We are sMASHing Supplies Ltd, company registration number 4849414 and registered address Unit 42 Basepoint Business Centre, Lincoln Road, High Wycombe, Buckinghamshire, HP12 3RL
Our Data Protection Controller can be contacted at firstname.lastname@example.org
We have produced this privacy notice in order to keep you informed of how we handle your personal data. All handling of your personal data is done in compliance with the General Data Protection Regulation (EU) 2016/679 (“Data Protection Legislation”).
Your rights under Data Protection Legislation include:
The right to be informed of how your Personal Data is used (through this notice)
The right to access any personal data held about you
The right to withdraw consent at any time, by emailing email@example.com
The right to rectify any inaccurate or incomplete personal data held about you
The right to erasure where it cannot be justified that the information held satisfies any of the criteria outlined in this policy, or where you have withdrawn consent
The right to prevent processing for direct marketing purposes, scientific/historical research or in any such way that is likely to cause substantial damage to you or another, including through profile building
The right to object to processing that results in decisions being made about you by automated processes and prevent those decisions being enacted.
Who is a Data Controller?
If we have collected your personal data directly from you for our own purposes, we are the Data Controller.
If we have purchased your personal data from a third-party for our own purposes, we are the Data Controller. Where we have purchased your personal data, we will contact you to let you know before we first start to use it, or, at the latest, within one month of acquiring it.
If we have been passed your personal data from a third-party for our own purposes, we are the Data Controller. We will inform you of this before first using it, or, at the latest, within one month of acquiring it.
If we have been passed your personal data from a third-party for a joint purpose that we both influence, we are the joint Data Controller. We will inform you of this before first using it, or, at the latest, within one month of acquiring it.
If your data has been passed to us by a third party for processing under their instruction, that third party is the Data Controller. They should have notified you that they would be passing your personal data to us, sMASHing Supplies Ltd, at the time they collected your data and within their own privacy notices/standards. For a list of Data Controllers that we process personal data for, the section below ‘Third Party Interests’.
If we have received your personal data as part of a business to business relationship, the Data Controller is your employer.
What are the lawful bases for processing personal data?
Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are outlined in Article 6, Section 1 of the GDPR.
This legislation covers:
- Your Consent
- Performance of a contract
- Compliance with a legal obligation
- Protection of your, or another’s vital interests
- Public interest/official authority
- Our legitimate interests
About our processing of your data
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The personal identity date we may collect, use, store and transfer about you include first name, maiden name, last name, username or similar identifier, marital status and title.
Contact Data we collect includes billing address, delivery address, email address and telephone numbers.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Direct marketing to former, current and prospective clients. This processing is conducted lawfully on the basis of ‘our legitimate interests’.
To combat fraud, we share information of clients who instruct the payment issuer to cancel payments to us without first informing us of why and/or allowing us the opportunity to issue a refund with credit reference agencies. This processing is conducted lawfully on the basis of ‘protection of your, or another’s vital interests’.
We require certain information about you in order to instruct our payments processor to take payment from you and transfer it to us. We do not retain any payment card information apart from our card terminal payment receipt.
This processing is conducted lawfully on the basis of ‘performance of a contract’.
We might record calls for training and/or auditing purposes. We also collect Calling Line Identification information. This is used to help improve the efficiency and accountability of our customer services. This processing is conducted lawfully on the basis of ‘our legitimate interests’.
Email and Web Contact Identity Data
If you contact us through our website or by email, we will use the information you send in order to respond to your enquiry or complaint. This information will be kept in order to improve our service to you. This processing is conducted lawfully on the basis of ‘our legitimate interests’.
Marketing and Communications Data
If you make a purchase with us, we will add your contact information to our marketing list and send you information we think you might be interested in. This processing is conducted lawfully on the basis of ‘our legitimate interests’.
Cookies are small text files that are placed on your computer’s hard drive through your web browser when you visit any website. Cookies are used to enhance your user experience and do not collect personal data.
What happens if I refuse to give sMASHing Supplies Ltd my personal data?
The information about you that we have collected for the performance of our contracts is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we will not be able to enter into a contract with you to provide the services we offer. If we are already processing your personal information under a contract, you must end our contractual relationship (as/where permitted) in order to exercise some of your rights.
We process some personal information as part of a contractual relationship with a Data Controller. Any requests to restrict this type of processing should be forwarded to the Data Controller; they will be responsible for discussing your concerns and making any decisions.
What are sMASHING Supplies Ltd’s legitimate interests?
Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest.
How long will your personal data be kept?
sMASHing Supplies Ltd holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold.
If ‘consent’ is the basis for our lawful processing of your data, we will retain your data so long as both the purpose for which it was collected and your consent, are still valid. We review the status of your consent every twelve (12) months and treat non-response to our requests for renewal of consent as if they were your request to withdraw consent. Occasionally, we might identify a legitimate interest in retaining some of your personal data that has been obtained by consent. If we do, we will inform you that we intend to retain it under these conditions and identify the interest specifically.
If we process your data on the basis of ‘legitimate interests’, we will retain your data for so long as the purpose for which it is processed remains active. We review the status of our legitimate interests every twelve (12) months and will update this notice whenever we determine that either a legitimate interest no longer exists or that a new one has been found.
All categories of personal data that are held by us because they are essential for the performance of a contract, will be held for a period of six years, as determined by reference to the Limitations Act 1980, for the purposes of exercising or defending legal claims.
Who else will receive your personal data?
sMASHing Supplies Ltd may pass your data to the third parties for the sole purposes of providing our services to you, and for no other purpose.
Third Party Interests
For the purposes of carrying out our process and fulfilling our services to you, we may pass your data to the following businesses we engage:
Website and Email Hosting Services
Call Handling Services
Credit Card Processing
Credit Referencing Agencies
Credit/Debt Control Agencies
Courier and Delivery Contractors
You may request which specific companies we have shared your data with by contacting our Data Controller.
Third party websites
Our website may provide links to our suppliers, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our website.
In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.
In addition to sending us your complaints directly to firstname.lastname@example.org, you can send complaints to the Information Commissioner’s Office. If you believe that we have failed in our compliance with data protection legislation, complaints to this authority can be made by visiting https://ico.org.uk/concerns/.