At LAM Communications Ltd, we value your privacy. While we need to collect certain information from you in order to process your orders and make sure we provide essential customer service to our customers, we protect your personal information. Please read this statement to find out how we do that.
At our website, we allow our visitors to purchase products online. In order to process the orders, we must collect your full name, address, delivery address (if different), telephone numbers, email address, and credit card information, including the type of card, the card number, expiration date, and card holder’s name. We make sure that this is collected and transmitted using secure technology. It is stored by us on a secure server to allow us to process credit card reconciliations, provide customer service, and handle audits and warranty claims, among other purposes.
As a convenience to our online purchasers, we may also offer them the convenience of being able to keep their personal information (but not their credit card information) stored in an online profile or customer account. This will make shopping easier for our repeat customers, as they will not have to re-enter their information every time they make a purchase. Users who choose this option will select a password, which will be the only way this information can be accessed, and they will be able to modify, change, or correct their information at any time. Customers who want to delete access to their online profiles can do so by calling customer services on 01226 361 700 or email firstname.lastname@example.org
We also allow our users to sign up for our mailing list by registering for our mailing list with their name and email address or by checking the appropriate box when purchasing. Users can remove their information from our mailing list at any time by sending an email with those instructions to email@example.com. In addition, every email from us will come with instructions for how to unsubscribe. For customers who have not made an online purchase, this will also remove their information from our database.
We will not disclose any of your personally identifiable information except as necessary to fulfil your order, or when we have your permission, or under special circumstances, such as when we believe in good faith that the law requires it.
We store all personal information on our password protected secure servers.
Cookies/Other Data Collection
A cookie is information that is stored by the server on the client side of a client/server communication. Typically, a cookie records your preferences when using a particular site. Cookies are commonly used to rotate the banner ads that a site sends so that it doesn’t keep sending the same ad as it sends you a succession of requested pages. They can also be used to customise pages for you based on your browser type or other information you may have provided the Web site. Web users must agree to let cookies be saved for them, but, in general, it helps web sites to serve users better. This web site may set cookies in your computer to provide you a better shopping experience and customised information by saving you time. However you may set your browser to refuse the cookies automatically or you may manually erase it from your browser.
For our internal purposes, we gather date, time, pages visited, originating search engine, and IP address of all visitors to our site. We keep this information for our internal security audit log and systems administration purposes, to help diagnose problems with our server, and to administer our web site.
General Data Protection Regulations
LAM Communications Data Protection Policy
LAM Communications regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose. LAM Communications believes this is vital for maintaining the confidence of customers, employees and other stakeholders about whom we process data, and ourselves.
This Data Protection Policy explains how LAM Communications will meet its legal obligations concerning confidentiality and data security standards. The requirements within the policy are primarily based upon the EU General Data Protection Regulation (EU GDPR), which is the key piece of legislation covering data security and confidentiality of personal and sensitive personal data in the European Union.
- LAM Communications will fully implement all aspects of the EU GDPR.
- LAM Communications will ensure all employees and others handling personal data are aware of their obligations and rights under the EU GDPR.
- LAM Communications will implement adequate and appropriate physical and technical measures and organisational measures to ensure the security of all data contained in or handled by its systems.
The main focus of this policy is to provide guidance about the protection, sharing and disclosure of personal data, but it is important to stress that maintaining confidentiality and adhering to data protection legislation applies to anyone handling personal data or personal sensitive data on behalf of LAM Communications.
Registration with the Information Commissioner
The Digital Economy Act 2017 requires every data controller (i.e. organisation) in the UK to pay a fee to the Information Commissioner’s Office (ICO) and outline the categories of data they hold about people, and what they do with it.
LAM Communications is registered with the ICO Under registration reference ZA268750 for the purposes of Retail and Wholesale.
Definitions of Personal Data and Sensitive Personal Data
- All identifiable customer data
- All identifiable employee data
- All other personal data processed by LAM Communications
Examples of personal identifiable data LAM Communications processes include:
- Names, addresses, emails, phone numbers and other customer contact information
- Credit or Debit card details to facilitate payment for goods
- National insurance numbers and payroll data
- Photographs, video and audio recordings
Certain types of data are regarded as sensitive and attract additional legal protection. Sensitive personal data is considered to be any data that could identify a person such as:
- The racial or ethnic origin of the individual
- Political opinions or affiliations
- Religious beliefs or other beliefs of a similar nature
- Membership of a trade union
- Physical or mental health or condition
- Sexual life
- Commission or alleged commission of any offence
- Any proceeding for any offence committed or alleged to have been committed or disposal of such proceedings or the sentence of court in such proceedings
- Bank account details, any official identification details such as passport or driving licence numbers etc.
Data Protection Principles
The eight Data Protection principles that lie at the heart of the EU GDPR give the Regulation its strength and purpose. To this end, LAM Communications fully endorses and abides by the principles of data protection. Specifically, the six principles require that:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or are rectified without delay;
- kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals, and;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Personal data and sensitive personal data must not be used other than for the specific purpose required to deliver a product or service. The individual should always know that their data is being processed. When that data is especially sensitive, consent is required before the data can be processed by LAM Communications.
All data collected from people under the age of 16 (unless there are concerns about mental capacity in which case this should be extended) is to be treated as sensitive personal data.
