Plug & Play Design Ltd is a ‘data controller’ which means that we are responsible for deciding how we hold and use your personal information. When we say ‘we,’ ‘us’ or ‘our’ in this policy, we are referring to Plug & Play Design Ltd. We are registered as a data controller with the Information Commissioner’s Office as follows:
Plug And Play Design Ltd, 1 Portsmouth Road, Guildford, GU2 4BL
ICO Registration number: ZA313864
Personal data we collect about you
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, last name and title.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Usage Data includes information about how you use our website and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
How your personal data is collected
We collect your personal data from you direct, through you completing the contact form on our website or emailing us. However, we may also collect information via/from third party sources. Those third party sources include but are not limited to:
- Search information providers such as Google and Bing.
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services.
- Identity and Contact Data from data brokers or aggregators.
- Identity and Contact Data from publicly available sources.
- Networking and social events.
- Systems to ensure the security of our premises, including security CCTV footage.
Legal Grounds for using your Personal Data
We will only process your personal information where we have a lawful basis for doing so. Under the General Data Protection Regulation, there are six lawful bases. We have given some examples of where each basis applies, as follows:
- To decide whether to enter a contract with you or to perform that contract with you. We rely on this lawful basis to process your personal information to perform our contract for services with you;
- Where we have a legitimate interest to process your information, provided your interests and fundamental rights do not override those interests. We may market our services to you on the grounds of legitimate interest, but we will always give you the option to opt out of those communications; and/or
- Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
How we use your personal information
We may use your data in the following ways:
- To create client records and files to enable us to provide services;
- To respond to a request for or query about your personal information;
- To process your request to provide services to us as a third party supplier and monitor your contractual arrangement with us;
- To send you marketing information, including updates on services and details of events in which we believe you might be interested;
- To gather and provide information required by or relating to financial returns, reports and audits;
- To process and deliver your order, including managing payments, fees and charges, or collecting and recovering money owed to us;
- To respond to enquiries or investigations by regulatory bodies or law enforcement agencies;
- To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
- To use data analytics to improve our website, services, marketing, customer relationships and experiences; and/or
- As part of any report required for external audits and quality checks.
Who we share your personal data with
In the course of carrying out our work and your instructions we sometimes need to share your personal data with third parties, including but not limited to:
- Service providers acting as processors who provide the following services:
  - external IT and system administration services and support functions;
  - website hosting, development and maintenance;
  - processing service orders, support with fulfilment, accounting and record keeping; and
  - email marketing services in respect of collection of personal data and storage of personal data to enable us to send marketing communications to you.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers who require reporting of processing activities in certain circumstances.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Keeping and Storing Personal Data
The security of your personal data is of paramount importance to us. We store the personal data we hold in our CRM, email accounts and cloud document storage. These services are password protected and encrypted.
Your data may be stored by third parties processing your data on our behalf (see who we share your data with) but in accordance with a data sharing agreement.
We retain your personal data in accordance with our Terms of Business and our Data Retention Policy. Different retention periods apply for different types of data. Please contact us if you would like to see a copy of our Data Retention Policy.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.
Promotional offers from us
We may use your Identity, Contact, Technical and Usage Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.
We do not share your personal data with any third party for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at [email protected] at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of service purchase, service experience or other transactions.
Under the GDPR you can exercise a number of rights, as follows:
- Right of access: To be provided with a copy of your personal data
- Right to rectification: To require us to correct any mistakes in your personal data
- Right to be forgotten: To require us to delete your personal data – in certain situations
- Right to restrict processing: To require us to restrict processing of your personal data – in certain circumstances
- Right to data portability: To receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations
- Right to object: To object to your personal data being processed for direct marketing and, in certain other situations, to our continued processing of your personal data
- Rights related to automated decision-making: The right not to be subject to a decision based solely on automated processing
You will not have to pay a fee to exercise any of your rights. However, we may charge a reasonable fee if a request for access is clearly unfounded or if it is deemed to be excessive. Alternatively, we may refuse to comply with a request in such circumstances. We will ask for proof of identity before we provide any personal information, to prevent any unauthorised access.
If you would like to exercise any of these rights, please contact us – see below ‘How to contact us.’
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Keeping your personal data secure
We have security measures which strive to prevent personal data from being accidentally lost, or used or accessed unlawfully. We follow strict procedures as to how your personal information is processed, to prevent any unauthorised person obtaining access to it. All personal information you register on our website will be located behind a firewall and we will use our strict procedures and security features to try to prevent unauthorised access to our systems. Unfortunately, the transmission of information via the internet is not completely secure and although we strive to protect your personal data, we cannot absolutely guarantee the security of your data. Those processing your information within our business and on our behalf will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to Contact us
If you would like to contact us to discuss any aspect of this Policy, please use the following details:
The Managing Director is responsible for Data Protection Compliance.
How to Complain
We hope that we can resolve any query or concern you may raise about our use of your information. However, the General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, particularly in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: +44 0303 123 1113.
This policy was updated in May 2018 and subsequently updated in March 2019.