Data controller Brian Mandel
Name of Business: Klevacrylic Ltd (also trading as Gail Klevan, Gail Klevan Jewellery or Gail Klevan Designs)
Address: Studio One, 6 The Broadway, London NW7 3LL
Telephone Number: 020 8200 4672
Email address: office-at-gailklevan.com
What this Notice is about
Your privacy is important to us and we will use all reasonable efforts to protect it. This Privacy Notice tells you what information we obtain and hold about you as a customer. It explains what information we collect, why we collect it, and what we do with it, as well as who we share it with. We collect and handle personal information about our customers to enable us to provide goods and service to customers and to promote our business. This includes selling, marketing and promoting our brand, performing our business activities and answering enquiries. We call this information “your information”. It is also referred to as “data”.
Why we are giving you this notice
We are required by data protection law to give you this notice. We must be open with you about why information is collected about you and then what is done with it. We must act fairly in relation to this information. You have various legal rights relating to this information which are spelt out in more detail in this notice.
In order that we can collect or use information about you there must be a legal basis or gateway for doing so. This notice identifies the relevant gateway for the various types of information we collect and hold about you. A detailed explanation of these gateways is given in this notice.
Under data protection legislation we can only process data “as necessary” and only to the extent that it is needed. For example, we can use your bank details regarding payments and other limited purposes only. However, in certain instances, as necessary, we can share any of your data with relevant service providers. We may also share any of your data, as necessary, with the police/law enforcement agencies or regulatory authorities.
The data we collect/hold about you
We use different ways to collect data about you including information you supply to us when using our website, using email or other messaging channels, at events, or in conversation either in person or by telephone.
As necessary, personal data is processed by us consisting of the following, as applicable: –
- Identity and contact details
- Bank details
- Recovery of arrears, claims or possession proceedings
- Emails texts and other communications and via our website.
- Website and online portal information.
We also generate and use data internally, e.g. our accounting and business records.
We may also collect and receive data about you from third parties. This may be information given to us by friends or family who are buying a gift for you, or acting on you behalf or otherwise assisting you, or from commercial outlets such as shops, galleries, exhibition operators or website operators with whom you will already have a relationship.
Sharing data with others
We will share information we hold with others where this is necessary. Where required, information may be shared with contractors; suppliers; service providers; tradespeople; financial organisations (including banks); debt collection and tracing agents; courts; police and law enforcement agencies; taxation authorities etc. We also may share information with professional advisers such as lawyers and accountants or an advice agency which involves sharing information about you with them. Under data privacy regulations sharing data also includes passing information through technical platforms and services provided by third-party suppliers and also to background business services none of which may have any interest in your data directly but who nevertheless may have full or partial access to it. Whenever we share data we must comply with data protection legislation and ensure they have published data privacy policies.
What we share will depend on what is necessary in the circumstances and more details are given elsewhere in this document in respect of different kinds of information which we hold about you.
Service Provider’s Privacy Statement
Principal Internet Service Provider
Computer support service
Cloud storage provider
Our website hosting provider
Our mailing list and mailshot operator
Social media platforms
Facebook, Twitter, Instagram, Pinterest, Whatsapp, LinkedIn
We will not normally use these for most personal information but in case we do, or for example where you or we use messaging services provided by these organisations we include these here for completeness.
Third party sales platforms
We may receive and process your details in order to process your order or enquiry. We may use these details to despatch goods you have ordered or answer enquiries or perform relevant activities.
Shops, galleries, museums, exhibitions and events etc
Our card payment operator
Search engines, websites, etc
On occasions were relevant, we may obtain information about you which is publicly available via search engines such as Google or Facebook and websites. This will include information about you which you yourself made public. However, when doing so we make sure that we comply with applicable guidelines under data protection legislation.
Special categories of data/sensitive personal data
In limited situations we will process information about your health or any disability. This data is given special protection under data protection law. Normally we would expect to ask you for your explicit consent before we collect or use this kind of data but if you or a third party volunteer information to us relating to skin conditions or other conditions relevant to the wearing or design of our products, or body size or body shape information related to the wearing or design of our products then we will deem this consent to be given.
Why we collect data and the legal basis for processing your personal data
We must tell you why we collect and hold information about you.
We must also have a legal basis before we are allowed to collect or process your personal data. Processing personal data includes recording, storing, altering, using, sharing or deleting data. We only need one of these “gateways” and for our purposes they are –
- You consent. Consent may be requested in certain cases but generally we do not rely on your consent to process your personal data.
- To perform our contract so that we can provide the goods and services you require.
- Compliance by us with a statutory or other legal obligation.
- Where we are pursuing our own legitimate interests or those of a third party. This will not apply if our interests are overridden by your interests or your fundamental rights and freedoms. We must carry out a balancing exercise therefore to decide whether we can rely on this gateway to ensure that it applies. In each case we have done this and we do not consider your interests, rights or freedoms outweigh our own or those of the third party concerned.
This notice identifies the relevant gateway applicable in each case. In some cases, we will rely on more than one gateway depending on the particular purpose for which we are using your data.
Additionally, any data must be processed by us fairly and openly.
