Privacy Policy
This privacy policy applies between you, the User of this Website, and Ruth Sudol, the owner and provider of this Website. Ruth Sudol takes the privacy of your information very seriously. This privacy policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website.
This privacy policy should be read alongside, and in addition to, our Terms and Conditions, which can be found below.
Please read this privacy policy carefully.
Definitions and interpretation
1. In this privacy policy, the following definitions are used:
Data - collectively all information that you submit to Ruth Sudol via the Website. This definition incorporates, where applicable, the definitions provided in the Data Protection Laws;
Data Protection Laws - any applicable law relating to the processing of personal Data, including but not limited to the GDPR, and any national implementing and supplementary laws, regulations and secondary legislation;
GDPR - the UK General Data Protection Regulation;
Ruth Sudol, we or us - Ruth Sudol of 77 Primley Park Road, West Yorkshire, LS17 7HR;
User or you - any third party that accesses the Website and is not either (i) employed by Ruth Sudol and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Ruth Sudol and accessing the Website in connection with the provision of such services; and
Website - the website that you are currently using, www.wearefixology.co.uk, and any sub-domains of this site unless expressly excluded by their own terms and conditions.
2. In this privacy policy, unless the context requires a different interpretation:
a. the singular includes the plural and vice versa;
b. references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;
c. a reference to a person includes firms, companies, government entities, trusts and partnerships;
d. "including" is understood to mean "including without limitation";
e. reference to any statutory provision includes any modification or amendment of it;
f. the headings and sub-headings do not form part of this privacy policy.
Scope of this privacy policy
3. This privacy policy applies only to the actions of Ruth Sudol and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.
4. For purposes of the applicable Data Protection Laws, Ruth Sudol is the "data controller". This means that Ruth Sudol determines the purposes for which, and the manner in which, your Data is processed.
Data collected
5. We may collect the following Data, which includes personal Data, from you:
a. name;
b. date of birth;
c. contact information such as email addresses and telephone numbers;
d. financial information such as credit / debit card numbers;
in each case, in accordance with this privacy policy.
How we collect Data
6. We collect Data in the following ways:
a. data is given to us by you; and
b. data is collected automatically.
Data that is given to us by you
7. Ruth Sudol will collect your Data in a number of ways, for example:
a. when you contact us through the Website, by telephone, post, e-mail or through any other means;
in each case, in accordance with this privacy policy.
Data that is collected automatically
8. To the extent that you access the Website, we will collect your Data automatically, for example:
a. we automatically collect some information about your visit to the Website. This information helps us to make improvements to Website content and navigation, and includes your IP address, the date, times and frequency with which you access the Website and the way you use and interact with its content.
Our use of Data
9. Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:
a. internal record keeping;
b. improvement of our products / services;
c. transmission by email of marketing materials that may be of interest to you;
d. contact for market research purposes which may be done using email, telephone, fax or mail. Such information may be used to customise or update the Website;
in each case, in accordance with this privacy policy.
10. We may use your Data for the above purposes if we deem it necessary to do so for our legitimate interests. If you are not satisfied with this, you have the right to object in certain circumstances (see the section headed "Your rights" below).
11. For the delivery of direct marketing to you via e-mail, we'll need your consent, whether via an opt-in or soft-opt-in:
a. soft opt-in consent is a specific type of consent which applies when you have previously engaged with us (for example, you contact us to ask us for more details about a particular product/service, and we are marketing similar products/services). Under "soft opt-in" consent, we will take your consent as given unless you opt-out.
b. for other types of e-marketing, we are required to obtain your explicit consent; that is, you need to take positive and affirmative action when consenting by, for example, checking a tick box that we'll provide.
c. if you are not satisfied with our approach to marketing, you have the right to withdraw consent at any time. To find out how to withdraw your consent, see the section headed "Your rights" below.
Keeping Data secure
12. We will use technical and organisational measures to safeguard your Data, for example:
a. access to your account is controlled by a password and a user name that is unique to you.
b. we store your Data on secure servers.
c. payment details are encrypted using SSL technology (typically you will see a lock icon or green address bar (or both) in your browser when we use this technology).
13. Technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: info@wearefixology.co.uk.
14. If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Data retention
15. Unless a longer retention period is required or permitted by law, we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy or until you request that the Data be deleted.
16. Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes.
