General Data Protection Regulation
DATA PRIVACY NOTICE
Nature’s Craft Limited
Last Updated 16 August 2018
Natures Craft Limited, trading as Nature’s Craft, is a company limited by shares and incorporated under the laws of Ireland (hereinafter referred to as “Company”, “our”, “we” or “us”). The Company was established on Thursday 13 July 1995 as a wholesale and trading company and our company number is 235747.
Please read this data privacy notice carefully, as it applies to all of our interactions with you. Should you have any queries in respect of this notice, please do not hesitate to contact us by email at: email@example.com or by telephone on 00353 1 450 4144.
A data controller is an entity that determines the purposes and means of data processing (either alone or together with others), i.e. the entity making the decisions as to how and why personal data is processed.
A data processor is any entity that processes personal data on behalf of the controller.
An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Any information relating to a data subject.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is the Data Controller?
Unless otherwise stated, the Company is a controller of data responsible for your information when you interact with us. The Company’s address is Unit 1, The Westway Business Centre, Ballymount Avenue, Dublin 12.
Personal Data That We Collect
We collect the personal data which we require to participate in the purchase and sale of goods in compliance with applicable laws and regulations.
The data we collect depends on the context of your interactions with us and the choices you make. As a wholesale company we retain personal data of our trading partners and any other entity or organisation that is instrumental in the buying, stocking, selling and distribution of our products or is engaged in providing any additional administrative, financial, or IT services necessary for the normal running of our wholesale business activity.
The data we collect can include the following:
- Identity and contact information: first and last name, business name, date of birth, gender, email address, residential or business address, occupation, phone and fax numbers and other similar contact data (whether in a personal or professional capacity).
- Payment data: personal data which is necessary to process any payments.
- Miscellaneous: further information as may be required to comply with any applicable laws and regulations.
Purposes and Legal Basis
Depending on the context of your interactions with us, we use the information we have about you in the following ways and for the following purposes:
- To comply with applicable laws and regulations, such as (but not limited to):
- the Companies Act 2014, as amended;
- Sale of Goods and Supply of Services Act, 1980; and
- Consumer Protection Act 2007.
- To perform contracts that have been entered into by the Company, such as those pertaining to the sale and purchase of goods or involving financial transactions of various types;
- To perform contracts that the Company has entered into with you, such as sale and purchase and delivery of good and financial transactions of various types;
- To maintain a record of customers that have entered their details onto our website and who have entered into various contracts with us;
- To maintain a record of the contact details of our trading partners and any other entity or organisation that is instrumental in the buying, stocking, selling and distribution of our products or is engaged in providing any additional administrative, financial or IT Services necessary to the normal running of our wholesale business activity;
- To maintain a record of the contact details of the parties to each transaction entered into by the Company, and of those persons providing services to the Company, such as legal advisors, tax advisors, auditors, banks, insurance, marketing companies and other service providers; and
- Where necessary to ensure the efficient operation of the Company.
We rely on three separate legal basis to lawfully process your personal data, which are as follows:
- Necessary for effectively managing our trading relationship with you;
- contractual necessity; and
- legitimate interests.
You have choices about the data we collect. For further information in this regard, please refer to the section titled ‘Data Subject Rights’ below.
Where do we Obtain and Store your Personal Data?
You provide some of this data directly. Information is provided by you:
- When you provide information for, and/or execute documentation pertaining to the establishment and operation of a trading relationship or other types of accounts for the Company, or when you engage in similar activities for the purposes of any financial transaction that the Company may wish to conclude; and
- When you input detail into our website for the establishment of normal functioning of our business operations.
We may also obtain data from third parties. These third-party sources vary over time, but have included:
- Abovementioned partners, entities and organisations; and
- Credit Reporting Agencies.
The personal data that we process can be stored on the systems of the Company, or on third-party systems of service providers to the Company.
We rely on several legitimate interests in using and sharing your personal information. These interests include facilitating the day-to-day business operations of the Company. Examples in this regard include:
- Engagement with trade partners;
- Financial and legal service providers; and
- Marketing Companies.
Data Subject Rights
The General Data Protection Regulation (“GDPR”) provides a number of rights with respect to how the personal data of data subjects is used including rights of access, rectification, erasure, restriction, data portability and objection.
- Right of Access
Data subjects are entitled to obtain details concerning the processing of their personal data and to have access to a copy of any personal data that is processed in an easily accessible format.
- Right of Rectification
Data subjects are entitled to have inaccurate personal data concerning them rectified without undue delay, and, taking into account the purposes of the processing, to have incomplete personal data completed.
- Right of Erasure (Right to be Forgotten)
Data subjects have the right to have their personal data erased without undue delay in specified circumstances. This is known as the right of erasure or ‘the right to be forgotten’. These circumstances include:
- i) The personal data is no longer necessary in relation to the purposes for which it was collected;
- ii) The data subject withdraws consent and there is no other legal basis for processing;
iii) In the case of reliance on legitimate interests as a ground for processing and in circumstances where an objection is raised by the data subject, there are no overriding legitimate grounds for the processing;
- iv) The personal data has been unlawfully processed;
- v) The personal data has to be erased for compliance with a legal obligation under European Union or Member State law; or
- vi) The personal data has been collected in relation to the offer of information society services to a child.
The right to erasure is not available where the processing of the relevant personal data is necessary:
- i) For the purposes of exercising the right of freedom of expression and information;
- ii) For compliance with a European Union or Member State legal obligation which requires processing by law and to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
iii) For reasons of public interest in the area of public health;
- iv) For certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; and
- v) For the establishment, exercise or defence of legal claims.
