Shortridge Limited
Data Protection Privacy Policy
This policy sets out the basis on which any personal data collected from you or provided by you will
be processed. As a business we are required to notify you of this information under the Data
protection Legislation. Your privacy is important to us and we are committed to protecting and
safeguarding your data privacy rights. This includes current, past and prospective employees,
customers, suppliers and others with whom we communicate.
Our customers
Users of our website
People who have requested to receive marketing information about our goods and services
People who use our goods and services
People who contact us via any medium (eg. By post, email, telephone or social media).
Definitions in this Privacy Policy
Controller
Shortridge Limited (‘Company’) is the controller and responsible for your personal data. Registered
number Z8825893 and whose registered office is at Joseph Noble Road, Workington, Cumbria CA14
4JX.
Data Controller
Suzanne Appleby-Prentice, has determined the purposes for which, and the way, your personal data
is processed. The Data Controller has overall responsibility for compliance with the Data protection
Laws.
Privacy Manager
Debra Steel, HR Manager, is the appointed officer who is responsible for awareness-raising, training
staff and informing the advising the Data Controller, Data Processors and Date Users how to ensure
compliance with the enactments and to monitor that compliance.
Data processer
Any person or organisation that is not a Data User that processes personal data on our behalf and in
accordance with our specific instructions. Our staff will be excluded rom this definition but, the
definition could include suppliers who handle personal data on our behalf.
Data Subjects
All living individuals about whom we hold Persona Data. All data Subjects have legal rights
concerning the processing and storage of their personal information.
Data Users
Our employees whose work involves processing your Personal Data. Data users are responsible for
the proper use of the data they process and must protect the data they handle in accordance with
this policy
The Enactments
The Date protection Act 1998 (the Act) up to and until 25 th Many 2018 after which The General Data
Protection Regulations 2017 (GDPR) will apply both of which regulate the way in which all personal
Data is help and processed.
Personal Data
Information which can be used to directly or indirectly identify a living individual
Processing
Any Activity in which the data is used, including (but not limited to) obtaining recording, organising,
amending, retrieving, using disclosing, erasing, destroying and/or holding data. The terms
“processing” also includes transferring personal data to third parties.
Supervisory Authority
The Authorised Body which is empowered to govern and manager how the GDPR is implemented
and abided by in the EU state. In the case of the UK the Supervisory Authority is the: Information
Commissioner’s Office.
Sensitive Personal Data
This includes information about a person’s race, ethnicity, political opinions, convictions, religion,
trade union membership, physical and/or mental health and sexual preference. Sensitive personal
data can only be processed with the express written consent of the person concerned.
What kind of Data do we collect?
The information listed below is in addition to any personal data we are required by law to process in
any given situation: –
Identity Data – includes names, company names, usernames or similar identifier.
Contact Data – includes billing address, delivery address, email address and telephone number.
Financial Data – includes bank account details.
Transaction Data – include information about the particular transaction and/or other services
we provide to you, information about product and/or services you provided to us and details
about payment to and from you.
Technical data and Usage data – include usage of our website
Profile Data – includes your preferences, feedback and survey responses
Marketing and communication Data – include your preferences in receiving marketing from us
and your communication preferences.
We may also collect and share Aggregated Data such at statistical or demographic data for any
purpose. Aggregated data may be derived from your personal data but is not personal data in law as
this data does not directly or indirectly reveal your identity. For example, we may aggregate your
Usage Data to calculate the percentage of users accessing a specific website feature. However, if we
combine or connect Aggregated Data with your personal data so it can be directly or indirectly
identity you, we treat the combined data as personal date which will be used in accordance with this
policy.
We do not collect any Sensitive Data about you. If we need to process such information for the
purpose of a particular transaction we will only do so where we have obtained your prior consent to
do so or where there we are otherwise legally permitted to do so. We do not collect any
information about criminal convictions and offences again unless such information is relevant to a
transaction.
Shortridge seek to ensure that the information collected and processed is proportionate, and we will
notify you of any changes.
How we will use your personal data?
For Personal Date to be processed Lawfully, the basis for the processing must be one of the legal
grounds set out in the Enactments.
We will only collect and process your personal data to the extent that it is needed to fulfil our
operational and contractual needs or to comply with any legal requirements.
How long do we keep your personal data for?
We will retain your personal data for as long as reasonably necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal regulations, tax, accounting or
reporting requirements. We may retain your personal data for a longer period in the event of a
complaint or is we reasonable believe there is a prospect of litigation in respect to our relationship
with you.
