Handmade in England
Free delivery over £80
Natural Ingredients
Handmade in England
Free delivery over £80
Natural Ingredients
DATA PROTECTION &
UK GDPR COMPLIANCE POLICY
Pertaining to Data Protection Act 2018 (DPA 2018) and
The General Data Protection Regulation (EU) 2016/679 (GDPR)
(now known as UK GDPR)
This document constitutes the compliance of OriēnMir Ltd (“we”, “us”, “the company”) and its incumbent employees, to The Data Protection Act 2018 (DPA 2018) and The General Data Protection Regulation formerly (EU) 2016/679 (GDPR) now UK GDPR by function of and adherence to this internal policy.
In addition to the above, we are also required to comply with statutory and regulatory obligations relating to business generally which may affect the constituent parts of this policy. For Example, the HMRC or the Information Commissioner’s Office (ICO)
Related Links –
ICO Website www.ico.org.uk
LEGISLATION DOCUMENT – GDPR 2016/679
LEGISLATION DOCUMENT – DPA2018
Related documents available online or in print from the OrienMir Ltd office
POLICY STATEMENT
OriēnMir Ltd is committed to providing accessible information regarding protecting the privacy and security of personal data. This policy aims to demonstrate that commitment. By Law, everyone has rights with regards to the way in which their personal data is handled. We recognise that the lawful, fair and transparent treatment of this data will maintain confidence in OriēnMir Ltd and provide for successful business operations going forward.
This Data Protection Policy pertains specifically to, and uses the terminology of, the General Data Protection Regulation (EU) 2016/679 (GDPR) while also referencing terminology of the Data Protection Act 2018 (DPA 2018).
The transition period for leaving the EU ended on 31 December 2020. The UK GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the DPA 2018, with technical amendments to ensure it can function in UK law.
While this policy does not form part of any employee’s contract of employment, all OriēnMir Ltd data users are obliged to comply. Any breach of this policy may result in disciplinary action.
This policy and any other documents referred to, and in it, set out the basis on which we will process any personal data we collect from a Data Subject(s), or that which is provided to us by a Data Subject(s) or other sources. This policy constitutes an amalgamation of the general principles of both pieces of aforementioned legislation, some of which may be duplicated where deviations occur. In either and all cases, OriēnMir Ltd is lawfully bound by all of the individual constituent parts both the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), thus, this policy may be amended at any time.DATA PROTECTION & UK GDPR COMPLIANCE
DEFINITIONS
Privacy Notice – (also referred to as Fair Processing Notice or Privacy Policy), is an informative document outlining the how and why of processing and retaining data. This privacy notice should be presented when the Data Subject first provides their data. (at or before the point of collection) Privacy notices usually refer to an entity, company or organisation, but can also refer to an individual, (or sole trader) a group or club. In all cases a privacy notice should refer to any associated third parties. It may take the form of a website notice or internal policy statement, (or both), offered in brief, or in the form of a full detailed process document. In the main however it should outline the following points:
- What is the business, and what does it do? [ Sell skincare products. Provided specialised skin treatments to enhance the skin appearance)
- What is the scope of the notice (to whom does it apply?) [customers]
- What are the applicable laws (according to the jurisdiction where the business is located or services are provided)? [ online and in a clinic in stockport, Greater Manchester]
- What personal data does the business collect? [ Name, billing and mailing Address, telephone number, email, date of birth, medical history, usernames, debit/credit card numbers, contact preference, passwords, job title]
- How does the business obtain personal data? [ selling and/or providing physical and informational products, customers creating an account using the OriēnMir website ]
- How does the business use and process personal data?
Businesses use and process personal data for a variety of reasons, often aimed at improving their services, targeting their marketing efforts, and complying with legal requirements.
Collection of Personal Data
- Direct Collection: OriēnMir collect data directly from individuals through forms, surveys, account creation, and transactions.
- Indirect Collection: Data can be collected indirectly through cookies, tracking pixels, and other online tracking technologies.
Use of Personal Data
- Customer Service and Support: Personal data is used to provide and improve customer support, addressing inquiries and resolving issues.
- Marketing and Advertising: Data helps in personalising marketing efforts, targeting ads, and creating marketing campaigns based on customer preferences and behaviours.
- Product and Service Improvement: Feedback and usage data are analysed to enhance and develop products and services.
- Personalisation: Data allows businesses to tailor experiences and recommendations to individual users.
- Sales and Transactions: Personal data is essential for processing orders, payments, and other sales-related activities.
- Compliance and Legal Obligations: Businesses use personal data to comply with laws and regulations, including tax, employment, and data protection laws.
Processing of Personal Data
- Data Storage: Personal data is stored in databases, data lakes, or other storage systems. It is often encrypted and access-controlled to protect privacy. (Will check with heron)
- Data Analysis: OriēnMir analyses personal data to gain insights into customer behaviour, preferences, and trends. This can involve techniques like data mining, statistical analysis, and machine learning.
