Data Protection Statement
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This is a privacy and data protection regulation that is in force throughout the European Union (EU). All EU residents now have greater say over what, how, why, where and when their personal data is used, processed or disposed of. This regulation clarifies how the laws on EU residents’ personal data apply, both internally within the EU and worldwide. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect that data. BPC UK Limited is aware of its role in providing the right procedures and security to support its employees, customers and suppliers and to help meet our GDPR obligations.
To make BPC UK Limited compliant with our obligations under the General Data Protection Regulation, we have taken the following steps:
We have made sure that key people within the company are aware that the law has changed to the GDPR and that they all appreciate the impact this is having on the way we obtain, record, store and distribute individuals’ data throughout the company. We will continue to advise our staff on the GDPR and its impact on the policies, procedures and responsibilities of staff and stakeholders.
- Information That We Hold
We document what personal data we hold, where it comes from and who we may share it with.
- Communicating Privacy Information
- Individuals’ Rights
We have checked our policies to ensure they cover all the rights individuals have, including how we delete personal data or provide data electronically.
- Subject Access Requests
We have updated our policies and have planned how to handle requests for access within the timescales laid out in the regulations and have procedures to provide any additional information.
- Lawful Basis for Processing Personal Data
We have identified the lawful basis for our processing activity as outlined in the GDPR and have acted upon it to restrict the contact with individuals on our database. We have also used this information to delete out of date information.
We have reviewed how we seek, record and manage consent.
We have analysed our systems and company practices and do not store or collect any data related to any persons below 16 years of age.
- Data Protection Managers
We have designated Data Protection Managers to take responsibility for data protection compliance throughout the company.
Under the GDPR you have the right to:
Request copies of your data, rectification of your data and erasure of your data; object to our processing of your data or restrict that processing; and, where our systems allow, receive electronic access to copies of your data in a digital format.
Rectify any errors in information we hold about you and to change or correct any details you have already given us.
See a copy of the information we hold about you. Before we agree to this, you must provide us with sufficient irrefutable evidence of your identity and sufficient details of the information you wish to see to enable us to locate it.
Be removed from any mailing list we hold at any time by contacting us by email at email@example.com or by post to the Data Protection Manager, BPC UK Limited, Aston Way, Moss Side Industrial Park, Leyland PR26 7UX.
Please inform us about changes to your details so that we can keep our records up to date.
We have taken, and will continue to take, steps to ensure that the businesses we work with have suitable security protocols and policies in place to manage and record your data privacy and preferences correctly and that your data is stored securely. The security of your data is paramount.
For the purpose of the General Data Protection Regulation (GDPR), the Data Controller is BPC UK Limited, whose registered address is: Aston Way, Moss Side Industrial Park, Leyland PR26 7UX.
This document provides the policy framework through which effective management of Data Protection can be achieved. The purpose of this policy is to ensure that the Company (BPC UK Ltd) and its staff comply with the relevant regulations and provisions of the General Data Protection Regulation when processing personal data. The policy and its subsequent procedures are designed to ensure that personal data is accurate, fairly obtained or given, and subsequently stored in a secure format and location. Any genuine infringement of the regulations will be treated seriously by the Company and may be considered under the Company disciplinary procedures. This policy applies regardless of where the data is held.
The Company is required to adhere to the principles of data protection as laid down by the regulations. In accordance with those principles personal data shall be:
1.1. Processed fairly and lawfully;
1.2. Processed for specified purposes only;
1.3. Adequate, relevant and not excessive;
1.4. Accurate and up to date;
1.5. Not kept longer than necessary;
1.6. Processed in accordance with data subject rights;
1.7. Processed and held securely;
1.8. Not transferred outside Europe without adequate protection;
1.9. Available for review upon request;
1.10. Removable upon request, if certain criteria are met;
1.11. Controlled and breaches of that data are dealt with correctly.
- Related Documents
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons (EU residents) with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Computer Misuse Act 1990.
The Payment Card Industry Data Security Standard.
- Responsibility & Applicability
3.1 BPC UK Limited responsibilities
As the Data Controller the Company and its directors are responsible for establishing policies and procedures in order to comply with the requirements of the relevant regulations.
3.2 Data Protection Manager Responsibilities
The Data Protection Manager holds responsibility for:
3.2.1. The Company Data Protection Notification. Details of the notification are published on the Information Commissioner’s website. Anyone who is processing, or intends to process, personal data for purposes not included in the notification should seek advice from the Data Protection Manager.
3.2.2. Drawing up guidance, giving advice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information.
3.2.3. The appropriate compliance with data subject access rights and ensuring that data is released in accordance with data subject access legislation.