How do we store your personal data?
Information may be held at our offices and third-party agencies, (for example Credit Checking
Agency).
- We are committed to taking all reasonable and appropriate steps to protect the personal
information that we hold from misuse, loss or unauthorised access. If you suspect any misuse or loss
or unauthorised access to your personal information, please let us know immediately. - We also maintain security procedures which, but are not limited to:
Secure lockable desks and cupboards, Desks and cupboards shall be kept locked if they hold
personal data. - Methods of disposal. Paper documents containing Personal Data are shredded and digital
storage devises shall be physically destroyed when they are no longer required. - Data users shall be appropriately training and supervisor in accordance with this Notice
which include requirements that computer monitors do not show confidential information
to passers-by and that Data Users log off from or lock their PC/electronic device when it is
left unattended. - Our computers have appropriate password security, boundary firewalls and effective
anti-malware defences. We routinely back-up electronic information to assist in restoring
information in the event of disaster.
Keeping your Personal Data Secure
Our employee and contracted personnel are bound to our privacy policies, procedures and
technologies which maintain the security of all your Personal Data from the point of collection to the
point of destruction.
We maintain data security by protecting the confidentiality, integrity and availability of your
Personal Data and when we dos so abide by the following definitions:
Confidentiality
We ensure that the only people authorised to use your personal data can access it. Employees are
prohibited from accessing and writing your personal data unless it is necessary to do so.
Integrity
We will make certain that your personal data is accurate and suitable for the purpose for which it is
processed.
Availability
We have established procedures which mean only authorised Data Users should be able to access
your personal data if they need it for authorised purposes.
Transferring the personal data out of the EEA
We shall only transfer any personal date we hold to a country outside the European Economic Area
(“EEA”), if one of the following conditions applies
- The country to which your personal data shall be transferred ensures an adequate level of protection and can ensure your legal rights and freedoms.
- You have given your consent that your personal data is transferred.
- The transfer is necessary for one of the reasons set out in the Enactments, including the performance of a contract between you and us or to protect your vital interest.
- The transfer is legal required on important public interest grounds or for the establishment, exercise or defence of legal claims.
- The transfer is authorised by the ICO and we have received evidence of adequate safeguards being in place regarding the protection of your privacy your fundamental rights and freedoms and which all your rights to be exercised.
The personal data we hold may also be processed by staff operating outside the EEA who work for us
or for one of our suppliers. Those date users may be engaged in, among other things, the fulfilment
of contracts with you, such processing of payment details and/or the provision of support services.
When we may share your personal data
There are times when we may need to share your personal data. This section discusses how and
when we might share your data.
I the course of us fulfilling our role it will be necessary for us to disclose your personal date in certain
situations:
- In our role we may need to share your personal data with certain bodies to fulfil our contract
with you such as your suppliers, contractors, sub-contractors, HRRC, ICB and other
governmental, regulatory bodies. - We use the following software providers to process electrical data including personal data,
TMS, KCS, Sage, Wombat. These providers state that it is GDRP compliant and or applies
equivalent/adequate safeguards. - We use secure external servers to process/store our electronic records, including your
personal data which are maintained by Microsoft.
Your Rights
Under the data protection legislation, you have several rights with regards to your personal data.
- Right to be informed
Shortridge Limited is publishing this Policy to keep you informed as to what we do with your
personal information. We strive to be transparent about how we use your data. - Data Subject Access Request (DSAR).
You may ask to us confirm what information we hold about you at any time and request us
to modify, update or delete such information. We will not charge you for this unless your
request is excessive. If you require further copies of this information from us, we may
charge you a reasonable administrative cost where legally permissible. Where we are legally
permitted to do so, we may refuse your request. If we refuse your request, we will always
tell you the reason for doing so. - Request correction.
You may request us to correct your personal data that we hold about you and to check that
we are lawfully processing it. - Request to erasure.
This enables you to ask us to delete or remove personal data in certain circumstances.
normally, the information should meet one of the following criteria:
a. The data are no longer necessary for the purpose for which we originally collected and
or processed them.
b. Where previously given, you have withdrawn your consent to us processing your data
and there is no other valid reason for us to continue processing.
c. The data has been processed unlawfully (i.e. in a manner which does not comply with
the GDPR).
d. Prevent processing which is likely to cause damage or distress to you or anyone else.
e. It is necessary for the data to be erased in order for us to comply with our legal
obligation as a data controller or if we process the data because we believe it necessary
to do so for our legitimate interests, you object to the processing and we are unable to
demonstrate overriding legitimate grounds for our continued processing regarding data
subject right to erasure and may refuse your request in accordance with the law.
