Privacy Policy
Introduction
At Gillman & Soame we take Data Security very seriously. We recognise the importance of ensuring that Personal Data is only collected when it is absolutely necessary, and that it is processed only when we have Legal Basis to do so. We continuously monitor our Procedures and Network to ensure that the environments in which any Data is stored are protected adequately to Industry-recognised standards.
As a valued Customer it is our responsibility to process any Data you provide for us, or that we collect on your behalf, in a secure environment, and use staff who are specifically trained as to the sensitivity of the Data that passes before them in the course of their employment.
Under the General Data Protection Regulation (UK GDPR in the UK and EU GDPR in the EEA (European Economic Area)), we have responsibilities defined for us which we accept and fulfil. In the case of Data provided by you in the course of placing an order, we are the Data Controller, which means that we will make decisions as to how we Process your Data in order to fulfil your order. Subsequently we may contact you to give you the opportunity to make purchases of other Photographs we may have captured of you or your child, and you can choose to unsubscribe from such further contact at any time.
Our Privacy Policy is designed to reassure Website Users, Subscribers and all Customers who make purchases through the Website, that we will only Process your Data when it is necessary, and even then within the most secure physical and electronic environments. In addition to that, the GDPR (UK GDPR in the United Kingdom, EU GDPR in the EEA (European Economic Area)) gives you certain rights, one of which is The Right to be Informed. In line with this Right, this Privacy Notice will inform you of the following:
- The Information we Gather
- Disclosure and Transfer of Personal Information
- Sources and Legal Bases for Processing of Personal Data
- Retention and Deletion of Personal Data
- Your Rights
- How to Contact Us
We review our privacy practices from time to time. To contact us about privacy issues relating to our website, to report a violation of our Privacy Statement, or to raise any other issue, please e-mail us at enquiries@gillmanandsoame.co.uk.
The Information we Gather
We gather two types of information about users:
- Tracking information: Information that is collected about every user of our website, whether such user registers or not, and is automatically gathered using "Cookies." A Cookie is a small bit of data that is written to the user's hard drive by a web server and used to track the pages the user has visited. Cookies do not include personal information about you, rather they are unique to each user, which allows our computers to distinguish between individual users, and personalise your experience if you have previously provided information about yourself. Cookies are only read by the computer that placed them, and cannot execute any code or virus.
- Personal information: Information that relates to an identifiable individual. When a user registers for our website (as is necessary, for example, for a user to make a purchase through our website), the user may be required to provide personal information such as their name and email address, to select a login name and password, and then will be passed on to a payment processing company to securely provide their credit card information (number, type and expiration date), a telephone number and a billing address. If a user prefers to do so, they can talk offline to a customer service representative, providing the required information over the telephone.
Use of the Information:
Tracking Information: We use tracking information in aggregate form to build higher-quality, more useful services by performing statistical analyses of users' activities, and by measuring demographics and interest regarding specific areas of our website.
Personal Information: At registration, and when a user is purchasing goods through our website, we provide notice to the user that personal information will be collected during the registration and/or purchasing process (as applicable). This Privacy Statement itself is also notice that such information is collected.
Your contact details and other data you supply as part of the registration process are stored and processed by us to enable you to access the Services on our website and to provide you with the goods you have purchased or the information you have requested.
If you have provided an address when purchasing goods, our website may automatically fill in that information on a subsequent order form for your purchase of goods. This is simply a convenience - no information is released to anyone unless you authorise its release, such as by clicking a "Submit" button.
We may pass your contact details on only to our chosen delivery companies, for the sole purpose of delivering your order and informing/updating you on the delivery progress of your order.
We will hold your personal information for as long as is necessary to provide excellent service to you in respect of the product you purchase. This is of particular need and importance where similar products are purchased over a number of years and a customer wishes to check the make-up and detail of previous orders.
Disclosure and Transfer of Personal Information
We do not sell, trade or lease the personal information you entrust to us.
The Data we Control is always kept within the British Isles. Data is never transferred outside of geographical Europe.
We use the appropriate security methods to protect the data that resides on our servers. However, no security system is impenetrable. We cannot guarantee the security of our servers, nor can we guarantee that information that users supply will not be intercepted while being transmitted to us over the Internet.
More details about our Security.
We may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
Sources and Legal Bases for Processing of Personal Data
Under the GDPR (UK GDPR (United Kingdom General Data Protection Regulation) in the United Kingdom, EU GDPR (European Union General Data Protection Regulation) in the European Economic Area (EEA)) we are required to provide you with certain information relating to the Data we Process. These are as follows:
- The general categories of personal data that we may process;
- In the case of personal data that we did not obtain directly from you, the source and specific categories of that data;
- The purposes for which we may process personal data; and
- The legal basis of the processing.
When you register an online account with us, such as when you place an order through the website, we ask you for your contact details, including your name, address, telephone number and email address. We may process this data to allow essential functions to include communication with you, ensuring data security, and completing your order(s). There are several Legal Bases for these activities, such as fulfilment of our contract with you, and conducting our Legitimate Business Interest of ensuring good customer service.
We may process data about your use of our website and services, and this may include pages you visit, links you follow and ordering data. This usage data may be processed to analyse the use of the website and services, in order to make improvements, and is made available to us through our Web-Analytics reporting system. The legal basis for this processing is our Legitimate Business Interest of making our website as efficient and effective as possible.
We may process information that you provide to us to send you email notifications and/or newsletters, or to send you special offer emails. The legal basis for this processing is Legitimate Business Interest of generating sales through the website.
Subject data is provided by the School, College or organisation with whom we have a contract. This data is limited only to that which is required in order to sufficiently identify who is contained in the photographs, such as Name, Class, Admission Number and Academic or Boarding House information and so forth. Processing is performed in order to provide the services that the school or organisation have engaged us to perform. The processing is carried out in order to perform our contractual obligation with the School, under our Processing Agreement.
