General Data Protection Regulation
In accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679, introduced in 2018, users of personal data have to protect your data to a high standard, and must advise you why they need the data and for how long they store it. You also have a right to be forgotten and to have your data erased. This section describes the policies we follow to abide by this regulation.
Quality Silver is committed to respecting and upholding everybody's right to privacy, to processing personal data securely and to complying with the legislation prevailing in the UK. This policy describes what we do to achieve this.
Definition of terms used in this policy
'We', 'Us' and 'Our' refer to Jewellery Workshop.
'You' and 'Your' refer to a client of Jewellery Workshop. This may be a customer, supplier or member of our emailing list.
'Processing' means collecting and storing data, and using it to contact you if consent is given.
'Our website' means https://www.jewellery-workshop.co.uk.
'Device' means any computer, tablet, smartphone or other equipment equipped with a web browser and connected to the internet.
'GDPR' means the General Data Protection Regulation.
'PCI-DSS' means Payment Card Industry Data Security Standard.
'HMRC' means Her Majesty's Revenue and Customs, the UK tax authority.
'Full card details' means the card number, expiry date, name of account holder and CVC number of any debit, credit or charge card.
'Information' and 'Data' are used interchangeably.
The data controller and data protection officer for Jewellery Workshop is Jason Beer, address shown on the 'About Us' page of our website and on the top of all invoices.
Jewellery-Workshop.co.uk is a secure website protected by Secure Sockets Layer (SSL), as indicated by the padlock symbol in your browser. SSL protects data by encrypting it as it travels over the internet between your web browser and the server.
Our website does not store any personal data, so in the unlikely event that our website is compromised, no customer data is available. We have chosen not to offer online order history, online accounts, online invoices or other database-driven applications, so that customer data is not stored online.
Why do we process personal data?
We need to collect and store your personal information so that we can fulfil your order, and contact you in the event of any query about it.
Our legal basis under Article 6 of the GDPR for processing personal data in any given instance is one or more of:
6.b) Processing is necessary for the performance of a contract to which you are party, specifically the supply of goods or services by Jewellery Workshop.
6.c) Processing is necessary for compliance with a legal obligation to which we are subject, in particular the retention of records for a specified time for tax purposes (see below).
6.f) Processing is necessary for the purposes of legitimate interests pursued by the data controller, specifically the collection of statistical data to assist in improving our offer and website to the mutual benefit of you and us.
What data do we process?
The personal information we collect and store is limited to that shown on our order confirmations and invoices, as follows:
- Your invoice name and address
- Your delivery name and address if different
- Your telephone number
- Your email address
- Your payment reference or method
- A list of the items you purchased from us
Online payments and financial data
Online payments are made through the secure website of our Payment Service Provider (PSP). The PSP is either Sellerdeck Payments (provided by Creditcall), Sagepay or PayPal, according to the payment method you choose. Each of these PSPs is PCI-DSS compliant to the highest level, ensuring that your card details are secure. We never see your full card details because you enter them directly on the PSP website. The only payment information we see and store is either the last 4 digits of the card number and the expiry date, or the PayPal transaction number. These details may be shown on our invoices for your reference.
Offline payments and financial data
We do not collect or store the bank account number or card details printed on your cheque. Once your cheque has been banked, this information is treated as deleted.
How is personal information stored?
Personal information is stored electronically and is encrypted to prevent unauthorised access. Any personal information in the form of printed copies of sales orders and invoices is kept in a secure storage facility with limited access, and no public access.
Your right to rectification
In accordance with Article 16 of the GDPR, if you notice that we have stored any of your personal data incorrectly, please let us know and we will correct it straight away.
How long do we keep your data for?
HMRC rules require us to keep records for at least 6 years after the January tax return submission date. To make sure we comply, we keep sales and purchase invoices for 7 years before deleting or destroying them.
If you have opted in to our emailing list, you may request that your email address is removed from the list at any time. If we have not had any contact with you for 6 years, all your personal data will automatically be deleted, including your entry in our emailing list.
We currently do not operate an emailing list. The paragraph above will only apply should we decide to start one in the future.
All old computer equipment has its hard drives removed and destroyed before disposal. We never dispose of old computers with the hard drives fitted.
Your 'right to be forgotten'
In accordance with Article 17 of the GDPR, your personal data will be deleted when:
a) The information is no longer necessary for the purposes for which it was collected, or
b) You withdraw consent and there is no other legal ground for processing under Article 6 (see 'Why do we process personal data?' above).
Can we supply a copy of the data we hold?
Yes. Send a self-addressed envelope with postage attached and we will forward you any information that we hold. The self-addressed envelope must be to the name and address that we have on file, so that we do not send it to the wrong person.
If you have moved, then please contact us as we may need proof of name and address to ensure we are sending to the correct person.
Although we are happy to send you the data we hold, this is typically limited to the following information:
- Method of payment (but not payment data such as card numbers)
- Delivery instructions, such as "leave with neighbour"
- Reason for purchase, such as "gift"
- How you found us, such as "Google"
CCTV
We operate a CCTV system for security purposes. It is possible that paperwork such as your invoice may inadvertently be recorded as we move orders around the office and workshop. The CCTV recordings are only accessible to the directors of Jewellery Workshop, and to law enforcement if requested.
Our cameras record 24 hours a day, and all footage is overwritten approximately every 30 days on a rolling basis.
GDPR compliant partners
We will never share your personal data with third parties except where necessary to process your order; in that case, limited data may be passed to carefully selected partners in order to fulfil your order.
Our payment partners, who process your payments on our behalf, are:
- Sellerdeck Payments (Creditcall)
In order to deliver your order, your name and address will be printed on the outside of our parcels. Our delivery partners are:
- Post Office Counters
Our review software is operated by Codepath Ltd, who process website reviews on our behalf. The information they may hold is very limited and entirely optional, and will typically be:
- Name (example: John)
- Location (example: London)
Each of these is entirely optional. If you review anonymously, then as long as we can verify you as a genuine client we will substitute your details as below:
- Name: CL
We may also share your personal information for the purposes of law enforcement if requested by the Police, or if a chargeback occurs that needs to be investigated.
In the unlikely event of a data breach, we will contact the UK supervisory authority (the Information Commissioner's Office) and you, in accordance with Articles 33 and 34 of the GDPR.
This policy was updated on 22nd May 2018.