Donwood Glass (‘The Company’) has registered with the ICO and its registration number is Z8030005.
We may hold personal data on individuals for the following purposes:
• Accounts and records;
• Administration and processing of clients’ personal data for the purposes of providing Products and Services, including processing such personal data using software solution providers and back office support;
1. The data protection principles
The Data Protection Laws require us acting as either data controller or data processor to process data in accordance with the principles of data protection. These require that personal data is:
1. Processed lawfully, fairly and in a transparent manner;
2. Collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. Kept for no longer than is necessary for the purposes for which the personal data are processed;
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and that
7. The data controller shall be responsible for, and be able to demonstrate, compliance with the principles.
We regularly review the personal information we obtain, ensure it complies with the data protection purposes, and document how we are managing our data.
2. Legal bases for processing
We will only process personal data where we have a legal basis for doing so. Where The Company does not have a legal reason for processing personal data any such processing will be a breach of the Data Protection Laws.
The Company will review the personal data we hold on a regular basis to ensure it is being lawfully processed and is accurate, relevant and up to date and the data controller shall be responsible for doing this.
Before transferring personal data to any third party (such as suppliers, service providers, financial organisations, clients and any other third party including software solutions providers and back office support), we will establish that third party has a legal reason for making the transfer.
3. Privacy by design and by default
We have implemented measures and procedures that adequately protect the privacy of our customers and ensure that data protection is integral to all processing activities. This includes implementing measures such as:
• data minimisation (i.e. not keeping data for longer than is necessary);
• cyber security;
• Data Protection Impact Assessments where applicable (e.g. deployment of new technology, where a profiling operation is likely to significantly affect individuals and where there is large scale processing of special categories of data)
The Company takes administrative, technical and physical measures to safeguard individuals’ personal data against unauthorized access, unauthorized disclosure, theft and misuse. This includes limiting access of employees to, and the use of, personal data through the use of passwords and graduated levels of clearance to those who have a genuine business need to know it. Anyone who is processing personal data will do so only in an authorized manner and they are subject to a duty of confidentiality.
We take physical precautions to ensure that the computer servers on which personal data is stored and archived are secure and that access to such servers is protected. We educate our employees with respect to their obligations to protect your personal data and we require our affiliates and any third party service providers to take comparable steps in the form of appropriate technical and operational security measures to ensure the protection of any of your personal data.
Rights of the individual
We will provide any information relating to data processing to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. The Company may provide this information orally if requested to do so by you.
1. Privacy notices
Where we collect personal data from an individual, The Company will give the individual a privacy notice at the time when it first obtains the personal data.
Where The Company collects personal data other than from the individual directly, we will give the individual a privacy notice within a reasonable period after obtaining the personal data, but at the latest within one month. If we intend to disclose the personal data to a third-party then the privacy notice will be issued when the personal data are first disclosed (if not issued sooner).
Where The Company intends to further process the personal data for a purpose other than that for which the data was initially collected, we will give the individual information on that other purpose and any relevant further information before it does the further processing.
2. Subject access requests
You are entitled to access your personal data on request from us. You can do this by emailing firstname.lastname@example.org
The individual or another data controller at the individual’s request, has the right to ask us to rectify any inaccurate or incomplete personal data concerning an individual.
If we have given the personal data to any third parties we will tell those third parties that we have received a request to rectify the personal data unless this proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however The Company will not be in a position to audit those third parties to ensure that the rectification has occurred.
The individual or another data controller at the individual’s request, has the right to ask The Company to erase an individual’s personal data.
If we receive a request to erase, we will ask the individual if they want their personal data to be removed entirely or whether they are happy for their details to be kept on a list of individuals who do not want to be contacted in the future (for a specified period or otherwise). The Company cannot keep a record of individuals whose data it has erased so the individual may be contacted again by us should The Company come into possession of the individual’s personal data at a later date.
If we have made the data public, we shall take reasonable steps to inform other data controllers and data processors processing the personal data to erase the personal data, taking into account available technology and the cost of implementation.
If The Company has given the personal data to any third parties it will tell those third parties that it has received a request to erase the personal data, unless this proves impossible or involves disproportionate effort. Those third parties should also rectify the personal data they hold – however we will not be in a position to audit those third parties to ensure that the rectification has occurred.
1. Collection and use of personal data
a. Collecting and using your personal data
We operate primarily in a business-to-business environment and therefore obtain data either as part of an organisation (e.g. director) or as a Sole Trader. The type of data we process is personal information; this is information that identifies you or could be combined by us or our service providers and affiliates with other information to identify you. This information may include your name and surname, e-mail address, your home address, your telephone number, location data, internet protocol (IP) address, and may include your age and other similar information when associated with you.
We directly collect your information from the following sources:
• information you give us when you fill out forms, such as during contract agreements, emails or website enquiries;
• Information you give us when you make a purchase (e.g. your shipping address);
• Information you give us when reporting faults or contacting our client services team;
• information from other sources, such as companies that help us to update our records (e.g. BT, Lease companies or Royal Mail);
• We may also acquire information about you from other promotional or marketing companies with whom you shared your information and whom you have consented and allowed to provide information to us.
