What information do we collect?
- We collect information from you when you register on the site, place an order, enter a contest or sweepstakes, respond to a survey or communication such as e-mail, or participate in another site feature.
- When ordering or registering, we may ask you for your name, e-mail address, mailing address, phone number, credit card information or other information. You may, however, visit our site anonymously.
- We also collect information about gift recipients so that we can fulfill the gift purchase. The information we collect about gift recipients is not used for marketing purposes.
- Like many websites, we use "cookies" to enhance your experience and gather information about visitors and visits to our websites. Please refer to the "Do we use 'cookies'?" section below for information about cookies and how we use them.
How do we use your information?
We may use the information we collect from you when you register, purchase products, enter a contest or promotion, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:
- To personalize your site experience and to allow us to deliver the type of content and product offerings in which you are most interested.
- To allow us to better service you in responding to your customer service requests.
- To quickly process your transactions.
- To administer a contest, promotion, survey or other site feature.
- If you have opted-in to receive our e-mail newsletter, we may send you periodic e-mails. If you would no longer like to receive promotional e-mail from us, please refer to the "How can you opt-out, remove or modify information you have provided to us?" section below. If you have not opted-in to receive e-mail newsletters, you will not receive these e-mails. Visitors who register or participate in other site features such as marketing programs and 'members-only' content will be given a choice whether they would like to be on our e-mail list and receive e-mail communications from us.
How do we protect visitor information?
We implement a variety of security measures to maintain the safety of your personal information. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and who are required to keep the information confidential. When you place orders or access your personal information, we offer the use of a secure server. All sensitive/credit information you supply is transmitted via Secure Sockets Layer (SSL) technology and then stored encrypted in our databases, to be accessed only as stated above.
Do we use "cookies"?
We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Netscape Navigator or Internet Explorer) settings. Each browser is a little different, so look at your browser Help menu to learn the correct way to modify your cookies. If you turn cookies off, you won't have access to many features that make your site experience more efficient and some of our services will not function properly. However, you can still place orders over the telephone by contacting customer service.
Do we disclose the information we collect to outside parties?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information unless we provide you with advance notice, except as described below. The term "outside parties" does not include Heyland & Whittle Ltd. It also does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others' rights, property, or safety.
However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
How can you opt-out, remove or modify information you have provided to us?
To modify your e-mail subscriptions, please let us know by modifying your preferences in the "My Account" section. Please note that due to email production schedules you may receive any emails already in production.
To delete all of your online account information from our database, sign into the "My Account" section of our site and remove your shipping addresses, billing addresses & payment information. Please note that we may maintain information about an individual sales transaction in order to service that transaction and for record keeping.
Within our firm are two nominated individuals responsible for data under the GDPR. The roles undertaken are twofold, namely: the Data Controller and the Data Processor.
A Controller determines the purposes and means of processing personal data and a Processor is responsible for processing personal data on behalf of a controller.
As of 25th May 2018 the relevant persons within our organisation are:
Data controller: Daniel Shaw; and
Data Processor: Paddy Heyland.
To control and process data requires one of six recognised legal bases under GDPR to do so. The six bases are as follows:
- Consent:
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and simple ways for the withdrawal of consent will be required.
- Contract:
Processing is necessary for a contract with an individual, or because that individual has asked that specific steps be taken before entering into a contract.
- Legal obligation:
Processing is necessary to comply with the law (not including contractual obligations).
- Vital interests:
Processing is necessary to protect an individual’s life.
- Public task:
Processing is necessary for the performance of a task in the public interest or for official functions, and the task or function has a clear basis in law.
- Legitimate interests:
Processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
In order to rely on a ‘legitimate interest’ basis we undertake a three-part test which must be satisfied:
- A legitimate interest has been identified;
- It can be shown that processing is necessary to achieve it; and
- Such processing has been balanced against the individual’s [data subject’s] interests, rights and freedoms.
Furthermore, under the GDPR the Data Subject [individual] has a number of rights [seven] regarding the collection and processing of their data. For the purposes of the GDPR, data is identified under two categories:
Personal Data: Any ‘personal data’ relating to an identifiable person held automatically or manually.
Sensitive Personal Data: Including genetic & biometric where processed to uniquely identify an individual.
The seven rights of the Data subject are:
- Right to be informed;
The right to be informed encompasses the obligation to provide “fair processing information”. It emphasises the need for transparency in the use of personal data.