Your rights
17. You have the following rights in relation to your Data:
a. Right to access - the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
b. Right to correct - the right to have your Data rectified if it is inaccurate or incomplete.
c. Right to erase - the right to request that we delete or remove your Data from our systems.
d. Right to restrict our use of your Data - the right to "block" us from using your Data or limit the way in which we can use it.
e. Right to data portability - the right to request that we move, copy or transfer your Data.
f. Right to object - the right to object to our use of your Data including where we use it for our legitimate interests.
18. To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via this e-mail address: info@wearefixology.co.uk.
19. If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner's Office (ICO). The ICO's contact details can be found on their website at https://ico.org.uk/.
20. It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.
Links to other websites
21. This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.
Changes of business ownership and control
22. Ruth Sudol may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of Ruth Sudol. Data provided by Users will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
23. We may also disclose Data to a prospective purchaser of our business or any part of it.
24. In the above instances, we will take steps with the aim of ensuring your privacy is protected.
General
25. You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
26. If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.
27. Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
28. This Agreement will be governed by and interpreted according to the law of England and Wales. All disputes arising under the Agreement will be subject to the exclusive jurisdiction of the English and Welsh courts.
Changes to this privacy policy
29. Ruth Sudol reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations.
You may contact Ruth Sudol by email at info@wearefixology.co.uk.
Attribution
30. This privacy policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
This privacy policy was created on 2nd January 2023.
Terms & Conditions
As we can accept your order and make a legally enforceable agreement without further reference to you, you must read these terms and conditions to make sure that they contain all that you want and nothing that you are not happy with. If you are not sure about anything, just phone us on 07952116642.
Application
1. These Terms and Conditions will apply to the purchase of the goods by you (the Customer or you). We are Ruth Sudol trading as Fixology of Margaret House, 2 Devonshire Crescent, LS8 1EP with email address info@wearefixology.co.uk; telephone number 07952116642 (the Supplier or us or we).
2. These are the Terms on which we sell all Goods to you. By ordering any of the Goods, you agree to be bound by these Terms and Conditions.
Interpretation
3. Consumer means an individual acting for purposes which are wholly or mainly outside their trade, business, craft or profession;
4. Contract means the legally-binding agreement between you and us for the sale and purchase of the Goods;
5. Delivery Location means the Supplier's premises or other location where the Goods are to be supplied, as set out in the Order;
6. Goods means any goods that we supply to you, of the number and description as set out in the Order;
7. Order means the Customer's order for the Goods from the Supplier as set out overleaf.
Goods
8. The description of the Goods is as set out in our website, catalogues, brochures or other form of advertisement. Any description is for illustrative purposes only and there may be small discrepancies in colour or size.
9. In the case of Goods made to your special requirements, it is your responsibility to ensure that any information you provide is accurate.
Basis of Sale
10. The description of the Goods in our website, catalogues, brochures or other form of advertisement does not constitute a contractual offer to sell the Goods.
11. When an Order has been made, we can reject it for any reason, although we will try to tell you the reason without delay.
12. A Contract will be formed for the Goods ordered, only upon the Supplier sending an email to the Customer saying that the Order has been accepted or if earlier, the Supplier's delivery of the Goods to the Customer.
13. Any quotation is valid for a maximum period of 30 days from its date, unless we expressly withdraw it at an earlier time.
14. No variation of the Contract, whether about description of the Goods, price or otherwise, can be made after it has been entered into unless the variation is agreed by the Customer and the Supplier in writing.
15. We intend that these Terms and Conditions apply only to a Contract entered into by you as a Consumer where we, the Supplier and you the Customer, enter the Contract at any of the Supplier's business premises, and where the Contract is not a contract (i) for which an offer was made by the Customer in the Supplier's and the Customer's simultaneous physical presence away from those premises, or (ii) made immediately after the Customer was personally and individually addressed in the Supplier's and the Customer's simultaneous physical presence away from those premises. If this is not the case, you must tell us, so that we can provide you with a different contract with terms which are more appropriate to you and which might, in some way, be better for you, eg by giving cancellation rights pursuant to consumer protection law. Business premises means immovable retail premises where we carry on business on a permanent basis or, in the case of movable retail premises, on a usual basis.
Price and Payment
16. The price of the Goods and any additional delivery or other charges for the Goods, and the total price of them and the charges, is that set out in our price list current at the date we accepted the Order or such other price as we may agree in writing.
17. Prices and charges include VAT at the rate applicable at the time of the Order.
18. Payment for Goods must be made within 1 day of invoice. You must pay in cash or by submitting your credit or debit card details with your Order and we can take payment immediately or otherwise before delivery of the Goods.
Delivery
19. We will deliver the Goods to the Delivery Location by the time or within the period agreed, or failing any agreement, without undue delay and, in any event, not more than 30 days after the day on which the Contract is entered into.
