My Basket (0) £0.00

Privacy Policy

Data Protection – Individual Rights Policy

 

 

General

 

This Data Protection – Individual Rights Notice forms part of the Company’s suit of data protection notices.  It is drafted so as to comply with the GDPR (General Data Protection Regulation) which comes into force in England on the 25th of May 2018 and which replaces the Data Protection Act 1998. 

 

This policy will be made public to data subjects. 

Why we need to process your data

In order to purchase a product from our website you can either create a YARL web account or checkout as a guest.

In either case the personal data we collect will include your name, email address, postal address, phone number and information relating to your order. We do not store any credit / debit card information.

We need to keep these personal details in order to fulfil our contract and deliver the product to you.

We will keep hold of your personal data so that we can process your order, contact you in relation to your order, store your order history, maintain our financial records and make it easier for you to order from us in the future.

We will not use or share your data for any other purpose than those outlined above.

Your privacy is very important to us and your data will be processed via secure servers (located at our offices and a third party hosting provider). We regularly review our security policies and take appropriate measures to make sure your data is secure.

We will hold your personal data for a period of eight years from the point of your last order, after which time personal data will be deleted.

Legal Framework

 

The law sets out certain rights of data subjects.  Some of those rights only arise in specific circumstances, whereas others apply in all cases. 

 

The table below sets out individual rights. 

 

The general rights are as follows:-

 

  1. The right to be informed

 

  1. The right of access

 

  1. The right of rectification

 

  1. The right to erasure

 

  1. The right to restrict processing

 

  1. The right to data portability

 

  1. The right to object

 

  1. Rights in relation to automated decision making and profiling

 

 

 

Some of these rights will only arise in relation to certain specific bases for processing.  They are as follows:-

 

Bases

Right to Erasure

Right to Portability

Right to Object

Consent

Y

Y

N (but right to withdraw consent)

Contract

Y

Y

N

Legal Obligation

N

N

N

Vital Interests

Y

N

N

Public Task

N

N

Y

Legitimate Interests

Y

N

Y

 

 

The Rights in Detail 

 

  1. The right to be informed

 

Where we have obtained data directly from you, you have the right to be informed of the following:-

 

  1. Our identity and contact details.

 

  1. The identity of our Data Protection Officer (DPO)

 

  1. Why we are seeking to process your data.

 

  1. The lawful basis which applies to the processing of your data.

 

  1. Details of any third parties who will receive your personal data.

 

  1. Details of any transfers to third party countries and safeguards we have put in place to protect your data. 

 

  1. Details of how long we retain data for.

 

  1. The fact that you have certain rights in relation to your personal data.

 

  1. The fact that you have a right to complain to a supervisory authority.

 

 

In addition, you have certain specific rights depending on the lawful basis for processing which we are relying upon.  For example, if we are processing data on the “Legitimate Interests” basis, you are entitled to know what those interests are.  Where we are processing data on the “Consent” basis, you are entitled to know that you have the right to withdraw your consent.

 

If you wish to complain about any matter related to the processing of your personal data, you may complain either to us or to the supervisory authority. 

 

If you wish to make an internal complaint, you should contact the managing director Duncan Wolley.

 

If you wish to make an external complaint, you should contact the Information Commissioner’s Office, whose details are Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF tel: 0303 123 1113. 

 

If we obtain your data from a third party, we must also tell you what categories of personal data we hold and must provide the information referred to above at the earliest of:-

 

  1. One month of us obtaining the data

 

  1. The point at which we first contact you using that data

 

  1. If we propose to transfer the data to a third party, prior to disclosure of the data     

 

 

  1. The right of access

 

This is very similar to the old subject access regime and allows individuals to have the right to obtain:-

 

(a)     Confirmation that their data is being processed.

 

(b)     Access to their personal data.

 

(c)      Other supplementary information (largely the information that should be provided in a privacy notice).

 

The right to charge £10.00 has been removed and (subject to the below) all subject access requests must be dealt with for free. 

 

The time lapse for compliance with a subject access request has dropped from 40 days to 1 month.

 

Where a request for information is made electronically, the information should be provided in commonly used electronic format (typical emails with pdf or other attachments).

 

Where requests are manifestly unfounded or excessive (especially if they are repetitive) we can charge a reasonable fee to take account of the administrative costs of providing the information or may refuse to respond. 

 

Where we refuse to comply with a subject access request, we must explain why we are refusing and inform the data subject of their right to complain to a supervisory authority and/or for a judicial remedy.  That information must be provided within one month. 

 

The larger the amount of data requested, the easier it might be to argue that a request is manifestly unfounded or excessive.

 

Before complying with the subject access request, we must verify your identity using “reasonable means”.  This is to ensure that we do not send your data to the wrong person.

 

If a subject access request is made by electronic means, we must provide the information requested in a commonly used electronic format. 

 

If we hold a large quantity of information about an individual, we may be permitted to ask you to specify what information you have requested pursuant to your subject access request.  This will help us target your request.  

 

 

  1. The right of rectification

 

You have the right to have data held about you rectified if, for any reason, it is inaccurate or incomplete. 

 

Where we have disclosed your data to third parties, we must notify them of any rectification action which we take. 