- Right of access;
Data Subjects have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Such a Data Access Request will be provided free of charge within one month, with the following exceptions/provisos:
- Such a request is manifestly unfounded or excessive;
- Such a request is repetitive;
- Such a request requires copies of previously provided information.
In the event of charges being raised the firm will notify in advance such costs which in any event will be based on the administrative cost of providing the requested information.
In the event of manifestly unfounded or excessive requests we may refuse to respond to the request. Any such refusal will be notified to the requester [data subject] within one month of the request being received, with a reason for the refusal and, in addition, information as to the data subject’s rights to complain to the supervisory body or judicial authority.
- Right to rectification;
The GDPR gives Data Subjects the right to have personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.
- Right to erasure;
This right enables a Data Subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Right to restrict processing;
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, storage of the personal data is permitted, but further processing is not.
Just enough information about the individual may be retained to ensure that the restriction is respected in future.
- Right to data portability;
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- Right to object;
The right to object applies to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. As well as this notice of the Right to Object in this policy, we will, in all initial communications with a data subject, inform them of this right separately from any other information.
In addition a Data Subject has the right to make a complaint to the Information Commissioner’s Office [ICO] on-line, by phone or in writing at the following:
T: 0303 123 1113;
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The following table identifies the types of data we collect, control and process; the purpose; and the legal basis we rely upon for doing so:

| Type of information collected | Purpose | Legal basis for processing |
|---|---|---|
| Data Subject’s name, address, telephone numbers, e-mail address(es). | Managing the Data Subject’s relationship with the firm. | Performing the Firm’s contract with the Data Subject. |
| Data Subject’s name and email address. | Mail shot and marketing purposes. | Legitimate interest. The Data Subject may object at any time and will be informed accordingly. |
| Bank account details or payment details. | To pay, be paid, or to refund monies. | To fulfil the contract between the Firm and the Data Subject. |
| Data Subject’s name, address, email, next of kin. | To perform HR functions within the organisation. | Contract with employee. |
| Data Subject’s name, address, bank details. | Maintain records for tax & NI purposes. | |
How long will personal data be used for?
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount and nature of the Data Subject’s data, the purposes for which we process the data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Nevertheless, by law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for [six] years after they cease being customers for [tax] purposes.
In some circumstances we may anonymise the Data Subject’s data (so that it can no longer be associated with them) for research or statistical purposes, in which case we may use this information indefinitely without further notice to the Data Subject.
The Firm will protect the data we collect in the following ways:
- The Data Subject’s data will not be transferred outside the European Economic Area [EEA] without the explicit consent of the Data Subject;
- The Firm has in place generally recognised standards of technology, including operational security such as, but not limited to, data encryption, thereby enabling the protection of relevant data from misuse, loss, damage, alteration, destruction or unauthorised access;
- Any receipt or transfer of funds will be via recognised secure payment systems. The Firm will securely destroy any financial information once used and no longer needed, other than where retention is required by law;
- The Firm’s website will adhere to SSL encryption protocols;
- Any breach of data which may pose a serious risk will be notified to the Data Subject without delay.
The Firm will not sell, pass on or contract with third parties Data Subject’s data without prior written [withdrawable] consent other than where required to by law; or otherwise provided for in the above table; or as follows:
A Data Subject’s data may be passed to third parties which are under contract with the Firm to provide services to the Data Subject on the Firm’s behalf. In such an event the data shared is only that necessary to fulfil the service requirement under the terms of the contract with the Firm. Within such a contract an express condition will be that the third party keeps any data secure and does not use such data in any other way, for their own or other parties’ purposes.
The Firm will retain the Data Subject’s information for as long as necessary under the legal bases identified in the table above, or to comply with any legal obligation on the Firm’s part. The Firm will review annually the data it holds to establish whether it continues to have the right to process it. Should such a right cease to apply, the Firm will stop processing such data. Data may be retained thereafter in order to comply with any legal obligations which may arise.
A cookie is a text file placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you, the user.
A primary purpose of a cookie is to inform a web server that a user has returned to a specific page on a website. For example, if a user personalises our web page or registers with our website or services, a cookie will enable us to recall specific personal data such as billing and delivery addresses. On a user’s return to our site the data previously provided can be retrieved, thereby facilitating the services and features previously customised. The control and processing of any such data will be undertaken in line with the General Data Protection Regulation [GDPR] 2018.