20. In any case, regardless of events beyond our control, if we do not deliver the Goods on time, you can (in addition to any other remedies) treat the Contract at an end if:
a. we have refused to deliver the Goods, or if delivery on time is essential taking into account all the relevant circumstances at the time the Contract was made, or if you told us before the Contract was made that delivery on time was essential; or
b. after we have failed to deliver on time, you have specified a later period which is appropriate to the circumstances and we have not delivered within that period.
21. If you treat the Contract at an end, we will (in addition to other remedies) promptly return all payments made under the Contract.
22. If you were entitled to treat the Contract at an end, but do not do so, you are not prevented from cancelling the Order for any Goods or rejecting Goods that have been delivered and, if you do this, we will (in addition to other remedies) without delay return all payments made under the Contract for any such cancelled or rejected Goods. If the Goods have been delivered, you must return them or allow us to collect them from you and we will pay the costs of this.
23. If any Goods form a commercial unit (a unit is a commercial unit if division of the unit would materially impair the value of the goods or the character of the unit) you cannot cancel or reject the Order for some of those Goods without also cancelling or rejecting the Order for the rest of them.
24. We do not generally deliver to addresses outside England and Wales, Scotland, Northern Ireland, the Isle of Man and the Channel Islands. If, however, we accept an Order for delivery outside that area, you may need to pay import duties or other taxes, as we will not pay them.
25. You agree we may deliver the Goods in instalments if we suffer a shortage of stock or other genuine and fair reason, subject to the above provisions and provided you are not liable for extra charges.
26. If you or your nominee fail, through no fault of ours, to take delivery of the Goods at the Delivery Location, we may charge the reasonable costs of storing and redelivering them.
27. The Goods will become your responsibility from the completion of delivery or Customer collection. You must, if reasonably practicable, examine the Goods before accepting them.
Risk and Title
28. Risk of damage to, or loss of, the Goods will pass to you when the Goods are delivered to you.
29. You do not own the Goods until we have received payment in full. If full payment is overdue or a step occurs towards your bankruptcy, we can choose, by notice, to cancel any delivery and end any right to use the Goods still owned by you, in which case you must return them or allow us to collect them.
Withdrawal and cancellation
30. You can withdraw the Order by telling us before the Contract is made, if you simply wish to change your mind and without giving us a reason, and without incurring any liability.
31. You can cancel the Contract except for any Goods which are made to your special requirements by telling us no later than 30 days after the Contract was made, if you simply wish to change your mind and without giving us a reason, and without liability, except in that case, you must return to any of our business premises the Goods in undamaged condition at your expense. Then we will without delay refund to you the price for those Goods, but we can retain any separate delivery charge. This does not affect your rights when the reason for the cancellation is any defective Goods.
Conformity
32. We have a legal duty to supply the Goods in conformity with the Contract, and will not have conformed if it does not meet the following obligation.
33. Upon delivery, the Goods will:
a. be of satisfactory quality;
b. be reasonably fit for any particular purpose for which you buy the Goods which, before the Contract is made, you made known to us (unless you do not actually rely, or it is unreasonable for you to rely, on our skill and judgment) and be fit for any purpose held out by us or set out in the Contract; and
c. conform to their description.
34. It is not a failure to conform if the failure has its origin in your materials.
Circumstances beyond the control of either party
35. In the event of any failure by a party because of something beyond its reasonable control:
a. the party will advise the other party as soon as reasonably practicable; and
b. the party's obligations will be suspended so far as is reasonable, provided that that party will act reasonably, and the party will not be liable for any failure which it could not reasonably avoid, but this will not affect the Customer's above rights relating to delivery and the right to cancel below.
Privacy
36. Your privacy is critical to us. We respect your privacy and comply with the General Data Protection Regulation with regard to your personal information.
37. These Terms and Conditions should be read alongside, and are in addition to, our policies, including our privacy policy and cookies policy, which can be found on our website.
38. For the purposes of these Terms and Conditions:
a. 'Data Protection Laws' means any applicable law relating to the processing of Personal Data, including, but not limited to the GDPR.
b. 'GDPR' means the UK General Data Protection Regulation.
c. 'Data Controller', 'Personal Data' and 'Processing' shall have the same meaning as in the GDPR.
