Data Protection and Privacy statement
Garden Railway Specialists Ltd (“we”, “GRS”) regard your privacy as important and we comply with the current law. The Data Protection Act 1998 (“DPA”) applies to any personal data that we process, and from 25th May 2018 this will be replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“DPA 2018”) (together “data protection laws”). We will only use any personal information you send us for the purposes for which you provide it, or where allowed by law. We will only hold your information for as long as necessary for these purposes and will not pass it to any other parties unless this is made clear to you. All GRS staff or suppliers who have access to your personal data or are associated with the handling of that data are obliged to respect the confidentiality of your personal data and to abide by our Terms and Conditions Policy which is available on our website.
Topics covered in this Privacy Notice
• Who we are and who is responsible for data privacy
• Our purpose in holding your personal data
• The categories of data that we hold
• Sharing your data with third parties
• Our lawful basis for processing that data
• Our legitimate interests in processing that data
• Your rights in respect of the data we hold
• Transferring your data to other countries for storage or processing
• How long we hold your data for
• The consequences should you choose to withhold data or ask us to remove it from our records
• Whether we use automated decision making
Who we are and who is responsible for data privacy
Garden Railway Specialists Ltd are a retail business operating from shop premises with an internet sales presence also. We specialise in the marketing and supply of all garden railway hobby equipment, materials, servicing, training and advice. We are the ‘data controller’ of personal data and we take that responsibility very seriously. We only use third parties for ‘data processing’ to enable us to provide marketing emails and to process sales in our retail shop and online purchases.
Our address is:
Garden Railway Specialists Ltd
6 Summerleys Road
Our Director Matthew Adamson is responsible for Data Privacy within GRS. He can be contacted via the address and email above. If the matter is urgent please provide a telephone number and he will telephone you if possible.
Our purpose in holding your personal data
We hold personal data for the processing of sales orders and to provide informative emails about new products, quarterly newsletters and details of special offers and promotions.
The categories of data that we hold
We hold your name, address and contact details, including your telephone number and email address where you provide these.
We also record your payment history including how you paid for your purchases so that we can reconcile our accounts.
All information you provide to us is stored on our secure computers and access is limited to our internal staff. Everyone is required to abide by our Data Protection Policy.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We do not store any financial details on our computers. Credit card details for online payments are encrypted by our third party processor (Sage).
Sharing your data with third parties
We will only share your data with our email marketing specialist for the purpose of sending our newsletters, promotions and selected special offers.
Our lawful basis for processing that data
Our lawful basis for processing the personal data of our customers is by consent.
Your rights in respect of the data we hold
You have the following rights in relation to your personal information:
• the right to be informed about how your personal information is being used;
• the right to access the personal information we hold about you;
• the right to request the correction of inaccurate personal information we hold about you;
• the right to request the erasure of your personal information in certain limited circumstances;
• the right to restrict processing of your personal information where certain requirements are met;
• the right to object to the processing of your personal information;
• the right to request that we transfer elements of your data either to you or another service provider
You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. For example, we do not use automated decision making in relation to your personal data. However, some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.
Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.
To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by using the details set out in the “Who we are” section above.
If you are unhappy with the way we are using your personal information, you can also complain to the UK Information Commissioner’s Office or your local data protection regulator. We are here to help and encourage you to contact us to resolve your complaint first.
Transferring your data to other countries for storage or processing
We do not transfer your data to countries outside the European Economic Area (EEA) for processing including storage. If the data is held on “Cloud servers” it will only be done where there is a binding agreement with the relevant data authorities to regulate this in line with the data protection laws.
How long we hold your data for
We only hold your personal data for the purpose of your transaction plus a period of sixty months, unless you ask to be forgotten in which case your data will be removed with 28 days.
The consequences should you choose to withhold data or ask us to remove it from our records
If you do not agree to our processing of your personal data, we may not be able to make information or offers available to you and be unable to help with after sales service or warranties.
If you receive marketing emails from us, there will always be an unsubscribe option at the bottom of each email which will automatically remove you from our email marketing list. To rejoin you will need to subscribe from the opt-in form on our website home page.
Whether we use automated decision making
We do not use any automated decision-making tools in any of our processing.
The management of data protection at GRS
The company will nominate a Director to be accountable for data protection.
The current nominee is Matthew Adamson, Director, who can be contacted by email at firstname.lastname@example.org. We will respond to any request within 7 days.