Regulation (EU) 2016/679 (General Data Protection Regulation) replaces Data Protection Directive 95/46. It has direct effect and implies a change in the legislation of the Member States in the field of personal data protection. Its purpose is to protect the "rights and freedoms" of individuals and to ensure that personal data are not processed without their knowledge and, where possible, processed with their consent.
Material scope – GDPR applies to the processing of personal data wholly or in part by automatic means and to the processing of personal data (for example, manually and on paper) by other means, which are part of a personal data record or which are intended to form part of a personal data record.
Territorial scope - The rules of the GDPR will apply to all data controllers established in the EU who process personal data of individuals in the context of their activities. It will also apply to non-EU administrators who process personal data in order to offer goods and services or observe the behavior of data subjects who are resident in the EU.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or membership of trade unions, and the processing of genetic data, biometric data for uniquely identifying an individual, data concerning health or data on the sexual life of an individual or sexual orientation.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Data subject means any natural person who is the subject of personal data stored by the Controller (Administrator).
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Main place of establishment - the EU controller's headquarters will be the place where he takes the basic decisions about the purpose and means of his data processing activities. For personal data processors, its main place of establishment in the EU will be its administrative center.
If the controller is based outside the EU, he must appoint a representative in the jurisdiction where the administrator works to act on behalf of the controller and deal with supervisors. (Article 4 (16) of the GDPR);
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
PRINCIPLES OF DATA PROTECTION
All processing of personal data is carried out in accordance with the data protection principles referred to in Article 5 of GDPR (EU) 2016/679. The policies and procedures of Tru Kids Ltd aim to ensure compliance with these principles.
Personal data must be processed lawfully, in good faith and transparently
Lawfulness - a legal basis must be identified before personal data can be processed. These legal bases are often referred to as "grounds for processing", such as "consent".
Fairness - in order for the processing to be in good faith, the data controller must provide certain information to the data subjects as far as is practicable. This applies irrespective of whether personal data is obtained directly from data subjects or from other sources.
Regulation (EU) 2016/679 increases the requirements for what information should be available to data subjects that are covered by the "transparency" requirement.
Transparency - The GDPR includes rules on the provision of confidential information to data subjects in Articles 12, 13 and 14 of the GDPR. They are detailed and specific, emphasizing that privacy notices are understandable and accessible. Information must be communicated to the data subject in comprehensible form using clear and comprehensible language.
Personal data may only be collected for specific, explicit and legitimate purposes
Data obtained for specific purposes should not be used for a purpose that differs from those officially announced to the supervisory body as part of the Tru Kids Ltd Data Processing (Article 30 GDPR).
Personal data must be adequate, relevant, limited to what is necessary for their processing for the purpose. (Principle of minimum necessary)
- The Responsible Person for GDPR is responsible for ensuring that Tru Kids Ltd does not collect information that is not strictly necessary for the purpose for which it was received.
- The Responsible Person for GDPR will ensure that on an annual basis all data collection methods are reviewed by (internal audit / external experts) to ensure that the collected data continue to be adequate, relevant and not excessive.
- Personal data must be accurate and up-to-date at all times, and the necessary efforts are made to enable deletion or correction immediately (within the framework of possible technical solutions)
- The data stored by the data controller should be reviewed and updated as necessary. Data should not be stored in cases where it is unlikely to be accurate.
- The Responsible Person for GDPR is responsible for ensuring that all staff are trained in the importance of accurate data collection and maintenance.
- It is also the duty of the data subject to declare that the data he transmits for storage by Tru Kids Ltd are accurate and up-to-date. Completing a form from the data subject to the administrator will include a statement that the data contained therein is accurate at the filing date.
- The Responsible Person for GDPR is responsible for ensuring that appropriate procedures and policies are in place to maintain the accuracy and timeliness of personal data, taking into account the volume of data collected, the speed at which it can change and other relevant factors.