3.2.4. Ensuring that any data protection breaches are recorded, resolved and reported appropriately in accordance with the guidance from the Information Commissioner’s Office.
3.2.5. Investigating and responding to complaints regarding data protection including requests to remove or stop processing personal data.
3.3 Staff responsibilities
Staff members who process personal data about other staff members, customers and suppliers or any other individual must comply with the requirements of this policy and its related documentation. Staff members must ensure that:
3.3.1. All personal data is kept securely.
3.3.2. No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party.
3.3.3. Personal data is kept in accordance with the Company data protection policy.
3.3.4. Any queries regarding data protection, including data subject access requests and complaints, are promptly directed to the Data Protection Manager.
3.3.5. Any data protection breaches are swiftly brought to the attention of the Data Protection Manager, and that they support the Data Protection Manager in resolving those breaches.
3.3.6. Where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Manager.
3.3.7. Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Manager.
3.4 Third-Party Data Processors
Where external companies are used to process personal data on behalf of the Company, responsibility for the security and appropriate use of that data remains with the Company. Where a third-party data processor is used:
3.4.1. A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data.
3.4.2. Reasonable steps must be taken to ensure that such security measures are in place.
3.4.3. A written contract establishing what personal data will be processed and for what purpose must be set out.
3.4.4. A contract outlining both parties’ responsibilities under the General Data Protection Regulation must be signed by both parties. For further guidance about the use of third-party data processors, please contact the Data Protection Manager.
3.5 Contractors and Short-Term Staff
The Company is responsible for the use made of personal data by anyone working on its behalf. Managers who employ contractors or short-term staff must ensure that they are appropriately vetted for the data they will be processing. In addition, managers should ensure that:
3.5.1. Any personal data collected or processed in the course of work undertaken on the Company’s behalf is kept securely and confidentially.
3.5.2. All personal data is returned to the Company on completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and the Company receives notification in this regard from the contractor or short-term member of staff.
3.5.3. The Company receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the contractor.
3.5.4. Any personal data made available by the Company, or collected in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from the Company.
3.5.5. All practical and reasonable steps are taken to ensure that contractors and short-term staff do not have access to any personal data beyond what is essential for the work to be carried out properly.
3.5.6. A contract outlining both parties’ responsibilities under the General Data Protection Regulation must be signed by both parties.
- How the Company Uses Personal Information and What Personal Information is Recorded
4.1. Order Information
To process your order, we may require your name, billing address, phone number, email address, postal address, bank account details and credit card information. We use this information to process your order and, if any questions should arise, to contact you about your order. We may contact you by email, phone or mail.
4.2. Information From Registration Forms
Our site’s on-line forms and our paper-based order forms require you to give us contact information (such as your name, email address, organisation name, quote address and phone number). Contact information from the registration forms is used to answer questions, send you information or brochures about the Company and its services, quote you pricing and send occasional newsletters. You may opt out of receiving mailshots by using the tick-boxes described below. We may also later use the information to contact you regarding the quote, brochure or information supplied to you.
Our online surveys may ask you for contact information (like email address). Contact information is used to make improvements to our products and service, and to build up bodies of knowledge about effective Internet marketing.
4.4. When Additional Information is Requested
We will try to let you know at the time of collection how we intend to use the personal information you provide, such as responding to your enquiry, accepting an order, conducting a survey or allowing you to access specific information such as account information. We do our best to maintain the accuracy of any personal information you supply to us.
4.5. Updating Your Data
You can help us update and maintain the accuracy of any personal information you supply by notifying us of any changes to your address, title, phone number or e-mail address.
4.6. Information Automatically Logged
We use your IP address to help diagnose problems with our server and to administer our Web site. We also use this information to help us to make using our web site easier and more enjoyable.
4.7. Web Site Data
In almost all cases, when you go to a web site, the web server logs your interaction with the site in what is called a log file. Standard log files like ours contain basic information such as which pages were viewed, at what time, and the IP address of the visitor. We use this information to analyse trends, administer the site, track users’ movements and gather broad demographic information for aggregate use. We make no effort to identify IP addresses with individual users.
4.8. The Company is Responsible for, and May Use, Personal Information as Follows:
4.8.1. to maintain our business relationships;
4.8.2. to process orders and provide agreed goods and services;
4.8.3. for invoicing, processing payments, account set up and maintenance;
4.8.4. to communicate, including to respond to information requests and enquiries submitted and/or to obtain feedback on our products and services;
4.8.5. for record keeping, statistical analysis and internal reporting and research purposes;
4.8.6. to ensure data security;
4.8.7. to notify about changes to our products and services;
4.8.8. to decide on and notify about price changes;
4.8.9. to monitor the quality of our products and services;
4.8.10. for logistical purposes, including to plan and log delivery information;
4.8.11. to investigate and resolve any complaints that are made;
4.8.12. to provide evidence in a dispute;
4.8.13. as we may otherwise consider necessary to obtain credit references, credit checks and for debt collection, fraud detection and prevention and risk management purposes;
4.8.14. to answer your questions;
4.8.15. to send you newsletters and mailshots on BPC UK Limited products and services, either by post, fax or email;
4.8.16. to contact you if you have requested pricing or brochures, or if you have received a quotation from us.
