Jaymic Ltd General Data Protection Regulation (GDPR) Policy
Policy created and managed by Peter Moore, acting Data Protection Officer, on behalf of Jaymic Ltd. This policy was created on 25/05/2018 and last reviewed on 06/06/2018. A review of the policy is scheduled for 25/05/2019.
Jaymic Ltd require specific personal data from our website users and also customers who shop with us by telephone, email, post, social media (such as Facebook, Instagram or Twitter) or in person. We only collect data which is required to efficiently deal with orders and enquiries, and most of this data needs to be stored for future reference and to meet our accounting and taxation recording obligations.
Jaymic Ltd is considered a “data controller” by the GDPR legislation, which means that we collect your personal data for legitimate reasons (these are documented below), and we may also need to supply some or all of this data to other parties in order to complete orders and enquiries. Again, details of what data is held and why, and who it may be shared with and why, are given below. As we are considered a small or medium sized enterprise (SME) we are not obliged to have a specific data protection officer, but the member of staff directly responsible for the accuracy and implementation of our GDPR policy is Peter Moore, who can be contacted either by email, telephone, post, social media or in person via the usual Jaymic Ltd contact channels.
Please carefully read through the following information about our GDPR policy, as it explains the specific details of what information we keep about you. It also contains information about your rights regarding how this data is used, stored and deleted, and about any other companies or individuals who we may need to share some or all of this data with and why.
Explanation of Terms used in this policy:
Jaymic Ltd is referred to as “us”, “we” or “Jaymic Ltd”, and customers and other website users are referred to as “you”, “the customer” or “website user”. The Information Commissioner's Office will either be referred to in full or by its commonly used acronym, the ICO. The ICO is the government entity responsible for dealing with any complaints related to the use of personal data in the United Kingdom of Great Britain and Northern Ireland under the current data protection legislation. Further details of the ICO can be found on their website ICO.ORG.UK
If you are located in a European Union territory other than the UK then please refer to your own country's government body responsible for enforcement of the GDPR.
1: Personal Data We Hold About You:
We hold the following information about you in our customer records:
Your address – both your main billing address and any other addresses which have been used for deliveries.
Your telephone number if this has been provided.
Your email address if this has been provided. Please be aware that email addresses are essential for placing orders through our website.
The registration number and VIN for your vehicle (or vehicles) if these have been provided to us.
A complete record of all orders placed with us (sales history) and any subsequent returns or credits.
A complete history of payments made to us, as well as the means by which the payment was made (for example by card, bank account transfer or Paypal), and also any refunds and the means by which the refund was made.
If you have communicated with us by email then we will also have access to emails you have sent us or that we have sent to you, except in cases where these have been deleted for security reasons or where they have been deleted upon request of yourself or a member of Jaymic's staff.
2: Who We Share Your Personal Data With And Why:
We are often required to share some of this data with other companies, individuals or entities in order to complete an order or to answer an enquiry. These other entities, and the information we share with them, are:
TNT: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to TNT. Specifically your name, address, email address and telephone number. Further information on TNT's GDPR policies can be found on their website.
DHL: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to DHL. Specifically your name, address, email address and telephone number. Further information on DHL's GDPR policies can be found on their website.
UPS: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to UPS. Specifically your name, address, email address and telephone number. Further information on UPS' GDPR policies can be found on their website.
Fedex: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to Fedex. Specifically your name, address, email address and telephone number. Further information on Fedex's GDPR policies can be found on their website.
Parcelforce: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to Parcelforce. Specifically your name, address, email address and telephone number. Further information on Parcelforce's GDPR policies can be found on their website.
UKMail: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to UKMail. Specifically your name, address, email address and telephone number. Further information on UKMail's GDPR policies can be found on their website.
Royal Mail: In order to facilitate delivery of orders or in some circumstances to facilitate returns we may have to provide information to The Royal Mail (also known as the Post Office). Specifically your name and address. Further information on Royal Mail's GDPR policies can be found on their website.
Worldpay: We use Worldpay to process all of our direct credit and debit card transactions, in order to receive payments and in some cases to make refunds. Worldpay require your name and billing address, as well as contact information which may be your telephone number, email address or both. They also require specific information from your payment card in order to process payments. This will be the main card number, expiry date and security code. They may also require a card issue number and/or a card start date in some cases. Further information on Worldpay's GDPR policies can be found on their website.
Paypal: We use Paypal as an option for making payments to us, both for website orders and as an option for telephone or email orders. We also use Paypal for making refunds in some cases. We do not directly provide Paypal with any information from your debit or credit card, but in order to use Paypal to make a payment you may be required to enter information from your payment card yourself. This will be the main card number, expiry date and security code. They may also require a card issue number and/or a card start date in some cases. Paypal will also require your billing address in most cases, unless you already have an existing account with Paypal. Further information on Paypal's GDPR policies can be found on their website.
3: Retention of Personal Data:
Your personal data is usually stored indefinitely by us. This may seem excessive, but we have many customers who may not need to contact us or place an order very frequently and may not have instant access to their sales records. We are also obliged to keep full records for at least six years from the end of the tax year following the order. This is mainly for taxation and legal reasons, but is also useful for you as it means we have easy access to information about previous orders or enquiries. You are legally entitled under the new GDPR legislation to request that your personal information is deleted, other than where this clashes with the overriding legal or taxation obligations stated above. In some circumstances we are able to refuse to delete this information, but the full reasons for this can always be provided.