- Data Sharing: Personal data may be shared with third-party service providers, partners, or affiliates for specific purposes such as payment processing, shipping, or analytics.
- Data Security: Implementing security measures such as encryption, access controls, and regular security audits to protect personal data from breaches and unauthorised access.
- Data Retention and Deletion: OriēnMir has policies for how long personal data is retained and the process for securely deleting data that is no longer needed. [ does this need to be a separate document?]
Legal and Ethical Considerations
- Privacy Policies: Clear and transparent privacy policies inform users about how their data is collected, used, and protected.
- User Consent: Obtaining explicit consent from users before collecting or processing their personal data, particularly for sensitive information.
- Data Subject Rights: Respecting the rights of individuals to access, correct, delete, and restrict the processing of their personal data.
- Compliance with Regulations: Adhering to laws and regulations such as the GDPR (General Data Protection Regulation) in Europe, and other relevant data protection laws.
Example of Data Flow
- Collection: A user signs up for a service, providing their name, email, and payment information.
- Storage: The data is securely stored in a customer database.
- Processing: OriēnMir uses the data to create a personalised user profile and recommend products.
- Sharing: Payment information is securely shared with a third-party payment processor.
- Analysis: Usage data is analysed to improve service features.
- Retention/Deletion: Data is retained according to OriēnMir’s retention policy and deleted after a certain period if no longer needed.
- How does the business share or disclose personal data to third parties? [ is point 3 in the processing or personal data okay]
- How long does the business keep the personal data in the system? [ I have written, we will keep it unless the user delete the account. I have added a temp privacy policy see point 6, do I need to specify a time?]
- What measures are in place to ensure the protection and safety of the collected data? [ will ask heron]
- Is there is a cross-border transfer of personal data? Yes for payments and processing orders
- What rights do individuals have regarding their personal data? [ see point 8 on the document I have sent you]
- Who is the data controller for personal data? [ Sheree Powell]
- How does the business use cookies and similar technologies? [ see point 5]
14. How can the users access or control their personal data collected and indicate their opt-out or opt-in preferences? [ log into their account to delete their profile or call customer service to delete their profile. Will check with heron ]
- How can individuals contact the business? [ Email, mail ]
- How will the business update the privacy notice? [ see point 10]
|
* This Data Protection Policy in its entirety is one such example of a privacy notice. Though sections of this full policy may be referenced online for brevity, in all cases this document constitutes the full, complete and comprehensive account for legal purposes. It also constitutes a working document by which the organisation and its data protection officer will refer to it for all related Data Protection matters. (As well as ICO and the policies themselves). |
- 17.
Personal Data or Personal Information – is any information about a living individual from which they can be identified. (directly or indirectly, by the data alone, or in combination with other identifiers; “Information” in this context includes identifiers which are in (our) possession and /or that which can be reasonably accessed). “Personal data” includes “special categories” of personal data and “pseudonymised” personal data, but it does not include data where the identity has been removed (Anonymous Data). Personal Information/Data can be factual, (for example, a name, address or date of birth) or it can be an opinion about that person including their actions and behaviour.
* Pseudonymisation or pseudonymising data – is the process of replacing information that directly or indirectly identifies an individual, with one or more artificial identifiers – or pseudonyms- so that the person to whom the data relates cannot be identified, without the use of additional information which is meant to be kept separate and secure.
** Regarding Special Category Data – please see the appropriate definition below.
*** Data, Personal Data and Personal Information may be referenced interchangeably within this document. UK GDPR compliance focuses on the fact that all individual data or information pertaining to an individual, within any “interpretative context”, is personal. Also, that individual ownership, rather than organisational ownership is of higher priority.Data Subject – A Data Subject is a living individual whose personal data is being processed. Further described as a living, identified or identifiable individual about whom personal information is held (or to be held). Data Subjects may be nationals or residents of any country and may have legal rights regarding their personal data. Information relating to a deceased person does not constitute personal data and therefore is not subject to UK GDPR.
** All OrienMir Ltd Customers, Contractors and Employees are individual Data Subjects and henceforth (in this policy) referenced as such, though individuals can have more than one designation depending on context. (Please be aware that this definition can be interchanged within this document as “you” (as the reader singular) or as the plural of Data Subject (Data Subject(s).
Data Controller – A Data Controller – is a person(s) or organisational entity that determines the purpose(s) and means of processing of personal data. Data Controllers are more often entities rather than individuals but, types of Data Controller do include Sole Traders and people who work for themselves. Controllers shoulder the highest level of compliance responsibility and demonstrates this compliance with legislative and best practice Data Protection principles as well as other UK GDPR requirements. The Data Controller is also responsible for the compliance of its processor(s).
