HOW WE RESPECT AND CARE FOR YOUR INFORMATION
GENERAL STATEMENT ON DATA PROTECTION
Affordable Granite holds personal data (name, address, phone numbers and email) necessary in quoting for and carrying out solid stone worktop installations. The general basis for collection and processing such data is performance of a contract, or the establishment of such a contract, to which the data subject is a party, and Affordable Granite is another party. Requesting a quotation, or ordering stone from us, constitutes consent for your data to be used and implies acceptance of our Data Protection Policy as set out in this Privacy Notice.
The name and contact information of customers, together with the details of their installations, are held indefinitely. Such information is often useful when customers wish to add to or alter their worktops in any way. All data held in this way will be deleted immediately on request.
AFFORDABLE GRANITE SURREY LTD. PRIVACY NOTICE STATEMENTS
Policy Owner: Andy Phillips, Managing Director
Affordable Granite Surrey Ltd, trading as Affordable Granite (We/The Company)
1. Our Intent
We are committed to safeguarding the privacy of our employees and customers. The Company will only use the information that we collect about them lawfully and in accordance with the Data Protection Act 1988 and subsequent relevant Laws and Acts, including the new British Data Protection Bill and the European General Data Protection Regulation (GDPR) 2018.
2. Changes to Data Protection Legislation
This privacy statement is intended to comply with the new Data Protection Bill (the Act) and GDPR. As legislation changes, this statement is expected to evolve over time.
3. Data Controller and Data Protection Officer
Due to the size of the company, there is no specific Data Protection Officer – responsibility for data and Data Protection lies with the Managing Director.
4. Purpose of Processing Personal Data
For EMPLOYEES: we collect and hold Personal Data to comply with Employment law and the regulations of HMRC regarding PAYE payroll. Personal data about employees’ families and dependents may also be held for the Pensions Provider and Company Healthcare Plan. Employee Personal Data is covered by other policies.
For CUSTOMERS: we collect and store personal data only to support the process of quoting for, supplying and after-care support for installations of products that we sell in line with our lawful business.
5. Lawful Basis for Holding and Processing Customers’ Personal Data
CONSENT: Giving us your personal information (whether by use of an online form, an enquiry by email, online-chat, letter or phone call, or face to face during a visit) implies your consent for us to retain and process that data in accordance with the policies outlined in this document.
6. Categories of Personal Data Held and Format of Data Retention
The basic categories of personal data we will collect about you and generally hold in both paper and digital forms include your:
a. FULL NAME: your first name and surname
b. ADDRESSES: Postal Address for installation (and additional address for invoicing if different)
c. E-MAIL: Email Address(es)
d. PHONE: Mobile, home and work phone numbers
e. TRADESPEOPLE: The name and phone number of people you employ with whom we may need to liaise: builders, joiners, kitchen fitters, designers or any other representative you authorise.
f. PRODUCTS: Information about products for which we have quoted or sold to you.
g. CONVERSATIONS: Summaries of discussions you have with us about our products and services.
Additional information held in electronic form only:
h. E-MAILS: The secondary information attached to all emails (sending IP address, etc.) is retained electronically with your email.
i. WEBSITE COOKIES: Your IP address and other geographical information supplied by your ISP via cookies during web browsing may be used anonymously during optimisation of our website. This information is held by Google Analytics and is seen in summarised form by ourselves and our third-party SEO company. At no point is this anonymised data linked to your other personal details. For further policy specifically on cookies, please see here.
Additional information held in paper form only:
j. PAPER SLIPS FROM CARD PAYMENTS: Card slips include the card number and expiry date but not the CVV code, and are retained during accounts processing. They are destroyed within one month. Our management and security of this process follows PCI rules.
7. Sharing of Personal Data with other Individuals or Companies
a. Your data will never be sold to any other person, company or charitable organisation.
b. Your data will never be passed to any other entity for purposes unconnected with the project for which we quote and fulfil our contract with you.
c. Your personal data will not be transferred outside the EUROPEAN ECONOMIC AREA (EEA) except under the exceptional circumstances given in 7.e.ii below and then only with your express consent.
d. Where a contract has been made, the initial consent to use and hold your data IS assumed to cover sharing of information with third-party data processors used by Affordable Granite in administration. (See 8, below)
e. The initial consent to use and hold your data is NOT assumed to cover sharing of data with other persons or companies who are involved in a project for which we are quoting or fulfilling our contract. You will ALWAYS be asked for permission if we need to share your details:
i. during the project – with any designer, builder, plumber, kitchen fitter or other tradesperson with whom we must liaise to fulfil our contract with you.
ii. after the project – rarely, with a third-party supplier. For instance, in a case of a fault becoming apparent in the material supplied, we may need to pass your details to the supplier’s Technical Team. In some rare cases this may involve a supplier outside of the European Economic Area (EEA). This will be made clear when permission is asked.
