Data Protection Policy

Introduction

1.1 Purpose

This data protection policy outlines the principles and guidelines that our e-commerce site ("markandday.co.uk"), based in the Netherlands, must follow to ensure the protection and confidentiality of user data. This policy aims to comply with the guidelines of the General Data Protection Regulation (UK DATA PROTECTION ACT 2018).

1.2 Scope

This policy applies to all personal data collected, processed, and stored by the website in the provision of services related to account creation, browsing, purchasing, payment, and order tracking of home furnishing items.

Definitions

2.1 Personal Data

Personal data refers to any information related to an identified or identifiable natural person, such as name, address, email address, payment information, and order history.

2.2 Data Controller

The website, which determines the purposes and means of processing personal data, is the controller within the meaning of the UK DATA PROTECTION ACT 2018.

2.3 Processor

Any third-party entity mandated by the website to process personal data on its behalf, such as payment providers or logistics suppliers, is considered a processor.

Data Collection and Processing

3.1 Legal Basis for Processing

The website will process personal data only if it has a legal basis to do so, such as user consent, the need to execute an order, legal obligations, or legitimate interests pursued by the website or by a third party.

3.2 Types of Personal Data Collected

The website collects and processes the following personal data for specified purposes:

  • Account creation: name, email address, password (encrypted), address details, and contact information.
  • Navigation: IP address, cookies, and other usage data for statistical analysis and website improvement.
  • Purchase: personal data necessary for order processing, including billing and delivery addresses, phone numbers, and order history.
  • Payment: payment details, such as credit card numbers, are processed securely by third-party payment providers. The website does not store complete payment card information.
  • Order tracking: information related to the order status and delivery, such as tracking numbers and carrier details.

3.3 Data Minimization

The website will collect and process only the personal data necessary and relevant to the specified purposes. Collected data will be limited to the strict minimum required.

3.4 Data Retention

Personal data will be retained as long as necessary to achieve the purposes for which they were collected and in accordance with legal obligations. When data is no longer needed, it will be securely erased or anonymized.

User Rights

4.1 Right of Access and Rectification

Users have the right to access their personal data and request its rectification if it is inaccurate or incomplete. Users can update their account information directly via the website's account settings.

4.2 Right to Erasure

Users may request the erasure of their personal data in certain circumstances, such as the withdrawal of consent or if the data is no longer necessary for the purposes for which it was collected.

4.3 Right to Data Portability

Users have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller, to the extent technically feasible.

4.4 Right to Restriction of Processing

Users may request the restriction of processing of their personal data in certain circumstances, such as disputing the accuracy of the data or unlawful processing.

4.5 Right to Object

Users have the right to object to the processing of their personal data on the basis of legitimate interests. The website will cease processing the data unless compelling legitimate grounds override the interests, rights, and freedoms of the concerned person.

4.6 Right to Withdraw Consent

When the processing of personal data is based on the user's consent, individuals have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent carried out prior to its withdrawal.

Data Security

5.1 Confidentiality and Integrity

The website implements technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data. These measures include encryption, access controls, regular security assessments, and data protection training for staff.

5.2 Data Breach Management

In the event of a data breach that may pose a risk to the rights and freedoms of concerned individuals, the website will promptly notify the competent supervisory authority and the individuals concerned, in accordance with applicable laws and regulations.

Data Transfers

6.1 Transfers within the EU/EEA

The website may transfer personal data to other countries in the European Union (EU) or the European Economic Area (EEA) without additional measures, as these countries are considered to provide an adequate level of data protection.

6.2 Transfers outside the EU/EEA

If personal data is transferred outside the EU/EEA, the website will ensure that appropriate safeguards are in place, such as the use of standard contractual clauses or reliance on an adequacy decision of the European Commission.

Third-Party Processors

7.1 Processors

The website may use third-party processors for specific purposes, such as payment processing or order fulfillment. These processors will be carefully selected and required to comply with UK DATA PROTECTION ACT 2018 requirements and provide sufficient guarantees for data protection.

Privacy by Design and by Default

8.1 Privacy Impact Assessments

The website will conduct Privacy Impact Assessments (PIAs) to assess potential risks and impacts on individuals' privacy when developing new systems or processing personal data in new ways.

8.2 Privacy by Default

Measures to enhance privacy protection, such as minimizing the collection of personal data and providing granular privacy options, will be implemented by default to enable users to have maximum control over their personal information.

Compliance and Training

9.1 Data Protection Officer (DPO)

The website has appointed a Data Protection Officer responsible for overseeing data protection and privacy matters. Users may contact the DPO for any questions or concerns regarding their personal data.

9.2 Staff Training

All employees and subcontractors who handle personal data will receive appropriate training on data protection and privacy best practices, as well as their obligations under the UK DATA PROTECTION ACT 2018.

Policy Review

This data protection policy will be regularly reviewed to ensure its ongoing relevance and compliance with legal requirements. All necessary updates will be made and communicated accordingly.

Contact Information

For any questions or concerns regarding this data protection policy, users can contact the website's Data Protection Officer at the following address: info@markandday.co.uk