The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It protects the personal data of all EU citizens and must be upheld by all organisations worldwide that handle such data. The aim of GDPR is to protect individuals' personal information by ensuring it is held and processed lawfully.
Personal data is defined as any information relating to an identified or identifiable natural person (a natural person who can be identified directly or indirectly). The data applies to both automated data and manual filing systems.
Vinters Ltd, The Maidstone Studios, Vinters Business Park, Maidstone, Kent, ME14 5NZ, respects and is committed to protecting the privacy of all its clients. We can be contacted at this address or by email: firstname.lastname@example.org or tel: +44 1622 524200. If you disagree or are unhappy with the way we handle your personal data and we are unable to resolve your issue, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
We will apply the following principles when collecting data:
- We will only collect data and use this information where we have lawful and legitimate business reasons to do so
- We will be transparent and tell you how we will use your information
- If we have collected your information for a particular purpose, we will not use it for anything else unless you have been informed and, where relevant, your permission obtained
- We will update our records when you inform us that your details have changed and erase or rectify any inaccurate data
- We will implement and adhere to retention policies relating to personal data
- We will ensure that suitable security measures are in place before transferring your data and will ensure that suitable safeguards are in place before personal information is transferred to other countries
The personal data that Vinters holds for its clients is: Name, address, telephone number, email address, IP address and bank or credit card details. This information is needed to enable employees of Vinters to provide a service to its clients and make charges for these services.
Our lawful basis for processing data will be to fulfil our contractual obligations to our clients.
Where we use a third party to process payment information on our behalf, we will only pass the information that is necessary for this purpose. The information will be transferred, processed and stored in a secure way and we will only use companies that are regulated by the Financial Conduct Authority.
Where a third party is used for licensing purposes, we will only pass information that is necessary for this purpose (usually first name and second name). The information will be transferred, processed and stored in a secure way and we will ensure the supplier has the appropriate security measures in place.
As part of our operations and continued availability of service to our clients, we duplicate our client database in Europe and the USA – the data is transferred securely using up-to-date encryption and in accordance with permitted processes for cross border data transfer. We have an Information Security Management System which is accredited under ISO27001 and will ensure that the data centres we use in other countries have equal accreditation.
Vinters will only use the data for the purpose for which it has been provided, i.e. the contract of service – if Vinters wish to use the data in any other way, we will seek consent from you and this consent may be withdrawn by you at any time.
In accordance with GDPR, clients are able to access all of their own personal data. Such a request must be put in writing, and in the majority of cases we will respond within one month. The client can request that any inaccurate personal data is corrected and that incomplete data is completed.
Retention of Data
Vinters will ensure that data is kept in accordance with its data retention policy which can be made available on request. Once the retention period has expired, Vinters will only retain information if there is a compelling reason to do so, otherwise the data will be erased.
In accordance with GDPR, where a breach is likely to result in risk to an individual's rights and freedoms, we will notify the ICO without undue delay and in any event within 72 hours of becoming aware of the breach. We will contact you in the case of a data breach, which is defined as a security incident that has affected the confidentiality, integrity or availability of personal data.