General Data Protection Regulation (GDPR)
GDPR will apply to all EU states from the 25th May 2018.
GDPR is an EU regulation which has two main drivers:
The EU wants to give people more control on how their personal data is being used.
The EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market. Galty Ventures Ltd has always complied with data protection laws and regulations surrounding the use of personal data. However, GDPR means we are having to change a number of our processes and policies. This document outlines what we have done at Galty Ventures Ltd to ensure we are fully compliant with the new regulation as from 25th May 2018.
What does GDPR change?
In summary, two things:
Transparency - Customers must be given far more information about what is done with their personal data, why, and what rights they have.
Control – Customers are given much more control in terms of obtaining a copy of their personal data, have it corrected, having it deleted, being told what legal ground is relied on to process the data, how long it will be kept for, objecting to processing (especially automated processing) and being told about security breaches and loss of data.
Data Controllers and Data Processors at Barrington Watch Winders Ltd
A Data Controller states how and why personal data is processed. Galty Ventures Ltd has a Data Controller and we will be more than happy to provide names should you have a valid request. Please email firstname.lastname@example.org asking for the name of your Data Controller.
A Data Processor is the individual at Galty Ventures Ltd who is processing the data. All of our team who are in a sales, operations, finance and marketing roles can process data at Galty Ventures Ltd.
The duty of our Data Controller is to ensure that our processors abide by the law and our processors must abide by these rules and maintain records of their processing activates.
Our Data Controller must ensure that data is processed lawfully (see below “What is Lawful?”), is transparent and used for a set purpose.
Once this purpose has been fulfilled and the data is no longer required, it then needs to be deleted from our systems.
Who we are and our details?
All our company details on our website, www.barringtonwatchwinders.com
What is Lawful?
Firstly, a person has consented for us to have their personal data and to process it.
Secondly, collecting the data is in our legitimate interest, such as preventing fraud.
How do we get consent from you?
During your registration for our newsletter we present a double opt in process for us to retain your data. This then records the data and time your consent was given. We may also retain your data if you place an order with us.
To comply with GDPR, Galty Ventures Ltd have to answer the following questions.
When did you give us consent?
The date you have clicked and submitted to the Galty Ventures Ltd opt-in box.
What did you give consent for?
Galty Ventures Ltd work with companies, charities and Government bodies, mainly in the UK, but also elsewhere in the EU.
You are giving us consent to market to you no more than once per month and also to communicate about business opportunities we may be working on.
Why do Galty Ventures Ltd require consent?
We require your data to maintain a commercial relationship over time with all our stakeholders to ensure that we can supply appropriate services and products to you.
How did you give consent?
Via an opt-in box either on this website or via an email we have sent you.
How can I withdraw my consent for you to hold my data?
You have the right to withdraw your consent for us to hold your data at any time. You do not have to offer a reason for this.
Once we have received notice from you to withdraw consent to hold your data, your details will be removed from our system and marketing lists within seven working days.
To remove your consent for us to hold your data, you can unsubscribe at any time using the unsubscribe option on our communications or by sending an email to email@example.com
Do we have this history by individual person?
Yes, our records will provide history by the individual, not the company or organisation they represent.
When will the consent expire?
We expire consent seven years after it has been given.
What is classified as personal data?
Personal data could relate to economic, cultural and mental health information on yourself. We do not hold any of this data.
What data we hold and why? Profiling and collection of other personal data
Profiling means any form of automated process of personal data to evaluate certain aspects relating to a person to analyse and predict their interest, behaviour, health and location. At Galty Ventures Ltd, at time we collect information on:
Location – we use location information, such as where you live, to send you products in future or inform you of local events that may be of interest to you.
Contact data – mobile phone number and email address.
Who do we share our data with, selling or offering of your data to third parties (1)
Galty Ventures Ltd will not sell your personal data to any third parties without your written consent.
(1)The only third party companies we share data with are:
Companies in our group, defined by where there is a common directorship or shareholding.
Holding of “Special Personal Data” also known as “Sensitive personal Data.”
This relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sex life.
Galty Ventures Ltd does not hold or collect any of this data.
What is soft Opt-in?
Soft opt-in is a term used to allow us to communicate with an individual even though they have not actually opted in as from the 25th May 2018. An individual could be a prospect, customer or supplier with whom we have spoken to about watch winders. Under the soft opt-in rules, we are allowed to communicate with this individual via email as long as the subject matter is related to watch winders.
The soft opt-in ruling can be deemed to be ambiguous. We have interpreted this section under the new GDPR rules that we can communicate with individuals via their personal email account or mobile phone if we can clearly demonstrate we have communicated with them in the past about a relevant subject matter.
What have we done to comply with the new GDPR ruling?
Board of Directors - Our board of directors have been fully briefed on GDPR and have appointed Data Controllers internally.
Training - All our existing staff – and new recruits – will go through a one-day data protection training course as a minimum, there being a refresher course on a yearly basis.
Company mobile phones – All company mobile phones are password protected.
Company laptops – All laptops are password protected. They are hidden when in a vehicle and locked away if ever stored overnight at an office. Employees are aware on the need to keep them safe in a home environment.
Personal Data – Our CRM system, Word, Excel, Outlook are all stored in the cloud via a Microsoft storage facility as opposed to the computer drive.
Downloading of data – The bulk downloading of data from our CRM system has been changed so that only Data Controllers can undertake this process. Excel spreadsheets are then deleted when not needed.
Printed material – We are a paperless office. All documentation that can hold personal data is stored on our CRM system
CRM system – This is security protected (https://) The data is help offsite in a data centre and backed up every day. All employees have an individual login and a passcode that changes on a daily basis. Only current employees of our company have access to this system.
Your rights as an individual
The GDPR includes the following rights for individuals:
the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision-making including profiling.
You can remove consent, for any reason at any time by emailing firstname.lastname@example.org
Should you have any questions regarding GDPR and your data at Galty Ventures Ltd, again, please email email@example.com and the Data Controller will get back to you within two working days.
In the event of a security breach
We take data security very seriously and use best endeavours to ensure the systems and procedures we follow provide us with a high level of data security. Should a data breach occur, we will analyse the situation and report it to the necessary authorities and communicate with any individuals that may have been affected.
Galty Ventures Ltd look to report this information to the Information Commissioners Office with 48 business hours and communicate with any individual affected within 72 hours.
Filing a Complaint
We hope that you will not find it necessary to file a complaint against our company with reference to Data Protection. Should you feel it appropriate, you will need to contact:
Organisation: Information Commissioners Officer
Website address: www.ico.org.uk
Telephone: You can call their helpline on 0303 123 1113
Who are the ICO?
The ICO are the UK’s independent authority set up to uphold information rights in the public interest promoting openness by public bodies and data privacy for individuals.
In order to be able to offer you Klarna's payment options, we will pass to Klarna certain aspects of your personal information, such as contact and order details, in order for Klarna to assess whether you qualify for their payment options and to tailor the payment options for you.
In cooperation with Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, we offer you the following payment options. Payment is to be made to Klarna:
- Pay in 3
- Pay Later
Further information and Klarna's user terms you can find here. General information on Klarna can be found here. Your personal data is handled in accordance with applicable data protection law and in accordance with the information in Klarnas privacy statement.