* In the context of this policy document, OrienMir Ltd is the Data Controller. This means that we are responsible for deciding how we hold and use personal information. We are required under data protection legislation to create and notify a Data Subject(s) of the information contained in this privacy notice.
Data User – Data Users are OrienMir Ltd employees whose work involves processing personal data. Data Users must protect the data they handle in accordance with the Law, this data protection policy, and any applicable internal data security procedures at all times.
Data Processor – A Data Processor is:
- a person(s) or organisational entity that processes personal data on behalf of the data controller.
- a person(s) or organisational entity that is not an employee of the controller.
Being third party, a Data Processor can also be a data controller in its (their) own right.
Processing – is described as any functional operation performed on personal data. It includes obtaining, recording or holding the data, or organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive Personal Data – historically pertaining to DPA1998/2018 and sometimes referred to as Special Category Data – (UK GDPR) – is data which includes information about a person’s:
- Racial or Ethnic Origin, (yes, for skin analysis)
- Political opinions, Religious, Philosophical (or similar) beliefs,
- Trade Union Membership,
- Physical, Genetic or Biometric Data, ( yes for skin treatments)
- Health Conditions (including Mental Health), ( yes for skin treatments and client safety)
- Sexual Preferences.
Such personal data must be processed in a lawful, fair and transparent fashion, meaning that from the UK GDPR an Article 6 basis needs to be identified in order to process this data. In addition, you can only process Sensitive Personal Data/Special Category Data if you meet one of the specific articles in Article 9 UK GDPR.
Special Category Data/Sensitive Personal Data includes Personal data which by its nature reveals or is concerning the above sensitive types of data. (In other words there is a difference between one and other, the emphasis in this case being the word “Sensitive” or phrase “Special Category” for differentiation purposes) Therefore, if you have inferred or guessed details about someone which fall into one of the above categories, this data may also count as special category/Sensitive Personal data (depending on how certain that inference is and whether you are deliberately drawing that inference.)
Article 6 UK GDPR – Processing shall be lawful only if, and to the extent that at least one of the following applies:
- The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent;
- Processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require protection of personal data, in particular where the Data Subject is a child.
Article 9 UK GDPR – Revealing a Data Subject’s Special Category Data is prohibited. Though shall be permitted if one of the following limitations is given or processing is necessary for the following:
- Explicit Consent
- Employment, Social Security and social protection (with a basis in law)
- Vital Interest
- Not for Profit bodies
- Made public by the Data Subject
- Legal Claims or Judicial Acts
- Reasons of substantial public interest (with a basis in law)
- Health or Social Care (with a basis in law)
- Archiving, Research and Statistics (with a basis in law)
There are further stipulations if using conditions (b), (g), (h), (i), (j)
Please refer to the link: ICO – Lawful Bases for Processing Special Category Data
Sensitive Personal Data continues:
Criminal Offence Data – Regarding the commission of, or proceedings for, any offence committed or alleged to have been committed by a person (or Data Subject), including the disposal of such proceedings or the sentence of any court in such proceedings. This type of sensitive data is categorised separately under the heading of Criminal Offence Data and requires different reasons to process this data and a different type of processing.
For Guidance, Please use the following link: ICO – Criminal Offence Data Processing
https://ico.org.uk/for-organisations/UK GDPR-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/criminal-offence-data/Consent – Consent in this context is an agreement between the Data Controller and the Data Subject. It must be freely given, specific and informed, and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement of clear positive action, signify agreement to the processing of their personal data. Consent requires a positive opt – in, no pre-ticked boxes or any other method of default consent.
Regarding Consent OrienMir Ltd will:
- Make the request for consent prominent and separate from our terms and conditions.
- Ensure the consent is obvious, a request and require an action in order that people positively opt in.
- Use clear, plain language that is easy to understand
- Specify why we want the data and what we’re going to do with it
- Name our organisation and any third-party controllers who will be relying on the consent.
- Must be recorded – OrienMir Ltd will record the evidence of consent – who consented, when, how and what they were told
- Tell individuals they can withdraw their consent.
- Ensure that individuals can refuse to consent without detriment.
- Avoid making consent a precondition of a service.
- Ensure consent has no set time limit
- NOT use pre-ticked boxes or any other type of default consent.
Explicit Consent – is consent which requires a more clear and specific statement than that of above (i.e. not just action – requires definable parameters)
Automated Decision Making (ADM), – is when a decision is made which is based solely on Automated Processing, which produces legal effects or significantly affects an individual. In other words – Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. UK GDPR prohibits Automated Decision Making (ADM) unless certain conditions are met but not Automated Processing.
AUTOMATED DECISION MAKING
. OrienMir Ltd is allowed to use automated decision-making in the following circumstances:
1. Where we have notified the Data Subject(s) of the decision and given them 21 days to request a reconsideration. ( how can I do this when the treatment mostly will happen on the same day as the consent?)
