The Wedding Post Box Company Cornwall Privacy Policy – May 2018 Update

As a small business I am required to use and keep personal data for processing post box bookings and for my accounts. I am required to inform you of how I both process and store personal data for The Wedding Post Box Company Cornwall.

 

Data collected and how I use this data

I collect the following data:

 

The Wedding Post Box Company Cornwall - Bookings

What data is processed? – Names, addresses, emails, payments, personal data such as dates and names for customised orders.
 

* For customised designs using personal data such as dates and names, it is your responsibility to ensure that you have permission to share this information with The Wedding Post Box Company Cornwall. The information will be stored securely and will be used for the customer’s order only.


Lawful / legal basis for recording the data – To process bookings.

 

 

The Wedding Post Box Company Social Media Accounts - (Facebook, Instagram, Twitter)

 

What data is processed? - Names, addresses, emails,

The Wedding Post Box Company Cornwall uses social media accounts to allow people who find us to send us messages to find out more about us and to reserve bookings. All information is collected through the message boxes on these sites.

 

Lawful / legal basis for recording the data – To process orders made by customers, or to share information the customers request.

 

Payment Processing

Any payments that are made to The Wedding Post Box Company Cornwall are processed by third-party sites, i.e. Etsy or PayPal.

 

Third Party Websites (Etsy, PayPal, Facebook etc.): These sites are governed by their own privacy statements, and The Wedding Post Box Company Cornwall is not responsible for their operations, including but not limited to their information practices. Users submitting information to or through these third-party websites should review the privacy statements of these sites before providing them with personally identifiable information.

 

All data I use is viewed and processed either on my secure computer, which requires a password to access, or on my mobile phone, which is fingerprint protected. All my passwords are regularly changed and updated, and I am covered by ICO.

 

Data Sharing - No data is shared with any

 

Disclosure

Any data required or held by me is secure and held only by myself, and it will not be distributed to any third parties unless I have your permission or it is required for a lawful / legal basis; for example, I am required to share my accounts with HMRC if they request it (please read Retention of Data).

 

You may request details of personal information which I hold about you, and you may ask for them to be deleted, unless they are required for a lawful / legal basis.

 

Retention of Data

 

I do not retain customers' information any longer than required, but I will retain the following information for accounts / HMRC:

 

o What data is processed? – Documentation required for preparing accounts for HMRC.

· Data refers to – email confirmation, invoices, receipts, payments from customers.

· Lawful / legal basis for recording the data – the legal basis for processing this data is ‘legal obligation’ because it is required by HMRC.

· Data sharing – the document may be shared on request with HMRC.

· Data storage – the documents will be stored securely in paper / online format.

· Data retention – HMRC state: ‘I must keep records for at least 5 years after the 31 January submission deadline of the relevant tax year. HM Revenue and Customs (HMRC) may check my records to make sure you're paying the right amount of tax.’

· Data destruction – after the required length of time, the documents will be shredded / securely deleted.

 

All other data collected, if not needed for a lawful / legal basis, is deleted ASAP after obtaining it once it is no longer required.

 

Data Breaches

I will be obligated to notify the ICO of a data breach within 72 hours of becoming aware of the breach. I understand the huge fines in place for failing to follow correct procedures for a data breach.