General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into effect across all EU member states on 25 May 2018. The GDPR provides one framework data protection law for Europe, representing a significant harmonisation of data protection requirements and standards across the EU.
Its intention is to enforce the principle of "Privacy by Design" by minimising data collection and retention and ensuring data is obtained only by consent and is available on a strict "need to know" basis. Data Collectors (companies like us) must analyse the risks to the data subjects (our customers and personnel) posed by processing the data (storing it, sharing it). Data Collectors must also provide data subjects with a "right to be forgotten".
Your privacy is of paramount importance to us.
Data Protection Impact Assessment
The only information we have relating to customers is the absolute minimum we require to enable us to process and deliver an order i.e. the data they enter at the point of ordering on-line:
Contact Telephone Number(s) (landline and / or mobile)
Contact Email Address(es)
Delivery address (optional)
Company Name (optional)
VAT registration number (optional)
Legal Ground: Contractual necessity.
Location: This information is retained on our webserver which is located within the E.U.
Visible to: Management and Sales personnel.
Risk: In the event of our webserver being hacked, this information would be available to the hacker.
Risk Profile: This information could be used to facilitate identity theft.
Risk Minimisation: Files can only be uploaded to our webserver by means of secure username and password protected access. All communications between our computers and the webserver are by means of secure protocols. There is no provision for anybody outside of our office to upload files to the website. There is no public access to our office network. Browser access to our website is strictly via https using 256-bit encryption so personal data entered by the customer at the point of ordering is encrypted during transmission to our webserver.
Breach Notification: GDPR article 31 requires us to notify data authorities within 72 hours after a breach of personal data has been discovered. Data Subjects, i.e. our customers and personnel, have to be notified if the data poses a "high risk to their rights and freedoms". However, regardless of the legal requirements, if we are hacked, we will tell you.
Most payments go via a third-party service e.g. Paypal or Stripe. In this case, we have NO access to the credit card data.
Risk: In the event of our webserver being hacked, no payment information would be available to the hacker.
We have copies of all email correspondence with our customers. Our email service is hosted by hostingireland.ie.
Risk: In the event of our webserver being hacked, no email correspondence would be available to the hacker.
We categorise data into two areas:
1. Trade Data: Data that is specific to and received directly from customers and suppliers with whom we expect to have, or already have, regular business transactions (Trade Contacts).
2. End-User Data: Data received from our Trade Contacts relating to their customers or prospective customers (End-Users).
Trade Data. Data relating to our customers and suppliers will be used for the purposes of processing orders and associated activities surrounding order processing, as well as marketing activity specific to the products and services we sell.
End-User Data. Data provided by our Trade Contacts relating to End-User customers will be used for the sole purpose of processing orders. It is the responsibility of the Trade Contact to ensure all permissions are sought before passing on End-User data and that all End-Users are aware that their data may be used by others to fulfil the order processing and delivery.
Where appropriate Trade and End-User Data may be passed to third party contractors for the sole purposes of fulfilling purchase orders.
Information collected includes:
Contact Email Address(es)
Contact Telephone Number(s)
Contact Invoice Address
Contact Delivery Address(es)
VAT registration number
Data will be held securely on in-house computer servers and back-ups, as well as in paper format. Any significant breach of data will be communicated as soon as is reasonably possible by the swiftest and most appropriate means available at the time. Data will be held for a period of 6 years, in line with statutory accounting practice.
Declaration: Triscle Ltd will NOT pass on your personal data to third parties other than those involved in the order processing and delivery without first obtaining your consent.
1. Invoice Data
We are obliged by law to retain invoices for 6 years (revenue.ie).
At present, we do not automatically remove invoices after that time. We propose to delete invoices after the legally specified retention period of 6 years has expired.
2. Email correspondence
At present, we do not automatically delete emails. We propose to retain emails for the same period as our invoices (6 years), with automatic deletion thereafter.
We have no interest in and request no information other than that specified in "Personal Data" above.
Consent is requested from a customer immediately before finalisation of the order. No personal information is transferred to our server until that consent has been given.
Data Protection by default
There are no automatic opt-ins when a customer places an order or registers with us.
Subject Access Requests
We undertake to provide, within one month, a complete breakdown of all data relating to you. Please send an email to firstname.lastname@example.org
We can remove all data relating to you provided it does not conflict with the legally required retention period specified by the Revenue authorities (revenue.ie).
Please send an email to email@example.com