A record can be in computerised and/or in a physical format. It may include such documentation as:
- Manually stored paper files e.g. membership records, employee records
- Hand written notes
- Letters to and from LAM Communications
- Electronic records
- Videos and tape recordings
Backup data (i.e. archived data or disaster recovery records) also falls under the DPA; however, a search within them should only be conducted if specifically asked for by an individual as an official Subject Access Request.
Rights of Access by Individuals
The EU GDPR gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations hold about them irrespective of when and how they were compiled, i.e. hand-written records, electronic and manual records held in a structured file. This is called a Subject Access Request. The EU GDPR treats personal data relating to employees, members and clients alike.
Understanding and complying with the eight Data Protection Principles is the key to understanding and complying with LAM Communications responsibilities as the data controller. Therefore, LAM Communications will, through appropriate management, and strict application of criteria and controls:
- Ensure that there are lawful grounds for using the personal data
- Ensure that the use of the data is fair and meets one of the specified conditions
- Only use sensitive personal data where we have obtained the individual’s explicit consent (unless an exemption applies)
- Only use sensitive personal data, if it is absolutely necessary
- Only obtain and use personal data for those purposes which are known to the individual
- Ensure personal data is only used for the purpose it was given. If we need to use the data for other purposes, further consent will be obtained.
- Only keep personal data that is relevant to LAM Communications
- Keep personal data accurate and up to date
- Only keep personal data for as long as is necessary
- Always adhere to our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data
- Ensure individuals are given the opportunity to ‘opt in’ to receiving mass communications
- Take appropriate technical and organisational security measures to safeguard personal data.
In addition, LAM Communications will ensure that:
- There is an employee appointed as the Security Information Risk Owner with specific responsibility for Data Protection in LAM Communications. This is currently the Director and company secretary
- Everyone managing and handling personal data and sensitive personal data understands that they are legally responsible for following good data protection practice and has read and signed the LAM Communications Data Protection Policy.
- Everyone managing and handling personal data and sensitive personal data is appropriately supervised.
- Enquiries about handling personal data and sensitive personal data are dealt with promptly.
- Methods of handling personal data and sensitive personal data are clearly understood by all employees
- Methods of handling personal data and sensitive personal data are regularly assessed and evaluated by the Security Information Risk Owner and relevant members of the Executive team.
- Performance with personal data and sensitive personal data handling is regularly assessed and evaluated by the Security Information Risk Owner and relevant members of the Executive team.
Roles and Responsibilities
Maintaining confidentiality and adhering to data protection legislation applies to everyone at LAM Communications. LAM Communications will take necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive training and sign the LAM Communications Data Protection Policy as part of their induction.
All employees have a responsibility to:
- Observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data and sensitive personal data
- Obtain and process personal data and sensitive personal data only for specified purposes
- Only access personal data and sensitive personal data that is specifically required to carry out their activity or work
- Record data correctly in both manual and electronic records
- Ensure any personal data and sensitive personal data is held is kept secure
- Ensure that personal data and sensitive personal data is not disclosed in any form to any unauthorised third party
- Ensure personal data and sensitive personal data is sent securely
- Read and sign the policy, directing any questions to the Director and company Secretary.
Failure to adhere to any guidance in this policy could mean an individual(s) being criminally liable for deliberate unlawful disclosure under the EU GDPR. This may result in criminal prosecution and/or disciplinary action.
The company Directors are responsible for:
- Determining if the business holds personal data and sensitive personal data and ensuring that the data is adequately secure, access is controlled and that the data is only used for the intended purposes
- Providing clear messaging to all employees about data protection requirements and measures
- Ensuring personal and sensitive personal data is only held for the purpose intended
- Ensuring personal and sensitive personal data is not communicated or shared for non-authorised purposes
- Ensuring personal and sensitive personal data is password protected when transmitted or appropriate security measures are taken to protect when in transit or storage.
Security Information Risk Owner – The Director and Company Secretary holds the post of Security Information Risk Owner. Responsibilities include:
- Ensuring compliance with legislation principles
- Ensuring notification of processing of personal data and sensitive personal data to the ICO is up to date
- Providing guidance and advice to employees in relation to compliance with legislative requirements
- Auditing data protection arrangements
- Reporting on any breaches of Data Protection legislation
- Ensuring those handling personal data are aware of their obligations by producing relevant policies, auditing the arrangements and ensuring the relevant people receive training
In the Security Information Risk Owner’s absence, advice can be gained from https://ico.org.uk/.
The Information Commissioner’s Office (ICO) – The Information Commissioner’s Office is responsible for overseeing compliance e.g. investigating complaints, issuing codes of practice and guidance, maintaining a register of Data Protection Officers. Any failure to comply with DPA may lead to investigation by the ICO which could result in serious financial or other consequences for LAM Communications.
Breach of Policy
In the event that an employee fails to comply with this policy, the matter may be considered as misconduct and dealt with in accordance with LAM Communications Disciplinary Policy.
Any individuals or organisations with whom LAM Communications data has been shared may be personally liable for any breach of the EU GDPR.
Dealing with a Data Breach
If a data breach is suspected, the person who identified the breach should immediately:
- Notify the Director and Company Secretary
Following notification of a breach, the Security Information Risk Owner will take the following action as a matter of urgency:
- Implement a recovery plan, which will include damage limitation
- Assess the risks associated with the breach
- Inform the appropriate people and organisations that the breach has occurred
- Review the LAM Communications response and update our information security