How do we handle data?

To ensure your own GDPR compliance, we have set out the following information about how we use the data you provide us with a Questions and Answer form, to give you necessary insight:

How long is the personal data you receive from us stored for?

In all circumstances, we store personal data from customer’s orders for up to 6 years before it is deleted from our systems. This is to make sure we can respond to customer service queries after an order or service has resided and handle any legal claims.

Have you appointed a Data Protection Officer?

No – we are not required to do so under the GDPR. This is due to our business size, not requesting Personal Sensitive-information and the way we use personal data is not particularly complex.

What other organisations have access to the data we share with you, and why?

We may give other organisations access to data so that we can fulfil contractual obligations and offer the high standard of service our customers and clients deserve. Please find some examples of organisations we use but are not limited to:

  • Couriers
  • Network service providers
  • Stock/Distribution providers
  • Repair service providers
  • Insurance providers
  • Retail/Consumer finance service providers
  • Retail payment processing providers
  • MDM solution providers.

The third parties that we share personal data with have been carefully considered and selected based on contractual agreements, trustworthiness and compliance with legislation.

If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA.

In addition, we may give access to relevant authorities as required by law.

Is due diligence carried out in relation to such organisations’ handling of data?

We are in the process of asking our contractors to complete a blank version of this questionnaire, and varying the contracts to incorporate (either directly or by means of a side letter) the appropriate GDPR clauses.

Thereafter, we will be carrying out periodic reviews with the organisations who handle data on our behalf to ensure they still comply with the GDPR.

Do your employment terms and conditions clearly set out the confidentiality and information security standards expected of your staff?

All our employees have received updated terms incorporating GDPR provisions and standards to ensure compliance and confidentiality throughout the organisation.

This also directly links to our disciplinary procedure.

How often do your employees receive data protection/information security training?

We provide all employees with information and training relevant to their roles and keep this updated throughout their employment with our company. Training is regularly reviewed to reflect new regulatory and legislative requirements.

What physical security measures are in place to protect the data we send to you?

  • Restriction of access to buildings, data centres and server rooms as necessary.
  • Biometric access on all doors where personal information is exposed/obtainable.
  • Monitoring of unauthorised access.
  • Written procedures for employees, contractors and visitors covering confidentiality and security of information.

What technical security measures do you have in place to protect the data we send to you?

  • Restricting access to systems depending on the sensitivity/risk.
  • Multi-factored authentication where applicable and password protection for all systems, including and excluding personal information.
  • Record maintenance of access given to individuals; this is granular varying dependent on their role within the business.
  • Ensuring prompt deployment of updates; including 3rd party services, bug-fixes and security patches for all systems.
  • Appropriate security over wireless networks (802.11x) and remote access tools; including multi-factor authentication.
  • Encryption of mobile devices.

Where is the data we send to you physically stored?

Physical data is stored securely on our premises in the UK.

Electronic data will be stored in our data centres and/or cloud locations. Where we use international data centres/cloud locations, we only do so when they have complied with GDPR international data transfer requirements.

Do you use any automatic processing of data?

Through our payment gateway agreements, personal data is automatically processed, and decisions are made with regard to applicable fraud regulations.

Aside from the above, we do not process data automatically for the purpose of automated decision making; such as profiling, or making consumer credit decisions.

Please describe the processes you have in place to detect and notify us of security incidents in relation to the data we send to you.

  • We have a Data Security Breach Policy and procedure in place.
  • Employees receive training so a breach can not only be identified quickly, but prevented.
  • We have systematic approach to monitoring the integrity of our IT systems, which is auditable.

What is your data destruction process?

Personal data is retained for the period of six years as outlined above the destruction of the digital data is done either by physically destroying the storage media e.g. drives, tapes, or by securely erasing the storage media followed by a reformat. Where we hold the data in a physical format, the data is placed in Shred-it bins, and then securely destroyed off-site, complying with data protection law.

If you have any questions regarding GDPR please email customer.services@aerial-direct.co.uk.