The Company takes the security and privacy of your data seriously. We need to collect, store, and use information or ‘data’ about employees, customers, suppliers, and other interested parties as part of our business operations. Data protection in the UK is governed by the Data Protection Act 2018 (Act) and the EU General Data Protection Regulation. The latter is commonly referred to as GDPR. For the purposes of this policy, the Act, GDPR and any other law introduced in the UK regarding data protection are collectively referred to as Data Protection Legislation. We are committed to complying with our legal obligations under Data Protection Legislation.
This policy explains how the Company will hold and process your personal or company data, and your rights under the Data Protection Legislation to manage the collection, storage, and disposal of this information. It also sets out your obligations when obtaining, handling, processing, or storing personal data while working for or interacting with the Company.
Scope and Applicability
This policy applies to eligible individuals of the Act working for or on behalf of the Company at all levels and grades, whether permanent, fixed term or temporary, and wherever located, including consultants, contractors, seconded staff, casual staff, agency staff, volunteers and agents (hereafter called workers).
This policy applies also to customers, potential customers, suppliers, service providers, regulatory bodies and associations, and compliance organisations.
What personal data might you supply to us, and how and why do we process your personal data?
‘Processing’ means any operation performed on personal data, such as:
• collection, recording, organisation, structuring or storage.
• adaptation or alteration.
• retrieval, consultation, or use.
• disclosure by transmission, dissemination or otherwise making available.
• alignment or combination; and
• restriction, destruction, or erasure.
Customer Account information
Information about you which relates to customers, or customers’ accounts with us. This information may include employee names, email addresses, delivery addresses, telephone, and mobile numbers. We will process this data to maintain your account with us, to provide our services to you, to communicate with you and to back up our database. This is to ensure the proper administration of your account and our business (our legitimate interest) and, where you have entered into a contract with us, for the purposes of fulfilling our contract with you.
Registration Information: Information you provide when making an enquiry in relation to our products and/or services, and when a problem is reported with our website. The information may include your names, e-mail addresses and phone numbers.
We will process this data so we can deal with registrations, communications, applications, or to address queries or concerns.
We process this data to ensure the proper administration of registrations and our business communication processes.
Transaction Data: The purchase of products and/or services from us will require certain information to support the effective supply of those products or services. This information may include names, purchaser contact details, payee banking details, credit checking verifications by prior arrangement, and other information relevant to your transaction.
We will process that data to fulfil any contractual obligations and to complete any financial transactions. This data is tightly controlled with our highest regard for information and data security but is vital to ensure our business can legitimately operate.
Communication Data: If you communicate with us, we may process, store, or review the information contained in your communication. This information may include names and contact information, the content of any direct communication, and any relevant metadata our website generates where customers communicate with us using the contact form available on our website.
We will process that information so we can effectively correspond with customers and keep records of such correspondence. This is to ensure the proper administration of our business, to improve our services, and to ensure customers have the best experience when dealing with us.
Notification Data: Where goods or services have been purchased from us, or where we receive subscription requests for email notifications and/or newsletters, we process data such as names, company information, e-mail addresses, postal addresses, and what type of information has been requested.
We process this data so that we can send email notifications and/or newsletters to you. The legal basis for us processing this data is that you have consented to such processing. If you prefer not to receive such communications, please contact us using the details below or use the unsubscribe option on the email notifications.
Regulatory Data: We may process your data if we need to comply with our legal and/or regulatory obligations. This data may include names, contact details, company information, addresses, and details of our connection or relationship with individuals or businesses.
The reason we will process such data is to protect the vital interests of our business and of our customers, adhere to our legal obligations, and ensure our compliance obligations and requirements are met in full.
During each of your visits to our website we will automatically collect the following information:
• Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, login information, browser type and version, time zone settings, browser plug-in types and versions, operating systems, and operating platforms. We obtain this data through our analytics tracking system (Google Analytics). We process this data so we can monitor and analyse how our website is used so we can improve our website and our services.
• Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including dates and times), products viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page. We process this data so we can monitor and analyse how our website is used so we can improve our website and our services.
Information we receive from other sources
This is information we receive about you from 3rd parties, such as credit reference agencies, search information providers, payment and delivery services, and analytics providers. Those organisations will have their own privacy policies detailing how they process personal data, and we will adhere to their Data Protection rules alongside our own. 3rd party data will always be handled sensitively and securely in accordance with our data protection policy.
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Disclosure of your customers’ personal data to others
We may need to share your personal information with certain selected third parties including:
• Our business partners, suppliers, and sub-contractors for the purpose of fulfilling any contract we have with you or them. We use 3rd party companies to process your personal data so we may deliver products to you.
• Analytics and search engine providers that assist us in the improvement and optimisation of our website.
• Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering a contract with you.
• If we sell or buy any business or assets, in which case we may need to disclose certain personal data to the prospective seller or buyer.
• If all or most of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
• If we are under a duty to disclose or share your personal data to comply with any legal obligation, to enforce any legal agreements we have, to protect our rights or property, and for the safety of our business, our customers, or other interested parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
IP Surfaces Employee Data
The Company will collect and use the following categories of personal data:
• recruitment information: e.g., application form, CV, references, qualifications, and professional memberships.
