The law regarding data protection sets out a number of legal bases by which a company can process personal data. The legal bases that we rely on include consent, contracts, legal obligations and legitimate interests.
Contracts - We can process personal data if it is necessary for a contract you have with us, or because you have asked us to take specific steps before entering into a contract. For example, if you have contacted us, whether that be online, via email or verbally over the telephone, regarding our products, we would require some personal data to supply a quote and/or products. The types of personal data we may require to do this might include your name, contact details and financial information.
Legal Obligations – We can process personal data if it is necessary for us to comply with the law. For example, we have a legal obligation to store personal data, such as who products and services were bought from and sold to, for taxation purposes.
Legitimate Interests – We can process personal data to pursue our legitimate interests. However, this has to be in line with what might be reasonably expected as part of running our business and which does not impact your rights, freedom or interests. For example, if you are an existing customer, we can use your contact details to send you direct marketing information, informing you about products that we think might interest you.
We use Google Analytics to track traffic on the website.
If you use the contact form on the website we will have access to your name, email address, phone number and any other details you supply in your message.
If you contact us by email or on the telephone we will keep details of those interactions. For example, we may take notes of the conversations we have had to support your enquiry.
We may gather personal data from you which will help us to recommend products of interest. For example, you might tell us about your medical complaint and we can inform you about suitable products.
If you request a quote or place an order we will gather personal data to fulfil that request. For example, to purchase a product we will require your name, address and payment information, as a minimum.
Your image may be recorded on CCTV if you visit our premises.
When you visit our website.
When you complete the contact form.
When you contact us via email or by telephone.
When you purchase a product.
If you visit our premises.
To respond to your enquiries, queries, refund requests and complaints. Processing the data you send, helps us to respond in the most appropriate way. Any information you provide is at your discretion and you provide any personal details at your own risk. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests in providing you with the best service we can.
To process any orders that you make. If we don’t collect your personal data, we won’t be able to process your order, fulfil our contractual obligations and comply with our legal obligations.
To protect our customers, premises, assets and employees, we operate CCTV on our premises. We do this on the basis of our legitimate business interests. If we discover any criminal activity or alleged criminal activity through our use of CCTV, we will process this data for the purposes of preventing or detecting unlawful acts as a legal obligation.
To send you relevant information about products. We’ll do this on the basis of our legitimate business interest. You are free to opt out from receiving relevant product information – please see ‘You Rights’ section.
To comply with our contractual or legal obligations to share data with law enforcement.
Here at Thorpe Mill Ltd, we know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
Paper Filing Systems – all personal data that is in paper format is locked away securely on the premises.
Once a period of six years has elapsed all data in paper format is collected by a Data Shredding company, we are then issued with a ‘Certificate of Destruction’ to say all data has been disposed of in a secure & appropriate manner.
Electronic Based Systems – Access to your personal data is password-protected and stored on a computer which is locked using a password. We use up to date Microsoft operating systems and anti-virus software.For details of Microsoft security information please see https://www.microsoft.com/en-us/windowsforbusiness/intelligent-security. Electronic information is also backed up to an encrypted hard drive.
Our Website – The website uses up-to-date industry procedures to protect your personal information. We also protect the security of your data during transmission using Secure Sockets Layer (SSL) encryption software.
Physical Facilities – the paper and electronic systems detailed above are contained within our physical facilities which has locked internal and external doors, shutters, alarm system with police response and there is CCTV on the premises.
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. For example, information relating to orders we will keep for six years to comply with our legal and contractual obligations.
At the end of that retention period, your data will either be deleted completely or anonymised. The only reason we would anonymise and use your data was if we wanted to use it in a non-identifiable way for business planning.
We sometimes share your personal data with trusted third parties. For example, we use Sage Pay to process payment data to comply with our contractual and legal obligations.
Were it is feasibly possible, we have contracts in place with third parties to ensure that those organisations keep your data safe and protect your privacy. Examples of third parties we work with include:
IT Companies – to support our website and other business systems
Payment Solutions Services
Human Resources Services
Operational Companies – such as delivery couriers
We may have to share information to third parties for their own purpose. This is in very specific circumstances, for example we may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.
For further information please contact our Data Protection Manager.
You have the right to request access to the personal data we hold about you. One exception to this, is that if by disclosing your information, another person’s data is disclosed, we are not permitted to disclose the information. However, we will try to disclose as much information as we can, without compromising anyone else’s personal data.
If you believe that there are inaccuracies in the information we hold about you, you have the right to inform us of any changes you would like to make.
In certain circumstances you have the right to:
Request that your data is erased
Request that we restrict the processing of your data
Request that we port your data to another organisation
Object that we process your personal data
The right to restriction, erasure and objection, apply if we rely on consent or legitimate interests as our legal basis for processing. For example, we rely on legitimate interest as our legal basis for processing when we contact you for marketing purposes. If you asked us to restrict the use of, erase or if you objected to your data being used in this way, and our only use of your data at that time was for direct marketing, we would be obliged to act on this. However, if we have a legal obligation to process the information, we may not be able to restrict the use of or erase your data. For example, if you had purchased a product from us and then asked us to erase your data, we would stop using your personal data for marketing purposes and any other services you had previously consented to. However, as a legal obligation, we are required to keep records of our accounts for the products we sell, for tax purposes. Therefore, we could only erase your data when the legal retention period ends.
To ask for your information, notify us that would like to make a change to your personal data or object to the way we process your personal data, please contact our Data Protection Manager, Thorpe Mill Ltd, Unit 1a Aireside Business Park, Royd Ings Avenue, Keighley, BD21 4BZ or email email@example.com
If we choose not to action your request we will explain to you the reasons for our refusal.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to make a complaint to the Information Commissioner’s Office www.ico.org.uk/concerns
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
If you have any questions that haven’t been covered, please contact our Data Protection Manager, Thorpe Mill Ltd, Unit 1a Aireside Business Park, Royd Ings Avenue, Keighley, BD21 4BZ or email firstname.lastname@example.org
This notice was last updated on 16/05/2018