Credit or debit card information is not held after sales are made, other than where a product or products have been ordered but there will be a delay between the act of ordering and the processing of the payment and dispatch of the order, for example if you want to order a part which is not currently in stock and it needs to be ordered from one of our suppliers. In this case the card information is held securely until we are ready to process the payment and complete the order.
If you feel that your personal data has been misused or compromised in any way you are entitled to contact the relevant legal authority to investigate or to make a complaint. For the UK this is currently the Information Commissioner's Office, more commonly referred to as the ICO.
4: Your Individual Rights under the GDPR legislation
The GDPR legislation ensures that you have certain rights when dealing with a company in the UK, or elsewhere in the European Union. These specific rights are detailed below:
4a: The Right to Be Informed:
You have the right to be informed about what personal data we hold about you, why we hold this data and how we use this data. This information can be found above in sections 1, 2 and 3.
4b: The Right to Access:
You have the right to access any and all personal data we hold about you. If you wish to see this data we are legally obliged to provide it to you in a common machine readable format. In most cases this will be a combination of spreadsheets (for example a CSV or XLS file), Adobe Acrobat text and image files (known as PDFs), email such as EML files or simple text documents (TXT or DOC files). We must provide this information within one calendar month of your request. The information must be provided free of charge, except where it is apparent that excessive or malicious requests are being made, in which case a reasonable fee based on the administration time required may be charged.
4c: The Right To Rectification:
You have the right to demand that any incorrect personal information we hold about you is corrected. We are obliged to make these corrections within one calendar month of receiving your demand. In most circumstances you may also demand that these changes are passed on to anyone we have shared the incorrect data with (please refer to section 2 above for further information about who we may share your data with and why).
4d: The Right To Erasure:
Where there is no legitimate reason for us to store your personal data you have the right to request that it is erased. If you request erasure of your data then we are obliged to comply with the request within one calendar month. If we are of the opinion that there is a legitimate reason for us to refuse your request we are obliged to explain why. You also have the right to contact the ICO or your relevant local authority to complain or protest if we refuse your request or do not comply within the required time period.
4e: The Right to Restrict Processing:
You have the right to request that we restrict processing of your personal data in cases where you object to the way it is being used, or if you consider it to be incorrect. By “restricting processing” we mean not using your data to process orders or enquiries, and not providing it to any additional parties such as one of our delivery agents (please see section 2 above for information about who our delivery agents are and what information is provided to them). If we need to restrict processing of your data this will be for a fixed period, most likely one calendar month from the date we receive the request, during which time the reasons for the restriction will be corrected if we deem it necessary to do so. As always you have the right to contest or complain about this to the ICO or your relevant regional authority.
4f: The Right To Data Portability
You have the right to have any personal data you have provided to us made available to you in a portable format in order for you to provide this data to other data controllers or processors. We are obliged to provide this within one calendar month of you making the request. This right does not extend to any personal data we hold which has not been directly provided by you, such as sales or revenue forecasts, and also does not apply to data provided which has already been erased (such as payment card information).
4g: The Right to Objection:
You have the right to object to how your data has been used if you believe that it has been misused or used incorrectly. Another major part of the right to objection is that you have the right to refuse direct marketing (such as an email newsletter or text message) even if you have previously authorised us to contact you for direct marketing purposes. If you request that we desist from contacting you with direct marketing then we are obliged to cease this as immediately as possible. The last part of the right to objection is that you have the right not to be subjected to automated decision making based on data you have provided, which includes specific profiling of you made by automated means. For the record Jaymic Ltd do not currently use any form of customer profiling or automated decision making.
When you register with our website or contact us by telephone, email, post, via social media or in person we consider this to be a declaration of your consent for us to contact you and to retain some or all of the personal data listed above in section 1. This is not taken as implied consent for any direct marketing approaches, consent for which must be specifically given to us.
6: Data Breaches:
We are obliged to have in place procedures for detecting, investigating and reporting any potential data breaches. We are obliged to notify the ICO and any affected individuals if we consider it appropriate or where it may impact you financially or impinge on any of your legal rights.
7: Privacy By Design:
Although this is not a specific legal obligation Jaymic Ltd do strive to collect and retain as little personal data as is required, and to take reasonable steps to protect this data from misuse. Your personal data is not available to other companies or individuals other than where specified in sections 1, 2 and 3 of this document. Jaymic Ltd will also endeavour to go beyond the basic legislation where we consider it necessary as part of our ongoing commitment to data security and privacy. We would also like to firmly state that we do not buy or sell personal data for any reason, and that if we do have personal data held about you then this will have been acquired from you directly and with your consent.
8: International Customers or Website Users:
As was stated at the beginning of this document the authority responsible for enforcement of data protection regulations in the UK is the ICO, but the current GDPR legislation applies to all European Union member states. If you are placing an order from within another country or territory within the European Union then you must refer to guidance from your own local governmental authority responsible for data protection and enforcement, but the essential legal definitions of the GDPR are universally accepted across the entire EU. If you are based outside the European Union then the current GDPR legislation does not apply to you specifically, but Jaymic Ltd will endeavour to maintain the same high standards of accountability and data protection to all customers regardless of their location or nationality.