Customer Privacy Notice: BS 10012:2017

23 May, 2018

This policy is not contractual and can be reviewed, amended or withdrawn at any time. Please be advised that Sapphire discourages the retention of hard copies of policies and procedures and can only guarantee that the policy on the Sapphire website is the most up to date version.

Sapphire’s Customer Privacy Notice

1. Your Personal Data:

What we need
Sapphire will be what’s known as the ‘Controller’ of the personal data you provide to us. We only collect enough personal data about you to fulfil the purpose of the contract for the provision of the product sale or service contract. This may include personal as well as special categories of data and we will keep you informed on why this is necessary to collect.

If you have taken a product or service from us, we may offer you further information that we feel you are interested in.  You will be able to opt-out of this selective messaging at any time.  In addition, you may opt-in to our information services that will keep you fully informed of the business and its present and future services.

Your Personal Data Rights
Sapphire will respect all of your Data Subject Rights. When communicating with you about your Rights, we will authenticate you to ensure that your personal data is communicated safely. Sapphire aims to administer your Rights within 30 days of the request or when sufficient information is collected to fulfil that request. Your Rights include, but are not limited to:

The Right of Access: At any time, you can ask for a copy of your personal information. Sapphire will respond with whether data is held or not. If data is held, then a copy of the information and the required supplement notice will be offered to you.

Right of Rectification: This allows you to submit changes to your records, and once the changes are verified they will be made to Sapphire records. Similarly, Sapphire may periodically request you to check that your data is held accurately.

Right of Erasure:  If you request your data to be erased and there is no other lawful basis to keep your data, then it will be removed.

Retention Periods
All personal data collected under contract will be held for a period of 6 years plus current from the end of the contract.  This includes: contractual and personal data.

Data collected under consent will be used until consent is withdrawn or if it is no longer useful for the purpose for which it was collected. Some data may not be removed if it involves a disproportionate effort.

This does not affect your Rights as a data subject.

Please note: After this retention period has expired, Sapphire will be unable to offer confirmation of costs, descriptions of work undertaken, or anything pertaining to the product or service.

Failing to Provide Necessary Personal Data
Failing to provide some or all of the necessary personal data may result in:

  • Sapphire being unable to fulfil our contractual or legal obligation, which may in turn place you at a significant disadvantage.
  • delays or failures of contracts or proceedings, for example, if your personal data is not received in a timely manner.

Sharing Personal Data
Sapphire may share your personal data with other organisations, companies or partnerships in order to carry out the contract of service you have requested.

If Sapphire shares your data on a regular basis with organisations, we will perform due diligence and hold written contracts and agreements with these organisations to legally safeguard your data. Sapphire will obtain consent from you to share your personal data where these legal safeguards do not exist.

If you have consented for us to share your data with other organisations for the purposes of marketing, we will keep your consent on record until it is withdrawn, or the purpose is no longer valid. On withdrawal of consent, Sapphire will endeavour to contact these organisations on your behalf to remove your consent.

Transfer to International Countries
Your data may be transferred internationally. If your data is transferred, Sapphire will legally safeguard your personal data by:

  • Transferring to EEA countries.
  • Transferring to an EU Adequate country, or a US Privacy Shield company.
  • Transferring under “EU Model Clauses” agreement with the importing party.

Owing to the global nature of the Internet infrastructure, the information you provide may be transferred in transit to countries outside the European Economic Area that do not have similar protections in place regarding the protection of your personal data. Where this is the case, end-to-end encryption will be employed to transmit the data securely.

Where Sapphire is unable to utilise legal safeguards when transferring data to a third country, Sapphire will seek consent from you to facilitate the data transfer. This could be the case when arranging specific co-operation from abroad.

Information Security
Transmission: Where personal data is electronically transmitted from one computing device to another over a public network, an encrypted path will be used, e.g. SSL. If your data is transmitted in a hard-copy format from one place to another, national mail services or secured methods of transport suitable to the nature of the personal data will be used.

Storage: Personal electronic records are located on servers in secure premises. If your data is required to be stored outside of the secure premises, the data will be in an encrypted format. Personal paper-based records will be stored in a locked filing cabinet in secure offices to prevent inadvertent access by unauthorised 3rd parties.

Access: Only personnel authorised by Sapphire will have access to your personal data records, on a need-to-know basis.

Disclosure of personal data: We do not disclose personal data unless we are required to do so to comply with the law or under contract, we have your consent, or it is in your vital interest.

Automated Decision Making and Profiling
The information you provided to Sapphire will be provisioned on to the Sapphire database.  Sapphire systems do not make automated decisions nor perform any online profiling.  This does not affect your Rights as a Data Subject.

Data Subject Rights
If you would like to exercise your Data Subject Rights, including your right of access, rectification, erasure, restriction, or objection to processing, please contact the Data Protection Officer at Sapphire.

Data Protection Officer
Sapphire
North Point
Faverdale North
Darlington
Co Durham
DL3 0PH

Escalating a Data Protection Concern
While you should contact Sapphire in the first instance of a complaint or dispute, you have the right of redress and you are welcome to contact the Information Commissioner's Office; please see: https://ico.org.uk/concerns or call the ICO on: 0303 123 1113.