PRIVACY INFORMATION & GDPR POLICY SUMMARY
The General Data Protection Regulation (GDPR) is applicable from 25 May 2018, and supersedes the UK Data Protection Act 1998 (DPA).
To contact Valvona & Crolla regarding privacy or GDPR, email firstname.lastname@example.org and we will answer your query within 72 hours.
Our Data Protection Officer is Francesca Mackie.
Customer information is stored if you have placed an order with us, and we have your details in order to process and dispatch your order. This information will be stored for 7 years in line with HMRC requirements, and will then be safely and confidentially destroyed.
We may hold your e-mail address only if you have subscribed to our mailing list in order to receive updates of new products, events or exclusive offers. If you wish to unsubscribe from our mailing list, we will remove your details within 72 hours.
We will NEVER use personal information from a third party.
We will NEVER give your information to a third party.
You can withdraw your consent to receive emails from us at any time by clicking “Unsubscribe” on any of our customer emails, or by logging in to your online customer account to unsubscribe. We will action this within 72 hours.
PRIVACY INFORMATION & GDPR POLICY DETAIL
WHAT PERSONAL INFORMATION WE HOLD
- Retail customers: Name, address, phone number, e-mail
- Email List: Name and email
Where does this information come from?
- Any customer information we hold has been freely given to Valvona & Crolla by the customer
- We do not use customer information from third parties
- We do not give customer information to third parties
LAWFUL BASIS (legitimate interests) FOR HOLDING CUSTOMER INFORMATION
- Retail customers: processing orders at their request and retaining sales information as legally required by HMRC
- Email List: updating with new products, events and offers at their request
Customers must request to be added to our electronic mailing list. We hold consent in electronic format detailing the date of consent and their name and email address. Alternatively, there is paper consent which is filed and stored in our accounts office.
We do not gather data from any other sources or without customer consent.
Customers can easily withdraw their consent by unsubscribing from the email. We record an electronic copy of this request and implement it within 72 hours.
Our GDPR Policy information is accessible on our website. We are able to respond to customer requests to have their data changed or removed within 72 hours of the request being made. We hold a record of customers wishing to have their data removed or updated, and a record that this process has been completed. If the information is held in paper format it is shredded and disposed of securely.
We annually assess our held data at the end of each financial year. Paper information which is older than 7 years and no longer required to be kept by HMRC is shredded and disposed of securely. Electronic information held that is no longer in use is deleted permanently.
REVIEW & ACCOUNTABILITY
Our GDPR policy is reviewed annually at our financial year end, when we also review all our data, and whether it is still applicable to be kept, or should be securely destroyed.
All staff are trained on our GDPR policy, and are contractually bound to it.
LEAD DATA PROTECTION OFFICER
Francesca Mackie - Company Director & Lead DPO with overall responsibility
Our internal IT systems are managed by Tabard IT, who ensure that we have appropriate and up-to-date firewall and antivirus software. They perform reviews of our systems, and ensure that our IT is not susceptible to external infiltration.
Any security breach, if it were to occur, would be reported to the ICO upon detection (within 24 hours). It would also be reported to Tabard IT to assess how the breach occurred, and ensure it could not happen again. Customer information processing would be halted until the situation had been rectified. We would also take advice from the ICO on how to inform the individual, and any further action required.