Definitions

Data Controller: The controller determines the purposes and means of processing data.
Data Processor: The processor is responsible for processing the data on behalf of the controller.
Data Subject: A person whose data is processed by a controller or processor.

Data Controller Information

Russell Mainstream Supply Limited
16 Back Park,
Kettlebridge, KY15 7QB

Data Retention

Invoices: Data will be stored for 6 years (from the end of the last financial year) in the form of invoices and will be processed solely for archiving purposes in the public interest (HMRC requirements).
These invoices will be destroyed after the minimum time required to comply with HMRC regulations. Organisational methods will be employed to protect the data from unauthorised or unlawful processing and against accidental loss or theft.

Email data: Emails from data subjects to Russell Mainstream Supply Limited email addresses will be deleted from the servers that we use after one month unless the email is part of an ongoing conversation.
In this case, once the email conversation is complete / resolved, the email conversation will be deleted from the email servers.

Online content management system data: Other data stored will be on the online shop's content management system if a data subject creates a registered account. This data includes:

  • Order history
  • Order details
  • Shipping / billing addresses
  • Name and title
  • Email address
  • Vouchers and loyalty points
  • Registration date
  • Date of last visit
  • Age (if given upon registration)
  • Phone number
  • IP addresses
  • Messages
  • Cart details
  • Method of payment
  • Language

Only the registered user and the data controller have access to this data.

Inactive registered user accounts will be deleted after 2 years of inactivity. Due to the right to erasure, a registered user can choose to have their account deleted at any time by contacting the data controller (Russell Mainstream Supply Limited).

The data Russell Mainstream Supply Limited processes and the lawful basis for processing

All data will be processed on the basis of consent.

The data controller Russell Mainstream Supply Limited deems the processing of data as necessary for the following reasons:

  • Names, addresses and phone numbers are required to fulfil customer orders. Names and addresses are required for shipping; a phone number is required so that Russell Mainstream Supply Limited couriers can contact the customer if necessary (please see the 3rd party section for more information).
  • Age data is given voluntarily by the data subject / registered user. Russell Mainstream Supply Limited reserve the right to not send out products to registered users that have volunteered data that indicates that they are aged under 18.
  • Vouchers and loyalty point data is stored on the system (Prestashop CMS) to enable data subjects / registered users to make use of discounts.
  • Date of registration, last visit data and IP address information is data that is processed as default with Prestashop's CMS system. IP addresses may be useful and sometimes viewed if it is suspected that the registered user's account has been compromised. The user's last visit can also help the data controller and the data subject determine whether the data subject / registered user's account may have experienced an unauthorised login. The date of registration assists the data controller in determining which accounts are inactive and require deletion after a year of inactive use (please refer to the data retention section for more information).
  • A billing address is required for accounting purposes and invoices. This is for both the records of the data controller and the data subject who may also require invoices for filing and accounting.
  • Past orders and customer carts are stored so that the data subject / registered user can view past carts / orders for accounting purposes or to assist with future purchasing. Data of orders also assist the data controller in fulfilling those orders.
  • The messaging system within the Prestashop admin is in place so that customers / data subjects can be updated on order statuses and so that the data subject can contact Russell Mainstream Supply Limited should they wish to. Messages will be deleted after 3 months.
  • Method of payment used is stored so that the data controller can use this information for accounting purposes. No payment details are stored on the online store or the server that Russell Mainstream Supply Limited uses. All payments are processed by external data processors (please see data processor section).
  • Language is stored so that the data controller is better able to communicate with the data subject if necessary.
  • Email addresses are required for the following purposes:
    To ensure that data subjects receive important information regarding their orders as well as having a point of contact with the data subject in case the data controller needs to contact the data subject in the event of a problem with the order.
    The email address also helps verify if the data subject is indeed the registered user as the recipient of the emails will become aware that an account has been registered using their email address. If they have not created the account, this will help alert them to this.
    The only other reason that email address data would be processed is if the email address is on the Russell Mainstream Supply Limited newsletter list. The data subject has to explicitly and voluntarily give consent to receive a newsletter from Russell Mainstream Supply Limited and have their data stored on the newsletter list.

Consent

The data subject will have to clearly give consent to the processing of their data by agreeing to this privacy notice when registering with Russell Mainstream Supply Limited.
If a data subject withdraws their consent, the data of that individual will no longer be processed. However, as stated in the 'data retention' section, financial records such as invoices need to be stored for the appropriate period designated by HMRC. By giving consent, the data subject understands that this data will be solely used for archiving purposes in the public interest and will be destroyed once the minimum retention period stated by HMRC has passed.

Consent must be given via a positive opt in. The data subject will need to voluntarily tick a checkbox to provide consent. No pre-ticked boxes will be used.

The data subject must agree to both the privacy notice and terms and conditions separately via two separate checkboxes.