2. Where it is necessary to perform a contract with the Data Subject(s) and appropriate measures are in place to safeguard their rights.
3. In limited circumstances, with explicit written consent and where appropriate measures are in place to safeguard Data Subject’s rights.
If OrienMir Ltd makes an automated decision on the basis of any sensitive personal information, we must have either the Data Subject(s) explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard the rights of the Data Subject(s).
The Data Subject(s) will not be subject to decisions that will have a significant impact on them based solely on automated decision-making, unless we OrienMir Ltd have a lawful basis for doing so and we have notified the Data Subject(s).
Automated Processing – is any form of automation of personal data to evaluate certain personal aspects of an individual. In particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing
Profiling – is defined in UK GDPR with the same definition as Automated Processing (above):
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour location or movements”
Profiling can be used for a wide range of purposes. It can be used extensively in an online context to suggest or serve content to users, to determine where, when and how frequently that content should be served, to encourage users towards particular behaviours, or to identify users as belonging to particular groups. It can also be used to help establish or estimate the age of a user (as detailed in the standard on age appropriate application), or for child protection, countering terrorism, or the prevention of crime.Profiles are usually based on a user’s past online activity or browsing history. They can be created using directly collected personal data or by drawing inferences (e.g. preferences or characteristics inferred from associations with other users or past online choices).
Content feeds based on profiling can include advertising content, content provided by other websites, downloads, content generated by other internet users, written, audio or visual content. Profiling may also be used to suggest other users to ‘connect with’ or ‘follow’. Why is Profiling related to Data Protection important?
- Profiling is mentioned in Recital 38 to the UK GDPR as an area in which children merit specific protection with regard to the use of their personal data.
- There are also specific rules at Article 22 of the UK GDPR about decisions (including profiling) which are based solely on the automated processing of personal data, and which have a legal or similarly significant effect on the data subject.
“22(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her”
Cookies: – A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
PECR – The Privacy and Electronic Communications (EC Directive) Regulations 2003 – PECR is a piece of legislation which requires that you provide users with clear and comprehensive information about your use of cookies and obtain prior consent for any that are ‘non-essential’.
PECR Legislation – PECR Legislation
https://www.legislation.gov.uk/uksi/2003/2426/contents/made“The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.”
If you use cookies for the purposes of profiling you need to consider PECR rules for the setting of the cookie, and the UK GDPR and this code for the underlying processing of personal data (Profiling) that the cookie supports or enables. As an overview what follows is a quick reference:
- Cookies, Profiling, and your Core Services – If the cookie is essential to the provision of your core service then it is likely that the underlying profiling that the cookie enables is (essential) too. You need a lawful basis (other than Consent) for the underlying processing (Profiling) and won’t need Consent for the cookie.
- Cookies, Profiling, and Age Estimation or Age Assurance – You may also use cookies for profiling that intends to meet the implied age verification requirements of Article 8 of the GDPR, (related to children and consent) or to age assure in order to properly apply the standards of this code. In this circumstance, the purpose you use the cookies for is regarded as essential for the service, thus see section 1 Cookies, profiling, and your core services.
For more detail about Article 8 ICO – Annex C Lawful bases for processing.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/12-profiling/For more information about cookies, and when a cookie is essential and non-essential, follow the ICO guidance ICO – Cookies and similar technologies.
Further information regarding Profiling: ICO – Profiling
Data Privacy Impact Assessment (DPIA): This is a data processing tool and assessment method used to identify and reduce risks of a data processing activity. A DPIA should be conducted for all major system or business change programmes involving the processing of personal data. It is a key part of accountability obligations and demonstrates how an organisation complies with said obligation.
Personal Data Breach – is an act or omission that compromises the security, confidentiality, integrity or availability of personal data. (Including the compromise of physical, technical, administrative or organisational safeguards that we (OrienMir Ltd) or our third-party service providers put in place to protect it. Any loss, unauthorised access, disclosure or acquisition, of personal data is a personal data breach. By Law, OrienMir Ltd must report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
Data Protection Officer – A Data protection officer ensures proper safeguards are in place and to ensure that data isn’t mishandled. – By definition, the Data Protection Officer is responsible for overseeing data protection strategy and implementation to ensure compliance with UK GDPR requirements. This is not a mandatory position, but it is recommended that all companies nominate or employ someone with the required expertise to manage their data protection activities.
The Data Protection Officer of OriēnMir Ltd is Paul Collins contactable via email on [email protected] – phone 03 33 344 15 16 (I’ll get you an email for you. Do you want data[email protected], [email protected] or [email protected] ?)
