The General Data Protection Regulations (GDPR) of The EU became enforceable on 25th May 2018.
The purpose of the GDPR is to provide a set of standardised personal data protection laws across all the member countries of The EU. Personal data is anything which identifies an individual. This can be a name, email address, telephone number, address, an image, for example.
The GDPR defines two classes of entities which interface with personal data: data controllers and data processors. Data controllers receive, store and make decisions about data processing. Data processors do something with the data provided by the controller. You can be a data controller, a data processor, or both. Simon Carter Ltd is both a data controller and data processor. An example of where we act as both a controller and processor is when we receive your online order placed on simoncarter.net. We receive the personal data such as your name and address in our capacity as controller. When we create the shipping label and give your goods to the courier company for delivery we are a processor. We are doing something with the data we control.
As data controllers we are required to be registered with the Information Commissioner's Office of The UK (ICO). Simon Carter Ltd is registered with The Information Commissioner's Office and appears in the public register maintained by it.
Personal data is received by the submission of online forms which have been populated by the data we need to process the order.
The personal data is stored in a database on a dedicated server.
We store some details required for order fulfilment – name, email address, shipping and billing addresses. These may also be used for marketing. We do not receive or store financial information such as credit card details. These are controlled and processed by the payment gateways – Sagepay and PayPal.
The server on which the database resides is maintained according to current best practices of digital data security. It is firewalled and regularly updated. The website code is scrutinised by experts for potential vulnerabilities. The forms into which you enter personal data are secured according to the latest technology and in line with industry standards. The website is audited for PCI (payment card industry) compliance by external auditors. Part of this involves the auditors scanning the website at regular intervals for potential vulnerabilities.
The personal data can be accessed by the website manager, by the Simon Carter Ltd dispatch team, by the accounts department and by authorised personnel at the digital agency who host and maintain the website – Remarkable.net.
Personal data is shared with the digital agency that maintains the website and web server – Remarkable.net, with the payment gateways – Sagepay and PayPal, with the courier companies who collect and deliver the orders, with the email marketing platform – Mailchimp and with Epsilon Abacus (please see the paragraph below under 'what about by post?').
At Simon Carter we take the view that our responsibilities in respect of personal data to not cease at the perimeter of our business. Therefore we seek assurances from the partners with whom we share personal data – the digital agency, the server hosting company, the email marketing platform, the couriers and Epsilon Abacus, that they are also doing the utmost to fulfil their obligations under GDPR.
The other legal basis for using the personal data to send out mailing materials by post, either to market our products or to facilitate such marketing by other brands and retailers is legitimate interest. At the start of the checkout flow are two checkboxes which concern this practice of sending out mailing materials by post. One asks if you would like us to send you our marketing materials about products and offers originating from our brand – Simon Carter. The other offers to share your details with other brands we believe you may be interested to hear from in this way. You can opt out of either of these by checking the relevant box. Technically the checkboxes relate to first party data (our marketing stuff) and third party data (other brands' marketing stuff).
It is stored for as long s we deem necessary to operate under the terms of 'legitimate interest'. We do not have a fixed period. If you create an account on simoncarter.net then, of course, you are responsible for your data. You may amend it as you wish. In other circumstances (checkout as 'guest') we retain the personal data in perpetuity, or until you tell us to delete it.
Under the terms of GDPR you may request that we delete your personal data at any time.
You may request a copy of any of your personal data that we control.
You have other rights under the GDPR such as:
The right to be informed if we process or intend to process your personal data.
The right to rectification if there is an error with the personal data.
The right to restrict processing.
The right to portability of the personal data.
The right to object to the control or processing of personal data.
The right to not be subject to automated decision-making including profiling.
If you have any questions about these rights in respect of your personal data and simoncarter.net please contact us using our contact form and we will be happy to discuss them. You may also contact The Information Commissioner's Office (ico.org) or complain to it.
We do not engage in profiling, using personal data, in order, for example, to tailor your experience of simoncarter.net depending on what we know, or think we know about you. We process personal data for the purposes of order fulfilment, customer service and marketing.
No we don't. We only send marketing emails to those who have explicitly consented to receiving them. This is an entirely separate consent procedure to that required during the giving of personal data for the purposes of ordering and order fulfilment.
We work with Epsilon Abacus (registered as Epsilon International UK Ltd), a company that manages the Abacus Alliance on behalf of UK retailers. The participating retailers are active in the following product categories: clothing, collectables, food & wine, gardening, gadgets & entertainment, health & beauty, household goods, and home interiors. They share information on what their customers buy. Epsilon Abacus analyses this pooled information to help retailers understand consumers’ wider buying patterns. From this information, retailers can tailor their communications, sending people suitable offers by post that should be of interest to them, based on what they like to buy.
Please note that Epsilon Abacus may transfer data outside the EEA. The transfer will take place in the presence of appropriate safeguards, including standard data protection clauses adopted by the EU Commission. If you would like more information, please call us on 020 8683 4475, write to us at our address or email: firstname.lastname@example.org is probably the best one, or use the contact form.
We do not engage in marketing by SMS or MMS messages.
When you contact us via the online contact form your message goes to the website administration dashboard where it can be seen by the website manager. The website manager will make an initial reply to your message via this facility and, in most cases, supply their simoncarter.net email address for you to correspond directly if you wish. The ability to correspond directly is advantageous should you need to attach a file, for example; something which is not possible via the contact form. In certain cases, where appropriate, the website manager will forward your message to the dispatch team if they are best placed to deal with it swiftly. This is the extent to which your personal data received via the contact form is controlled and processed. We provide the contact facility and subsequent email communication for the purposes of customer service only.
We archive company email in order to achieve regulatory compliance. The archive is secure and administered by an authorised person. We do not share the archive with external agencies unless legally required to do so. We might, rarely, have occasion to examine the archive in line with our legitimate business objectives but if this happens such examination would be carried out by the archive administrator under the supervision of a director.
This document sets out our practices in line with what we understand our obligations to be at this time under the terms of GDPR as they relate to simoncarter.net.