If the data subject refuses consent, Russell Mainstream Supply Limited will not be able to process the data subject's data and therefore an account with Russell Mainstream Supply Limited cannot be set up for the data subject and orders cannot be placed by the data subject. Orders and registered accounts cannot be created without data processing and therefore consent is required before either of these can be actioned. Consent is a precondition of signing up to the Russell Mainstream Supply Limited service as data processing is necessary for the service.

No consent is required to browse the online catalogue as only 'essential' cookies are used (please see the 'cookies' section for more information).

Consent can be withdrawn at any time (please see data subject's rights). No personal data will be processed without consent.

Third Parties

By agreeing to this privacy notice, in the event that the data subject places an order with Russell Mainstream Supply Limited, they agree that their name, address and contact details will be passed onto Russell Mainstream Supply Limited couriers / postal services so that their orders can be fulfilled. Depending on the courier (all of which are GDPR compliant), they may contact the data subject with delivery status updates via email or text.

In some cases, where items are not in stock at the Russell Mainstream Supply Limited facility, drop shipping may be required to ensure a quick and efficient fulfilment of the order. In the rare cases that this may occur, the data subject's name, billing / delivery address and contact details such as a phone number or email address may be passed onto Russell Mainstream Supply Limited suppliers and their couriers in order for them to fulfil the order. The drop shippers are:

Lynd Products Ltd
Sentek Ltd
Dimanco Ltd
Day-Impex Ltd
LIA International Ltd
Johnson Test Papers Ltd

The accountancy firm that Russell Mainstream Supply Limited use have access to accounting data via Quickbooks software. Quickbooks stores invoices and data such as name, billing address, shipping address, email address and telephone number. The accountancy firm is:

James Hair & Co

Other than the data processors that we use (see data processors section for more information), the above are the only instances in which a data subject's data would be accessed / processed by a third party.

Data Subject's Rights

A data subject has the following rights:

The right to be informed: A data subject has a right to be informed about the collection and use of their data.

The right of access: A data subject has the right to access their personal data and be aware of and verify the lawfulness of processing. If a data subject uses their right to access, Russell Mainstream Supply Limited will provide a copy of the information free of charge. The information will be provided within 1 month of the request. In order to supply the data subject with the requested information, Russell Mainstream Supply Limited must verify the identity of the data subject. The data subject will already have access to most of their personal data via the secure online Russell Mainstream Supply Limited registered user dashboard. If the data subject clicks on 'My Personal Data' in their dashboard, they can download their data to a PDF or CSV file.

The right to rectification: A data subject has a right to make a request for rectification and have inaccurate data rectified or completed if it is incomplete. Russell Mainstream Supply Limited has one calendar month after the request to respond to and rectify the specified information.

The right to erasure: A data subject has a right to have their data erased. A data subject can make a request for erasure and Russell Mainstream Supply Limited has 1 calendar month to respond. The data subject requests to have the data erased in the knowledge that once this has been completed, they will no longer have a registered account with Russell Mainstream Supply Limited and will be unable to place future orders. Russell Mainstream Supply Limited may need to verify the identity of the data subject before erasing data. This may be in the format of a phone call to the phone number on the registered account details. This method removes the need for requests for additional personal data (e.g. photo ID) from the data subject.

The right to restrict processing: A data subject has the right to request restriction of the processing of their data. This right gives the data subject more control over how their data is used and they can limit the way in which a data controller uses their data. When processing is restricted, Russell Mainstream Supply Limited can still store the data but not use it. Russell Mainstream Supply Limited has 1 calendar month to respond to a right of restriction request.

The right to data portability: A data subject has a right to obtain, move, copy or transfer data easily from one online service to another. Once a data subject utilises their right to portability by communicating the request to Russell Mainstream Supply Limited, a response will be made within 1 calendar month. Data will be provided to the data subject in a machine readable format.

The right to object: A data subject has a right to object to processing based on legitimate interests, direct marketing, profiling and processing for purposes of research and statistics. As soon as a right to object request is received by Russell Mainstream Supply Limited, processing of the data subject's data by the data controller will be stopped. The request will also be communicated to third parties and data processors if applicable.

Rights in relation to automated decision making and profiling: This is a right under GDPR regulation but is not applicable to Russell Mainstream Supply Limited as Russell Mainstream Supply Limited does not use automated decision making or profiling.

The right to withdraw consent: A data subject can withdraw consent at any time and consent withdrawals will be acted upon as promptly as possible.

Data Processors

Russell Mainstream Supply Limited (data controller) uses the services of data processors that provide sufficient guarantees that their data protection policies meet GDPR requirements. Each processor has its own policies in relation to GDPR regulation. The owners of Russell Mainstream Supply Limited have checked to the best of their ability that all data processors comply with GDPR regulation.

Russell Mainstream Supply Limited uses the services of five data processors that handle Russell Mainstream Supply Limited user data:

Stripe Payments Europe Ltd payment processor:
Russell Mainstream Supply Limited have entered into a formal agreement with Stripe Payments Europe Ltd by accepting their Data Processing Agreement. This agreement is a contract between Russell Mainstream Supply Limited and Stripe Payments Europe Ltd that covers the requirements of Article 28 of GDPR regulation.

