The EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) will apply from 25th May 2018, when it supersedes the UK Data Protection Act 1998 (DPA). The new law brings a 21st-century approach to data protection. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations and businesses to be more accountable for data protection.
“We/Us/Our/My/Me” means Stamping Street, a sole trader and non-VAT-registered business operating in England, whose address is 8 Birch Close, Walmley, Sutton Coldfield, West Midlands, B76 2PF.
How To Contact Us
- Our person responsible for Data Protection matters is Sally Walker, who can be contacted by email at [email protected], by telephone on 07813 060 602, or by post at 8 Birch Close, Sutton Coldfield, West Midlands, B76 2PF, United Kingdom.
Information We Collect and How We Store It
- We rely on a number of legal bases to collect, use and share your information which is necessary to fulfil your order or query, and thus provide our services. We collect information such as your name, gender, email address, telephone number, postal address, payment information, photographs and the details of the product that you wish to order.
- We need to collect your personal information to provide our services, such as fulfilling your order, to settle a dispute or provide customer support.
- All electronic information held is password protected.
- We use service providers to take payments from you (such as PayPal and Create Payments) who are PCI DSS (Payment Card Industry Data Security Standard) compliant. We are PCI DSS compliant, which is a mandatory requirement for any business accepting credit or debit card payments.
- All hard copy, printed personal information, such as your order form, is stored in a locked file which only the Data Controller and Data Processor, Sally Walker, has access to, in a secure location.
- The only personal information that we print is your order form, for the purpose of making your order, and your shipping label, for the purpose of mailing your order. Both prints are mailed to you, the customer, upon completion of your order.
- All customer data is permanently erased from our inbox when no longer required to fulfil your order.
- In the rare event that we do have printed, hard copies of personal information, such as duplicate copies of order forms, these are shredded and disposed of securely.
- Personal information may also be stored securely, in a locked file, in order to comply with our legal obligations for record keeping and tax purposes.
- We are aware that children need particular protection when collecting and processing data as they may not be aware of the risks involved. We take this very seriously. We do not knowingly provide our services or interact with children under the age of 18. If we suspect that an individual is under the age of 18, we will ask for consent from whoever holds parental responsibility for the child, and for good measure, propose offering our services to the guardian as an alternative. If you, as a parent or guardian, discover that your child (under the age of 18) is using our service without your consent, please notify us at [email protected] and we will take the relevant action to ensure the Personal Data, if any, of the child is erased.
Information Sharing and Disclosure
- We do not share personal information unless necessary to fulfil your request.
- Service providers. We engage certain trusted third parties to perform functions and provide services to us, such as delivery companies. We will share your information with these third parties, but only to the extent necessary to perform these services.
- Third parties used by Stamping Street are separate entities from us and will have their own Privacy Policies, which we recommend you view.
- Our website has SSL (Secure Sockets Layer) encryption, which provides protection for data and sensitive information passed between the web server and browser by encrypting it. This makes it less likely for a third party to intercept any information that is sent.
- Business transfers. In the event that I sell or merge my business, I may disclose your information as part of that transaction, only to the extent permitted by law.
- Compliance with laws. We may collect, use, retain, and share your information if we have good faith belief that it is reasonably necessary to: (a) respond to legal process or to government request; (b) enforce our agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of my customers, myself or others.
Transfers Of Personal Information Outside the EU
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for specific situations. A transfer may be made with the individual's consent, and if it is necessary for the performance of a contract between the individual and the business.
- I may store and process your information through third party hosting services such as Etsy, in the US and other jurisdictions. As a result, I may transfer your personal information to a jurisdiction with different data protection laws than your jurisdiction. If I am deemed to transfer information about you outside of the EU, I rely on Direct Consent from you as an individual as the legal basis for the transfer, for example, by placing an order you are entering into a contract with ourselves. Your postal address may be located outside of the EU and you have asked that your order be shipped to said address, giving your consent. It is therefore necessary that I share your personal information with third parties in order to fulfil the contract that we have entered into.
- I do not retain personal information when there is no longer a requirement.
- Limited personal information will be retained for a maximum of 6 years in order to comply with my legal obligations for record keeping and tax purposes.
The Legal Bases I Rely On To Collect, Use And Share Personal Information
Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you or because you have consented to our use of your personal data or because it is in our legitimate interests, including:
- As needed to provide my services, such as when I use your information to fulfil your order, to settle a dispute or to provide customer support.
- When you have provided your affirmative consent, which you may revoke at any time, such as by signing up for my mailing list.
- If necessary to comply with a legal obligation such as retaining information about your purchase if required by tax law.
If you reside in certain territories, including the EU, you have a number of rights in relation to your personal information, such as:
- You may have the right to access and receive a copy of the personal information I hold about you by contacting me using the contact information provided above. Under the GDPR, no fee is payable.
- Change, restrict, delete. You may also have the right to change, restrict my use of, or delete your personal information. You have the right to rectification of any personal data, for example, if any information we hold about you is inaccurate or incomplete. Apart from exceptional circumstances like where I am required to store your data for legal reasons, I will generally delete or amend your personal information upon request. We do not hold data for any longer than is necessary to fulfil your order, but if you would like us to delete your data sooner, please contact us.
- You can object to (i) the processing of some of your information based on legitimate interests and (ii) receiving marketing messages from me after providing your express consent to receive them. In such cases, I will delete your personal information unless I have compelling and legitimate grounds to continue using that information or if it is needed for legal reasons.
- If you reside in the EU and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.