GDPR FAQ at Cartridge Shop
Last updated: 17/05/2018
GDPR: What does it stand for?
GDPR stands for General Data Protection Regulation. GDPR is the new standard for Data Protection effective from May 25th, 2018. One of its aims is to ensure that consumers' personal information is protected to a higher level than previously.
How is your data held and secured under GDPR?
Two of the principles covered by GDPR are "Privacy by Design" and "Privacy by Default". Because of this, we have considered all the information that is supplied and/or captured, and have documented and secured it appropriately.
Additionally...
- Everyone at Cartridge Shop is trained, as everyone has a responsibility to ensure that the security of your data is maintained.
- Cartridge Shop has external vendors supporting us in the use of technology to protect against threats and alert us to them, hence minimising any risk.
Can you ask us to correct or delete data?
Yes – you have a right to ask to "be forgotten" or to have any incorrect data corrected.
In some instances we will temporarily not be able to forget you – such as if we are still fulfilling an order to you – however once this has been completed we should then be able to delete/anonymise any data held by us.
Data will be anonymised where we have a compliance reason to keep a record of the order but have received a valid request from you to delete your data.
If you want to be forgotten or have any questions, please contact our customer services department.
Do you have to give consent?
Quite often, by using our services you are inherently giving consent – e.g. for the reasonable use of your address to facilitate the delivery of an order you have placed.
On other occasions, you will give specific consent, e.g. to receive marketing communications when you register for the newsletter or an account without checking out. Please note that you can always opt out or ask what consents have been recorded.
Is Cartridge Shop a data controller and/or data processor?
Under GDPR legislation, Cartridge Shop will be a controller for all data we collect ourselves, and the processor for the majority of it. We will have the same obligations as a controller or processor under GDPR to handle personal identifying information in the correct manner.
As a controller, we use a number of different processors to fulfil our services to customers. Each processor reports to us as the controller and must adhere to our (as the controller) rules. This means that if you ever have an enquiry, Cartridge Shop is your single point of contact as we are responsible for all our processors.
An example of a processor is the vendor of an order management system, where we manage your order data within their system. Even if your data is in their system, they are not allowed to use the data except to support us in the fulfilment of our services to you.
Why do you receive marketing emails?
As a result of GDPR, it is important that Cartridge Shop only sends marketing communications under an appropriate legal basis. The two legal bases used by Cartridge Shop are "consent" and "legitimate interests".
- Consent: When you sign up to receive marketing via our newsletter sign up form, or you register for an account on our website, you are given the option to consent to receive marketing. A declaration saying how your data will be used and a link to the Privacy Policy will be shown, along with a checkbox that needs to be checked in order for you to consent.
- Legitimate Interests: As you are a Cartridge Shop customer, we have the ability to send you marketing communications providing we meet strict criteria set out under GDPR. The ICO states that we can only use this legal basis if all of the following are true:
  - Obtained details during the course of a sale.
  - Marketing messages are about similar products or services.
  - The opportunity is given to opt out at the time of data capture (initial sale), and the opportunity is given to opt out on any marketing communication received.
What are "legitimate interests"?
"Legitimate interests" is a legal basis that can be used to process data. The ICO states that it is likely to be most appropriate where data is used in a way that people would reasonably expect and has a minimal privacy impact. There are three elements to the "legitimate interests" basis:
- Purpose test: Identification of the legitimate interest.
- Necessity test: Is processing necessary to achieve the purpose?
- Balancing test: Are the company's interests balanced against the rights of the individual?
Where Cartridge Shop relies on legitimate interests for processing, we will have carried out a thorough Legitimate Interest Assessment to ensure the three elements of the legal basis are met.