GDPR Statement

Last updated: 21-05-18

This is the GDPR Statement of Northamber PLC, Namber House, 23 Davis Road, Chessington, Surrey, KT9 1HS. This document sets out how Northamber complies with data protection regulations including the latest GDPR requirements, from May 25th 2018. This Statement applies to suppliers, customers and subcontractors and aims to address the Q&A requests that are required by our partners for GDPR related procedures.

This document is available at all times on the Northamber homepage (www.northamber.com/gdpr). It outlines how we collect and use personal information and how we meet our obligations as a data controller and as a data processor. It may be updated from time to time; the online document will always be the most up to date version. You can contact privacy@northamber.com with any questions relating to our GDPR policies.

1. Is Northamber a Data Controller or Data Processor?

Either or both, depending on the type of transaction.

Under Article 28 of the GDPR, Northamber is defined as a data “controller” for personal data that our customers provide for certain transactions, e.g. when we set up an account and when we process orders for delivery to our customer's premises. As data controller we may collect contact details, payment details and company details. These will be used to transact orders, to confirm credit, to take payment, to deliver goods etc., as required to fulfil our legal and contractual obligations in processing the account and orders. This data will only be used by staff who have a business need to access it, will only be shared with those third parties who enable us to perform our obligations (e.g. credit agencies and delivery firms), will be kept secure in our online and offline systems and will be retained for a maximum of 7 years to enable us to comply with our legal obligations, after which time it will be deleted. Our use of sub-contractors or GDPR “data processors” is governed by an agreement that ensures they are also compliant with GDPR and that the data is dealt with accordingly.

Northamber is defined as a data “processor” for personal data that is provided for certain transactions, e.g. when we “drop ship” orders to our customer’s own end user customers, or when we transact licensing agreements or request special bid pricing. As data processor we may collect end user name, address and other contact details that may be passed on to our own sub-contractors (e.g. delivery firms, vendors), as required to enable us to carry out our contractual commitments to our customers. This data will only be used by staff who have a business need to access it, will only be shared with those third parties who enable us to perform our obligations (e.g. vendors for licences, delivery firms for deliveries), will be kept secure in our online and offline systems and will be retained for a maximum of 7 years to enable us to comply with our legal obligations, after which time it will be deleted. Our use of sub-contractors or GDPR “sub-processors” is governed by an agreement that ensures they are also compliant with GDPR and that the data is dealt with accordingly.

2. Does Northamber have a Data Controller Role?

No, we are not required to have a Data Controller under the GDPR. However, we have a Privacy Officer who is part of the executive team and reports to the CEO. Our Privacy Officer is available via the privacy@northamber.com email address. The Privacy Officer is responsible for overseeing that Northamber meets its obligations under data protection laws and regulations, including GDPR. The Privacy Officer is also the point of contact for data privacy related queries from staff, customers, suppliers and other third parties, and the focal point for Data Access Requests and Data Breaches.

3. What personal data do we collect?

When customers register with Northamber, for either a trade account or to receive marketing information by post, phone or email, we will collect some or all of the following personal data:

• Name, email address, fax number, postal address, business contact and billing information, transaction and credit card details (during transactions).

• Your preferences on what marketing information (if any) you’d like to receive and how you’d like to receive it.

When customers order from Northamber we collect additional information including:

• Payment details – including credit card numbers where relevant
• End user details to enable direct ship / drop ship – including name, address and contact details
• End user details to enable license registration
• End user details to enable special bid pricing requests

Northamber does not collect any Special Category Data as defined by the GDPR for any interactions with customers or suppliers.

4. How do we use this data?

When registering with Northamber, customers will be asked for consent for us to use personal data for the purposes listed below:

• To enable us to confirm business details when setting up an account, for legal, financial and contractual purposes so that we may provide commercial services to our customers.

• To carry out basic checks for due diligence when setting up accounts to ensure all details are genuine and correct and to avoid fraudulent use of data.

• To allow us to comply with legal requirements placed upon us.

• To send you tailored communications by post, fax and/or email about new products, promotions, news items, event details, special offers or other useful items of interest.

When customers purchase from Northamber we will request and use customer and, sometimes, end user data for the purposes listed below:

• To enable delivery of goods directly to our customers.
• To enable delivery of goods to our customers’ end users, including via sub-contractor delivery firms (sub-processors).
• To facilitate the purchase of software licensing. 
• To enable special bid pricing requests.