- At least annually, the Responsible Person for GDPR will review the storage times of all personal data handled by Tru Kids Ltd, referring to the inventory of the data and will identify all data that are no longer required in the context of the registered objective. These data will be reliably destroyed in accordance with the administrator's procedures and rules.
- The Responsible Person for GDPR is responsible for complying with data requests within one month, which can be extended by a further two months. If Tru Kids Ltd decides not to comply with the request, the Responsible Person for GDPR must respond to the data subject in order to explain his / her reasons and to inform him / her of the right to complain to the supervisory authority and to seek redress.
- The Responsible Person for GDPR is responsible for taking appropriate measures in cases where third party organizations have inaccurate or outdated personal data: to inform them that the information is inaccurate or obsolete and is not to be used to make decisions about the individuals concerned, and to forward any correction of personal data to third countries where necessary.
- Personal data must be stored in such a form that the data subject can only be identified for as long as is necessary for the processing.
- When personal data is retained after the processing date, it will be stored appropriately (minimized, encrypted, aliased) to protect the identity of the data subject in case of data breaches.
- Personal data are processed in a way that ensures appropriate security (Article 24, Article 32 of the GDPR)
The Responsible Person for GDPR will carry out an impact assessment (risk assessment) taking into account all circumstances related to data management or processing operations by Tru Kids Ltd.
In determining the suitability of the processing, the Responsible Person for GDPR should also examine the extent of any damage or loss that may be caused to individuals (e.g. staff or customers) if a security breach occurs, as well as any likely damage to the reputation of the controller, including a possible loss of customer confidence.
When assessing appropriate technical measures, the Responsible Person for GDPR will consider the following:
- Password protection;
- Automatic locking of idle workstations in the network;
- Removing access rights for USB and other removable storage media;
- Antivirus software and firewalls;
- Access rights based on roles, including those of assigned temporary staff;
- Protect devices that leave the organization's premises, such as laptops or others;
- Security of local and wide-area networks;
- Enhanced privacy practices such as pseudonymization and anonymization;
- Identification of international security standards appropriate for Tru Kids Ltd
When assessing the appropriate organizational measures, the Responsible Person for GDPR will consider the following:
- Levels of appropriate training in Tru Kids Ltd
- Measures that take into account staff reliability (for example, appraisal assessments, recommendations, etc.);
- Inclusion of data protection in employment contracts;
- Identification of disciplinary measures for violations with regard to data processing;
- Regular inspection of staff for compliance with relevant security standards;
- Control of physical access to electronic and paper-based records;
- Storing paper-based database records in lockable wall cabinets;
- Restricting the use of portable electronic devices outside the workplace;
- Limiting employee use of personal devices in the workplace;
- Accepting clear rules for creating and using passwords;
- Regular backup of personal data and physical storage of media with copies outside the office;
- Imposition of contractual obligations on counterparty organizations to take appropriate security measures when transferring data outside the EU.
These controls are selected based on the identified personal data risks as well as the potential for damage to the data subjects whose data are being processed.
Compliance with the principle of accountability
Regulation (EU) 2016/679 includes provisions that promote accountability and manageability and complement transparency requirements. The principle of accountability in Art. 5, par. 2 requires the controller to prove that he adheres to the other principles in the GDPR and explicitly states that this is his responsibility.
RIGHTS OF DATA SUBJECTS
- Data subjects have the following rights in respect of the processing of data and the data recorded for them:
- Make requests to verify that personal data associated with him / her is being processed and, if so, to access the data, as well as information on who the recipients of that data are.
- Request a copy of their personal data from the controller (administrator);
- Ask the controller (administrator) to correct personal data when they are inaccurate and when they are no longer up to date;
- Require the controller (administrator) to delete personal data (right to be forgotten);
- Ask the controller (administrator) to limit the processing of personal data, in which case the data will be stored but not processed;
- To object to the processing of his or her personal data;
- To object to the processing of personal data relating to him / her for direct marketing purposes.
