The Data Protection Act and the EU General Data Protection Regulations (GDPR)
The Data Protection Act and GDPR require us to manage personal information according to Data Protection Principles and in particular require us to process your personal information fairly and lawfully. Therefore you are entitled to know how we intend to use any information you provide. You can then decide whether you want to give it to us in order that we may provide the product or service that you require.
All personnel are personally responsible for maintaining customer or employee information confidentiality and will do their best to keep all data correct, timely and secure. We provide training to employees to remind them about their obligations.
We collect information about you when you register with us or when you enquire or order, and when you apply for a job at Watermarque.
We also collect information when you choose to complete customer surveys, provide feedback, participate in competitions or attend our events. Website usage information is collected using cookies and Google Analytics, which may capture your IP address.
The personal information we collect depends on the nature of your enquiry, the type of product or service you are enquiring about, or what is needed to satisfy any contractual or statutory obligation. This may include personal information, sensitive personal information, recorded voice conversations or CCTV images. Usually the information might include:
- Contact details (name, address, phone numbers, email address)
- Photo ID & proof of address documents (to carry out due diligence)
- Other information in order for us to fulfil your needs and complete the transaction
- By what methods you wish us to contact you.
We acknowledge that your personal information is confidential and we will protect its confidentiality in line with our internal procedures and legal requirements.
How will we process your personal information?
The reason for processing your personal information is:
- It is required to comply with mandatory legal or statutory obligations
- It is required for Public Interest (or National Interest & Criminal Background Record checks as per DPA 2017)
- It is required to protect the vital interest of you or other persons
- It is required for the purposes of our legitimate interests as data controller to continue processing your personal data in a way that we have previously done; however, we will ensure that this does not cause undue damage or distress to you
- Consent, whereby you have given us permission to use the personal data.
- It is required for the performance of a contract
How will we use your personal information?
We may use your information in the following ways:
- to ensure the website’s content is presented as effectively as possible for you
- to provide the products, services and information that you have requested
- for our own record keeping internally
- for the preparation of documentation in order to complete transactions for our products and services, which may require sharing your data with 3rd parties
- to develop and improve the products and services we offer, including those from suppliers
- to review our employees' interaction with you with a view to improving our performance through training and development
- we will, with your consent, use your data for market research, marketing purposes and will always give you the option to withdraw this consent.
- we use CCTV images to protect our assets, and for security of you and our employees, and to detect criminal activity
- we use voice recording of telephone conversations for training purposes, to protect you and our employees from verbal abuse, and to ensure we have fully complied with your request for information, products or services
- to respond to complaints or allegations of negligence against us
- we may aggregate your information with other data so as to provide statistics in order to make business decisions and assess data about web traffic patterns, sales, demand for products, etc. This aggregated information does not identify any individual or individual’s personal data.
Who will your personal information be shared with?
Personal information you have supplied may be shared with our manufacturing partners and selected suppliers. We may also share your data with our suppliers that may be based outside the European Economic Area (EEA) in countries that are not regulated by the GDPR rules. We will always use every reasonable effort to ensure our suppliers and their subcontractors provide sufficient protection to safeguard your personal information.
If you are taking out a credit account, we will perform credit data profiling techniques to assess the level of credit and risk associated with opening the account.
In limited circumstances we may disclose your information to third parties:
- if we are under a duty to disclose or share your information to comply with a legal or statutory obligation, or in order to enforce or apply our terms and conditions, or protect the rights, property or safety of our customers, employees or others
- to fulfil certain compliance requirements, such as external auditor needs
- to our professional indemnity insurer in the event that a claim is made against us in order to defend ourselves
- to our regulators, including but not limited to the Information Commissioner's Office (ICO), in connection with any ongoing regulatory investigation. This may involve the exchange of information with other companies or organisations for the purpose of fraud protection and credit risk reduction.
- any disclosure to law enforcement agencies where required by law
- in the event that the company goes into receivership
- if the company decides to sell all or part of its business via an asset sale, then the customer database, including your data, will form part of the assets. Any prospective buyer will be subject to a non-disclosure agreement until such time as the transaction takes place and they provide satisfactory assurances that they comply with GDPR requirements.
How long will your information be stored for?
We will store your information in a secure and protected environment for as long as we believe it will better help us to understand how we can serve you and respect your wishes. However, this will be for a reasonable period and only for as long as is necessary. In addition, legislation might oblige us to store the information for a certain period of time.
Under the Data Protection Act and GDPR you have a right:
- to be informed – as per this Privacy Notice
- of access – we will provide a copy of the data we hold about you within 30 days of receiving your request in writing – see address below
- to rectification – of any inaccuracies or omissions in your data
- to erasure and to be forgotten – whereby personal data is no longer necessary for the purpose it was originally collected, but subject to contractual, statutory or legal obligations
- to data portability – whereby personal data is transferred from one data controller to another at your request. It will be your responsibility to check that the receiving data controller complies with GDPR requirements and operates within the EEA.
- to restrict processing of the personal data, or withdraw consent in any or all of the areas previously given
- to object to processing based upon legitimate interest and/or direct marketing
- to be informed in relation to automated decision making and profiling – where decisions may be taken without human intervention
What about Internet & Site Security?
The Internet is not a secure system and you should always be cautious about the information you disclose whilst online as there is a risk that it could be intercepted.
Personal Data Security
We take the responsibility for the security of your data very seriously. Your data will be held on secure servers within the EEA where possible, with all reasonable technological and operational measures put in place to safeguard it from unauthorised access. Where possible any identifiable information will be encrypted and transferred only by secure means.
Under what conditions might this privacy notice not operate?
In addition to directly providing your information to us, you might also provide Personal Information to other organisations that then forward it to us. The other organisations' Privacy Notice will prevail until we deal with you directly.
How to contact us?
If you have any queries, requests or complaints on the subject of data protection or would like to opt in or out of any contact or communications, please do not hesitate to contact our Data Information Officer at the address below:
GDPR Compliance Team
Watermarque Head Office
Telephone: 01278 664488