- Restriction of Processing
There are four instances in which a data subject is entitled to restrict processing of his or her personal data as an alternative to erasure:
- i) The accuracy of the personal data is contested by the data subject, in which case the processing is restricted for a period enabling the controller to verify the accuracy of the personal data;
- ii) The processing of the personal data is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
iii) The controller no longer needs the personal data for the purposes of the processing, but the personal data is required by the data subject for the establishment, exercise or defence of legal claims, and
- iv) The data subject has objected to processing pending verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, continued processing, with the exception of storage, may only occur in the following cases:
- i) The data subject consents;
- ii) The processing is necessary for the exercise or defence of legal claims;
iii) The processing is necessary for the protection of the rights of other individuals or legal persons; or
- iv) The processing is necessary for public interest reasons.
You are entitled to be notified by us before any restriction on processing is lifted.
- Data Portability
This right enables you to receive personal data concerning you, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from us. This right only applies where processing is based on your consent or on the performance of a contract, and the processing is carried out by automated means.
- Right to Object to Data Processing
Data subjects have a right to object to the processing of their personal data in the following circumstances:
- i) Where processing is based on legitimate interest grounds or because it is necessary for a public interest task/official authority. The controller is required to cease processing unless it demonstrates compelling legitimate grounds for the processing which override the rights of the data subject or the processing is necessary for the defence of legal claims;
- ii) Processing for direct marketing purposes. No further processing may occur once an objection has been received; and
iii) Processing for scientific or historical research or statistical purposes. Processing may only occur following an objection if the processing is necessary for the performance of a task carried out for reasons of public interest.
- Rights in relation to Automated Processing, including Profiling
Data subjects have a right not to be subject to a decision based solely on automated processing, which includes profiling. This right does not apply if the decision:
- i) Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- ii) Is authorised by law which lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
iii) Is based on the data subject’s explicit consent.
- Right to Withdraw Consent
Data subjects have a right to withdraw consent, where consent is relied upon as the legal bases for processing.
Requests in relation to the enforcement of your rights will be responded to free of charge and within 30 days of receipt of the request. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Further Information with respect to your Rights and the Legal Bases of Processing relied upon by the Company
- Reliance on Compliance with a Legal Obligation
These grounds may be relied upon where the bases for processing is laid down in a relevant Irish or European Union law or regulation.
You do not have a right to erasure of your personal data, to data portability or to object to the processing of your personal data where we are relying on the grounds of compliance with a legal obligation with respect to the processing of your personal data.
- Reliance on the Grounds of Contractual Necessity
These grounds may be relied upon where we have entered into a contract with you, in respect of the performance/execution of such contract, and includes steps taken at your request prior to the entering into of the contract.
You do not have a right to object to the processing of your personal data where we are relying on the grounds of contractual necessity for such processing, but you do have a data portability right.
- Reliance on the Grounds of Legitimate Interests
You may object to the processing of your personal data where we are relying on the grounds of legitimate interests for such processing. Your right of objection is absolute where these grounds are relied upon for marketing purposes. In all other circumstances, we can override your objection if we can demonstrate an overriding compelling legitimate ground.
A right of data portability does not apply where we are relying on the grounds of legitimate interests in relation to the processing of your personal data.
Automated Decision Making
We will not use your personal data for automated decision-making purposes (including profiling).
Recipients and Categories of Recipients
We share information we have about you in accordance with this data privacy notice:
- With professional advisers to and service providers appointed by the Company:
(i) as may be necessary in connection with the performance of contractual obligations, or
(ii) in circumstances where information is provided to facilitate compliance by such service providers with applicable laws.
- With third parties generally when you have requested us to do so; and
- When we have a good faith belief that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other governmental agencies.
Third Country Transfers
We may, for the purposes outlined in this data privacy notice, transfer your personal data outside of the European Economic Area (“EEA”) provided such transfer is to a recipient who (i) is located in a country that the European Commission deems to provide an adequate level of protection for personal data, or (ii) is subject to an agreement, derogation or other legal act which allows for the lawful transfer of personal data outside of the EEA.
We will retain your information only for as long as necessary for the purposes set out in this data privacy notice, for as long as your business or professional relationship with us is active, or as needed for the completion of a transaction, or for other essential purposes such as complying with applicable laws and regulations, resolving disputes or for the establishment, exercise or defence of legal claims.
Security of Personal Data
The Company is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. For example, we store personal data you provide on computer systems that have limited access and which are located in controlled facilities.
Appointment of a Data Protection Officer
Pursuant to the GDPR, it is mandatory for controllers to designate a Data Protection Officer (“DPO”) in the following circumstances:
- where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions.
As these circumstances do not apply to us, you are advised that a DPO has not been appointed for the purposes of GDPR.
You have the right to file a complaint against us with the Irish Data Protection Commissioner, which is the lead supervisory authority of the Company. You may also complain to your local supervisory authority. You can find your local supervisory authority on https://ec.europa.eu/info/law/law-topic/data-protection. We would, however, appreciate the opportunity to deal with your concerns before you approach any supervisory authority so please contact us in the first instance.
Statutory or Contractual Requirement to provide Information
When collecting your personal data is mandatory (either under applicable law or in accordance with a contractual requirement), this will be stated at the time of collection of the personal data.
Changes to this Data Privacy Notice
We will update this data privacy notice when necessary to reflect feedback from you or the way in which we process personal data. When we post changes to this data privacy notice, we will revise the “Last Updated” date at the top of this data privacy notice. If there are material changes to this data privacy notice or in how we will use your personal data, we will notify you before such changes take effect.
How to Contact Us
If you have a privacy concern, question or complaint, or you wish to exercise any of your rights as a data subject, please contact us by email firstname.lastname@example.org or by telephone on 00353 1 450 4144.