- Appeal to a supervisor if he / she believes that any of the GDPR provisions is violated;
- Request and be given personal data in a structured, widely used and machine-readable format (data portability);
- Withdraw his / her consent to the processing of personal data at any time with a separate request addressed to the administrator;
- Not to be subject to automated decisions affecting him / her to a significant extent without human intervention;
- Oppose automated profiling, which happens without his / her consent;
- By consent, Tru Kids Ltd understands any freely given, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or a clear confirmation action, which expresses his / her consent to the processing of the related personal data. The data subject may withdraw his / her consent at any time.
- Tru Kids Ltd understands "consent" only in cases where the data subject has been fully informed of the planned processing and has expressed his / her consent without pressure being exerted on him / her. Consent obtained under pressure or on the basis of misleading information will not be a valid basis for the processing of personal data.
- Consent cannot be inferred from the absence of a reply to a message to the data subject. There must be active communication between the controller and the subject for consent. The administrator must be able to demonstrate that consent has been received for the processing operations.
- For specific categories of data, explicit consent in writing to the processing of personal data of data subjects shall be obtained unless there is an alternative legal basis for processing.
- All personal data must be accessible only to those who need it and access can only be granted in accordance with established access control rules. All personal data must be treated with the utmost certainty and must be kept:
- in a self-contained room with controlled access; and / or in a locked cabinet or in the filing cabinet; and / or
- if computerized, password protected in accordance with internal requirements set out in organizational and technical measures to control access to information (e.g. access control rules); and / or
- Stored on portable computer media that are protected in accordance with organizational and technical measures to control access to information.
- Establish an organization to ensure that computer screens and terminals cannot be viewed by anyone other than the authorized employees of Tru Kids Ltd. All employees are required to be trained and accept the relevant contractual clauses / declaration of compliance with the organizational and technical measures of access as well as the rules for the locking of workstations before being given access to information of any kind.
- Paper-based records should not be left where they can be accessed by unauthorized persons and cannot be removed from the designated office premises without explicit permission. As soon as paper documents are no longer required for ongoing customer support work, they must be destroyed in accordance with the established procedure / rules and the relevant protocol.
- The processing of personal data "outside the office" represents a potentially greater risk of loss, theft or violation of personal data. The staff must be specifically authorized to process data outside the controller's premises.
INFORMATION ABOUT YOUR DATA PROCESSING:
WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing (if applicable): With your permission, we may send you emails about our store, new products and other updates.
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.
How do I withdraw my consent?
If after you opt-in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at firstname.lastname@example.org
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service here or Privacy Statement here.
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
In particular, remember that certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us. So if you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
As an example, if you are located in Canada and your transaction is processed by a payment gateway located in the United States, then your personal information used in completing that transaction may be subject to disclosure under United States legislation, including the Patriot Act.
When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.
Here is a list of cookies that we use. We’ve listed them here so you can choose if you want to opt-out of cookies or not.
_session_id, unique token, sessional, Allows Shopify to store information about your session (referrer, landing page, etc).
_shopify_visit, no data held, Persistent for 30 minutes from the last visit, Used by our website provider’s internal stats tracker to record the number of visits
_shopify_uniq, no data held, expires midnight (relative to the visitor) of the next day, Counts the number of visits to a store by a single customer.
cart, unique token, persistent for 2 weeks, Stores information about the contents of your cart.
_secure_session_id, unique token, sessional
storefront_digest, unique token, indefinite, If the shop has a password, this is used to determine if the current visitor has access.
AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.
If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Privacy Compliance Officer at email@example.com or by mail at Tru Kids Ltd
Controller: Tru Kids Ltd ID 12339959
Address: Headlands House, 1 Kettering Parkway, Kettering NN15 6WJ
Manager: Natasha Ponponne
Telephone: +44 1536 481153
Responsible Person for GDPR: Natasha Ponponne