Why we process your data
The various purposes for which it may be necessary for us to process various categories of your information include: –
- For advising which of our products may be suitable
- To perform our contract to provide you with goods or services
- For contractual performance for payment collection including banking details
- For contractual performance and/or in our legitimate interests for record keeping
- For contractual performance for arranging repairs where appropriate
- For contractual performance or in our legitimate interests for recovering debts and other payments due
- In our legitimate interests for processing complaints
- In our legitimate interests for obtaining and holding audio and video recordings
- In our legitimate interests for the storage of emails, records of calls and other communications
- In accordance with our legal obligations if you exercise your rights under data protection law
- To perform our legal obligations for compliance with legal and regulatory requirements
- In our legitimate interests for the establishment and defence of legal rights
- In our legitimate interests for prevention, detection and investigation of crime and antisocial behaviour and the security of any website or other means of electronic communication
We may change the purposes where this is compatible with the purpose for which we obtained the data originally. If we need to use your data for a non-compatible purpose we will notify you and explain the legal gateway that allows us to do so. We may process your information without your knowledge where this is required or permitted by law.
More information about what we do with data and why, along with the relevant legal gateway is given in the Table. This also tells you who we share data with and receive it from.
We will monitor, record and retain your calls, emails, text messages, social media messages and other communications. This is in our legitimate interests to maintain an accurate record of these. This may be necessary to manage your transaction. We need these records for our ongoing dealings with you, including our data protection obligations.
Length of storage of data
Data can only be stored on a time limited basis and not indefinitely. We will hold personal data about you for the duration of your transaction and for seven years after. This is the statutory limitation period six years plus a further year to allow for service of proceedings should proceedings commence later. We are also required to retain information for up to six years for tax purposes. If no transaction is completed then we retain data for one year.
Storage and security of data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
All our information is stored securely electronically on servers or devices. Certain information is also retained on a secure basis in hard copy format.
To protect our legitimate interests telephone conversations and voice messages may be recorded electronically for monitoring and to ensure that we have a record of what is said. You or others may leave messages when calling which may be transcribed automatically and received by us as an email which we may store.
While we do not operate CCTV we may occasionally video at events or when meeting with your permission. CCTV may also be installed in shop, exhibition or other premises we may use for our activities but such systems are operated by the managers for each location/vanue and are outside our control and normal access. They should be operated in accordance with legal requirements and may be used to detect access to private or secure areas, for the detection of crime, or the security and safety of the relevant areas and recordings may be kept for those purposes.
Holding data outside the UK or European Union
Third-party providers store related data internationally and not necessarily within the UK or European Union. The recipient of this data is the provider concerned. You need to refer to the provider concerned to determine if they have the required clearance (adequacy decision) from the EU authorities or whether or not, instead, there is an agreement containing appropriate and suitable safeguards and to obtain a copy of this agreement.
As a “micro” business we use portable computing equipment and may operate the business from locations outside the UK or the EU which are covered by local data privacy regulations. However other than our own portable equipment and local ISPs providing broadband service we will still use the same service providers listed elsewhere in this document.
Where we hold personal data about you, you are the data subject. Data protection legislation gives you a number of rights. To exercise any of these rights you should contact us. You can do so by email at the address given above or you can telephone us on the number given above. You can also write to us at our address given at the top of this notice. Normally no fee is payable.
In particular you have a right to object to the processing of your information where we are processing this in our own legitimate interests or those of someone else. This applies if you feel that this impacts on your own interests or your fundamental rights or freedoms.
These rights are as follows –
- Access – you have the right to make a request to be told what personal data we hold about you. This is a right to obtain confirmation that data has been processed and to have access to your personal data and the right to information details which should be provided with the privacy notice.
- Correction/Rectification – if you consider any data we hold about you is inaccurate you can tell us so that where appropriate this can be corrected. Where a mistake is made in data processing then you can ask to have it rectified. Any third parties who have received the data from us should then be told of the rectification and you should be informed by us of any such third parties.
- Erasure – you have a right to ask us in certain circumstances to erase any data we hold about you (the so called right to be forgotten). Individuals can request the right to have personal data erased to prevent processing in specific circumstances, i.e. it is no longer necessary, consent has been withdrawn, there is an objection and where applicable your rights etc., override the legitimate interests to continue our processing, or data has been unlawfully processed.
- You can object to our processing of data – this allows you to object to our processing of data about you. We must then stop processing data unless we can establish legitimate reason for continuing. In particular this applies where we are relying on our own legitimate interests or those of a third party to process data but it can also apply in other situations.
- Restricting processing – you can ask us to suspend processing of your personal data and we must then restrict processing of data. This includes where you are contesting the accuracy of a statement or the lawfulness of the processing.
- Data portability – this allows individuals to reuse their personal data for their own purposes across different services allowing them to move, copy or transfer personal data more easily.
Withdrawal of consent
Where your consent provides us with the legal gateway to process data about you, you can withdraw this at any time by telling us by email or post using the telephone/addresses given above.
We operate our own internal complaints policy and if you have any concerns about the way in which we collect or handle data please contact us.
Additionally, you have the right to lodge a complaint with the Supervisory Authority who is –
Information Commissioner’s Office