This privacy notice explains to our customers the company’s data protection responsibilities regarding the collection and processing of our customers’ personal information.
We collect and process your personal data to assist us in running our business and to manage our customer relationships to ensure we provide garden studios to your exacting specification.
We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
We are required to explain how and why we collect such data and what we do with that information. This notice will also provide information as to what you can do about your personal information that is held and processed with us.
We have appointed Sam Cullen as the person with responsibility for ensuring that individuals’ personal information is held and processed in the correct way. She can be contacted at firstname.lastname@example.org. Questions about this policy, or requests for further information, should be directed to her.
What is personal information and what does processing mean?
Personal information is any information that relates to you and can be used directly or indirectly to identify you.
Personal information and processing are defined as follows:
- Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
- Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).
The information that we hold on our customers will typically be: name, address, contact phone number and email address.
Data protection principles
We process personal data about our customers in accordance with the following data protection principles:
- We process personal data lawfully, fairly and in a transparent way.
- We collect personal data only for specified, explicit and legitimate purposes.
- We hold and process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- We keep personal data only for the period necessary for processing.
- We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.
In our privacy notices, we tell our customers the reasons for processing their personal data, how we use such data and the legal basis for processing. We will not process personal data of individuals for reasons other than the stated purpose or purposes.
Where we process special categories of personal data to perform obligations, this is done in accordance with a policy, or for legal reasons. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.
Typically, we hold your personal contact information for a period of 10 years to update you on the company, and to ensure our ability to get in touch for the duration of the warranty on your garden studio.
Our legal basis (grounds) for using your personal data
There are several reasons why we hold, process and share individuals’ personal data. Under data protection laws, the lawful reasons for processing personal data include:
- Consent to make contact
- To comply with a legal obligation.
- To protect the vital interests of the individual or another person.
- For a legitimate interest of the company or one of the organisations it shares data with (e.g. third party contractors associated with your build).
We may ask for your consent to use your information in certain ways. If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid.
Performance of a contract
We may need to process data to provide you with a service as a customer.
As a customer we need to hold contact details and specifications specific to the creation of your garden room both for ourselves and for any third-party contractor associated with your build.
Your personal data, where it is reasonable to do so, may also be shared with other professionals contracted by the company to fulfil the requirements of your build.
Why do we collect and process individuals’ personal data?
We process data relating to our customers to support the business. The purpose of processing this data is to assist in the running of the business, including:
- To contact you by means of internal marketing
- To engage third party contractors required in the specification and completion of your build
- To ensure our ability to contact you as required by the terms of the warranty on your build.
- To request and facilitate customer recommendations
What data do we hold on you?
The personal data we hold regarding you can include, but is not limited to, information such as:
• Your name and address.
• Email address and telephone number.
Any customer wishing to see a copy of the information about them that we hold should contact Sam Cullen at email@example.com.
How do we obtain personal data?
We may collect this information in a variety of ways. For example, data might be collected through:
• Customer contact enquiries
• Direct marketing campaigns
• Correspondence with you e.g. emails.
• Social media enquiries
We will not share information about you with third parties unless the law or our policies allow us to. In circumstances where consent is the basis for processing, such as customer recommendations, we will not share your data with third parties unless we have your consent.
On some occasions, the company will process your personal data for the performance of a contract that it may hold with a third party. For example, a data security contract with a third-party IT services provider or as part of cloud-based storage.
Who has access to your personal data?
Your personal data may be shared internally with other members of the Sanctum team in order for them to perform their roles.
Throughout these processes we maintain strict confidentiality and only process and retain the personal data for as long as is necessary in accordance with our retention schedule for warranty purposes.
How do we protect individuals’ personal data?
We take the security of your personal data very seriously. We have internal policies and controls in place to try to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our team in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the company uses encrypted devices, uses passwords, virus protection and has appropriate firewalls.
How long do we keep your personal data?
We will only retain the data we collect for as long as is necessary to satisfy the purpose for which it has been collected.
Typically, this will be 10 years for the duration of your garden studio warranty.
What rights do you have in relation to your information?
When the GDPR comes into force in May 2018, you will have the following rights in relation to your personal data. Some of these rights are new.
- The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
- The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
- The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
- The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
- The right to object. Individuals have the right to object to:
Further guidance and advice on the above rights can be obtained from the ICO’s website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting Sam Cullen. If you would like to exercise any of the above rights, please contact Sam Cullen, who will send you our Data subject’s rights application form.
Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns to raise any issues you have.