Related Section Link
ICO Definitions – ICO – Definitions
ORIENMIR LTD and DATA PROCESSING
OriēnMir Ltd – Manufacturer and Distributer of Cosmetics
Company Number 14940491
Registered Office: 5 Brayford Square, London, England, E1 0SG
OriēnMir Ltd process data from Data Subjects under two broad categories:
- (Customer) Business Transaction Data – OriēnMir Ltd only processes this personal data when the law allows us to, and primarily for the successful completion of continued business-related transactions.
- Internal Employee Data – Internal employees are Data Users and Data Subjects. As such, OriēnMir Ltd only processes personal data when the law allows us to under either designation, and primarily to affect the function of effective business.
OriēnMir Ltd obtain personal data by Direct Consent via the following:
- Online Direct Marketing (OriēnMir Ltd Website) and Social Media Platforms.
- WHERE WHICH ONES? Instagram, Linkedin, Facebook, Youtube, Twitter
- Free Samples, (OriēnMir Ltd Website and in person)
- Direct Sales (OriēnMir Ltd Website and in person)
- Word of Mouth (regarding internal employees and Recruitment)
- Online Recruitment Platforms
- Third Parties (relating to Contractors)
- It is also possible to obtain data through contractors or third parties including but not limited to Credit Reference and Recruitment Agencies, and/or former employers and former employees).
For ICO Marketing/PECR guidance use this link: ICO – Marketing guidance
https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/ Regarding Consent OrienMir Ltd will:
- Make the request for consent prominent and separate from our terms and conditions.
- Ensure the consent is obvious, a request and require an action in order that people positively opt in.
- Use clear, plain language that is easy to understand
- Specify why we want the data and what we’re going to do with it
- Name our organisation and any third–party controllers who will be relying on the consent.
- Must be recorded – OriēnMir Ltd will record the evidence of consent – who consented, when, how and what they were told
- Tell individuals they can withdraw their consent.
- Ensure that individuals can refuse to consent without detriment.
- Avoid making consent a precondition of a service.
- Ensure consent has no set time limit
- NOT use pre-ticked boxes or any other type of default consent.
In limited circumstances, OriēnMir Ltd may approach Data Subjects for further written consent to allow us to process certain particularly sensitive data. If we do so, we will provide the Data Subject(s) with full details of the information that we would like and the reason we need it, so that they can carefully consider whether they wish to consent.
The Data Subject is under no obligation to consent. If they fail to provide certain information when requested, however OriēnMir Ltd may not be able to perform the contract or service we have entered into, or we may be prevented from complying with our legal obligations (where applicable).
Information that OriēnMir Ltd will process (under consent)
Business Client/Customer (Third Party) Information: (Data Processors and/or Data Controllers) includes:
Trading Name Email Address
Registered Company Name Company Registration Number
Postal Address VAT Registration Number
Admin/Billing Contact Name Telephone Number
Online Direct Marketing, (via OriēnMir Website and Social Media Platforms) Personal Information to be processed includes:
Name
Phone numbers Something
Something Something
Something Something
Something Something
- names
- phone numbers
- email addresses
- mailing addresses
- usernames
- passwords
- billing addresses
- debit/credit card numbers
- contact preferences
- contact or authentication data
- job titles
- information revealing race or ethnic origin
- health data
- financial data
- data about a person’s sexual orientation
Recruitment related (Internal Employee) Personal Information to be processed includes:
Name/Title Addresses/Contact details
Date of Birth Gender Marital Status/Dependants
Next of Kin Emergency Contact National Insurance Number
Bank Account Payroll Records Tax Status
Salary, Annual Leave, Pension and Benefits
Start Date Workplace Driving Licence
Right to Work Employment Records References
For the function of financial processing, (such as Sales. Purchases Quotes and Invoicing) Personal Information will include:
Payment activity Invoice contact details
Invoice Address Invoice job details
Amount Paid Outstanding Amount
Discount(s) Applied Reference names and unique identifying numbers
Regarding Direct Sales (via the OriēnMir Website) Personal Information processed will include:
Name
Telephone Email address
Mailing Address
Debit/credit card information
Billing address
For the purposes of product production, processed data may include: Company name, website name,
named department specialists, product title,
individual(s) name, Company Address,
Website Details, Personal Qualifications
The above (within each category outlined) is not an exhaustive and finite list of processed and /or personal information, the mainstay of which within each purpose will be consented to by the Data Subject(s) directly. It may be possible that OriēnMir Ltd is able to obtain and process further related data held in the public domain. This data will only be used if it is Lawful and relevant to the completion of continued and mutual business-related transactions.APPLICATION TO AND STATEMENT OF – UK GDPR PRINCIPLES
Article 5
As a statement OriēnMir Ltd will only process personal data for the specific purposes set out in the Article. We will notify the Data Subject(s)of those purposes when we first collect the data or as soon as possible thereafter.
Notifying Data Subjects – If OriēnMir Ltd collect personal data directly from Data Subjects, we will inform them about: (a) The purpose or purposes for which we intend to process that personal data; (b) The types of third parties, if any, with which we will share, or to which we will disclose that personal data; (c) The means, if any, with which Data Subject(s) can limit our use and disclosure of their personal data.
