- Document prepared by Ray Dyer
- Document became operational on 25th May 2018
- Next review date 1st May 2019
- The Data Protection Lead is Ray Dyer, Managing Director
- Requests for information can be emailed to: email@example.com
J S Peters and Son Ltd and Peters Ltd need to gather and use certain information about individuals as both a Controller and Processer of data.
These details can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This document describes how this data is collected, handled and stored to meet the company’s data protection standards and to comply with the law.
The company does not share information it holds on individuals with any third parties unless legally obliged to do so or where it has written, prior consent.
J S Peters and Son Ltd and Peters Ltd are registered with the Information Commissioners Office.
What data we may collect
We may collect the following information:
- Name and job title
- Contact information including email address
- Financial information allowing us to make or receive payment
- Demographic information such as postcode, preferences and interests
What we do with the information we gather
We are committed to ensuring that your personal data is processed in accordance with GDPR requirements. We will make our best efforts to always ensure that the personal data we hold about you is up-to-date and only retained as long as is necessary.
We will use this information for the following reasons:
- Internal record keeping
- Fulfilment of our legal obligations as a company, for example tax and audit purposes. In these cases, different rules may apply regarding the length of time that personal data should be retained
- We may use the information to improve our products and services
- We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided. This will be done in accordance with the Legitimate Interest lawful basis of data processing under GDPR and you will always be given the option to unsubscribe if you do not wish us to contact you anymore
We are committed to ensuring that the information we collect is appropriate for this purpose and does not constitute an invasion of your privacy.
Legitimate Interests – the legal basis for gathering information
The law allows personal data to be legally collected and used if it is necessary for a legitimate business interest of the organisation - as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.
The processing of data is necessary so that we can deal with an enquiry or process any orders received from an educational establishment, school library service or public library.
We also provide educational establishments, school library services and public libraries with information about the products and services that we offer which are of benefit to them for them to support their pupils and customers with reading and literacy.
The benefits from the processing mean that we can give our prospective customers and customers the best possible service.
Educational establishments, school library services and public libraries require our products and services to support their pupils with reading and to improve literacy levels. We provide expert advice and support so that we can provide the right books to our customers so that they can ensure all pupils, whether they are reluctant readers or gifted and talented pupils are catered for.
We have undertaken the ICO Legitimate Interest Assessment, including the necessity and balance checks. Preferences can be changed by contacting firstname.lastname@example.org
Who we share the data with
We will not sell, distribute or lease your personal information to any third parties for marketing purposes.
However it may be necessary for us to pass your personal data on to third party service providers, such as freight companies used to deliver your goods, in order to meet our contractual obligations to you.
Any third parties will be legally obliged to keep your details securely and to dispose of them once they no longer have a lawful basis for retaining them
You can block cookies by activating the setting on your browser that allows you to refuse the setting for some or all cookies. However, this may restrict access to some or all parts of our websites and services.
Subject access requests - How do I find out what personal data is held about me?
We can supply the following information if requested:
- The type of data we process
- How the data was obtained
- How the data is processed (stored, retained and disposed of)
- The purpose and lawful basis of the processing
- Details of any third parties to whom the data has been provided and the reasons for this
- Details of how you can correct, withdraw or delete your data from our records
- How to contact the Data Protection Officer in case of query or complaint
If you wish to make a subject access request, please make that request in writing to email@example.com
Right to rectification and data quality. How do I ask for the data to be amended?
If you wish to have the data amended or rectified, please make that request in writing to firstname.lastname@example.org
Right to erasure, including retention and disposal. How do I ask for my data to be removed?
If you wish to have the data removed, please make that request in writing to email@example.com
We have certain legal obligations to keep data, such as invoices, for a statutory period, currently 7 years. Other data relating to the supply of books and other goods will be kept for a period of 1 year from the date of supply.
Where requested, data will be disposed of and destroyed in line with the current legislation. Data will be deleted from both live and archived or back-up copies of our systems.
At present all of our servers are located in the UK, either on site or in secure data centres.
We have been trading on the internet for many years and as such we are constantly improving our security as the nature of remote attacks change. To this end we have taken all appropriate technical and organisational measures to prevent any unauthorised or unlawful access or processing to all of our data this includes the names and email addresses of customers who may which to purchase from us.
All emails in and out of our organisation are thoroughly scanned for viruses and malicious content. The updates for these scanning systems are performed automatically as soon as the new content is available.
How will you identify a breach, what are your breach reporting processes, and in what time frame will you report to us as the controller?
We have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.
Should such a breach ever occur, our priorities will be the securing of our systems to prevent any further data theft or damage. In line with Article 33(2) of the regulations, if necessary the breach will be reported to the ICO with any information we have gathered at that time, with further updates to this information as we discover it.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also inform those individuals without undue delay.
We will also keep a record of any personal data breaches, regardless of whether we are required to notify.
Breaches would normally be reported within 72 hours, where feasible.
How do you ensure confidentiality within your organisation?
All staff have a GDPR confidentiality clause in their contact of employment. When recruiting new staff we ensure they are aware of the obligations under the GDPR directive and how we, as an organisation, deal with sensitive data.
On-going training regarding Data protection is given to all staff.
We operate CCTV systems at our premises for the safety and protection of staff and visitors. The CCTV system is registered with the ICO. The data is kept for a period of one month.
If you have any general enquiries regarding data protection, please submit them in writing to:
May 2018 v1