Sofa Cash and Carry General Data Protection Policy
At Sofa Cash and Carry, we are committed to maintaining the trust and confidence of visitors to our website, subscribers to our newsletter, our current and potential customers, our employees, and any individual we contact or who has been in touch with us. This policy document sets out how we collect, process and securely manage the personal data of those individuals.
Our Commitment to GDPR
As part of our commitment to protect the data of our customers, staff and business contacts, we follow GDPR guidance as set out below:
1.1. Record of Personal Data We Hold
– We keep a record of the personal data we hold (if any) and the reason we hold it. The record identifies:
– What personal data we hold – e.g. names, email addresses, and individuals’ financial information
– How we obtained it – e.g. a customer form, bought-in marketing lists, staff application forms
– Why we hold it and how we use it
– How long we have held it
– Whether we still need it – if not, this is an opportunity to delete it
– Whether we share it with other organisations, and
– Whether any of it is ‘special category data’, for example health records or information about someone’s race, religion or sexual orientation.
1.2. Right to Personal Data
– We have a policy for responding to people who ask about their rights regarding the personal information we hold about them.
– The right to be informed: individuals have the right to know why and how their personal data is processed.
– The right of access: under current data protection law an individual can make a subject access request, and we will provide the information within one month of receiving the request. A copy of the requested information will be provided free of charge unless the request is what the law calls ‘manifestly unfounded or excessive’, in particular if it is repetitive. If we decide to charge a fee, it will be based on the administrative cost of providing the information. If we refuse a request, we will tell the individual why, and they can complain to the ICO or seek a judicial remedy.
– The right to data portability: this allows people to obtain and re-use their personal data for their own purposes across different services. It applies:
– to personal data a person has given us,
– when we are processing that data on the basis of consent or for the performance of a contract, and
– when the processing is carried out by automated means.
People have the following rights over the personal data we hold about them, and we have a plan for dealing with any request:
1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restriction of processing
6. Right to data portability
7. Right to object
8. Rights in relation to automated decision-making and profiling
1.3. Self-Assessment and Communication
– Before we collect personal data, we carry out a self-assessment and check that we:
– Clearly tell people why we need the data and how we will use it
– Provide them with certain information, including the identity of our business and how we plan to use their information
– We do this so that our customers, employees and other individuals understand what we will do with the personal data we collect.
– We tell people about their rights and their ability to complain to the ICO if they are concerned about how we handle their information.
1.4. Our Data Security
We check our security. This includes locking filing cabinets and password-protecting any of our devices and cloud storage that hold our staff’s or customers’ personal data.
– We ensure that personal data is held securely. This includes protecting data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Some of the steps we take to protect the personal data we hold include:
– Password-protecting and encrypting our electronic devices
– Pseudonymisation (replacing names and other identifiers with a code or token, with the key needed to re-identify individuals kept separately and under access control)
– Setting up firewalls
– Installing anti-virus software
– Securing our business premises, and
– Using securely locked storage for paper records
More details are given in the Our Data Security Policy section below.
1.5. Data Breach Procedure and Policy
We have a process in place so that we know what to do if a personal data breach occurs.
– We will notify the ICO without undue delay, and where feasible within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to people’s rights and freedoms (for example damage to reputation, financial loss, loss of confidentiality, or other significant economic or social disadvantage). If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also contact those individuals directly and without undue delay.
– Our policy covers the situations in which a data breach could occur in our business, for example:
– Paperwork or IT devices are lost or stolen
– Malware is used to gain access to our computer systems
– Personal data is sent to the wrong person by email, post or fax, or
– Documents are not disposed of properly, e.g. not shredded
More details are given in the Our Data Security Policy section below.
Types of data we collect
We use a system of classifying the different types of cookies which we use on the Website, or which may be used by third parties through our websites. The classification was developed by the International Chamber of Commerce UK and explains more about which cookies we use, why we use them, and the functionality you will lose if you decide you don’t want to have them on your device.
2.1.1. Cookies Policy
What are cookies?
Cookies are small text files that a website places on your computer or other device when you visit it. Your browser sends them back to the website that set them (or to another site that recognises the cookie) on later requests, which is how a site can recognise your browser and remember things between pages and between visits.
How long are cookies stored for?
Persistent cookies – these cookies remain on a user’s device for the period specified in the cookie (its Expires or Max-Age attribute). They are sent back each time the user visits the website that created that particular cookie.
Session cookies – these cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close it. Session cookies are created temporarily; once you close the browser, all session cookies are deleted (though a browser set to restore its previous session on start-up may retain them).
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. You can find more information about cookies at www.allaboutcookies.org and www.youronlinechoices.eu
How are cookies managed?
The cookies stored on your computer or other devices when you access our websites are set by:
– Us, or third parties acting on our behalf; these are necessary to enable you to make purchases or enquiries on our website
– Third parties who participate with us in marketing programmes; and
– Third parties who serve web banner advertisements on our behalf.
What are cookies used for?
The main purposes for which cookies are used are:
– For technical purposes essential to the effective operation of our websites, particularly in relation to online transactions and site navigation.
– For us to market to you, particularly through web banner advertisements and targeted updates.
– To enable us to collect information about your browsing and shopping patterns, including to monitor the success of campaigns, competitions etc.
– To enable us to meet our contractual obligations to make payments to third parties (where applicable) when a product is purchased or an enquiry is made by someone who has visited our website from a site operated by those parties.
How do I disable cookies?
If you want to disable cookies you need to change your web browser settings to reject cookies. Details of how to do this for the most popular browsers are set out below:
Google Chrome https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=en
Microsoft Edge https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
Mozilla Firefox https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Microsoft Internet Explorer https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
Apple Safari https://support.apple.com/kb/ph21411?locale=en_US
What happens if I disable cookies?
This depends on which cookies you disable, but in general the website may not operate properly if cookies are switched off. If you only disable third-party cookies, you will not be prevented from making purchases on our sites. If you disable all cookies, you will be unable to complete a purchase or make an enquiry on our sites.
Cookies used on the Website
A list of all the cookies used on the Website by category is set out below.
Strictly necessary cookies: These cookies enable services you have specifically asked for. These cookies are essential in order to enable you to move around the Website and use its features, such as accessing secure areas of the Website.
Performance cookies: These cookies collect anonymous information on the pages visited. By using the Website, you agree that we can place these types of cookies on your device. These cookies collect information about how visitors use the Website, for instance which pages visitors go to most often, and whether they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the Website works.
Functionality cookies: These cookies remember choices you make to improve your experience. By using the Website, you agree that we can place these types of cookies on your device. These cookies allow the Website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for, such as watching a video or commenting on a blog. The information these cookies collect may be anonymised, and they cannot track your browsing activity on other websites.
Third-party cookies: These cookies allow third parties to track the success of their application or customise the application for you. Because of how cookies work we cannot access these cookies, nor can the third parties access the data in cookies used on our site. For example, if you choose to ‘share’ content through Twitter or other social networks you might be sent cookies from these websites. We don’t control the setting of these cookies, so please check those websites for more information about their cookies and how to manage them.
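The lifetime and first-party/third-party distinctions described above can be checked against what a site actually sets. The following script is an added example, not Sofa Cash and Carry’s own code: it parses Set-Cookie headers (a constructed sample, with a hypothetical host name and a fixed clock) and classifies each cookie as session, persistent or expired and as first- or third-party. It also records the Secure and HttpOnly flags, which the text above does not discuss but which a cookie audit would normally capture.

```python
"""Cookie audit helper: classify Set-Cookie headers by lifetime and party.

Added example (not Sofa Cash and Carry's code). The host name, the clock
and the Set-Cookie headers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Hypothetical first-party host, used to decide first vs third party.
SITE_HOST = "www.sofacashandcarry.example"

# Fixed "current time" so the lifetime arithmetic is reproducible offline.
NOW = datetime(2025, 10, 21, 7, 28, 0, tzinfo=timezone.utc)

# Constructed sample headers, as a browser might receive them on one page view.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.111; Domain=.sofacashandcarry.example; Max-Age=63072000; Path=/",
    "IDE=xyz; Domain=.doubleclick.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
    "promo=1; Max-Age=0; Path=/",
]


@dataclass
class CookieInfo:
    name: str
    domain: str
    lifetime: str                      # "session", "persistent" or "expired"
    seconds_remaining: Optional[int]   # None for session cookies
    party: str                         # "first" or "third"
    secure: bool
    http_only: bool


def _is_first_party(domain: str, site_host: str) -> bool:
    """A cookie is first-party if its Domain attribute covers the site host."""
    return domain == site_host or site_host.endswith("." + domain)


def parse_set_cookie(header: str, site_host: str = SITE_HOST, now: datetime = NOW) -> CookieInfo:
    """Parse one Set-Cookie header value into a CookieInfo."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs, flags = {}, set()
    for part in parts[1:]:
        key, has_value, value = part.partition("=")
        if has_value:
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(key.strip().lower())

    # No Domain attribute means the cookie is host-only for the site that set it.
    domain = attrs.get("domain", site_host).lstrip(".").lower()

    # Max-Age wins over Expires when both are present (RFC 6265 section 5.3).
    remaining: Optional[int] = None
    if "max-age" in attrs:
        try:
            remaining = int(attrs["max-age"])
        except ValueError:
            remaining = None            # browsers ignore a malformed Max-Age
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            remaining = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            remaining = None

    if remaining is None:
        lifetime = "session"
    elif remaining <= 0:
        lifetime = "expired"            # Max-Age=0 or a past Expires deletes the cookie
    else:
        lifetime = "persistent"

    return CookieInfo(
        name=name,
        domain=domain,
        lifetime=lifetime,
        seconds_remaining=remaining,
        party="first" if _is_first_party(domain, site_host) else "third",
        secure="secure" in flags,
        http_only="httponly" in flags,
    )


def audit(headers: List[str], site_host: str = SITE_HOST, now: datetime = NOW) -> List[CookieInfo]:
    """Classify every Set-Cookie header observed for one site."""
    return [parse_set_cookie(h, site_host, now) for h in headers]


if __name__ == "__main__":
    for c in audit(SAMPLE_HEADERS):
        days = "-" if c.seconds_remaining is None else f"{c.seconds_remaining // 86400}d"
        print(f"{c.name:<10} {c.party:<6} {c.lifetime:<10} {days:>6}  secure={c.secure} httponly={c.http_only}")
```

Run against real headers (for example the Set-Cookie values captured from the browser’s developer tools), the output gives the list a cookie notice needs: which cookies are set, by whom, and for how long. A cookie with a Domain that does not cover the site host is the third-party case described above.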
2.2. Analytics & Tracking
2.2.1. Google Analytics
When someone visits our website, we use a third-party service such as Google Analytics, or a similar service, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is sometimes processed in a way that helps to identify a potential customer or their browsing behaviour. The data is safeguarded in accordance with this document; for more information on how data stored in Google Analytics is safeguarded, visit the following page
For Google Analytics data retention, more information can be found here
To find information relating to other browsers, visit the browser developer’s website.
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout
2.2.2. Tracking of Videos Embedded within the Website
Videos hosted on video-sharing platforms and embedded in our website carry some tracking by those platforms; more details can be found at the following links for the most common video-sharing platforms
2.2.3. Online Sales and Web Contact Form Enquiries
When customers or potential customers buy our products and services online, or when anyone makes an enquiry through our website or over the phone, we retain basic information about them in order to deliver the products they bought or the service they enquired about. We may contact them again in the future to offer similar products or services, and they can at any time explicitly ask us to remove them from future contact. The same principle applies to anyone who contacts us about a job or a general enquiry.
If you use our Wi-Fi we may collect data about:
– Your device;
– The volume of data which you use;
– The websites and applications which you access; and
– Your usage by access time, frequency and location.
2.3. Mailing Lists
As part of the registration process for our monthly e-newsletter, we collect personal information. We use that information for a few reasons: to tell you about the things you have asked us to tell you about; to contact you if we need to obtain or provide additional information; to check that our records are right; and to check every now and then that you are happy and satisfied. We use third-party providers, such as MailChimp or similar tools, to deliver our newsletter. We gather statistics on email opens and clicks using industry-standard technologies to help us monitor and improve our e-newsletter. For more information, see as an example MailChimp’s privacy notice at https://mailchimp.com/legal/privacy. You can unsubscribe from general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data protection officer.
2.4. General Support, HelpDesk & Ticketing Data
When a customer engages us for general support, we use a HelpDesk and Ticketing system. During the support process, we collect the information needed to resolve your reported issue. We sometimes share this information with third-party suppliers for expert consultation, to ensure your reported issues are addressed effectively. The information generally includes your name, address, email and contact number. After your issue is resolved, we keep the reported issue and its associated details in our HelpDesk Ticketing system for the serviceable life of your contract, or for the lifetime of the system you reported the issue for. This is so that we keep a track record of all the issues reported for the system in question and can see how many times the same issue has recurred.
As part of the HelpDesk Support and Ticketing process, you will receive regular alerts and notifications (emails, text messages and phone calls) to keep you updated on progress.
You may, of course, request that your information be deleted from our HelpDesk and Ticketing system, or ask us not to send progress updates, as part of your communication preferences.
2.4.1. Third Parties
We may share personal information, anonymised or pseudonymised where the purpose allows, with other organisations, in particular our solutions specialists, hosting companies and hardware and software suppliers, who use it to provide the best possible solution and/or service for your business needs.
Many of these third parties work in partnership with us and have NDAs (non-disclosure agreements) in place to protect our customers’ data. We will let them know about your requirements and may have to share your name and contact details with them, but they cannot contact you unless you have agreed to it. We will not share sensitive information or your payment details.
2.4.2. Phone Calls
Where you have opted-in to receive calls from us regarding our new products and services, we and our sales and marketing partners will be getting in touch to make you aware of our special offers, promotions and to demonstrate our new products and services.
For HelpDesk support and Ticketing requests, where you have contacted us and requested support, we will assume that you have given us permission to contact you over the phone unless you have explicitly asked not to be contacted by phone.
2.4.3. Remote Access to your Computer Systems
Where we have a pre-arranged support contract with you, and you have given us permission to connect to your computer systems remotely in order to resolve a reported issue or to install new software or hardware, we will connect to your systems remotely. It is your responsibility to ensure that any personal and private data of your staff and your customers is not visible to us and that we do not have access to it, so that no personal or private data is accessed unintentionally.
2.4.4. Permission to Access & Process Data
In order to serve support and sales requests, our customers (as data controllers for their business) must give us permission to process their own and their clients’ personal data, such as website enquiries, website analytics, technical support requests made to suppliers on their behalf, CRM records, sales and marketing records, emails, logins, passwords and other confidential information. We treat and process all confidential and personal information in accordance with the GDPR and the security principles set out in this document.
Our Data Security Policy
3.1. Our Security Principle to protect your Data
A key principle of the GDPR is that we process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
Doing this requires us to consider things like risk analysis, organisational policies, and physical and technical security measures.
We also ensure that we have appropriate processes in place to test the effectiveness of our measures and to make any required improvements, following the checklists provided by the ICO as a guide. Some of the checklist items are:
– We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.
– When deciding what measures to implement, we take account of the state of the art and costs of implementation.
– We follow this document in general as our information security policy and take steps to make sure the policy is implemented.
– Where necessary, we have additional policies and ensure that controls are in place to enforce them.
– We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
– We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
– We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.
– We use encryption and/or pseudonymisation where it is appropriate to do so.
– We understand the requirements of confidentiality, integrity and availability for the personal data we process.
– Where needed, we can restore access to personal data after an incident, for example through an appropriate backup process.
– We periodically test and review our measures to ensure they remain effective.
– Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
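Pseudonymisation is listed in section 1.4 and again above as one of the measures we rely on. As an added illustration, not the company’s own code, the Python below shows one way to do it for helpdesk records of the kind described in section 2.4: identifying fields are replaced with keyed HMAC tokens, the key and the token-to-value table are held separately from the data set, and the pseudonymised records can still be used to count how often the same person reported an issue. The field names, sample records and demo key are constructed.

```python
"""Pseudonymisation with a separately held key.

Added example, not Sofa Cash and Carry's code. The field names, sample
records and DEMO_KEY are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that identify a person directly; everything else is left as it is.
IDENTIFYING_FIELDS = ("name", "email", "phone")


def generate_key() -> bytes:
    """Key that the data protection officer (or a key custodian) holds
    separately from the pseudonymised data set."""
    return secrets.token_bytes(32)


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Deterministic, keyed token for one field value.

    HMAC-SHA256 rather than a plain hash: without the key nobody can rebuild
    the token from a guessed name or email address (a dictionary attack on a
    plain SHA-256 of an email address is cheap). The field name is mixed in
    so the same string in two different fields yields different tokens.
    """
    normalised = " ".join(value.split()).lower()
    mac = hmac.new(key, f"{field}:{normalised}".encode("utf-8"), hashlib.sha256)
    return f"{field}_{mac.hexdigest()[:16]}"


def pseudonymise(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (pseudonymised record, lookup table).

    The lookup table maps token -> original value. It must be stored apart
    from the data set, next to the key, under access control: whoever holds
    neither the key nor the table cannot attribute the data to a person.
    """
    out = dict(record)
    lookup: Dict[str, str] = {}
    for field in IDENTIFYING_FIELDS:
        if record.get(field):
            token = pseudonym(field, record[field], key)
            lookup[token] = record[field]
            out[field] = token
    return out, lookup


def reidentify(record: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Reverse the process for a holder of the lookup table, e.g. to answer
    a subject access request."""
    return {k: lookup.get(v, v) for k, v in record.items()}


# Constructed demo key and tickets (a real key comes from generate_key()).
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DEMO_TICKETS: List[Dict[str, str]] = [
    {"ticket": "T-1001", "name": "Jane Doe", "email": "Jane.Doe@example.org",
     "phone": "01234 567890", "issue": "login failure"},
    {"ticket": "T-1002", "name": "Jane  Doe", "email": "jane.doe@example.org",
     "phone": "01234 567890", "issue": "login failure"},
    {"ticket": "T-1003", "name": "John Roe", "email": "john.roe@example.org",
     "phone": "01234 999999", "issue": "printer offline"},
]


def demo(key: bytes = DEMO_KEY):
    """Pseudonymise the sample tickets and count tickets per person without
    the counting step ever seeing who the person is."""
    pseudonymised, lookup = [], {}
    for ticket in DEMO_TICKETS:
        record, table = pseudonymise(ticket, key)
        pseudonymised.append(record)
        lookup.update(table)
    per_person: Dict[str, int] = {}
    for record in pseudonymised:
        per_person[record["email"]] = per_person.get(record["email"], 0) + 1
    return pseudonymised, lookup, per_person


if __name__ == "__main__":
    records, table, counts = demo()
    for r in records:
        print(r)
    print("tickets per pseudonymised customer:", counts)
    print("re-identified first ticket:", reidentify(records[0], table))
```

Two points of design worth noting. First, the tokens are deterministic under one key, so two tickets from the same person link together (the recurrence tracking section 2.4 describes) while the data set alone reveals nothing about who that person is; changing the key changes every token, which is how a data set shared with a supplier is kept unlinkable to one shared with another. Second, the normalisation step is deliberately minimal; anything more aggressive (stripping punctuation from names, say) trades linkage accuracy for the risk of merging two different people.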
3.1.1. Computer security checks that we apply:
– Install firewalls and anti-virus software on our computers and servers
– Protect our computers by applying the latest patches and security updates, which close known vulnerabilities
– Only allow staff access to the information they need to do their job, and do not let them share passwords
– Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen (a password on its own does not protect the data on a lost or stolen device unless the storage is also encrypted)
– Take regular backups of the information on our computer systems and keep them in a separate place, so that if we lose our computers we do not lose the information
– Securely remove all personal information before disposing of old computers (by securely wiping or destroying the hard disk)
– Install an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on your computer.
3.1.2. Email security
– Before sending confidential information, we check whether the content of the email should be encrypted or password protected.
– When we start to type in the name of a recipient, some email software suggests similar addresses we have used before. In this case, we make sure we choose the right address before we click send.
– When we want to send an email to several recipients without revealing their addresses to each other, we use blind carbon copy (bcc), not carbon copy (cc).
– We take care when using a group email address: we check who is in the group and make sure we really want to send the message to everyone.
– If we send a sensitive email from our secure server to a recipient whose email service is not secure, the content may be exposed in transit or at the recipient’s end. We are not responsible for the recipient’s email security arrangements.
3.1.3. Fax security
– We consider whether sending the information by a means other than fax is more appropriate, such as a courier service or secure email.
– We send only the information that is required. For example, if a solicitor asks us to forward a statement, we send only the statement specifically asked for, not all the statements on file.
– We double-check the fax number before sending.
– We check that the recipient is responsible for their own security measures at the receiving end.
– If the fax is sensitive, we first confirm with the recipient that they are at the fax machine, that they are ready to receive the document, and that there is sufficient paper in the machine.
– We ring or email the recipient to make sure the whole document has been received safely.
– We use a cover sheet, so that anyone who sees the fax knows who the information is for and whether it is confidential or sensitive, without having to look at the contents.
3.1.4. Other security measures
We shred all confidential paper waste and check the physical security of our premises.
We provide our staff with training on data security so that:
– They know what is expected of them
– They are wary of people who may try to trick them into giving out personal details
– They know they can be prosecuted if they deliberately give out personal details without permission
– They use strong passwords
– They do not believe emails that appear to come from a bank asking for account or credit card details or a password (a bank would never ask for this information in this way)
– They do not open spam, not even to unsubscribe or ask for no more mailings; we tell them to delete the email and use spam filters
Data Access, Management, Assessment & Changes
4.1. Access to your personal information
You are entitled to view, amend or delete the personal information we hold about you. Email your request to our data protection officer.
4.2. Management and Reporting of Data Breaches
In the unlikely event of a data breach, we will follow the ICO’s guidance on reporting personal data breaches, taking account of the nature of the data involved. More details can be found here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
4.3. Regular Self-Assessment
As a responsible business we have a duty of care for the data we hold about our customers, suppliers and staff, and we are committed to carrying out regular self-assessments to ensure we comply with the GDPR as enforced by the ICO. Where a self-assessment identifies a need to change our policies and procedures, we will update our internal procedures and ensure our staff and systems are updated accordingly.
4.4. Data Controller, Data Processor and Data Protection Officer
We are the primary data controller when it comes to handling your data; our partners and trusted third parties may act as data processors in some cases. If you would like to discuss what information we hold about you, we have a dedicated data protection officer who can be reached at firstname.lastname@example.org
4.5. Changes to this Policy
We have always prioritised the privacy and security of the content we protect with our applications and services. As part of our GDPR compliance efforts, we will continue to refine, improve and document our security measures to protect against unauthorised access, use or disclosure of that content. GDPR compliance is a responsibility of all data processors and data controllers, including those that administer and use our products. We are committed to keeping our products and services compliant, so that our customers can continue to use them with confidence and in a manner that supports their own compliance efforts.
Regulatory guidance on the GDPR from European data protection authorities is still evolving, and we are closely monitoring how the GDPR’s personal privacy rights are interpreted in the context of the services we provide. As this evolves we will continue to reflect the latest guidance in our policies, terms and processes, and we will update this document accordingly.