When this type of information is collected we are happy to provide the reason for collecting the information and how the information will be used. Some examples include:
• We may use your information in order to fill your orders for goods and services, answer your inquiries and to prevent loss and fraud;
• Communicating with you about your orders, information requests, faults or complaints;
• Communicating with you regarding customer service issues and any product recalls or warranty service;
• Processing your information for relevant marketing and promotional purposes, including with our promotional partners;
• Improving our services;
• Using third parties to assist us in our operations. We may share your information with these third parties in order to provide services to you such as fixed line products, mobile products, financial arrangements and invoicing.
• Protecting the security or integrity of our websites and our business.
b. The Legal Bases
The Company will always ensure it has a legal basis for collecting and processing your personal data in accordance with GDPR and other data protection legislation. The legal bases we rely upon to provide our services to you are covered below.
Legitimate Interest: Such as the purpose of providing you with information of goods and services that are relevant to you.
Legal Obligation: This includes (but is not limited to) sensitive personal data of our employees, your personal data used for financial checks and any CCTV recording for the purposes of crime prevention.
Contractual Requirement: Such as fulfilling the purposes of a contract for goods or services. Your personal data is fundamental to ensuring we can fulfil the terms of our contract with you; if we do not have your personal data for this purpose we will be unable to enter into a contract with you.
Consent: We will request your explicit consent for the processing of your personal data that falls outside the scope of the aforementioned legal bases. Such instances may include sharing your personal data with other third parties not already covered or other types of marketing than direct marketing from The Company.
c. Recipients of data
We may need to share your personal information with our service providers and our corporate affiliates that help us with our business operations. For example, we will share information about your shipping address with companies that provide shipping services to us. We require our service providers and our affiliates to keep your personal information secure. In addition, we and our service providers and suppliers generally may not use or disclose personal information for any purpose other than providing the services on our behalf unless we or they have obtained your explicit consent.
We will however disclose personal information without your knowledge or consent if we receive an order or other legal requirement issued by a court, tribunal, regulator or other person with jurisdiction to compel disclosure of your personal information.
2. Data protection
The Company takes administrative, technical and physical measures to safeguard your personal information against unauthorized access, unauthorized disclosure, theft and misuse. This includes limiting access of employees to, and the use of, your personal information through the use of passwords and graduated levels of clearance to those who have a genuine business need to know it. Anyone who is processing your information will do so only in an authorized manner and they are subject to a duty of confidentiality.
We do not publish all of our security measures online because this may reduce their effectiveness. We take physical precautions to ensure that the computer servers on which your personal information is stored and archived are secure and that access to such servers is protected. We educate our employees with respect to their obligations to protect your personal information and we require our affiliates and any third-party service providers to take comparable steps in the form of appropriate technical and operational security measures to ensure the protection of any of your personal information.
We also have procedures in place to deal with any suspected data security breach. We will notify you and the ICO of a suspected data security breach where we are legally required to do so.
3. Data retention
We will retain your personal data only for as long as is necessary and the retention of your personal data will be reviewed periodically. Upon expiry of that period, we will seek further consent from you if we wish to continue storing or processing it. Where your consent is not given, we will immediately cease processing your data. Different laws require us to keep different data for different periods of time.
4. Your rights
We want to make you aware that you have the following data protection rights:
• The right to be informed about the personal data the Company processes on you;
• The right of access to the personal data the Company processes on you;
• The right to rectification of your personal data;
• The right to erasure of your personal data in certain circumstances;
• The right to restrict processing of your personal data;
• The right to data portability in certain circumstances;
• The right to object to the processing of your personal data that was based on a public or legitimate interest;
• The right not to be subjected to automated decision making and profiling; and
• The right to withdraw consent at any time.
Where you have consented to us processing your personal data and sensitive personal data, you have the right to withdraw that consent at any time by contacting our Data Protection Officer at email@example.com
In addition to the above, you also have the right to have any data requests or information relating to any modifications to your personal data communicated electronically or in a commonly used format that is clear and easy to understand.
In the event of a deletion request of personal data, we will endeavour to remove all requested data from all systems including our CRM, billing platforms and our local networks. Both digital and paper versions of any personal data will be destroyed or deleted where relevant. However, with your consent, some basic information may be retained for our suppression list to ensure there will be no future uses of your data. We will also advise any third parties of any deletion requests received to allow the personal data to be removed that may have been sent to them unless this proves impossible or involves disproportionate effort.
5. Using our website
Although our website works to include only quality, safe and relevant external links, users should always adopt a policy of caution before clicking any external web links located on The Company website. We cannot guarantee or verify the contents of any externally linked website, and we advise users to note that they click on external links at their own risk and that our website and The Company cannot be held liable for any damages or implications arising from following external web links.
6. Complaints or queries
If you wish to complain about this privacy notice or any of the procedures set out in it, please contact:
Data Protection Officer at firstname.lastname@example.org
You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.