Partner and Supplier due Diligence
How do we handle data?
To help you ensure your own GDPR compliance, we have set out the following information, in a question-and-answer format and in accordance with our due diligence process, about how we use the data you provide to us:
In all circumstances, we store personal data from customers' orders for up to 6 years before it is deleted from our systems. This is to make sure we can respond to customer service queries after an order or service has ended and handle any legal claims.
We may give other organisations access to data so that we can fulfil contractual obligations and offer the high standard of service our customers and clients deserve. Examples of the organisations we use include, but are not limited to:
Network service providers
Repair service providers
Retail/Consumer finance service providers
Retail payment processing providers
MDM (mobile device management) solution providers.
The third parties that we share personal data with have been carefully considered and selected based on contractual agreements, trustworthiness and compliance with legislation.
If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it were being used in the EEA.
In addition, we may give access to relevant authorities as required by law.
We are in the process of asking our contractors to complete a blank version of this questionnaire, and varying the contracts to incorporate (either directly or by means of a side letter) the appropriate GDPR clauses.
Thereafter, we will be carrying out periodic reviews with the organisations who handle data on our behalf to ensure they still comply with the GDPR.
All our employees have received updated terms incorporating GDPR provisions and standards to ensure compliance and confidentiality throughout the organisation.
This also directly links to our disciplinary procedure.
Restricting access to systems depending on the sensitivity/risk.
Multi-factor authentication where applicable, and password protection for all systems, whether or not they hold personal information.
Maintaining records of the access granted to individuals; access is granular and varies depending on their role within the business.
Ensuring prompt deployment of updates, including third-party services, bug fixes and security patches, for all systems.
Appropriate security over wireless networks (802.11x) and remote access tools, including multi-factor authentication.
Encryption of mobile devices.
Physical data is stored securely on our premises in the UK.
Electronic data will be stored in our data centres and/or cloud locations. Where we use international data centres/cloud locations, we only do so when they have complied with GDPR international data transfer requirements.
Through our payment gateway agreements, personal data is automatically processed, and decisions are made with regard to applicable fraud regulations.
Aside from the above, we do not process data automatically for the purpose of automated decision making, such as profiling or making consumer credit decisions.
We have a Data Security Breach Policy and procedure in place.
Employees receive training so that a breach can be prevented and, where one occurs, identified quickly.
We have a systematic, auditable approach to monitoring the integrity of our IT systems.
Personal data is retained for the period of six years as outlined above. Digital data is destroyed either by physically destroying the storage media (e.g. drives, tapes) or by securely erasing the storage media followed by a reformat. Where we hold data in a physical format, it is placed in Shred-it bins and then securely destroyed off-site, in compliance with data protection law.