• your title, name, and date of birth.
• your contact details and those for your emergency contacts.
• your gender.
• your marital status and family details.
• information about your contract of employment (or services) e.g., start and end dates of employment, role, and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits, and holiday entitlement.
• bank details and information in relation to your tax status including your national insurance number.
• identification documents e.g., passport and driving licence and information in relation to your immigration status and right to work for us.
• information relating to disciplinary or grievance investigations and proceedings.
• information relating to your performance and behaviour at work.
• training records.
• electronic information in relation to your use of IT systems/swipe cards/telephone systems.
• your images (whether captured on CCTV, by photograph or video).
• any other category of personal data of which we may notify you from time to time.
Under Data Protection Legislation, we may only process employees’ personal data for legally recognised purposes, such as:
• Performing or fulfilling the contract of employment, or any contract for personal services between us.
• Complying with any legal obligation.
• If it is necessary for our legitimate interests or for the legitimate interests of someone else.
We will only process such data for certain purposes and in accordance with the law. We may do so if we have your explicit consent and in the following circumstances:
• where it is necessary for carrying out rights and obligations under employment law.
• where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent.
• where you have made the data public.
• where necessary for the establishment, exercise, or defence of legal claims.
• where necessary for the purposes of occupational medicine or for the assessment of your working capacity.
We do not need your consent to process your personal data for these purposes. However, we will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide us with certain personal data you should be aware that we may not be able to carry out the contract between us properly. For example, if you do not provide us with personal data relating to any long-term health condition, we may not be able to make reasonable adjustments in relation to any disability from which you may suffer.
Employee Special Category Data
We also process “special category” data. The types we process are as follows:
• your racial or ethnic origin.
• your political opinions.
• your religious or philosophical beliefs.
• your sexual orientation*.
• trade union membership.
• your health.
Employees can make a ‘subject access request’ (‘SAR’) in writing to find out the information we hold about them. If you would like to make a SAR in relation to your own personal data, you should make this in writing to the HR Manager. We will respond within one month unless the request is complex or onerous, in which case the period in which we must respond can be extended by a further two months, but this will be communicated to you.
Storage of Data
We will always try to ensure that your personal data is processed within the European Economic Area to ensure the data is covered by European Union GDPR legislation. In some circumstances where it is necessary for us to transfer your personal data outside the European Economic Area, we will only transfer such personal data to third parties where we have carried out due diligence on such third parties to ensure they will protect your personal data using similar standards and safeguards as we expect.
We also have contractual provisions in place with such third parties to ensure your personal data is protected, based on the standard contractual clauses approved by the European Commission and/or the UK Government. You consent to the transfer of your personal data outside of the EEA, where we comply with these requirements.
All information you provide to us is stored on our secure servers, which are managed by a certified and authorised IT support partner, which specialises in the security of our technological infrastructure and business information. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, and we will maintain appropriate technical and organisational measures to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Deletion of personal data
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, which will include satisfying any legal, accounting, or reporting requirements. Any personal data that we process will be deleted from our systems once we have completed the purpose for which we were processing the data. In some cases, this may last for a considerable period, for example, if you are a long-term customer of ours, we will need to store your data until our relationship with you comes to an end.
To determine the appropriate retention period for personal data, we consider: the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal requirements. We will take into consideration several factors such as your relationship with us, your engagement with us, and the fulfilment of contracts we have with you. We may need to retain your personal data where this is necessary to comply with our legal or regulatory obligations, or to protect your vital interests or the vital interests of other persons.
Under data protection laws you have the following fundamental rights:
• The right to access the personal data we hold about you.
• The right to have your personal data corrected if there are errors or inaccuracies in it, or your personal data is incomplete. If you think that any data we hold about you is incorrect or inaccurate, you can contact us at email@example.com to help us correct this.
• The right to restrict the processing we carry out in relation to your personal data.
• The right to object to the processing we carry out in relation to your personal data.
• The right to have the personal data we hold about you provided to you in a useable format.
• The right to complain to a supervisory authority (in the UK this is the Information Commissioner’s Office) about how and/or why we are processing your personal data.
• The right to tell us you no longer consent to us processing your personal data. In practice you will usually agree in advance to us using your personal data for marketing purposes and if you no longer wish us to use your data you can opt out of receiving such marketing messages at any time. You can do this either by unsubscribing from the marketing messages we send you, notifying us in writing at firstname.lastname@example.org or updating your marketing preferences on our website (ipsurfaces.co.uk).
• The right to ask us to provide you with details of any personal data we hold about you. You do not have to pay us a fee to access your personal data unless we believe your access request is unfounded, repetitive, or excessive. In this case we may charge you a reasonable fee to access your personal data or we may decide not to comply with your request. We will notify you if this is the case. We will require evidence of your identity before we respond to your request.
We have appropriate security measures in place to prevent personal information from being accidentally lost or from being used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Information about us