4.9. Sharing Your Information or Allowing Your Information to be Used by Other Companies
Your information will not be shared with individuals or other companies except in the following circumstances:
4.9.1. To third parties that are involved in the processing of your order, for delivering specific services to you (for example, the financial institution that issued your credit card, the company that prepares your printing plate or the delivery service that delivers your order).
4.9.2. Where we forward your information to one of our distributors so that they can handle your enquiry.
4.9.3. Where you have asked us for information on products and/or services which we cannot provide, we may forward your information to other companies in order that they can help you. This is an unusual situation and usually, we will notify you of this.
4.9.4. Where BPC UK Limited is sold to, or buys, another company, your information will be shared with this company.
4.9.5. In some circumstances, for email contact and notifications, a third party processor may be used for the distribution. In these circumstances we would only use a highly reputable company with a proven track record, robust privacy policies and security procedures in place.
4.9.6. Unless required by law.
4.10. Protecting Your Privacy, If You Wish
Options exist that allow you specifically to opt out of receiving any mailshots from the Company.
If you do opt to receive one of our email newsletters or other online publications, these will always contain information on how you may apply to stop receiving them.
By ticking the box, you agree to the conditions listed. If you uncheck the box, you will not be contacted by BPC UK Limited for any reason and we may not be able to trade with you.
- Data Subject Access Requests
The Company is required to permit individuals (Data Subjects) to access their own personal data held by the Company via a data subject access request. Any EU Citizen may exercise this right and should do so in writing to the Data Protection Manager; a charge may be made for this request.
5.1. The Company aims to comply with a data subject access request as quickly as possible, but will ensure that it is provided within the 40 calendar day limit as set out in the regulations.
5.2. Individuals will not be entitled to access information to which any of the exemptions in the regulations apply. However, only those specific pieces of information to which the exemption applies will be withheld and determining the application of exemptions will be made by the Data Protection Manager.
5.3. The Company currently charges £10 to make a data subject access request.
5.4. The Company has the right to ask for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
5.5. Before responding to a subject access request, the Data Protection Manager may be required to ask for information that allows for the accurate retrieval of the specific personal data covered by the request.
- The Right to Erasure
The regulations introduce a right for individuals to have personal data erased; this is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g. where we need to use the information in defence of a legal claim. Individuals have the right to have their data ‘erased’ in certain specified situations – in essence where the processing fails to satisfy the requirements of the GDPR. The right can be exercised against controllers, who must respond without undue delay (and in any event within one month, although this can be extended in difficult cases). The Company aims to comply with an individual’s right to erasure of the data we store about them if this does not conflict with the legal basis for processing and Legitimate Interests Assessment. The right applies in the following cases:
6.1. When the data is no longer necessary for the purpose for which it was collected or processed.
6.2. Individuals can require data to be ‘erased’ when there is a problem with the underlying legality of the processing or where they withdraw consent.
6.3. For processing based on legitimate interests, where the individual objects and withdraws consent to processing and the Data Controller cannot demonstrate that there are overriding legitimate grounds for the processing.
6.4. When we have processed the personal data for direct marketing purposes and the individual objects to that processing.
6.5. When the data retained is otherwise unlawfully processed (i.e. in some way which is otherwise in breach of the GDPR).
6.6. Where we have to erase the data to comply with a legal obligation.
6.7. In addition to creating the right to be forgotten, Article 17 restricts the use of people’s personal data to the original purpose for which it was collected. If we wanted to process or use the data in any other way, we must get the individual’s fresh, clear consent.
6.8. Where the Data Controller has made personal data public, and where it is obliged to erase the data, the Data Controller must also inform other controllers who are processing the data that the data subject has requested erasure of the data. The Company has an obligation to take reasonable steps to achieve this but it may not be possible to erase all available data in the public domain.
6.9. Right to restriction of processing
This right gives an individual an alternative to requiring data to be erased; it also allows the individual to require data to be held in limbo whilst other challenges are resolved.
6.9.1. The individual can require the Data Controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.
6.9.2. Measures will be taken to make the data unavailable to users and to make sure that no further processing can be allowed to take place with the data.