If OriēnMir Ltd receive personal data about a Data Subject from other sources, we will provide the Data Subject with this information as soon as possible thereafter. We will also inform Data Subjects whose personal data we process, that we are the data controller with regard to that data.
This means that OriēnMir Ltd will comply with the following seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); – Regarding Business transaction data processing, the procedures terms and conditions are offered to all OriēnMir Ltd customers via a customer information and price list document (do I need to provide an example?), sent to all new account holders and prospective customers. It is also available from our office direct upon request and available on our website.
Regarding Internal employees, OriēnMir Ltd process data specifically to function the effective, continued business of OriēnMir Ltd. Employees are offered the terms and conditions of employment upon successful recruitment. Consent for use and retention of personal data is incumbent within the recruitment and retention process, not least communicated through the interview process, employee handbook and mandatory legal compliance documentation.
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); OriēnMir have outlined within this document the specific reasons and data we require to process. This will be communicated to the Data Subject(s) at the time of processing in line with the legal bases and principles of this robust data protection policy, and as advised by the ICO website. (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
OriēnMir Ltd will ensure that:
- ALL data which is in our possession is accurate and up to date.
- Every reasonable step is taken to ensure that personal information that is inaccurate, with regard to the purposes for which it is processed, is erased or rectified as soon as possible.
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
OriēnMir Ltd will process relevant personal data for as long as is lawful, and as long as business transactions with the appropriate Data Subject(s) remain current and continue. As an archive however, we will hold relevant Data Subject(s) data no longer than a five-year period.
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
g) Accountability
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Related Section Links
Accounyability Framework
Regarding lawfulness, fairness and transparency – For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds as set out in Article 6 of the UK GDPR.
OriēnMir Will Use 4 Of The 6 Available Bases As Outlined Below
Consent
Contract
Legal Obligation
Public Task
As outlined below:
- Consent: “the individual has given clear consent for you to process their personal data for a specific purpose.”
- OriēnMir will use this as a legal basis for processing data (as outlined and evidenced in the data processing section of this document.)
- OriēnMir will also however require consent to comply with PECR, Marketing and the use of Cookies.
User Guidance – The ICO outline that this may be “too generic” a use of this lawful basis, instead interpreting our evidence as “broader business purposes”; Also consideration should be made to offering Data subjects options not to consent (consider however, can OrienMir still provide the service if Data Subjects don’t consent? NO they need to consent for treatment and processing physical and informational products ); However as OriēnMir have specifically outlined what data is to be used for what purpose, it would seem imprudent to omit our using this basis. (Particularly regarding Recruitment Data Processing.).
(b) Contract: “the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.” – In the first instance OriēnMir will be using this Lawful basis as the backbone of our Broad Business processing basis, in order that we retain compliance to our terms and conditions of service, and not least to remain compliant to the following agencies:
-
- Environment Agency and/or the Health and Safety Executive.
- Financial HMRC and Companies House.
- Employment Law and workers’ rights
- Data Protection Law –
(c) Legal Obligation: “the processing is necessary for you to comply with the law (not including contractual obligations).” – OriēnMir will use this legal basis to process data – where applicable – for the following obligations should they occur:
- a breach of a duty of confidence; – this can arise as a result of confidential information coming to the knowledge of a competitor of OriēnMir or some other circumstances in which it would be unfair if it were disclosed.
- an infringement of copyright; this can arise particularly if there is the use of, or the production of, copyright-protected material without the permission of OriēnMir.
- a breach of an enforceable contractual agreement; – (verbally, written or implied) – predominately under the following circumstances:
- If a party refuses to perform the duties set out in the contract
- If the work carried out is defective
- Due to not paying for a service or not paying within the specified time limits
- From a failure to deliver goods or services
- Due to goods that do not conform to an agreed description
- From being late with services without a reasonable excuse
- a breach of the Human Rights Act 1998 and/or any other legal obligation outlined by suitably appropriate authority.
Also
5) Using Legal Obligation as our basis OriēnMir Ltd may also disclose personal data we hold to third parties regarding:
(a) In the event that OrienMir Ltd sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
(b) If we, or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
(c) If we are under a duty to disclose or share a Data Subject’s personal data in order to comply with any legal obligation, other than that stated above
6) OriēnMir will process personal data on the basis of Legal Obligation specifically regarding compliance to (Professional, Occupational and/or Regulatory Health related Certification.
As this may also constitute “future proofing”, this legal basis will be documented, evidenced, and communicated where and when it becomes appropriate, in advance of requiring said personal information. Any current use of this legal basis will be notified to the Data Subject(s) at the time of the consent being sought. ( I suppose this will be written on the consent form and in the clients notes during treatment services, will that be sufficient?]
