting us by phone. We are committed to respecting your privacy and complying with the GDPR. Below we give an overview of how we do that.
GDPR - 25th May 2018
We comply with the GDPR in all respects and with the principles of Article 5, which require that personal data be:
- a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the regulation.
- a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose;
- b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract;
- c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations);
- d) Vital interests: the processing is necessary to protect someone’s life;
- e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; and
The lawful basis for processing data can also affect which rights are available to individuals.
1: Data we collect from our website or email:
- a) Online server access logs: When you access our web servers they log certain information about your visit. This recognisable data includes your external internet IP address and specific device and browser information. This data is used solely for fraud detection, detecting malicious attacks and unauthorised access, and maintaining the general security and traffic management of our systems. Based upon this information, certain IP addresses or IP address ranges that overuse bandwidth or cause a security concern will, at our discretion, be banned/blocked from connecting to our online servers. Those IP addresses will be stored and processed for a period of 5 years, but reviewed annually to see whether any of them no longer pose an issue to our data, systems and networks. All other daily access log data will be erased within 365 days of that IP's daily connection.
- c) Contact data: We also collect data when you submit it to us. For example, you may phone or email us using a link from our website, or use a website form or our email addresses to submit your information to make an enquiry, raise a support request, order a new service or renew a service we deliver to your business.
2: Data Processing & Retention:
This data processing and retention policy sets out the retention period for data sent to us via our online websites, 3rd party websites, social media or direct or indirect email communications. This policy is subject to change when required by UK law or to better align our data processing, archiving and retention practice with UK regulation, legal requirements or lawful business requirements.
- a) Our Business ~ Enquiries not resulting in a purchase, 6+1 years
- b) Our Business ~ Bookings or Order Cancellations, 5 years
- c) Companies Act/HMRC ~ Refunds or Credit Notes, 6+1 years
- d) Our Business ~ Threat or Potential of Legal Action, 15 years
- e) Our Business ~ Other data not covered by UK regulations/law, 3 years
- f) Companies Act/HMRC ~ sales/purchasing/cash/payments data for 6+1 years.
- g) Taxes Management Act ~ Payroll, 6+1 years
- h) The Reporting of Injuries 1995 ~ Accident incidents, 3 years past the date
- i) Discrimination Acts/Race Relations ~ job application unsuccessful, 6 months
- j) SSP Regulation ~ Sickness, 3 years after end of tax year
- k) Limitations Act 1960 ~ Leases, fifteen years after expiry
- l) DPA ~ Pension Scheme, 6 years after death
- m) DPA ~ Insurance records, 3 years post lapse
- n) Employers Liability regulation ~ insurance certificates 40 years
- o) DPA ~ Claims Correspondence, 3 years after settlement
- p) Companies Act ~ Health and Safety permanent
The Data We Process
- a) Process Orders and Cancellations
- b) Providing Customer or potential customer Support
- c) For Invoicing and Receiving Payments
- d) Complying with purchasing Terms and Conditions
- e) Complying with Service/Product T&Cs, Acceptable Use and other policies
- f) Create Marketing for those who request it
- g) Send security warnings when required
- h) Detect Fraud
- i) Provide any information you request from us
- j) Provide information regarding any contractual changes
3: Sharing Data.
- b) Ordering a 3rd party delivered product/service from us: Where we deliver a product or service to our customers that is supplied by another company, we will share your order data with that company.
- c) Where required we may need to share invoices and contracts with our accountants or solicitors to comply with a legal obligation or our business requirement
- d) Where required we may need to share communications, invoices and contracts with our insurers should there be a legal or business requirement to do so
4: Access to Data/Information we hold about you.
- a) You are entitled to know whether we hold information about you and if we do, to have access to that information and require it to be corrected if it is inaccurate.
- b) You can also request that any data we hold be erased or have a restricted processing policy placed upon it, unless there is a legal requirement or business reason why it cannot be, in which case we will offer a full explanation for any rejection of that request.
- c) You can do this by contacting us via email through our website and addressing the subject and/or body to "The Data Protection Officer". Your data is kept secure as required by the Data Protection Act and the GDPR.
We take appropriate steps to maintain the security of your online data when it is stored in the cloud.
- a) Hosting for this website is located within a secure data centre inside the European Economic Area (EEA), monitored by CCTV, and accessible only by approved personnel with specific security privileges based upon the data centre's requirements.
- b) The information contained within our hosting space and associated hosting services is secured with appropriate firewall policies and security permissions, as well as authentication levels of access.
- c) Emails can also be received or sent using secure connections.
- d) Where we request card payments online, an appropriate payment-taking service and/or gateway provider, holding the PCI DSS compliance level required by the credit and debit card companies, will take card payments on our behalf.
- e) Where we request card payments via Chip and PIN or Card Not Present payments, we are PCI DSS certified and undertake regular quarterly scanning as required by the debit and credit card companies' PCI DSS compliance requirements.
- f) We take appropriate steps to maintain the security of your offline data stored within our own local storage solutions.
The open nature of the internet means that your data may flow over networks without security measures and may be accessed and used by people other than those for whom the data is intended.
Our intention is that this should not happen, and we provide a secure website connection for all data requested via our website or booking/order/payment processing sites.
No Tracking Analytics - for our online visitors' peace of mind
UK websites often use implied consent to execute free 3rd party tracking and analytics code that records their visitors' movements and even their purchases. Where tracking/analytics code is installed and executed, it is the website owner's responsibility to inform the visitor how their business and the 3rd party tracking/analytics company will use the visitor's data.
7: If you do not want to be tracked on the Internet by other 3rd party website analytics and tracking services!
The majority of EU and worldwide websites track your visits, and even your purchases, online using 3rd party tracking services. These providers may also use that data for their own needs or share it with others.
The new Mozilla Firefox v58 browser can block tracking analytics, not by sending a "Do Not Track" signal that websites ignore, but by blocking the website's tracking/analytics code so that it is never executed.
Settings / Options / Privacy & Security / Tracking Protection.
This will block one of the most widely used free 1st and 3rd party analytics providers, Google Analytics.