GDPR Compliance Statement
The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.
The Original Art Shop (Staffordshire) Ltd. is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR and the UK’s Data Protection bill.
The Original Art Shop (Staffordshire) Ltd. is dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and objectives for GDPR compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.
The Original Art Shop (Staffordshire) Ltd. has a consistent level of data protection and security across our organisation. This includes: -
- Information Audit - carrying out at regular periods a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed.
- Policies & Procedures - data protection policies and procedures are in place to meet the requirements and standards of the GDPR and any relevant data protection laws, including: -
Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy by design and the rights of individuals.
Data Retention & Erasure – we have updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge. Our procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and ensure that communications with data subjects are compliant, consistent and adequate.
Your Data Privacy
- Your personal data
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
- Who we are
The Original Art Shop (Staffordshire) Ltd. is the data controller, contact details HERE. A data controller decides how your personal data is processed and for what purposes.
- How we process your personal data
The Original Art Shop (Staffordshire) Ltd. complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: -
- 1. To administer customer records;
- 2. To maintain our legislative obligations of accounts and records;
- 3. To keep you informed of new product and special events offers at The Original Art Shop (Staffordshire) Ltd.
- Legal basis for processing your personal data
- 1. Explicit consent of the data subject so that we can keep you informed of new product and special events offers at The Original Art Shop (Staffordshire) Ltd.
- 2. Processing is necessary for carrying out obligations under credit control law, or a collective agreement.
- Sharing your
Your personal data will be treated as strictly confidential and The Original Art Shop (Staffordshire) Ltd. will not share data with any other person, company or organisation.
- Length of time we keep your personal data
We keep data in accordance with legal requirements or for a reasonable but not an excessive length of time to maintain our records.
- Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
- The right to request a copy of your personal data which The Original Art Shop (Staffordshire) Ltd. holds about you;
- The right to request that The Original Art Shop (Staffordshire) Ltd. corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for The Original Art Shop (Staffordshire) Ltd. to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that the data controller provide the data subject with his/her personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data (where applicable);
- The right to lodge a complaint with the Information Commissioner’s Office.
- Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
- Contact Details
Please refer any GDPR related enquiries to: firstname.lastname@example.org or directly to The Original Art Shop (Staffordshire) Ltd. 225 Trentham Retail Village, Trentham, ST4 8AX.