(d) Vital interests: the processing is necessary to protect someone’s life. – It is not anticipated that OriēnMir will use this as a legal basis, however where appropriate
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. – Regarding Manufacture of a Safe product and regarding compliance to health and safety certification more generally, OriēnMir will be using this legal basis to process personal information. The regulatory organisations that require these legal bases are: (I needs to speak to you about this. Im not sure what company would need the sensitive information for manufacturing purposes)
- WHAT/WHO? WHAT/WHO?
- WHAT/WHO? WHAT/WHO?
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) –
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
User Guidance
To evidence the use of this lawful basis the ICO recommend the following “test”
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
OriēnMir Statement – OriēnMir Ltd process data to complete and continue mutual business sales for our customers – (Data Subject(s) – as well as for ourselves. This will include third-party processing to produce and/or administrate for said “product ingredients” which make up the constituent parts of the overall product where said data is “imperative” to the ingredient’s accuracy and/or potency.
Should the use of this personal data be overridden by the data subjects rights we will of course not rely on the processing of said data.
Links
To read the appropriate ICO advise follow this link:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/
Transferring Personal Data to a country outside the EEA – OriēnMir Ltd may transfer any personal data we hold to a country outside the European Economic Area (‘EEA’), provided that one of the following conditions apply:
(a) The country to which the personal data is transferred ensures an adequate level of protection for the Data Subjects’ rights and freedoms;
(b) The Data Subject has given his consent;
(c) The transfer is necessary for one of the reasons set out in (UK DPA 1998) and/or EU 2016/679 (UK GDPR) including the performance of a contract between us and the Data Subject(s), or to protect the vital interests of the Data Subject(s);
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims;
(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the Data Subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
Related Section Link
- https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
- https://ico.org.uk/for-organisations/advice-for-small-organisations/whats-new/blogs/information-sharing-without-consent-advice-for-small-organisations/
DATA SECURITY AND RISK
OriēnMir Ltd as the Data Controller must be able to demonstrate and implement appropriate organisational measures to ensure compliance with data protection principles, regarding security. These will include:
- Suitably qualified DPO and or an executive accountable for data privacy
- Integrating data protection into internal documentation and practices, policies and procedures
- Appropriate Training for employees
- Regular testing of privacy measures having been implemented, conducting reviews and audits to assess compliance
EXAMPLES PLEASE
Record Keeping
Direct Marketing
Sharing with third parties – please see sections on this for duplication
DATA SHARING
OrienMir Ltd may have to share the Data Subject’s data with third parties, including third-party service providers, contractors, designated agents and other entities in the group. We require third parties to respect the security of data and to treat it in accordance with the law. We may also need to share personal data with a regulator or to otherwise comply with the law.
Data sharing may include the uploading of data to cloud based storage
OriēnMir Ltd has put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify the Data Subject(s) and any applicable regulator of a suspected breach where we are legally required to do so.
What follows is not an exhaustive list of OriēnMir Ltd’ security measures but should serve to demonstrate our commitment to security and confidentiality.
Security Measures include but are not limited to:
(a) Entry controls. Any stranger seen in entry-controlled areas will be challenged and reported;
(b) Secure lockable desks and cupboards. Desks and cupboards will be kept locked if they hold confidential data of any kind. (Personal data is always considered confidential.);
(c) Methods of disposal. Paper documentation will be shredded by a third -party specialist in waste paper recycling and destruction, the results of which will be verified with certification. Digital storage devices will be physically destroyed when they are no longer required;
(d) Equipment. Data users will ensure that individual monitors do not show confidential data to passers-by and that they log off from their PC when it is left unattended;
(e) Confidentiality. Only people who are authorised to use the data can access it; where appropriate, when a higher level of confidentiality is required over and above the aforementioned security measures all RELEVANT AND APPROPRIATE data users will have been vetted by the Disclosure Scotland Criminal Records Check (CRB);
(f) Integrity means that personal data will be accurate and suitable for the purpose for which it is processed;
(g) Availability means that authorised users will be able to access the data if they need it for authorised purposes. Personal data will therefore be stored on a secure and centralised system (E.g. a generic cloud-based CRM) instead of individual PCs.
DATA RETENTION
How long will we retain customer information for?
We will only retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In other words, OriēnMir Ltd will continue to process relevant personal data for as long as business transactions with the appropriate Data Subject(s) remain current and continue. As an archive however, we will hold relevant Data Subject(s) data no longer than a five-year period.