We capture and process Photographs (deemed to be personal data under the GDPR (UK GDPR in the United Kingdom, EU GDPR in the EEA (European Economic Area))) as our central and core service. The photograph data is processed to provide the service we have been contracted to complete. We are engaged to capture the photographs on behalf of the school or organisation, so they need to have a Lawful Basis for the processing. The school or organisation is also responsible to make sure that no one is presented for photography whose preference is that they are not included. Under the GDPR this preference can be expressed by the Parent or Guardian and/or the person themselves if they are 12 or over. All processing carried out by Gillman & Soame as Controllers or Joint Controllers to make the images available for sale to Parents, Pupils or subjects is based on Legitimate Interest.
In addition to the specific information related to Processing noted above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
Retention and Deletion of Personal Data
The GDPR (UK GDPR (United Kingdom General Data Protection Regulation) in the United Kingdom, EU GDPR (European Union General Data Protection Regulation) in the European Economic Area (EEA)) requires us to maintain a Company Policy in relation to how long we keep various categories of personal data.
Personal data is kept for no longer than it is needed in order to serve the purpose for which it was collected.
We do not store Credit Card information on our systems.
A Summary of the length of time we retain different types of information is as follows:
Photographs: These are the intellectual property of The Company, and Copyright on such work lasts for 70 years. We will, therefore, retain Photographs for 70 years. After this point images are reviewed for longer preservation, to assess their Historical Relevance. If they are likely to become valuable Historically, they are added to the Archive.
Order Data: This is kept for 20 years in order to be able to inform you whether or not you have previously ordered a particular photograph(s).
Identification Data (Name, Admission Number and Class, provided by the School or College): This is kept electronically alongside Portraits, and is kept in a secure database - only accessible by authorised Users - for 70 years in line with Copyright, and to ensure that these are made available only to the Subject, or to close relatives of the Subject.
In addition to the specific information related to Retention and Deletion noted above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
Your Rights
The GDPR (UK GDPR (United Kingdom General Data Protection Regulation) in the United Kingdom, EU GDPR (European Union General Data Protection Regulation) in the European Economic Area (EEA)) defines certain Rights that you as a Data Subject may exercise in relation to your Personal Data. In Summary, these Rights are as follows:
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- Rights in Relation to Automated Decision Making and Profiling.
Some of the details of Terms listed above are explained as follows. As some of these terms are complex, this should not be seen as a full explanation, and we certainly recommend that you read information presented by the Regulatory Bodies for further details.
The Right of Access
You have the right to request a copy of the Personal Data we hold, plus Supplementary information, such as whether we are processing your data, along with the reasons. In most cases, as long as the rights of a third party aren't compromised, we will comply with your request within a calendar month.
For clarity, we only hold data necessary to record what you have ordered, to make sure the order gets to you at the correct address, and to contact you about your order, and about potential future orders. We don't collect or store any data which isn't needed for these purposes.
The Right to Rectification
If any data we hold is incorrect, you have a right to request that this is corrected for you.
The Right to Erasure
If you no longer wish us to store or process your Personal data, you have a right to request that any data we hold is erased, or deleted. If you contact us to request a Right to Erasure, we will comply where possible, but there are exceptions, or exclusions to this right. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims. It may also be that the Legitimate Business Interests of the Company would be threatened by the erasure. For these reasons, The Company has the right to reject a request under the Right to Erasure, but we will always explain to you clearly why the decision was taken, and what you can do next.
The Right to Restrict Processing
You may have a reason to request that we do not process your data for a specific period of time. Legal Bases for this could be:
- You contest the accuracy of the personal data.
- Processing is unlawful but you don't want the data to be erased.
- We no longer need the personal data for the purposes of our processing, but you need the personal data for the establishment, exercise or defence of legal claims.
As an alternative to the Right to Erasure, you may wish to request that we do not process your data for a specific period of time. You can make this request under your Right to Restrict Processing.
There are several legal exemptions to the Right to Restrict Processing: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another person; or for reasons of important public interest. It may also be that the Legitimate Business Interests of the Company would be threatened by the restriction. For these reasons, The Company has the right to reject a request under the Right to Restrict Processing, but we will always explain to you clearly why the decision was taken, and what you can do next.
The Right to Object
You have the right to object to our Processing of your data in relation to Marketing. If you object, we will cease to contact you for this reason from the date of your request.
You also have a right to object to our processing of your personal data on grounds relating to your particular situation, but the processing may be necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you exercise your Right to Object, we will cease to process the personal information unless there are legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. It may also be that the Legitimate Business Interests of the Company would be threatened by the objection. For these reasons, The Company has the right to reject a request under the Right to Restrict Processing, but we will always explain to you clearly why the decision was taken, and what you can do next.
Rights in Relation to Automated Decision Making and Profiling.
To the extent that the legal basis for our processing of your personal data is: (a) consent; or (b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state where you normally live, your workplace or the place of the alleged infringement.
If the Lawful Basis for processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal of consent cannot be backdated from the actual date of receipt.
How to Contact Us
If you wish to exercise any of your rights in relation to the data we hold about you, you may do this in writing.
You may also ask us any questions about this Privacy Statement.
You may email us at enquiries@gillmanandsoame.co.uk.
If you would prefer to contact us by Post, please write to:
Data Protection Officer
Gillman & Soame UK Ltd.
Units 7-8 Chancerygate Business Centre
Langford Lane
Kidlington
Oxfordshire
OX5 1FQ
The address above is also our Registered Office address and Principal Place of Business, where we trade as Gillman & Soame UK Ltd., Company Number 04508575.
You can telephone us on 01869 328 200.