The New General Data Protection Regulation (GDPR) is coming into force on the 25th May 2018.
To prepare we have been analysing the data we hold on our databases and bringing in new policies to protect our customers, staff, and any other persons we hold private information for. There is a separate policy for Staff members available from Jenny Cobb.
This document is liable to change with the introduction of GDPR and any new regulations that come into force following 25/5/18 and Brexit.
This policy should outline your rights regarding your personal data and the way in which we treat it, this is important to R&M Wholesale and we encourage our customers to support our endeavours to get this right. We are not registered as a Data Controller with the ICO.
We reserve the right to review and change our Privacy policy as required. We will make available new versions on our website or will post when requested.
Data
Any Information regardless of how it is stored, whether electronically, on paper, or on server.
Data Controller
The Data Controller for R&M is the current Account Manager (Jenny Cobb at the time of writing). The Account Manager has overall responsibility for the handling of data for R&M Wholesale.
Data Processor
Any staff member for R&M that will process data on our customers. They should work within the parameters of this document and refer any questions to the Data Controller.
Data Subjects
All people that we hold information about, they have a legal right concerning their data and how it is stored, processed, and transferred.
Personal Data
Any information that can be used to identify an individual.
Storage
How we hold your data, this can be in any format whether paper or electronic
Processing/transferring
Any way in which your data is used by the company. It includes but is not exhausted by
Printing, amending, emailing, organising, destroying, obtaining, using, and disclosing.
ICO
The registered office who implement and are responsible for overseeing GDPR in the UK.
Sensitive personal data
This would include information about an individual, race, religion, sexual orientation, ethnicity, political opinions, physical health, mental health, criminal convictions, union membership etc. At the time of writing this, R&M Wholesale are unaware of any sensitive data held about their customers. Sensitive data can only be processed when written consent is given from the individual.
Personal data must be
1 Processed Lawfully, fairly, and transparently.
The legal grounds set out in the act of GDPR reason that data must be held for the purposes of the performance of the business. R&M Wholesale require two of the grounds to support our business needs.
The first is consent: to allow us to market our customers with a price guide, telephone calls, new product samples etc, we have sent out consent forms to all our customers and require them to be returned to comply with their individual consents. We shall continue to update as consent changes, and gain consent from new customers as they trade with us.
The second is Legitimate Interest: we hold some information about you to trade with you, but nothing that would be considered sensitive because it isn’t relevant for our business purposes. The type of information is held to send invoices, make deliveries, and to comply with VAT regulations or other governing bodies. We do not need your permission to hold this information, because it is necessary to fulfil the nature of our business with you.
We do not share your information with third parties unless it is to comply with a legal procedure (e.g. debt proceedings, police enquiries), to aid with Technical problems (we have I T Support), or Audit proceedings (a VAT Inspection). A trade reference request will need to be supported by a signed document from the owner/director of a company to release information about you to a third party.
2 Only used for the purpose it was intended for.
We will process the information you send to us regarding opening, updating and maintaining our accounts and your customer status. We do not sell information to third parties. We will use the information to provide you with a service, and marketing where consent has been given. Should we require to use your data for a purpose other than explained, we will seek your consent before processing and proceeding.
3 Accurate and up to date.
We will up date your information when you tell us it needs amending and seek confirmation when we find it is out of date. Please assist us by making us aware of any changes through your representative, our sales office, or our accounts office. Your rights stipulate that you may have any errors corrected regarding your personal information, and we must destroy and/or amend any incorrect data.
4 Not be kept for longer than needed.
We will not keep personal data for longer then is necessary for us to maintain our records. We must keep information about invoices for seven years to fulfil our legal obligations. Once data is no longer needed we will destroy it. We already cleanse our data base annually to delete inactive accounts, we will create a disposal policy and schedule to erase other data held on the premises to comply with GDPR.
5 Be kept secure and confidential (and not transferred out of the country without consent).
R&M do not transfer data out of the country, we are an independent partnership based in the UK and have no other parties that have a right to your information on databases.
Our databases are password protected, and we operate a clear desk policy at night. We shred card details and excess paperwork daily. Our staff understand that they must not disclose information about customers outside of the business.
6 Relevant and not excessive for the purposes of use.
We must keep information that is relevant to trading with our customers, this includes name, address, contacts within your business, mobiles or telephone numbers, delivery details, and email addresses. Please let us know if we are sending correspondence to a contact whose job has changed and no longer requires that information, or if we no longer need to keep several delivery addresses for your company.
We will manage and process your personal data in line with your rights.
We will amend your data when requested and destroy where needed.
We will erase your data when requested if it doesn’t infringe upon our legal obligations to governing bodies.
We will provide you with access to your information when requested.
We will not give your information away or allow it to be used for third party marketing.
We will gain consent for our own marketing purposes.
We will allow you to withdraw and amend your consent to our own marketing.
We will train staff to work with understanding regarding the GDPR.
We will notify you of any data breach as we become aware of it.
We will only process your personal data to help us run our business within the confines of the law and comply with legal requirements.
We will respond to your requests promptly and accurately.
We will inform you about any changes to our services, terms and conditions, and security or fraud issues.
We will respond to basic amendment requests within 24 hours, and the complex enquiries within two weeks. If we are unable to reply within that timescale we will let you know, and request to extend our response time along with an explanation for the delay.
If we don’t respond within a month you have the right to ask why we’ve taken over the specified period, and you can complain to the Information Commissioner Office (ICO). Their address is
Wycliffe House
Water lane
Wilmslow
Cheshire
SK9 5AF
Tel no 0303 123 11 13
We will issue a Data Request without fee unless you request the same information multiple times and it becomes excessive. You are entitled to the information unless providing you with the documentation would affect other individuals’ rights and freedoms.
You can request information about the way in which we process information and the categories of staff and third parties who have access to the information. You may also request information about our retention and destruction procedures.
You have data portability rights, which includes the right to have your information transferred to another Data Controller in another Company.
You can request that we correct or update any inaccurate information in your Personal Data immediately or without delay.
You can request the “right to be forgotten” and we erase your Personal Data. When we receive your request, we must comply with the request unless it inhibits our ability to comply with our legal obligations for the retention of information, or where it is necessary to retain the data to defend a legal claim.
You may request restrictions against the processing of your data for a specific reason for example
Should you request a restriction, then we will store your data but change the way it is processed.
You can request a change to your marketing status in your personal data and we will stop using it for marketing purposes.
We use a data processing system called Orderwise and Sage to maintain our electronic systems. We may occasionally need their staff to access our systems to correct any technical issues that R&M may be experiencing. Access to your accounts will be restricted and monitored.
We back up our systems daily and they are all password protected. Access is monitored by the General Manager.
Should you have concerns regarding who in your company can access data about you, your orders and invoices etc then we are happy to set up a password for use to confirm identity. We can then ensure that any callers are entitled to that information if asked. If you have an external bookkeeper, then please request to add their name as a contact for our Accounts Manager so she can email/fax copies of documentation as needed.
Should you feel that R&M have not responded appropriately to your requests, or you feel that we are dealing with your personal information inadequately you can complain by emailing Jennifer.c@rmwholesale.co.uk or calling 01884 258 266 between 9:00 and 2:30. If you remain unhappy with the resolution, then you may complain directly to the ICO ( address above).