- Legal Basis for Processing and Legitimate Interests Assessment
The terms of the legal basis we rely on to process your personal information, and the Legitimate Interests Assessment details are as follows:
7.1 The contacts on the Company database are business customers. All customers have always had the option of unsubscribing from our emails. We will keep Company-based personal details in the following circumstances:
7.1.1. If the person has an account with us. This means that they’ve purchased from us in the past and have a commercial interest in our products.
7.1.2. If the person has had a quote from us in the last 9 years (this also invokes the lawful basis of ‘Contracts’ for data processing).
7.1.3. If the person has had a proforma from us in the last 9 years (this also invokes the lawful basis of ‘Contracts’ for data processing).
7.1.4. If the person has provided us with their details (either as a business card or badge-scan) at a trade show or business meeting in the last 5 years. We have a record of the source of this data and can use it to evidence a legitimate interest in the Company.
7.1.5. If the person is from a business supplier to the Company.
7.1.6. If the person is a ‘marketing’ contact: either a business supplier interested in us, or an editor with a professional interest in our Company and our products.
7.1.7. If the person does not live in the UK or Europe.
7.2 Purpose Test: The interests are legitimate for us in terms of continuing business with a customer, or a person who has asked for a quote/proforma, or who has contacted us with an enquiry. Because the customer is a business customer, this is also legitimate for them, since contact with the Company is part of their normal day-to-day business activity.
7.4 Balancing Test: This is the act of considering the interests of the Company versus those of the customer and considering the relationship with the client. In the cases above, the customer’s business is reliant on the information and products that we’re providing. Usually we’re working closely with customers. None of the data is particularly sensitive and there would be an expectation from them that the data that they receive from us is appropriate and timely. Their personal data is never sold on, so they would never receive inappropriate content or marketing from sources that they’re unaware of, or not interested in. There is always an option to opt-out of emails and communications that are sent.
- Information Security
The objective of the Company Information Security Policy is to ensure that all data and information contained in the information systems, on which the Company depends, are adequately protected. Achieving this depends on staff working diligently in accordance with these policy guidelines.
8.1 The Company Information Security Policy requirements and recommendations are to:
8.1.1. Ensure that all persons referred to within section 3, (Responsibility and Applicability) understand their own responsibilities, for protecting the confidentiality and integrity of the data that they handle.
8.1.2. Ensure that all information and information systems under the Company control are protected to the appropriate level.
8.1.3. Ensure that all users are aware of, and comply with, this policy including sub-policies and all current and relevant UK and EU legislation.
8.1.4. Provide a safe and secure information systems environment for all staff and any other authorised users.
8.1.5. Protect the Company from liability or damage through the misuse of information or information systems.
8.1.6. Ensure that all confidential information is protected from unauthorised access.
8.1.7. Ensure that appropriate measures are taken to manage risks to the availability of information.
8.1.8. Ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required.
8.2 Storage Criteria for Electronic Data
8.2.1. All internal data is protected by hardware firewalls and filters, dedicated anti-virus and intrusion scanning and an enhanced Windows domain security policy.
8.2.2. Any customer data taken off site is securely protected with 256-bit AES (XTS mode) with HMAC-SHA-512 encryption.
8.3 Web Data Security
8.3.1. The Company web site has security measures in place to protect against the loss, misuse and alteration of the information under our control.
8.3.2. The Company is committed to taking reasonable steps to protect the individual identifying information that you provide. When our registration/order form asks users to enter sensitive information (such as credit card number), that information is encrypted.
8.3.3. While on a secure page, such as our payment form, the lock icon at the bottom of Web browsers such as Netscape Navigator and Microsoft Internet Explorer becomes locked, as opposed to unlocked, or open, when you are just ‘surfing/browsing’. This is your assurance that our site is authentic and that we’re employing SSL security.
8.3.4. You can check this security protection setting within your browser. To ensure you have the most protection available, be sure to download the latest version of today’s most popular browsers. For more information, contact your browser’s publisher.
8.4 Web Site External Links
Our Web site may provide links to third party sites. Please be aware that the Company is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects personally identifiable information. This privacy statement applies solely to information collected by this site.
- Data Protection Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. Where a Data Protection breach occurs, or is suspected, it should be reported immediately in accordance with the Data Security Breach Incident Management Procedure which states:
9.1. Confirmed or suspected data security breaches should be reported promptly to the Data Protection Manager as the primary point of contact either by email or post.
9.2. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
9.3. The Data Protection Manager must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it.
- Updating this Policy
Queries regarding this policy, or the implications of our implementation of the General Data Protection Regulation, should be directed to the Data Protection Manager by email at firstname.lastname@example.org or by post to the Data Protection Manager, Aston Way, Moss Side Industrial Park, Leyland PR26 7UX.