8. Third Party Processors
Appropriate due diligence will be conducted on Third-Party Data Processors (such as our Bookkeeper and the Accounting System Provider, Xero). We will ensure that the processor has appropriate technical and organisational measures in place to keep data secure; and that the staff who will be engaged in processing personal data on behalf of the company are subject to a duty of confidentiality and are trained in data protection matters. Any agreement with a third-party processor will be supported by an appropriate contract.
9. Sensitive Personal Data
We will never collect or record sensitive personal data (e.g. date of birth, or matters of health, ethnicity or religion) about you without your explicit consent and a clear explanation of why it is of use. Such sensitive data will be destroyed once the need expires.
10. Accuracy of Personal Data and Right of Rectification
The information we hold should be accurate and up to date for the duration of quotation and fulfilment of an order. We will not update personal data outside this active engagement period unless we receive specific instruction to do so from an authorised source.
You are entitled to have personal data rectified if it is inaccurate or incomplete. The Company will respond within one month of your request. In the unlikely event that the Company does not act on the request for rectification, we will inform you of your rights to complain or seek judicial remedy.
11. Retention of Personal Data
INFORMATION HELD UNDER CONSENT: We will hold your personal information (correct at the time we fulfilled our contract with you) indefinitely, to allow us to provide support in line with our Lawful Business.
12. Right of Access to Personal Data
DATA SUBJECT’S RIGHT OF ACCESS. You are entitled to access your personal data so that you are aware of and can verify the lawfulness of the processing. This is achieved through the mechanism of a Subject Access Request (SAR) to the Company and you have the right to obtain:
- Confirmation that your data is being processed (held)
- Access to your personal data (a copy) and
- Other supplementary information that corresponds to the information in this privacy notice.
TIMINGS AND FEES: Under GDPR and from 25 May 2018, this information will be provided without charge, without delay and within one month. If an extension is required or requests are considered manifestly unfounded or excessive, in particular because they are repetitive, the Company may choose to charge a reasonable fee taking into account the administrative costs of providing the information; or refuse to respond.
13. Identity Verification
To protect your personal data, the company will seek to check your identity before releasing or deleting any information.
14. Right of Erasure
You may request the deletion of personal data where there is no compelling reason for its continued processing. The Right of Erasure does not provide an absolute “right to be forgotten”. However, you do have the right to have personal data erased and prevent processing in specific circumstances:
a. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected / processed.
b. When you withdraw consent
15. Right to Restrict Processing
Under the Act you have the right to “block” or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, the Company is permitted to store the Personal Data, but not further process it. In this event exactly what is held and why will be explained to you.
16. Right to Data Portability
You may request to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The Right to Data Portability only applies:
a. To personal data you have provided to the Company…
b. where the processing is based on your consent or for the performance of a contract and…
c. when processing is carried out by automated means.
In these circumstances we will provide a copy of your data in CSV or PDF format, free of charge, within one month.
17. Automated Decision-Making, Profiling and Mailing
DECISION-MAKING: The Company employs automated decision-making only with respect to the workflow of quotes and contracted services in line with the Lawful business and directly in relation to our commercial and contractual relationship with you.
PROFILING: We do not employ automated conduct profiling of Data Subjects.
MAILING: If you consented to ongoing mailings after purchase we may occasionally send you information directly related to the products you purchased, or seasonal company news. These may be automated, but they do not involve automated decision making or profiling.
Acceptance of our Terms and Conditions for a contract of supply will imply acceptance of this Data Protection Policy.
Acceptance confirms that you have read and understood this notice and that you give permission for Affordable Granite Surrey Ltd. (the Company) to hold your personal details in both paper and electronic forms.
Policy Owner: Andy Phillips, Managing Director
Affordable Granite Surrey Ltd., trading as Affordable Granite
Policy Last Reviewed: 25th April 2018