The General Data Protection Regulation (GDPR) of the EU became enforceable on 25th May 2018.
The purpose of the GDPR is to provide a set of standardised personal data protection laws across all the member countries of the EU. Personal data is anything which identifies an individual: for example, a name, email address, telephone number, postal address or an image.
The GDPR defines two classes of entities which interface with personal data: data controllers and data processors. Data controllers receive, store and make decisions about data processing. Data processors do something with the data provided by the controller. You can be a data controller, a data processor, or both. Simon Carter Ltd is both a data controller and data processor. An example of where we act as both a controller and processor is when we receive your online order placed on simoncarter.net. We receive the personal data such as your name and address in our capacity as controller. When we create the shipping label and give your goods to the courier company for delivery we are a processor. We are doing something with the data we control.
As data controllers we are required to be registered with the Information Commissioner's Office of The UK (ICO). Simon Carter Ltd is registered with The Information Commissioner's Office and appears in the public register maintained by it.
Personal data is received by the submission of online forms which have been populated by the data we need to process the order.
The personal data is stored in a database on a dedicated server.
We store some details required for order fulfilment – name, email address, shipping and billing addresses. We do not receive or store financial information such as credit card details. These are controlled and processed by the payment gateways – Sagepay and PayPal.
The server on which the database resides is maintained according to current best practices of digital data security. It is firewalled and regularly updated. The website code is scrutinised by experts for potential vulnerabilities. The forms into which you enter personal data are SSL secured according to the latest technology and in line with industry standards. The website is audited for PCI (payment card industry) compliance by external auditors. Part of this involves the auditors scanning the website at regular intervals for potential vulnerabilities.
The personal data can be accessed by the website manager, by the Simon Carter Ltd dispatch team, by the accounts department and by authorised personnel at the digital agency who host and maintain the website – Remarkable.net.
Personal data is shared with the digital agency that maintains the website and web server – Remarkable.net, with the payment gateways – Sagepay and PayPal, with the courier companies who collect and deliver the orders and with the email marketing platform – Mailchimp.
At Simon Carter we take the view that our responsibilities in respect of personal data do not cease at the perimeter of our business. Therefore we seek assurances from the partners with whom we share personal data – the digital agency, the server hosting company, the email marketing platform, the couriers and so on – that they are also doing their utmost to fulfil their obligations under GDPR.
This depends on whether you choose to create an account with simoncarter.net or check out as a 'guest'.
Where you create an account with simoncarter.net you have access to your personal data, which you can administer. If you request deletion of your personal data it is deleted from the database.
If you check out as a guest we retain the personal data for 30 days. This gives us time to deal with any issues that might arise with the order, or to issue a refund. After that the personal data is deleted.
Under the terms of GDPR you may request that we delete your personal data at any time.
You may request a copy of any of your personal data that we control.
You have other rights under the GDPR such as:
The right to be informed if we process or intend to process your personal data.
The right to rectification if there is an error with the personal data.
The right to restrict processing.
The right to portability of the personal data.
The right to object to the control or processing of personal data.
The right to not be subject to automated decision-making including profiling.
If you have any questions about these rights in respect of your personal data and simoncarter.net please contact us using our contact form and we will be happy to discuss them. You may also contact The Information Commissioner's Office (ico.org) or complain to it.
We do not engage in profiling, using personal data, in order, for example, to tailor your experience of simoncarter.net depending on what we know, or think we know about you. We process personal data for the purposes of order fulfilment, customer service and marketing.
No, we don't. We only send marketing emails to those who have explicitly consented to receiving them. This is an entirely separate consent procedure from that required when you give personal data for the purposes of ordering and order fulfilment.
The same applies. We do not send marketing materials by post unless you have explicitly and unambiguously consented to that in a process separate from that of placing an order, and we provide a means for you to easily withdraw consent to the receiving of marketing materials, whatever form they take.
We do not engage in marketing by SMS or MMS messages.
When you contact us via the online contact form your message goes to the website administration dashboard where it can be seen by the website manager. The website manager will make an initial reply to your message via this facility and, in most cases, supply their simoncarter.net email address for you to correspond directly if you wish. The ability to correspond directly is advantageous should you need to attach a file, for example; something which is not possible via the contact form. In certain cases, where appropriate, the website manager will forward your message to the dispatch team if they are best placed to deal with it swiftly. This is the extent to which your personal data received via the contact form is controlled and processed. We provide the contact facility and subsequent email communication for the purposes of customer service only.
We archive company email in order to achieve regulatory compliance. The archive is secure and administered by an authorised person. We do not share the archive with external agencies unless legally required to do so. We might, rarely, have occasion to examine the archive in line with our legitimate business objectives but if this happens such examination would be carried out by the archive administrator under the supervision of a director.
This document sets out our practices in line with what we understand our obligations to be at this time under the terms of GDPR as they relate to simoncarter.net.