We will keep data for the duration of our joint relationships. Data will be retained in accordance with legal requirements and deleted after such requirements are met. For example, if we end a business relationship, data will be retained for seven years and then destroyed.

5. Who has access to personal data?

At Northamber we take care to ensure personal data is only accessible to those who have a business need. For example, when setting up an account, the data used for that purpose is only accessible to employees involved in that process. Personal data is not accessible to employees for whom there is no business need.

Access decisions are taken by the Executive Team.

6. How are corrections of data carried out?

Northamber regularly confirms personal contact details and marketing preferences with our partners, following which a confirmation email is sent to confirm the current details. This information can be updated at any time by contacting Northamber by phone, via an account manager or via the Privacy Officer.

If you believe we hold any incorrect personal information about you, or if anything changes, you may request to see this data, which we will provide within 30 days at no charge. If you are requesting more detailed data that requires additional resources to produce, we may make a nominal charge to cover our costs.

Any relevant changes in your personal data should be notified to Northamber via your usual contact or to the privacy@northamber.com email address.

7. Does Northamber have a central repository of data processing activities?

Yes, Northamber maintains a GDPR compliant data processing repository. It is reviewed and updated on an ongoing basis as required.

8. How does Northamber manage Storage and Security of data including personal data?

Northamber takes great care to keep data secure. There are both physical and electronic processes in place, and management procedures ensure data is protected. We use encryption where possible, for example when taking credit card orders.

Data is physically stored in the UK at Northamber owned facilities and is not passed outside the EEA. The precise location of the data and backups is confidential in order to maintain data security. If you need more information, please contact the privacy@northamber.com email address.

9. What is Northamber’s Data Retention Policy?

Data, including personal data, is kept for up to 7 years to enable Northamber to manage accounts, requests, compliance requirements and legal requirements, after which time it is destroyed.

Personal data relating to prospective employees who are not successful candidates will be kept for 12 months and then destroyed.

Data is removed through standard deletion and overwriting processes to ensure restoration is not possible.

Data deletion and destruction is authorised via the management process and supported by staff training and compliance checks.

10. How does Northamber manage Data Access Requests?

Data Access Requests are monitored and logged via the management system, which meets regularly. Data Access Requests are managed through this management process and documented accordingly. The Privacy Officer is part of this team and process and is responsible for managing each request to completion.

11. How does Northamber manage Data Breaches?

Should a data breach occur, it would be logged and managed by the management system described above. The Privacy Officer is responsible for ensuring the correct processes and procedures are followed and documented, including reporting to any relevant third party.

Data breaches are understood by all staff and management, and processes are in place to identify and report them through the management system. Training of all staff covers this subject and other GDPR related responsibilities.

Internal tracking and audits are carried out to ensure compliance by staff on all data privacy related matters.

12. Does Northamber have a central repository of data processing activities?

Yes, Northamber maintains a GDPR compliant data processing repository. It is reviewed and updated on an ongoing basis as required.

13. Does Northamber train staff on Data Privacy?

Yes, all staff are trained on Data Privacy and GDPR on an ongoing basis. For example, prior to May 25th 2018 all staff were trained on the company and individual requirements and responsibilities. All staff are aware of and agree to the lawful requirements placed upon them individually and upon the company.

Training is delivered by various internal and external parties under the direction of the Privacy Officer. Refresher courses are run on an ongoing basis as new staff join, as regulation changes are made, or to reinforce knowledge as required.

14. Does Northamber use Cookies on its web sites?

Yes, when you visit our website we will also optimise your experience through the use of cookies, more details of which are included in our separate cookie policy (www.northamber.com/cookie-policy).

15. Is Northamber registered under the DPA?

Yes, Northamber is registered under the Data Protection Act 1988 and complies with DPA and GDPR guidelines.

16. How are changes to this statement & policy managed?

Northamber may make occasional changes to this policy in order to ensure compliance and best practice. The latest version of this document will be available on this page, and the date will reflect when the latest changes were made.

17. Who is the Northamber Contact for Data Privacy?

Our Privacy Policy is overseen by our Privacy Officer, who is the main contact for all things privacy related and may be contacted at the privacy@northamber.com email address.