We would only be entitled to refuse to comply with your request for one of the following reasons:
a. To exercise the right of freedom of expression and information.
b. To comply with legal obligations or for the performance of a public interest task or
exercise of official authority
c. For public health reasons in the public interest.
d. For archival, research or statistical purposes or to exercise or defend a legal claim.
e. When complying with a valid request for the erasure of data we will take all reasonably
practicable steps to delete the relevant data.
Right to restrict processing.
You have the right to request that we restrict our processing of your
personal data in certain circumstances. This means that we can only continue to store your data and
will not be able to carry out any further processing activities with it until either (1) one of the
circumstances listed below is resolved: (2) you consent or (3) Further processing is necessary for
either the establishment, exercise or defence of legal claims, the protection of the rights of another
individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your
persona data are:
- Where you object to our processing of your personal data for our legitimate interests.
Here you can request that the data be restricted while we verify our ground for
processing your data. - Where our processing of your personal data is unlawful, but you would prefer us to
restrict our processing of it rather than erasing it. - Where we have no further need to process your personal data, but you require the data
to establish, exercise or defend legal claims.
If we shared your personal data with third parties, we will notify them about the restricted
processing unless it is impossible or involves disproportionate effort. We will, or course, notify you
before lifting any restrictions on processing your personal data.
Access to data portability
If you wish, you have the right to transfer your data form us to another data controller. We will help
with this – either by directly transferring your data for you, or by providing you with a copy in a
commonly used machine-readable format.
The right to object
If we are using your data because we deem it necessary for our legitimate interest to do so and you
do not agree, you have the right to object. We will respond to your request within 30 days (although
we may be allowed to extend this period in certain cases). Generally, we will only disagree with you
if certain limited conditions apply.
Telephone queries request and written requests
When receiving telephone enquiries, in which personal date is requested we will only verbally
disclose personal data held on our system if we can confirm the caller’s identity so as to ensure that
the data is only given to a person who is entitled to receive it.
We may suggest that a caller put their request in writing to assist in establishing the caller’s identity
and to enable us to clearly record the nature of the request and to assist in further identity checks.
If we have reasonable doubts about the identity of the person making the request, we may request
additional information to confirm the caller’s identity.
In difficult situation our data user may refer a request to their line manager for assistance.
When responding to written requests personal data will only be disclosed if we can confirm the
identity of the sender and or enough supporting evidence is provided by the sender establishing
their identity.
Web Site
We may collect and process the following data:
- Information that you provide by filling in forms on out site. This includes information provided at the time of registering to use our site, subscribing to our services, posting material or requesting further service. We may also ask you for information when you report a problem with our site.
- If you contact us, we may keep a record of that correspondence.
- We may from time to time also ask you to complete survey that we use for research purposes, although you do not have to respond to them.
Third-party links
Our website may include links to third party websites, plug ins and applications. Clicking on those
links or enabling those connections may allow third parties to collect or share data about you. We
do not control these third-party websites and are not responsible for their privacy statements.
When you leave our website, we encourage you to read the privacy of every website you visit.
IP addresses
We may collect information about your computer, including where available you IP address,
operating system and browser type, for system administration and for internal reporting purposes.
This is statistical data about our users’ browsing actions and patterns and does not identify any
individual.
Cookies
Our website uses cookies to distinguish you form other users of our website. This helps us to
provide you with a good experience when you browse our website and allows us to improve our site.
If you disable or refuse cookies, please not that some parts of this website may become inaccessible
or not function properly.
Children
Shortridge do not believe its website or marketing contact is appealing to children, nor is it directed
at children. We do not knowingly collet personal identifiable data from persons under the age of 18
years. Any information regarding a child or children must me submitted on request when provided
by a parent, guardian or the child where a parent or guardian is present.
Complaints
You have the right to make a complaint at any time to the Information Commissioners Office (ICO)
the UK supervisory authority for data protection issues ( www.ico.org.uk ). We should, however,
appreciate the chance to deal with your concerns before your approach the ICO so please contact us
in the first instance.
Suzanne Appleby-Prentice
Shortridge Limited
Joseph Noble Road
Workington
Cumbria CA14 4JX
Changes to our Date Protection Policy
We keep our policy under regular review and reserve the right to amend and update the policy as
required. Where appropriate, we will notify you of those changes by mail, email and or by placing
and updated version of the policy on the website.