THE EU GENERAL DATA PROTECTION REGULATION (GDPR)


From May 25th 2018, the Data Protection Directive 95/46/EC will be replaced by the EU General Data Protection Regulation (GDPR). Its purpose is to harmonize and strengthen the protection of the personal data of individuals in the EU, and it applies to any business or website established in the European Union, as well as to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.  At the time of its implementation the UK is a member of the European Union, and our business is therefore subject to the legislation.  The penalties for non-compliance include heavy fines, up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year (whichever is greater).

In general terms, this has implications for how we manage and retain your data and, if you use this website, it enhances your rights over that data.  Data in the context of this particular website means personal details and contact details (including telephone numbers, email addresses and postal addresses).  When we take payment from you, we act as a portal to external payment gateways such as Sagepay and PayPal; we may use cookies in order to save this data on our website, to make future transactions more convenient.  This website offers the facility to create a user and/or trade account, which requires our company to retain your data; that data may include contact details and financial data, including historical transaction details.

YOUR RIGHTS SUMMARIZED

Under the new regulation, your rights pertaining to your data include, but are not limited to, the following:

  • Only the data that is necessary for its stated purpose may be collected and retained, and it must not be reused for an unrelated purpose without a separate legal basis - for example: consent for marketing must be obtained separately from consent for operational use (the data minimization and purpose limitation principles).
  • Consent from the data subject must be given clearly and unambiguously in order for us to retain your data and use it for operational purposes, including marketing.  This means that pre-checked, opt-out style checkboxes are no longer acceptable - consent must be a conscious, affirmative action by the user, and it may be withdrawn at any time.
  • If a breach of the website's or company's data security is likely to result in a risk to individuals, the supervisory authority (in the UK, the Information Commissioner's Office) must be notified without undue delay and, where feasible, within 72 hours of the company becoming aware of it.  Where the breach is likely to result in a high risk to the data subjects, the data subjects themselves must also be informed without undue delay.
  • Data subjects have the right to access all of their held personal data, and to receive it in a structured, commonly used, machine-readable format (data portability), free of charge and without undue delay - in any event within one month of the request, extendable by up to two further months for complex or numerous requests.
  • Data subjects must be told how their data is being used.  They can request its deletion under the "right to be forgotten", and the request must be complied with where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn and no other legal basis applies, or where the data has been processed unlawfully; it may be refused where retention is required by law, is "in the public interest" (for example, public-health, archiving or research purposes), or is needed to establish, exercise or defend legal claims.
  • Each company/website must have its own policies and records in place to demonstrate compliance with this legislation (the "accountability" principle).

This is only an outline of the new legislation, and briefly summarizes your rights as a data subject.  For a more comprehensive explanation of GDPR and how it protects your data in the context of our retention of it, please visit: https://www.eugdpr.org/.