General Data Protection Regulation Policy
On 25th May 2018, new legislation surrounding the handling, processing and storage of personal data came into force across the European Union. The new legislation is designed to protect the rights of the individual where their personal data is concerned.
In line with these new laws, we have reassessed our data protection policies and created a more robustly designed set of policies and procedures to ensure that an individuals data is handled and processed in a more secure way.
Compliance
Pluscrates does not process special category data apart from in rare circumstances. This policy, therefore, covers an individual’s personal data only.
Pluscrates does not process the data of anyone under the age of 18.
A complete audit of all data we hold on file in both digital and physical format has been carried out. Any data which has been deemed to be outside of the new GDPR retention policy has been deleted or disposed of in a secure and safe way. Any holes in the existing policies and procedures have been identified and filled in line with the new standards.
An audit of personal data will be carried out on all data on an annual basis. Interim audits will be carried out in line with the retention periods listed in this policy.
An individual’s data is only processed in line with Pluscrates data protection policy.
Data Security controls
As part of the new policy, a full audit of security surrounding all personal data has been carried out. Pluscrates systems are designed with both staff and customers data security in mind. We operate our systems with the following security measures in place:
Secure firewalls at both ends of our secure leased line.
Password protected laptops/computers/phones – all access points are covered by our company password policy.
Multi-level and multi-vendor anti-virus and anti-malware software and systems are in use to prevent such threats as; worms, ransomware, phishing emails etc.
Role-based access control is in place to restrict data access to relevant staff.
All HR information is stored in secure files in both physical and digital formats, access to HR information is restricted to the HR department, the DPO and senior management.
Strong physical security is in place at all locations where data is stored in both a physical and digital format.
Multi-factor authorisation is used where available.
All external processors are vetted and terms agreed which cover data protection best practice.
Data Protection Policy
Pluscrates collects individuals data via several different methods: email, phone, website, order forms, online forms, physical forms, 3rd party suppliers, direct from the customer.
There is a distinction between the individual data of an employee/ex-employee at Pluscrates and the individual data of a customer/prospective customer.
Scope
This public policy will focus on the individual data of a customer/prospective customer. For access to the policy pertaining to staff and employee information, please see the alternative link.
The policy applies to any data in either digital or physical form held by any of our five depots. It applies to all systems, staff (whether permanent or temporary), directors, consultants, suppliers and third parties who collect, access and/or process individuals data as part of their work with Pluscrates.
Consent
If an individual’s data is collected directly from the subject. Then consent will be sought at this time.
This consent will be:
Informed – transparent information about how the data is to be used will be provided.
Specific – this data will only be used for the purposes outlined at the time the data is collected.
Freely given/non-conditional
Consent to use an individual’s data can be withdrawn at any time. Unless contractual necessity prevents it.
If the individual’s data is collected on behalf of Pluscrates, then we will take on the role of the data processor, therefore the consent will be sought by the data controller. Consent can of course still be withdrawn at any time.
In the case of Pluscrates, the most likely data controller will be your removal company. They will have provided us with the information for the purpose of carrying out your delivery or collection. Your personal data will not be used for any other purpose.
An individual’s rights
Under the new GDPR rules, an individual has the right to:
1, Right to be informed – the individual has the right to be informed when their data is collected and how it will be used.
2. Right to access – an individual can access the data held on file at Pluscrates at any time
3. Right to rectification – if an individual discovers errors in their data or if their data has changed since it was originally collected, then the individual can ask for it to be rectified.
4. Right to erasure/be forgotten – if an individual so wishes, they can have their data erased from our databases. At this point, none of their data will be used for any reason going forward.
5. Right to restrict processing – an individual can request that restrictions are put on their data being used, eg. “I would no longer like to be contacted via email”.
6. Right to data portability – if the request is made, then an individual’s data will be made available in a secure manner for transportation eg. On a password protected USB stick or via a password protected email.
7. Right to object – if an individual does not believe that their data is being used for the purpose for which consent was given, they can object to their data being used in this way. At this point, their data will cease to be used in any form that they are not happy with.
8. Rights in relation to automated decision making and profiling – It is an individual’s right to be informed of any automated decision making or profiling is carried out on their data. They also have the right to object to this action being undertaken, request information about how this decision was made and the right to appeal if they do not agree with the decision.
This will affect our customers in relation to a credit check which will be performed prior to account set up. If negative results are found through this credit check then it does not necessarily mean that we will refuse service, in most cases, it will merely mean that additional measures in the form of deposits or upfront payment are taken at the time the order is processed. All of our credit checks are performed by Experian (see the link for more information).
If at any time, you would like to act upon any of the above, please fill in one of the forms, located on the [individual’s rights page]. Alternatively, you can give the head office a call where you will be able to speak with the DPO or one of their team. You are also able to email the Data Protection Officer at dpo@pluscrates.com.
The data you provide at the time of the request will only be used for the purpose of fulfilling the request and no other purpose. Once the request has been fulfilled, or 30 days after initial contact (whichever is shorter) your data will be destroyed/deleted in line with our privacy policy.
Retention periods
Financial information
Pluscrates Ltd is governed by UK law in regards to how long we keep financial information, this information will, therefore, be kept for 7 years in both physical and digital format.
Signed dockets
Our signed dockets make up part of the legally binding contract we hold with both the removal customer and the end client. They will contain information pertaining to name, address, telephone number and any special instructions, as well as a signature. These will be kept in a physical form for 3 years and in a digital format.
Quotes
Any information gathered on an individual for quoting purposes will be kept in our database. If the quote has been converted to an order then this information will be kept in a digital format for up to 7 years. If a quote has not been converted then the information will be deleted after 1 year.
