Posters on Demand Limited (‘POD’, ‘pod’) has created this document to demonstrate its commitment to data privacy and its alignment with the requirements of the Data Protection Act 1998 and, in substitution from 25 May 2018, the General Data Protection Regulation 2018 (GDPR) in respect of handling and processing personal data.
Data received from Customers
We (or our third-party sub-processors acting on our behalf) will collect and process data that is provided to us by customers. Personal data may be included in the data you provide for the purchase of any products and the information contained on the products ordered. It is important that contractual arrangements with those individuals clearly set out how you will use their data and with whom it could potentially be shared. We require all our customers to comply with the GDPR.
By adding individuals’ personal data to POD’s systems, or by sending personal data via email or by other methods to POD, you give consent to us processing the data and you confirm that you have obtained the appropriate consent from the relevant individuals for the personal data to be processed by POD.
POD will retain and use this data to perform the contract between us whilst you remain a POD Customer and further will use it where it is in POD’s legitimate interest, for example, fraud prevention.
We collect customer contact personal data as a Data Controller and use it for the purpose of order processing and account management. Once any orders have been completed this data will be held securely on our systems for the duration of the contract.
You may provide us with information about customer contacts who will administer the activities associated with POD on behalf of the customer. We will collect this information as a Data Controller in order to successfully complete a commercial transaction. These details may include names, postal addresses, email addresses, telephone numbers and billing information.
The customer contact’s details will be retained for as long as we provide a service to a customer.
Data sharing
Other than as set out in the next paragraph and even where we collect personal data in the capacity of a Data Controller, we will never distribute or share personal data that is held on our system with any third parties other than POD’s employees, consultants and sub-contractors.
Marketing
POD maintains a marketing database that contains the basic details of individuals who have consented to POD sending information about products, events or services, as well as general news about the POD company, to them, via email.
Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can opt out by sending a request specifying your new choice to info@podnow.co.uk.
POD engage the services of external freelance consultants and suppliers for various purposes within the company.
It is necessary to share bank details with our bankers to make payments for services; POD will always make sure that the details are only processed using secure banking systems.
POD will never share this information elsewhere outside of the company, unless required to do so by a regulatory or legal authority.
Website use – tracking and monitoring
Users of POD websites should refer to the privacy section of POD’s terms and conditions, which are located at the following address: www.podnow.co.uk/privacy. This provides details on how information that is collected on the website is managed by POD.
Our websites and online systems use cookies to distinguish you from other users of our website. For detailed information on the cookies we use, please refer to the terms and conditions on the website. We may automatically collect the following information when you visit our website:
- your IP (Internet Protocol) address
- your login information
- your browser type
- time zone settings
- browsers and operating systems used
- information about your visit, such as the pages visited, or documents downloaded
Employees
POD will only process and hold staff data for the legitimate purpose of employment.
Personal data including name, address, contact details, NI number, date of birth, bank details, employment history, medical history and next of kin contact details is stored and processed on the POD HR drive and Sage payroll system and will be held for the duration of the employment.
On leaving the company all data will be removed from systems and personnel files and be archived for a period of 3 years before being securely destroyed. PAYE information will be held on Sage 50 payroll for 6 years afterwards, as required by HMRC.
CVs and interview notes will be held for 6 months after the recruitment of a role before being securely destroyed or deleted. Data for successful candidates will be stored with employment data.
Prospective CVs will be considered on receipt, shared with internal departments and destroyed should no suitable vacancies be available. POD does not store prospective CVs.
References will be requested from former employers as part of employment terms. Factual references for former staff will only be provided on request from future employers; POD will only state dates of employment and final role. On receipt of financial reference requests, HR staff will seek consent before providing information.
Security
POD’s online systems have security measures in place to help protect against the loss or misuse of any data under our control.
When the websites are accessed by users, data traffic is encrypted using up-to-date secure socket layer (SSL) technology so that it can only be accessed by the end user.
All sensitive information on the website, such as passwords, is encrypted by a proprietary encryption system. All personal data can only be accessed by the relevant end users by way of unique usernames and passwords that must be entered when a user logs in to the systems.
POD is PCI DSS (Payment Card Information Data Security Standard) compliant. Credit card information is never stored on POD’s systems and is only used to authorise the specific transaction through POD’s card payment authority (Stripe) and then removed. Where credit card data is held (for speed of future payments), this is only held by Stripe. Under no circumstances will your credit card information be passed to any other third party.
Where we store data
All data in POD’s systems is stored on a secure set of servers hosted by our hosting provider. The servers reside in the United Kingdom. Data is frequently backed up and stored in the provider’s backup/disaster recovery facility, which is also in the UK.
This is in a secure server hosting facility with the necessary environmental, physical and technical controls in place to ensure unapproved access is prevented.
POD’s email data is stored with Microsoft located in EU data centres and follows Microsoft standard security and backup processes.
Destruction of physical data
POD employees are trained to destroy all personal data securely. POD has contracts in place to have all paperwork containing personal data securely shredded onsite.
Data breach incidents
In line with our regulatory requirements, POD has a set of processes for issue and incident management, including data breaches. These processes include the required notifications to be sent to the Information Commissioner’s Office and customers. This is reviewed annually and may be subject to change.
General Data Protection Regulation 2018
POD has adapted its policies and procedures to ensure it is compliant with the GDPR. This document has been produced to represent our current status and will be reviewed annually and updated as processes are developed.
Under GDPR, individuals have certain rights when it comes to the control of personal data.
The right to be informed. Each individual has the right to be given information about how their data is being processed and why. POD has provided this policy to show how we handle your data.
The right of access. POD has a duty to comply with the requirements of Subject Access Requests (SAR).
The right to rectification. The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
The right to be forgotten. You have the right to ask POD to remove your data.
The right to restrict processing. You may restrict processing for a legitimate reason; we would still have the right to hold that information.
The right to data portability. You may be able to obtain the information we hold about you and use it for your own purposes. Conditions apply.
Should you wish to exercise any of your rights above, please email info@podnow.co.uk stating the following information:
- Name
- Contact details
- Relationship to subject
- Full details of information relating to your request
- Reason for request and the right being exercised
You will be asked to verify your identity if you are the subject; alternatively, you will be asked to provide consent from the subject if you are a representative.
Should we require further information we will contact you.
Your request will be dealt with within one month of receipt of your request.
Under the GDPR you have further rights in relation to automated decision-making and profiling. POD does not currently use automated decision-making or profiling. Should any further automated processes be implemented, the policy will be reviewed and updated.
Cookies
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website. It also allows us to improve our website.
A ‘Cookie’ is a small piece of information that we store on your computer. Our system will issue cookies to your computer when you access the site. We use the following cookies.
Strictly necessary cookies: these are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.
Analytical/performance cookies: these allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
Functional Cookies: these are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Remarketing Cookies: these allow us to recognise your interests, based on the web pages you visit on our website, and allow us to present you with relevant promotions and updates to keep you up to date with POD. Third-party vendors, Google, Facebook and Instagram, use these cookies to serve ads in various places across the internet. If you wish to opt out of remarketing cookies, simply click on the below links and follow the opt-out processes:
- Google: Network Advertising Initiative opt-out page
- Facebook: Your Ad Preferences
- LinkedIn: Advertising Preferences and Third Party Data
- Instagram: Access Tool
This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer’s hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including “strictly necessary” cookies) you may not be able to access all or parts of our website.
You can remove cookies from your computer at any time by going into the settings in your browser and deleting the browsing history and cookies stored. The exact location of this setting will depend on your browser of choice.