Regarding OriēnMir Ltd employees and data retention – Details of retention periods for different aspects of personal information are available in our retention policy which is available in the OriēnMir Ltd employee handbook. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise personal information so that it can no longer be associated with the Data Subject(s), in which case we may use such information without further notice to the Data Subject(s). Once the Data Subject(s) is no longer an employee, worker or contractor of the company we will retain and securely destroy personal information in accordance with our data retention policy and/or the applicable laws and regulations.RIGHTS OF ACCESS, CORRECTION AND RESTRICTION
The Data Subject has specific rights when it comes to how their data is processed:
1) Right to be informed – The Data Subject has the right to be informed when their data is collected and how it will be processed. – Guidance: The data controllers must provide specific and detailed information to the Data Subjects on whether their data was collected directly or indirectly. The information given must be thorough and appropriate, conscise, transparent and easily accessible.
2) Right of access – The Data Subject has the right to make a ‘Subject Access Request’ and view any of the data stored by OriēnMir Ltd for free and within 1 month.
To do this contact OriēnMir Ltd using our public contact details or make a communication for the attention of our Data Protection Officer: – email – admin@OrienMir Ltd.biz – or call – 03 33 344 1516
3) Right to rectification – The Data Subject has the right to request that their information be changed if it is incorrect or incomplete.
4) Right to erasure – The Data Subject has the right to ask to be forgotten and their personal data erased from records, provided that the Data Controller does not have a lawful basis for continuing the processing. Requesting erasure of personal information enables the Data Subject(s) to ask us to delete or remove personal information where there is no good reason for us continuing to process it. The Data Subject(s) also have the right to ask us to delete or remove their personal information where they have exercised their right to object to processing (see below).
5) Right to object – The Data Subject has the right to object to their data being processed in a certain way, for example, by unsubscribing from direct marketing emails or if objections are made to the processing of personal information where we are relying on a legitimate interest (or those of a third party) and there is something about a particular situation which makes the Data Subject(s) want to object to processing on this ground.
6) Right to data portability – The Data Subject has the right to request their data in a portable format if they need to share it with a third party.
7) Right to restriction of processing – The Data Subject has the right to restrict the processing of their information until they confirm that it can be further processed. (provided that the Data Controller does not have a lawful basis for continuing the processing)
8) Rights in relation to automated decision making and profiling – The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Please note that should the Data Subject(s) exercise their right to request that we OriēnMir Ltd erase or cease any processing activity, we may retain a record of this request and the action taken in order to both evidence our compliance, and to take steps to minimise the prospect of any data being processed in the future should it be received again form a third-party source.
If the Data Subject has any questions or wishes to exercise their rights please contact OriēnMir Ltd email – admin@OrienMir Ltd.biz or call- 03 33 344 1516REGARDING THE RIGHT TO WITHDRAW CONSENT
In the circumstance where the Data Subject(s) may have provided OriēnMir Ltd with consent to the processing of related personal information, they also have the right to withdraw consent. At any time.
To withdraw consent, please contact:
OriēnMir Ltd:admin@OrienMir Ltd.biz – 03 33 344 1516
Once we have received notification that the Data Subject has withdrawn consent, we will no longer process any related information for the purpose or purposes originally agreed to, unless we have another legitimate basis for doing so in law.
DATA PROTECTION OFFICER
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle personal information, please contact:
Name:
admin@OrienMir Ltd.biz – 03 33 344 1516
RIGHT TO MAKE A COMPLAINT
Any individual including the Data Subject(s) has the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Please go to the ICO website: www.ico.org.uk or call their helpline on:
0303 123 1113 or follow the information in the link below:
CHANGE OF PURPOSE
OriēnMir Ltd will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information for an unrelated purpose, we will notify the Data Subject(s) and we will explain the legal basis which allows us to do so.
Therefore please note that we may process personal information without the Data Subject’s knowledge or consent, in compliance with the above rules, only where this is required and/or permitted by law.
Changes to this privacy notice
OriēnMir Ltd reserve the right to update this privacy notice at any time, and we will provide Data Subject(s) with a new privacy notice when we make any substantial updates. We may also notify related Data Subject(s) in other ways from time to time about the processing of personal information.
END
Frequently Asked Questions
To book an appointment, or to make an enquiry into the services we offer, please contact us via email on [email protected].
Skin transformation takes time and effort. A six-week program of weekly treatments is a great starting point for achieving your desired results.
Kindly advise us of any health conditions, allergies or injuries which could affect your choice of treatment when making your reservation.
Children aged between 14-16 years must be accompanied by an adult during treatments. We politely ask that children below the age of 14 are not brought into the Skinesis Clinic.
Please arrive 10 minutes prior to your treatment to complete essential consultation details. Please be advised that late arrivals will result in a reduction of treatment time.
If you are late to your appointment, you lose that time. If you cancel your appointment on the same day or do not attend you will be charged 100% of the treatment price. Not attending means you did not arrive within the first 20 minutes of your appointment. If you cancel within 48 hours you will be charged 100% of the treatment price. If you wish to reschedule, you must do so at least 48 hours before your appointment.
We politely ask that pets are not brought into the OriēnMir Spa.