Regarding international data transfers, the Data Processing Agreement outlines that it may be necessary for Stripe Payments Europe Ltd to transfer data outside of the European Economic Area. If personal data is transferred to a location that has not been issued an adequacy decision by the European Commission, Stripe Payments Europe Ltd will ensure that appropriate safeguards have been implemented in accordance with applicable law.

Examples of appropriate safeguards mentioned in Stripe's privacy policy are: EU Standard Contractual Clauses with a data recipient outside the EEA, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US and Swiss-US Privacy Shield Framework. The full privacy policy can be viewed here: https://stripe.com/gb/privacy

Stripe has privacy shield certification. Their Privacy Shield policy can be viewed here: stripe.com/privacy-shield-policy.

Data processed by Stripe Payments Europe Ltd includes:

  • Cardholder name
  • Email address
  • Unique customer identifier
  • Order ID
  • Bank account details
  • Payment card details
  • Card expiration date
  • CVC code
  • Date/time/amount of transaction
  • Merchant name/ID
  • Location

To read more about Stripe and GDPR, you can view the 'Stripe Privacy Center' page by clicking here: https://stripe.com/privacy-center/legal

Nochex payment processor:
Nochex have added a GDPR statement to their privacy policy: https://www.nochex.com/privacy-policy/

Paypal payment processor:
Russell Mainstream Supply Limited has received a statement from Paypal that confirms that Paypal will be GDPR compliant by the 25th May 2018.

Krystal Hosting:
Krystal have confirmed in a statement that they are GDPR compliant:
'We have updated our Privacy Notice to meet the requirements of the new framework and have also implemented the required internal procedures to ensure that as a business we are fully GDPR compliant.'

Xero bookkeeping software:

Information regarding Xero's GDPR policies can be found here: https://www.xero.com/uk/campaigns/xero-and-gdpr/

A data processing addendum that covers the requirements of Article 28 of GDPR regulation has been agreed and signed by both parties (Xero managers / directors and a Russell Mainstream Supply Ltd director).

Within the addendum, it states the following regarding international data transfers:

Xero shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

So although Xero may transfer data outside of the EU, they will only do so to locations where appropriate safeguards have been ensured.

Xero is also regularly audited against SOC 2 standards by an independent third-party auditor. The SOC 2 report covers the Trust Services Principles and Criteria for Security, Availability, and Confidentiality.

Data Breaches

In the unlikely event of a data breach (security measures / procedures are regularly assessed and adhered to), Russell Mainstream Supply Limited will report the breach to the Information Commissioner's Office.
This will be reported within 72 hours of Russell Mainstream Supply Limited becoming aware of the breach.
If the breach is likely to affect individuals' rights and freedoms, the affected individuals will be informed without undue delay.

Records will be kept of any personal data breaches. Personal data breaches can include:

Access by an unauthorised third party.
Sending personal data to an incorrect recipient.
Computing devices containing data being lost or stolen.
Malicious sources deleting or stealing data.
Alteration of personal data without permission.
Loss of availability to personal data.

Cookies

The cookies on Russell Mainstream Supply Limited have been separated into 'essential' and 'extras'. In order for the website to function (e.g. the shopping cart or DDoS protection), the 'essential' cookies are installed by default when a user navigates the website. The 'extra' cookies are required for the following services to function:

  • Google analytics
  • Google Adwords
  • Bing Ads

In order for the above 'extra' cookie services to function, the user must choose to agree to the cookie notification popup. If the user does not agree, they can still browse the site but the 'extra' cookie services will not function and these 'extra' cookies will not be installed.

Data subjects that are also registered users can also revoke their consent to cookies within their Russell Mainstream Supply Limited customer account.

Social Media

Russell Mainstream Supply Limited have a Twitter.com account. If a data subject contacts Russell Mainstream Supply Limited via direct message, the message will be stored for 30 days and will not be shared with other organisations.

Phone Customer Service

This is a helpline service to assist callers that require information regarding Russell Mainstream Supply Limited products and orders. No payments will be taken over the phone. Any notes taken of phone numbers, names or other personal information will be shredded immediately after use.

Newsletter

Newsletters will only be sent to data subjects that have opted in by voluntarily signing up for the newsletter. Data subjects will be able to unsubscribe from newsletters whenever they like. Data subjects can either click 'unsubscribe' at the bottom of newsletters received or they can contact Russell Mainstream Supply Limited directly. Please note that any data subjects that signed up to the Russell Mainstream Supply Limited newsletter prior to the 25th May 2018 will need to re-sign up to the newsletter for their email addresses to be included on the list.

The information in this privacy policy was correct (to the best of the data controller's knowledge) at the time of publication: May 24th 2018
Last update: August 27th 2019