Data Controller: The Glass Box Company
Data Processor: Basehound Media. Processing data on behalf of the Data Controller.
Contact details: email@example.com
Date operational from: 25th May 2018
Date of next review: 31st May 2020
LAWFUL BASIS FOR COLLECTION OF DATA
The customer has opened an online account with The Glass Box Company on the theglassboxcompany.co.uk website in order to purchase goods and services through this website and has therefore given explicit consent for the data to be collected, stored and used in order to allow the Company to fulfill its obligations under the current and future sales contracts.
The customer has subscribed to The Glass Box Company Newsletter to be kept informed of various news items and offers from the Company and has given consent for the data to be collected, stored and used.
At The Glass Box Company (The Company) we take the security of the data you provide to us extremely seriously and will always do our utmost to protect this data and maintain your trust in us.
Requirements under GDPR
The Company is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
When you use this website
We collect information in three ways:
1. From customers who open an account with a view to purchasing from this website.
2. From customers who open an account with a view to purchasing from this website AND subscribe to our Monthly Newsletter through this website.
3. From visitors to our website.
Information collected and used
We collect the following data from you when you open an account:
Your name, email address and telephone number. These are considered to be Standard Levels of data.
We keep this information for as long as you remain a newsletter subscriber and delete it if or when you unsubscribe.
We collect the following data from you when you make a purchase through the website:
Your full name, full address and postcode (for billing and delivery) including the relevant country, your telephone number, your chosen method of payment.
Why do we need this information?
To fulfill our contractual obligations regarding your purchase and collect information for delivery. In order to complete your order we need to know who you are and where to send the goods. We also need to know your chosen method of payment in order to direct you to the correct payment provider.
The Company does not collect, use or store any sensitive payment related data other than your chosen method of payment.
We personalise the emails we send to you, displaying your first name at the beginning of the email.
These emails are our Newsletters in which we inform you of Company news, new products, industry news, any current offers and other information we think may be of interest.
Occasionally we may send specific subscriber offers to you to celebrate your birthday, for example. These offers are for newsletter subscribers only and redemption is required. To combat fraudulent claims we check your name, date of birth and email address against our records at the time of redemption.
When you subscribe to our newsletter you give your initial consent by ticking the acceptance checkbox.
Following receipt of your request for subscription to our Newsletter email we will send a verification email to you.
Please click on the link within this email to verify your subscription. This is the double opt-in step which is necessary to comply with GDPR.
This allows us to store the aforementioned data, which is necessary for us to be able to provide the newsletter service. This data is stored securely by our third-party email service provider. We also have a back-up stored on a password protected external physical drive which is encrypted and kept locked in a secure location.
Redemption claim details are also stored on a secure cloud based server.
We will always do our utmost to keep your data safe and compliant with GDPR requirements.
You may unsubscribe from our newsletter at any time by clicking the 'unsubscribe' link at the bottom of each email we send or by requesting to be unsubscribed by sending an email to us. Your details will be deleted from all points of storage. Please note this information is only stored digitally and no physical paperwork exists which contains this customer data.
We use a third-party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice. You can unsubscribe from general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data controller.
Information we may collect and use from website visitors
Additional information that we may collect and hold during normal browsing of the site is information about your computer and about your visits to, and use of, the website (including your IP address, approximate geographical location, browser type, referral source, length of visit and number of page views).
This information is required to analyse the performance and popularity of our website; other than the IP address, no other personal information is collected.
Using cookies or other on-device storage
Cookies are information files stored on your computer, tablet or smartphone that help websites remember who you are and information
Tracking how the website is used
As mentioned previously, information is collected about activity on the website by Google Analytics.
This information is used to:
a. analyse statistics;
b. track pages and paths used by visitors to, or users of, the website;
c. target the adverts or offers, such as banners on the website;
d. track the use of our banner adverts.
Who has access to your data?
The Glass Box Company Management has access to your name, email address and date of birth.
The Glass Box Company staff have access limited to customers in the process of redeeming an offer.
Third party service providers where our newsletter service information is stored and managed have access to your name, email address and date of birth.
These service providers are Google, Mailchimp and Basehound Media. All three have been checked by The Glass Box Company and found, to the best of our knowledge, to be GDPR compliant.
Google and Basehound Media also have access to your Google Analytics information about your computer and about your visits to, and use of, the website (including your IP address, approximate geographical location, browser type, referral source, length of visit and number of page views).
Only PayPal has access to your payment information.
Rights of the subscriber under General Data Protection Regulations
1. The right to be informed: Organisations need to tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
2. The right to access: Individuals can submit subject access requests, which oblige organisations to provide a copy of any personal data concerning the individual. Organisations have one month to produce this information, although there are exceptions for requests that are manifestly unfounded, repetitive or excessive.
3. The right to rectification: If the individual discovers that the information an organisation holds on them is inaccurate or incomplete, they can request that it be updated. As with the right to access, organisations have one month to do this, and the same exceptions apply.
4. The right to erasure (also known as ‘the right to be forgotten’): Individuals can request that organisations erase their data in certain circumstances, such as when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes instances where the individual withdraws consent.
5. The right to restrict processing: Individuals can request that organisations limit the way an organisation uses personal data. It’s an alternative to requesting the erasure of data, and might be used when the individual contests the accuracy of their personal data or when the individual no longer needs the information but the organisation requires it to establish, exercise or defend a legal claim.
6. The right to data portability: Individuals are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that an individual has provided to data controllers by way of a contract or consent.
7. The right to object: Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the public interest/exercise of official authority. Organisations must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the individual, or if the processing is for the establishment, exercise or defence of legal claims.
8. Rights related to automated decision making including profiling: The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
Exercising your rights
If you wish to contact the Company to exercise any of the above rights, we require a written request either by letter or email. When requesting please include your full name, email address and date of birth. If you inform the Company via email we'll initially send a verification email to make sure it really is you before we act upon your request. Any request will be actioned within 30 days and you will be informed when the action has been completed.
We reserve the right to check your identity before releasing any data under any of the above rights, if deemed necessary.
We will provide the data as requested under any of the above rights free of charge for the first request. Subsequent requests for the same data and under the same legal right may be charged for at a fee of £20 per duplicate request to cover administrative costs.
Disclosure of your information to Third Parties
Your information will not be passed to any third party other than Google, Mailchimp and Basehound Media but may be shared within the Company.
Exceptions to this rule are government and enforcement agencies and the police.
Every now and again, requests are received for information from government departments, the police and other enforcement agencies.
If this happens, and there is a proper legal basis for providing your information, it will be provided to the organisation asking for it.
How your information is kept secure
The security of information is taken very seriously. Technology and security policies are in place to protect the information held.
Digital data is kept in password protected and encrypted folders on an external drive which is kept locked in a secure place.
Basehound Media (our Data Processor) has access to this data.
Cloud based data is stored on encrypted servers. Our Data Controller, Google, Mailchimp and Basehound Media have access to this data.
Physical documents are kept locked in a secure place.
Our Data Controller has access to this data.
Last updated May 2018
Next review May 2020 by the Data Controller assisted by the Data Processor.