Fair Processing Notice - Customer Data
Statement and Purpose of Policy
During the course of our activities, Monmouth will process personal data* belonging to our Customers, which may be held on paper, electronically or otherwise. This notice stresses the importance of transparency and treating all our Customers’ information properly, being open and honest about how we handle and process the information we collect. We firmly believe in a key set of guidelines, which give our Customers the trust and confidence to provide us with the information we need to run our business successfully and satisfy their requirements. Any data processing will always be for legitimate business reasons, in relation to products or services bought from us, and we fully recognise the need to treat all such data in an appropriate and lawful manner, in accordance with the “General Data Protection Regulation” (GDPR). This notice does not form part of any contract of sale or purchase, and as such, Monmouth reserves the absolute right to amend it at any time.
Monmouth is made up of several different legal entities (Monmouth Scientific Ltd and LabHub Ltd), and this privacy notice is issued on behalf of the Monmouth Group of Companies, with the understanding that “we”, “us” or “our” referred to in this privacy notice relates to the relevant entity within the Monmouth Group responsible for processing your data.
Who is Responsible for Data Protection and Data Security?
Maintaining appropriate standards of data protection and data security is a collective task shared between all relevant employees at Monmouth. This notice and the rules contained in it apply to all employees, irrespective of seniority, tenure and working hours, homeworkers, apprentices and fixed-term and temporary staff.
The Managing Director has overall responsibility for ensuring that all personal data is handled in compliance with the law, and will work with the HR & Business Director and our Digital Marketing team to ensure the day-to-day security of all data processed by Monmouth. All staff have personal responsibility for handling any data they have access to in a manner consistent with the principles set out, and for ensuring that measures are taken to protect the integrity of any data processed. Managers have the additional responsibility of leading by example and monitoring and enforcing compliance. Any breach of this policy will be taken seriously, and may result in disciplinary action being taken against an individual in line with Monmouth’s ‘Disciplinary & Appeal Policy For Misconduct & Gross Misconduct’.
Data Protection Principles
Monmouth will do its utmost to comply with data protection law at all times and will demonstrate compliance with key principles, which specify that the personal information we hold about you must be:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we have clearly explained to you, and not used in any way that is incompatible with those purposes
- relevant to the purposes we have told you about and limited to only those purposes
- accurate and kept up-to-date
- kept securely, and only for as long as necessary for the purposes we have told you about
How We Are Likely To Use Your Personal Data – Adequate, Relevant And Non-Excessive Processing, for Limited Purposes
Your personal data will only be processed to the extent that it is necessary for the specific purpose or purposes notified to you. We will never collect information for one purpose and then use it for another. We will always have a lawful basis to process personal information. Information will always be destroyed or deleted when we no longer need it, and subjects have a right to prevent their personal information being used for ‘direct-marketing’ or in a way that is likely to cause them or another person damage or distress. You may therefore withdraw your consent for us to use your information for direct-marketing purposes at any time.
All Monmouth employees with access to any such information know that it must be kept confidential, on computers locked with a password or shut down when left unattended. Personal information is never stored on individual computers, but only ever on Monmouth’s shared, central, secure data T-Drive.
Employees fully understand that discretion is to be used when viewing personal information on a monitor to ensure that it is not visible to others. Only authorised personnel will ever have access to and use of such personal data, and only then for authorised business reasons.
Particular care is taken by employees who deal with telephone enquiries to avoid inappropriate disclosures, and no Monmouth employee will ever allow a caller to bully them into disclosing personal information about any aspect of the data we hold.
Fair and Lawful Processing
We will usually only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of your vital interests, for our legitimate interests or the legitimate interests of others. The full list of conditions is set out in our “GDPR Policy”.
Accurate Data
We will keep the personal data we store about you accurate and up-to-date. Data that is inaccurate or out of date will be destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.
Data Retention
We will not keep your personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required, in line with our ‘Data Retention Guidelines’.
Processing in Line with Your Rights
You have the right to:
- be informed about the collection and use of your personal data
- request access to any personal data we hold about you, unless elements of this data refer to other individuals, or we have another lawful reason to withhold the information from you
- object to the processing of your data for direct-marketing purposes
- ask to have inaccurate data held about you amended
- prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else
- ask for your personal data to be erased, under certain circumstances; we will make reasonable efforts to comply with your request, unless the law allows us to use your personal information for longer
Data Security and Sharing, and Providing Information to Third Parties
We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss or deletion of, or damage to, personal data. We have in place procedures and technologies to maintain the security of all personal data throughout the period that we hold or control it, from the moment we obtain it to the time we destroy it when it is no longer needed.
We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law.
We cannot absolutely guarantee the security of information transmitted to our website. However, once your personal information is received, we will ensure appropriate measures are taken to secure your information. Where a payment is made through our website and over the phone, we may use third party processors such as ‘Sage Pay’ and ‘World Pay’, who specialise in the secure online capture of credit and debit card transactions.
Occasionally, we may have need to transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information. We will only ever transfer personal data to a third party for legitimate business reasons, such as to facilitate the delivery of a Customer order. This will only happen when we are fully confident that the third party has also put in place adequate measures to ensure the security of such personal data, and fully agrees to comply with those procedures and policies in their entirety.
We will also share your personal information with third parties when required by law, where it is necessary in order to administer the working relationship with you or where we have another legitimate interest in doing so. We will never disclose your personal data to a third party without your consent, unless we are satisfied that they are legally entitled to the data.
We Will Never:
- be secretive or misleading when collecting personal data
- be unclear about the purposes for which we will use or disclose personal data
- keep records that are inaccurate or out of date, or keep them for longer than required
We Will Always:
- ensure that we only collect the information we need to provide our product or service, and stop collecting and dispose of it securely when we no longer have a need to keep the data
- inform people exactly how we are going to process their data and for what purpose, which will be explained clearly and prominently on our websites
- keep Customer information secure, with only correctly-trained staff able to access it
- allow people access to the information we hold about them, by complying with any ‘subject access requests’ in a timely manner
- give Customers the choice to tell us when they no longer wish to hear from us, or no longer wish to receive marketing material of any description
For more information on collecting and using personal data, please visit:
www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
* “personal data” means recorded information we hold about you, from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you. “Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.