 

You may make a request for rectification by post to Duncan Wolley, YARL Hydracentre, Scarth Road, Sowerby Woods Industrial Estate, Barrow in Furness, LA14 4RF or by e-mail to duncanwolley@hydracentre.com.  Your request for rectification should contain sufficient information for us to understand what data which we hold is inaccurate or incomplete and what the correct data is.  It would also assist if you could explain why the data we hold is not correct, although this is not absolutely necessary. 

 

We may have to contact you if there is anything we do not understand in your request for rectification. 

 

We must respond to a request for rectification within one month, although this can be extended to two months where your request is complicated. 

 

If you are not happy with our decision about rectification, you may complain to the Information Commissioner’s Office using the contact details set out above or you may apply to the Courts for a judicial remedy.           

 

 

  1. The right to erasure

 

Depending on which basis we use for processing your data, you may have a right to erasure of that data.  This is also known as the “right to be forgotten” and allows you to request the deletion or removal of your personal data when there is no longer any compelling reason for us to continue processing it. 

 

The right to erasure applies in any of the following circumstances:-

 

  1. Where the personal data held is no longer necessary in relation to the purpose for which it was originally collected and processed.

 

  1. If you have provided consent to us processing your data and wish to withdraw that consent.

 

  1. Where you object to us processing the data and there is no overriding legitimate interest allowing us to continue processing. 

 

  1. Where we have processed your data in breach of the law.

 

  1. Where your data must be erased in order to comply with a legal obligation.

 

  1. Where we are entitled to processing data pursuant to a right of freedom of expression or freedom of information. 

 

  1. Where the personal data is processed in relation to the offer of information and society services to a child.  This is unlikely to apply in relation to the company.     

 

We may refuse to comply with a request for erasure in certain limited circumstances, which include bringing or defending legal claims or for archiving purposes which are in the public interest or which for the purposes of scientific or historical research or statistical purposes. 

 

Where we accept a request for erasure, we must tell any third party to whom we have disclosed the data.

 

 

  1. The right to restrict processing

 

We will be obliged to restrict the processing of your personal data in any of the following circumstances:-

 

  1. You have disputed the accuracy of data which we hold.  In that situation, processing of the data will be restricted until such a time as we have established whether or not the data is accurate.

 

  1. Where you have objected to the processing of data for the purposes of legitimate interests and we are considering whether our legitimate interests override your interests.  Again, the restriction of processing will only last for so long as it takes for us to make that decision, although if we find in your favour, we will cease processing the data altogether on that ground.

 

  1. Where we are processing your data contrary to the law and for whatever reason you do not request erasure of your data. 

 

  1. If we no longer need the data but you require it in order to bring or defend a legal claim. 

 

During a period of restriction, we may still store your data, but we may not use it. 

 

Where we have disclosed your data to third parties, we must notify them of any restriction that is in force. 

 

If you wish to restrict the processing of your data, you may make a request by post to Duncan Wolley, YARL Hydracentre, Scarth Road, Sowerby Woods Industrial Estate, Barrow in Furness, LA14 4RF or by e-mail to duncanwolley@hydracentre.com.      

 

 

  1. Data portability

 

The right to data portability is a new right which allows you to re-use data we hold about you for obtaining services elsewhere or for your own purposes.  It is designed to allow easy transfer of your data from one IT system to another. 

 

The right to data portability will only apply in limited circumstances (where we are processing your data with your consent or pursuant to an obligation under contract) and also when the processing has been carried out by automated means. 

 

You can request data portability by contacting Duncan Wolley, YARL Hydracentre, Scarth Road, Sowerby Woods Industrial Estate, Barrow in Furness, LA14 4RF by post or by e-mail to duncanwolley@hydracentre.com.

 

We must provide the personal data in a structured, commonly used and machine readable form.  We must provide the data free of charge.  We will send the data to you or direct to a third party organisation if you request it. 

 

We must comply with a request for data portability without undue delay and in any event within one month.  However, this can be extended to two months where the request is complex or we receive more than one request.  If we need more than one month, we will write to you to tell you why the extension is necessary. 

 

If we refuse your request for data portability, we must explain why and if you are not happy with our decision, you may complain to the Information Commissioner’s Office using the contact details set out above or you may apply to the Courts for a judicial remedy.

 

 

  1. The right to object          

 

You have the right to object to us processing your data if we are processed on the grounds of legitimate interests.  The right also applies in certain other circumstances, but these do not apply to the company. 

 

You also have the right to object to the processing of your data for direct marketing (including profiling) and the processing of your data for the purposes of gathering statistics or for scientific/historical research. 

 

Your right to object must be sent to Duncan Wolley, YARL Hydracentre, Scart Road, Sowerby Woods Industrial Estate, Barrow in Furness, LA14 4RF by post or by e-mail to duncanwolley@hydracentre.com.  You must set out the grounds for your objection which must relate to your own particular situation. 

 

Upon receipt of your objection, we must stop processing your data unless either of the following criteria applies:-

 

  1. We can demonstrate compelling legitimate grounds for processing which override your interests.

 

  1. We are processing the data pursuant to a legal claim.

 

If you object to the processing of your personal data for direct marketing purposes, we must cease that processing immediately.  There are no grounds for us to refuse. 

 

Where we carry out processing of data online, you must be able to raise an objection online.