39. We are a Data Controller of the Personal Data we Process in providing the Goods to you.
40. Where you supply Personal Data to us so we can provide Goods to you, and we Process that Personal Data in the course of providing the Goods to you, we will comply with our obligations imposed by the Data Protection Laws:
a. before or at the time of collecting Personal Data, we will identify the purposes for which information is being collected;
b. we will only Process Personal Data for the purposes identified;
c. we will respect your rights in relation to your Personal Data; and
d. we will implement technical and organisational measures to ensure your Personal Data is secure.
41. For any enquiries or complaints regarding data privacy, you can email: info@wearefixology.co.uk.
Excluding liability
42. The Supplier does not exclude liability for: (i) any fraudulent act or omission; or (ii) for death or personal injury caused by negligence or breach of the Supplier's other legal obligations. Subject to this, the Supplier is not liable for (i) loss which was not reasonably foreseeable to both parties at the time when the Contract was made, or (ii) loss (eg loss of profit) to the Customer's business, trade, craft or profession which would not be suffered by a Consumer because the Supplier believes the Customer is not buying the Goods wholly or mainly for its business, trade, craft or profession.
Governing law, jurisdiction and complaints
43. The Contract (including any non-contractual matters) is governed by the law of England and Wales.
44. Disputes can be submitted to the jurisdiction of the courts of England and Wales or, where the Customer lives in Scotland or Northern Ireland, in the courts of respectively Scotland or Northern Ireland.
45. We try to avoid any dispute, so we deal with complaints as follows: If a dispute occurs customers should contact us directly. We will aim to respond within 5 days.
46. We aim to follow these codes of conduct, copies of which you can obtain as follows: CSP code of conduct available from https://www.csp.org.uk/documents/council-code-conduct
Statement and purpose of policy
A. Ruth Sudol (the Employer) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
B. We confirm for the purposes of the data protection laws, that the Employer is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
C. The purpose of this policy is to help us achieve our data protection and data security aims by:
1. notifying our staff of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information;
2. setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
3. clarifying the responsibilities and duties of staff in respect of data protection and data security.
D. This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
E. For the purposes of this policy:
1. Data protection laws means all applicable laws relating to the processing of personal data, including, for the period during which it is in force, the UK General Data Protection Regulation.
2. Data subject means the individual to whom the personal data relates.
3. Personal data means any information that relates to an individual who can be identified from that information.
4. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
5. Special categories of personal data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data protection principles
1. Staff whose work involves using personal data relating to Staff or others must comply with this policy and with the following data protection principles which require that personal information is:
a. processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
b. collected only for specified, explicit and legitimate purposes. Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data, we must first tell the data subject.
c. processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
d. accurate and the Employer takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
e. kept only for the period necessary for processing. Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer.
f. secure, and appropriate measures are adopted by the Employer to ensure this.
Who is responsible for data protection and data security?
2. Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
3. Questions about this policy, or requests for further information, should be directed to the Data Protection Officer.
4. All Staff have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The Data Protection Officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
5. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
What personal data and activities are covered by this policy?
6. This policy covers personal data:
a. which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
b. which is stored electronically or on paper in a filing system;
c. in the form of statements of opinion as well as facts;
d. which relates to Staff (present, past or future) or to any other individual whose personal data we handle or control;
e. which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
7. This personal data is subject to the legal safeguards set out in the data protection laws.
What personal data do we process about Staff?
8. We collect personal data about you which:
a. you provide or we gather before or during your employment or engagement with us;
b. is provided by third parties, such as references or information from suppliers or another party that we do business with; or
c. is in the public domain.
9. The types of personal data that we may collect, store and use about you include records relating to your:
a. home address, contact details and contact details for your next of kin;
b. recruitment (including your application form or curriculum vitae, references received and details of your qualifications);
c. pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
d. telephone, email, internet, fax or instant messenger use;
e. performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.
Sensitive personal data
10. We may from time to time need to process sensitive personal information (sometimes referred to as 'special categories of personal data').
11. We will only process sensitive personal information if:
a. we have a lawful basis for doing so, eg it is necessary for the performance of the employment contract; and
b. one of the following special conditions for processing personal information applies:
i. the data subject has given explicit consent.
ii. the processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject.
iii. the processing is necessary to protect the data subject's vital interests, and the data subject is physically incapable of giving consent.
iv. processing relates to personal data which are manifestly made public by the data subject.
v. the processing is necessary for the establishment, exercise, or defence of legal claims; or
vi. the processing is necessary for reasons of substantial public interest.
12. Before processing any sensitive personal information, Staff must notify the Data Protection Officer of the proposed processing, in order for the Data Protection Officer to assess whether the processing complies with the criteria noted above.
13. Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
14. Our Privacy Notice sets out the type of sensitive personal information that we process, what it is used for and the lawful basis for the processing.
How we use your personal data
15. We will tell you the reasons for processing your personal data, how we use such information and the legal basis for processing in our Privacy Notice. We will not process Staff personal information for any other reason.
16. In general, we will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including, but not limited to:
a. Staff address lists: to compile and circulate lists of home addresses and contact details, to contact you outside working hours.
b. Sickness records: to maintain a record of your sickness absence and copies of any doctor's notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
c. Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
d. Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
e. Performance reviews: to carry out performance reviews.
Accuracy and relevance
17. We will:
a. ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
b. not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.
18. If you consider that any information held about you is inaccurate or out of date, then you should tell the Data Protection Officer. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.
Storage and retention
19. Personal data (and sensitive personal information) will be kept securely in accordance with our
20. The periods for which we hold personal data are contained in our Privacy Notices.
Individual rights
21. You have the following rights in relation to your personal data.
22. Subject access requests:
a. You have the right to make a subject access request. If you make a subject access request, we will tell you:
i. whether or not your personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
ii. to whom your personal data is or may be disclosed;
iii. for how long your personal data is stored (or how that period is decided);
iv. your rights of rectification or erasure of data, or to restrict or object to processing;
v. your right to complain to the Information Commissioner if you think we have failed to comply with your data protection rights; and
vi. whether or not we carry out automated decision-making and the logic involved in any such decision making.
b. We will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.
c. To make a subject access request, contact us at info@wearefixology.co.uk.
d. We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.
e. We will normally respond to your request within 28 days from the date your request is received. In some cases, eg where there is a large amount of personal data being processed, we may respond within 3 months of the date your request is received. We will write to you within 28 days of receiving your original request if this is the case.
f. If your request is manifestly unfounded or excessive, we are not obliged to comply with it.
23. Other rights:
a. You have a number of other rights in relation to your personal data. You can require us to:
i. rectify inaccurate data;
ii. stop processing or erase data that is no longer necessary for the purposes of processing;
iii. stop processing or erase data if your interests override our legitimate grounds for processing the data (where we rely on our legitimate interests as a reason for processing data);
iv. stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Employer's legitimate grounds for processing the data.
b. To request that we take any of these steps, please send the request to info@wearefixology.co.uk.
Data security
24. We will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
25. Maintaining data security means making sure that:
a. only people who are authorised to use the information can access it;
b. where possible, personal data is pseudonymised or encrypted;
c. information is accurate and suitable for the purpose for which it is processed; and
d. authorised persons can access information if they need it for authorised purposes.
26. By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
27. Personal information must not be transferred to any person to process (eg while performing services for us or on our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
28. Security procedures include:
a. Any desk or cupboard containing confidential information must be kept locked.
b. Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended, and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
c. Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
d. The Data Protection Officer must approve of any cloud used to store data.
e. Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
f. All servers containing sensitive personal data must be approved and protected by security software.
g. Servers containing personal data must be kept in a secure location, away from general office space.
h. Data should be regularly backed up in line with the Employer's back-up procedure.
29. Telephone precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
a. the identity of any telephone caller must be verified before any personal information is disclosed;
b. if the caller's identity cannot be verified satisfactorily then they should be asked to put their query in writing;
c. do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer.
30. Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.
31. Additional measures to ensure data security include:
a. deleting correspondence with personal information.
Data impact assessments
32. Some of the processing that the Employer carries out may result in risks to privacy.
33. Where processing would result in a high risk to Staff rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
Data breaches
34. If we discover that there has been a breach of Staff personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.
35. We will record all data breaches regardless of their effect in accordance with our Breach Response Policy.
36. If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures we have taken.
Individual responsibilities
37. Staff are responsible for helping the Employer keep their personal data up to date.
38. Staff should let the Employer know if personal data provided to the Employer changes, eg if you move house or change your bank details.
39. You may have access to the personal data of other Staff members and of our customers in the course of your employment. Where this is the case, the Employer relies on Staff members to help meet its data protection obligations to Staff and to customers.
40. Individuals who have access to personal data are required:
a. to access only personal data that they have authority to access and only for authorised purposes;
b. not to disclose personal data except to individuals (whether inside or outside of the Employer) who have appropriate authorisation;
c. to keep personal data secure (eg by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
d. not to remove personal data, or devices containing or that can be used to access personal data, from the Employer's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
e. not to store personal data on local drives or on personal devices that are used for work purposes.
Training
41. We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
42. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.
Attribution
43. This data protection and data security policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).