DATA PROTECTION POLICY

 

INTRODUCTION

 

Christopher Farr Cloth Ltd. (“CFC”) needs to gather certain information about individuals or companies and other entities for the purpose of conducting its business. These can include actual and potential suppliers, customers and agents, as well as competitors and third parties the organisation has a relationship with or may need to contact for this purpose (“Business Contacts”).

 

The information CFC needs to gather is only such personal information as would normally appear on a business card or in a published directory, for example name, organisation, position, email address, postal address and telephone numbers, as well as financial information when the individual, company or other entity has purchased products or services from CFC (“Personal Data”).

 

This policy describes how Personal Data will be collected, handled and stored to meet CFC’s data protection standards and to comply with applicable law.

 

 

WHY THIS POLICY EXISTS

 

This Data Protection Policy is to ensure that CFC complies with data protection laws and good practice, protects the rights of Business Contacts, and is open about how it stores and processes Personal Data and how it protects itself from the risks of data breach.



APPLICABLE LEGISLATION

 

 

  • DATA PROTECTION ACT

 

The Data Protection Act 1998 (“DPA”) describes how organisations must collect, handle and store Personal Data.  These rules apply regardless of whether Personal Data is stored electronically, on paper or on other materials. To comply with the law, Personal Data must be collected and used fairly, stored safely and not disclosed unlawfully.

 

The DPA is underpinned by eight important principles.  As we understand them, they provide that Personal Data must:

 

  1. Be processed fairly and lawfully

  2. Be obtained only for specific, lawful purposes

  3. Be adequate, relevant and not excessive

  4. Be accurate and kept up to date

  5. Not be held for any longer than necessary

  6. Be processed in accordance with the rights of data subjects

  7. Be protected in appropriate ways, and

  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of legal compliance.

 

 

  • GENERAL DATA PROTECTION REGULATION 

 

The General Data Protection Regulation (“GDPR”) is EU Regulation 2016/679 of the European Parliament and of the Council of the European Union of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, in force as of 25 May 2018.

 

The purposes of GDPR, as we understand them, are to ensure that, where organisations hold certain types of information about persons:

 

  1. The organisations have a legal basis for doing so

  2. The organisations follow good practice in holding that information

  3. The persons are aware that such information is being held and for what use and on what conditions

  4. The persons can have access to that information and certain rights with respect to its holding; and

  5. The persons can require that it no longer be so held.

 

The DPA and GDPR, as they are now and as they may be amended or superseded from time to time, are jointly referred to herein as the “Legislation”.

 

 

PEOPLE, RISKS AND RESPONSIBILITIES

 

This policy applies to CFC, its directors and shareholders, as well as its employees and all consultants working on its behalf.

 

It applies to all Personal Data which CFC holds relating to identifiable individuals, even if that information technically falls outside of the scope of the Legislation.

 

This policy helps to protect CFC from data security risks including breaches of confidentiality, failing to offer individuals the choice of how CFC uses data relating to them, and reputational damage from unauthorised persons gaining access to personal data.

 

The CFC directors are ultimately responsible for ensuring that CFC meets its legal obligations as such.

 

They are responsible for: keeping employees and consultants updated about data protection responsibilities, risks and issues; reviewing on a timely basis all data protection procedures and related policies and updating data protection procedures and policies as required; ensuring compliance with the Legislation; arranging data protection training when appropriate; handling data protection questions from clients and suppliers as well as inquiries from individuals with respect to their personal data being held by CFC; and including appropriate data protection provisions in CFC’s Terms and Conditions as well as checking for data protection compliance in all contracts and agreements with third parties who either may handle CFC’s Personal Data or whose personal data CFC may handle.

 

 

GENERAL GUIDELINES

 

All Personal Data should be kept secure and sensible precautions taken in a manner consistent with security standards for organisations of CFC’s type and size, including: strong passwords should be used and never shared; Personal Data should not be disclosed to unauthorised persons; and Personal Data should be regularly reviewed and updated for accuracy.

 

When Personal Data is stored on paper (either as a result of the printing of data formerly electronically held or otherwise), it should be kept in a secure place where unauthorised persons cannot see it.

 

When Personal Data is stored electronically, it must be protected from unauthorised access, accidental deletion, and malicious hacking attempts, including by the following measures: strong passwords that are changed regularly and never shared; any removable storage should be kept securely; only approved cloud computing services should be used; and data should be backed up frequently. All servers and computers should be protected by approved security software.

 

 

DATA USE

 

Personal Data should not be disclosed to any unauthorised person and ideally should be encrypted before being transferred electronically. It should not be transferred outside the United Kingdom unless that country or territory also ensures an adequate level of legal compliance.



SUBJECT ACCESS REQUESTS

 

All individuals who are the subject of Personal Data held by CFC have the right to:

  • Request access to their Personal Data

  • Request correction of their Personal Data

  • Request erasure of their Personal Data

  • Object to the processing of their Personal Data

  • Request restriction of processing of their Personal Data

  • Request transfer of their Personal Data

  • Withdraw their consent to CFC holding their Personal Data

 

Such requests from individuals should be made by email to the Managing Director of CFC at cloth@christopherfarrcloth.com, who will take such steps as she deems necessary to first verify the identity of the person making the request and then satisfy their request. Unless advised otherwise, there will not be a charge for providing this service and it should be provided within 14 days.

 

When a request for information is from any source for which applicable legislation allows disclosure of personal data without the consent of the relevant person, the Managing Director will ensure that the request is legitimate and, if in doubt, seek legal advice.



PRIVACY POLICY

 

CFC aims to ensure that individuals are aware that their Personal Data is being held, the legal basis therefor, and that they understand how their Personal Data is being used and how to exercise their rights with respect thereto. To these ends CFC has a Privacy Policy which is available on request to the Managing Director and is also available on the CFC website (www.christopherfarrcloth.com).

 

 
