Latest Update: March 2021
Like every organisation, we are required to comply with the new EU General Data Protection Regulation (GDPR), which came into force on 25th May 2018 replacing the 1998 Data Protection Act. The GDPR aims to protect the privacy, rights and freedoms of all EU citizens, and places stricter requirements on organisations relating to how they process personal information. This new law will not be affected by Brexit. The UK Government is currently processing further law (the Data Protection Bill), which will enhance the provisions of the GDPR and clarify areas of it that have been left to individual states to govern.
Although we’ve always been very careful with the data we hold, we have taken this opportunity to declutter and create a fresh look to help you find what you need more easily.
Personal Information is defined as any information (data) which can be used to directly or indirectly identify a living individual. This can include obvious things like: your name; date of birth; National Insurance number; driving licence number; home or work address, postcode; telephone and mobile numbers; email addresses. It also protects your identification through less obvious things like your computer IP address and device location data. There are also categories of data which are considered as Sensitive Personal Information such as: health and medical details, including biometric and genetic data; political or religious beliefs; sexual preferences and orientation. Processing Sensitive Information is prohibited except under certain circumstances – unless you are also an employee of The Range, it is unlikely that we will ever ask you for this type of information.
Your Rights: The GDPR brings clarity to your rights whenever a company collects information about you. You are entitled to the following:
•To be informed when and how we collect, process or store your data. Ideally, this is done before your data is collected, however there may be times when this is not possible, for example when your data is not collected directly from you. In this case, organisations are now required to inform you that they have acquired your data within one month of its collection.
•To access information we hold about you. Previously, an administration fee of up to £10 could be requested to respond to these requests; this no longer applicable, so requests for your personal information are free. To help us respond in the most efficient and effective way, please email email@example.com with your request.
•To rectify any discrepancies or errors in the information we hold about you. If we have stored any information about you, and you believe it to be incorrect, you may ask that it be rectified.
•To restrict processing. We’ll be honest here, other than processing your orders and handling service communications and marketing emails, we don’t tend to process your identifiable information. However, you may ask us to stop processing it, for example, if you want to take a break from receiving marketing communications.
•The right to data portability. If you want to transfer your data that we hold, we can.
•To object to processing, for example to stop receiving direct marketing communications.
•To ask us to erase the data we hold about you. However, you should note that there may be overriding legal statutory or regulatory reasons that prevent us from doing this.
•Where Automated Decision Making is used, there must be an option for human intervention.
Principles of Data Protection: In addition to your rights as a “Data Subject”, the GDPR also outlines several specific principles that organisations should adhere to in order to help maintain the integrity and security of your data. These principles are intended to support your rights as outlined above. Processing should be:
• Lawful, Fair and Transparent – In other words, we should have a legal reason for processing your data, we should be fair in processing your data and we should be transparent in processing your data.
• Limited Purpose – We should only process your data for the purpose that we informed you about, e.g. processing orders, sending product updates and offers, marketing, handling complaints. We should not use data collected for one purpose to fulfil another purpose.
•Data should be Minimal – We won’t ask you for more information than is necessary to carry out the activity we are collecting it for, i.e. we wouldn’t ask for your National Insurance number, unless you were joining our team.
•– Any data we hold about you should be kept accurate and up to date. We will often rely on you to notify us of any changes that affect our ability to do this. This principle supports your right to rectify discrepancies and errors.
• Storage Limitation – This means that we won’t keep your data for longer than is necessary to perform the purpose for which it was collected, or to satisfy any legal statutory or regulatory requirement to keep it.
• Integrity & Confidentiality – We will take every reasonable organisational effort and technical measure to protect the data we hold about you from unauthorised access, alteration or disclosure.
Data Sharing: We don’t usually share your information with any other parties, however, there are occasions when we might have to, for example to provide a delivery agent with your address. If we do, we will endeavour to obtain your consent before sharing your information although there may be times when we do this without obtaining your permission, for example where a third party performs a duty directly on our behalf and under our instruction.
Data Privacy Notices (DPNs): Where we collect your information for any purpose, we are required to inform you: who we are, what information we are collecting, why we need it, the lawful basis for obtaining it, how long we will keep it for and how we will use it.
You’re in Control: We take Data Protection very seriously, for you, other customers, our staff, and partners. If you need to get in touch with our Data Protection Officer, email firstname.lastname@example.org
You may also write to:
Thank you for taking the time to read this.