All of the information on our quotes is valid for up to 30 days.
Right to be forgotten
Due to the legal restrictions which Pluscrates has to abide by, it may not be possible to comply with a ‘right to be forgotten’ if this counteracts the retention periods for our financial information or it conflicts with lawful contractual reasoning. In such cases, we will inform the individual and offer any alternatives. Which may include; redaction or rectification.
Credit card information
If you place an order through our website then your debit/credit card information will be taken. This information will be held by Paypal and will fall under their privacy policy.
Please see further information here. https://www.paypal.com/uk/webapps/mpp/ua/privacy-prev
On occasion, we may take debit/credit card information over the phone. This information will be entered onto a physical form. The physical forms are kept in a locked filing cabinet when not in use.
The payment will then be processed on the Worldpay website.
Please see their policy here. https://www.worldpay.com/uk/privacy-policy
Once the payment has successfully been taken, we will redact any information relating to your debit/credit card numbers. The only information kept on file will be your name, address, order reference and receipt number. The physical form will be securely shredded after 6 months.
We do not keep debit/credit card information on file once the payment has been accepted. And we do not use this information for marketing purposes.
Emails
It is often important for the staff at Pluscrates to keep emails for a period of 1 year or more. This is to aid in the confirmation of data held on our financial systems.
An automatic retention period will be implemented for all emails which do not fall into this category or which do not pertain to information which by law is required to be kept.
Security
At Pluscrates, we take the security of data very seriously. Each of our systems is designed with a ‘protection by design’ methodology in mind.
All of your personal details are stored on a secure server. This server is password protected and has a range of multi-vendor and multi-level anti-virus software in place as well as a secure firewall. Admin staff at Pluscrates access this server, and the information contained on it, via a secure leased-line which has a secure firewall installed at both end access points.
The physical copies of any information collected by hand, which is kept in a physical form, or printed out in a physical format, for use on the job, will be stored in filing cabinets which are kept in secure rooms within the Pluscrates offices.
Each desktop, laptop and phone used to access an individual’s information is password protected and where possible is protected by two-factor authentication or fingerprint protection. Passwords are changed on a regular basis.
Access to your data
All the machines used to access our secure server are password protected and have multi-vendor, multi-level anti-virus software installed.
No third party will be given access to your data held on the server.
Any access to our server via a third party is limited to their required scope of data and logins are monitored. Third parties who access our secure servers are required to sign a non-disclosure agreement prior to them being provided with a login.
You may gain access to a copy of the data relating to you, which we hold on file at any time by filling in a ‘Data subject access request form’ which is available on Pluscrates.com. (actual address)
A copy of this data will then be sent to you either via a secure email, signed for post or on an encrypted UBS device. The company will respond to any ‘Data Subject request’ within 30 days.
Data sharing
Pluscrates will not share any customer personal data with third parties, other than those involved in the completion of work requested eg. Couriers will be given delivery details and contact details for the named ‘contact’ on site. A separate policy has been signed by all of our preferred suppliers to ensure that these companies are abiding by our privacy policies and that your personal data is kept safe
The only exception to this is for third parties involved in law enforcement and any government agency. If we receive a request from either of these, we will inform you of the information requested and if necessary seek legal advice before doing so.
Pluscrates will never sell on your data. We will only use an individual’s data for marketing purposes where specific consent has been obtained.
Profiling
Pluscrates will not use your data for any form of profiling.
The only exceptions to this are in relation to a credit check which will be performed prior to the account set up. If negative results are found through this credit check then it does not necessarily mean that we will refuse service, in most cases, it will merely mean that additional measures in the form of deposits or upfront payment are taken at the time the order is processed. All of our credit checks are performed by Experian (see the link for more information).
Legal basis for processing
Our legal basis for processing your information will fall under one of the following requirements:
Freely given consent
Legal obligation
Contractual obligation
Data Breaches
In the unlikely event of a physical or digital data breach occurring, any person/s whose data has been compromised will be contacted within a 72 hour period from discovery. We will also ensure that a full investigation is completed and the findings, along with a comprehensive report of how we will improve security will be sent to the ICO.
Website Privacy policy
Pluscrates.com is the website owned and operated by Pluscrates for the following purposes:
Information regarding our products and services
Providing information to the general public about; how we operate, the policies we have in place, the accreditations we have gained and adhere to, and general public information about the running of the business.
A news and blog platform
Online contact form
Depot information about our national network
Online shop
Our website uses Cookies to improve customer interaction and for the online shop to function correctly. For more on our Cookies policy, please see here. pluscrates.com/cookie-policy.
Pluscrates use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be upfront about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
All gathered information on our website ie. from contact forms, will be used for the purpose it has been given. Prior to you submitting your information, you will be given details about how your information will be used.
You will also be given the option to opt-in to receive marketing on the subject of our products and services. It is important to note that any consent regarding marketing can be withdrawn at any time.
Placing an order through our website will mean that your data is collected on our system, processed by our in-house team and copied onto our Rental Management software. This data will fall under contractual obligation, please refer to retention periods and security above for more information.
Complaints, Questions and Comments
If you have a complaint about the way in which we collect, process and store your personal data please contact our Data Protection Officer at Head Office on 0208 900 0321 or dpo@pluscrates.com.
If, after contacting us, you feel that we have not resolved your issue, you have the right to complain to the Information Commissioners Office.
Other relevant links:
https://en-gb.wordpress.org/about/privacy/
https://woocommerce.com/privacy-policy/
https://policies.google.com/privacy
